Merge "NSX-V| Fix SG creation with nsx policy"
This commit is contained in:
commit
8e2fe26878
@ -21,10 +21,13 @@ from sqlalchemy.orm import exc
|
|||||||
from sqlalchemy import sql
|
from sqlalchemy import sql
|
||||||
|
|
||||||
from neutron.api.v2 import attributes
|
from neutron.api.v2 import attributes
|
||||||
|
from neutron.callbacks import events
|
||||||
|
from neutron.callbacks import registry
|
||||||
|
from neutron.callbacks import resources
|
||||||
from neutron.common import utils as n_utils
|
from neutron.common import utils as n_utils
|
||||||
from neutron.db import api as db_api
|
from neutron.db import api as db_api
|
||||||
from neutron.db import db_base_plugin_v2
|
from neutron.db import db_base_plugin_v2
|
||||||
from neutron.db.models import securitygroup as securitygroups_db # noqa
|
from neutron.db.models import securitygroup as securitygroups_db
|
||||||
from neutron.extensions import securitygroup as ext_sg
|
from neutron.extensions import securitygroup as ext_sg
|
||||||
from neutron_lib.api import validators
|
from neutron_lib.api import validators
|
||||||
from neutron_lib import constants as n_constants
|
from neutron_lib import constants as n_constants
|
||||||
@ -69,14 +72,30 @@ class ExtendedSecurityGroupPropertiesMixin(object):
|
|||||||
"==SecurityGroupPortBinding.security_group_id"))
|
"==SecurityGroupPortBinding.security_group_id"))
|
||||||
|
|
||||||
def create_provider_security_group(self, context, security_group):
|
def create_provider_security_group(self, context, security_group):
|
||||||
"""Create a provider security group.
|
return self.create_security_group_without_rules(
|
||||||
|
context, security_group, False, True)
|
||||||
|
|
||||||
|
def create_security_group_without_rules(self, context, security_group,
|
||||||
|
default_sg, is_provider):
|
||||||
|
"""Create a neutron security group, without any default rules.
|
||||||
|
|
||||||
This method creates a security group that does not by default
|
This method creates a security group that does not by default
|
||||||
enable egress traffic which normal neutron security groups do.
|
enable egress traffic which normal neutron security groups do.
|
||||||
"""
|
"""
|
||||||
s = security_group['security_group']
|
s = security_group['security_group']
|
||||||
|
kwargs = {
|
||||||
|
'context': context,
|
||||||
|
'security_group': s,
|
||||||
|
'is_default': default_sg,
|
||||||
|
}
|
||||||
|
|
||||||
|
self._registry_notify(resources.SECURITY_GROUP, events.BEFORE_CREATE,
|
||||||
|
exc_cls=ext_sg.SecurityGroupConflict, **kwargs)
|
||||||
tenant_id = s['tenant_id']
|
tenant_id = s['tenant_id']
|
||||||
|
|
||||||
|
if not default_sg:
|
||||||
|
self._ensure_default_security_group(context, tenant_id)
|
||||||
|
|
||||||
with db_api.autonested_transaction(context.session):
|
with db_api.autonested_transaction(context.session):
|
||||||
security_group_db = securitygroups_db.SecurityGroup(
|
security_group_db = securitygroups_db.SecurityGroup(
|
||||||
id=s.get('id') or (uuidutils.generate_uuid()),
|
id=s.get('id') or (uuidutils.generate_uuid()),
|
||||||
@ -84,8 +103,17 @@ class ExtendedSecurityGroupPropertiesMixin(object):
|
|||||||
tenant_id=tenant_id,
|
tenant_id=tenant_id,
|
||||||
name=s.get('name', ''))
|
name=s.get('name', ''))
|
||||||
context.session.add(security_group_db)
|
context.session.add(security_group_db)
|
||||||
|
if default_sg:
|
||||||
|
context.session.add(securitygroups_db.DefaultSecurityGroup(
|
||||||
|
security_group=security_group_db,
|
||||||
|
tenant_id=tenant_id))
|
||||||
|
|
||||||
secgroup_dict = self._make_security_group_dict(security_group_db)
|
secgroup_dict = self._make_security_group_dict(security_group_db)
|
||||||
secgroup_dict[provider_sg.PROVIDER] = True
|
secgroup_dict[sg_policy.POLICY] = s.get(sg_policy.POLICY)
|
||||||
|
secgroup_dict[provider_sg.PROVIDER] = is_provider
|
||||||
|
kwargs['security_group'] = secgroup_dict
|
||||||
|
registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self,
|
||||||
|
**kwargs)
|
||||||
return secgroup_dict
|
return secgroup_dict
|
||||||
|
|
||||||
def _process_security_group_properties_create(self, context,
|
def _process_security_group_properties_create(self, context,
|
||||||
|
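Review bot: `create_security_group_without_rules` (new in the second hunk, its body continuing into the third) documents neither `default_sg` nor `is_provider`, and `create_provider_security_group` now passes them as two bare positional booleans, `context, security_group, False, True`, which are easy to transpose; I would write the call as `return self.create_security_group_without_rules(context, security_group, default_sg=False, is_provider=True)` and add a parameter section to the docstring saying that `default_sg` also registers the row as the tenant's `DefaultSecurityGroup` and skips `_ensure_default_security_group`, while `is_provider` is only echoed into the returned dict's provider flag. The docstring should also state that the returned `sg_policy.POLICY` value is simply what the request carried (`s.get(sg_policy.POLICY)`): nothing in these hunks writes it to the database, so if persistence happens in `_process_security_group_properties_create` (cut off at the end of this section) the caller must still invoke it after this method returns. Because the method raises `ext_sg.SecurityGroupConflict` from the BEFORE_CREATE callbacks, that is worth listing under a Raises note as well.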
@ -3257,15 +3257,6 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||||||
# just add the security group to the policy on the backend.
|
# just add the security group to the policy on the backend.
|
||||||
self._update_nsx_security_group_policies(
|
self._update_nsx_security_group_policies(
|
||||||
policy, None, nsx_sg_id)
|
policy, None, nsx_sg_id)
|
||||||
|
|
||||||
# Delete the neutron default rules (do not exist on the backend)
|
|
||||||
if securitygroup.get(ext_sg.SECURITYGROUPRULES):
|
|
||||||
with context.session.begin(subtransactions=True):
|
|
||||||
for rule in securitygroup[ext_sg.SECURITYGROUPRULES]:
|
|
||||||
rule_db = self._get_security_group_rule(context,
|
|
||||||
rule['id'])
|
|
||||||
context.session.delete(rule_db)
|
|
||||||
securitygroup.pop(ext_sg.SECURITYGROUPRULES)
|
|
||||||
else:
|
else:
|
||||||
try:
|
try:
|
||||||
self._create_fw_section_for_security_group(
|
self._create_fw_section_for_security_group(
|
||||||
@ -3358,9 +3349,11 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||||||
self._validate_security_group(context, sg_data, default_sg)
|
self._validate_security_group(context, sg_data, default_sg)
|
||||||
|
|
||||||
with context.session.begin(subtransactions=True):
|
with context.session.begin(subtransactions=True):
|
||||||
if sg_data.get(provider_sg.PROVIDER):
|
is_provider = True if sg_data.get(provider_sg.PROVIDER) else False
|
||||||
new_sg = self.create_provider_security_group(
|
is_policy = True if sg_data.get(sg_policy.POLICY) else False
|
||||||
context, security_group)
|
if is_provider or is_policy:
|
||||||
|
new_sg = self.create_security_group_without_rules(
|
||||||
|
context, security_group, default_sg, is_provider)
|
||||||
else:
|
else:
|
||||||
new_sg = super(NsxVPluginV2, self).create_security_group(
|
new_sg = super(NsxVPluginV2, self).create_security_group(
|
||||||
context, security_group, default_sg)
|
context, security_group, default_sg)
|
||||||
|
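Review bot: The new `is_policy = True if sg_data.get(sg_policy.POLICY) else False` line in the last hunk decides on plain truthiness, so if the policy attribute's extension default is `ATTR_NOT_SPECIFIED` rather than `None` (not visible here; worth confirming against the extension's attribute map) the sentinel object is truthy and a request that sets no policy would be routed into `create_security_group_without_rules` and silently lose the default egress rules a normal security group gets. `validators.is_attr_set(sg_data.get(sg_policy.POLICY))` from neutron_lib covers both the `None` and the sentinel case, and the same applies to the provider flag on the line above. Independently of that, `True if x else False` is just `bool(x)`; `is_provider = bool(sg_data.get(provider_sg.PROVIDER))` reads more directly. The enclosing method (apparently `create_security_group`, given the `super(...).create_security_group` call, though its `def` line is outside the hunk) continues past the end of the hunk.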