Merge "NSX-V| Fix SG creation with nsx policy"

This commit is contained in:
Jenkins 2017-01-26 18:19:06 +00:00 committed by Gerrit Code Review
commit 8e2fe26878
2 changed files with 36 additions and 15 deletions


@ -21,10 +21,13 @@ from sqlalchemy.orm import exc
from sqlalchemy import sql from sqlalchemy import sql
from neutron.api.v2 import attributes from neutron.api.v2 import attributes
from neutron.callbacks import events
from neutron.callbacks import registry
from neutron.callbacks import resources
from neutron.common import utils as n_utils from neutron.common import utils as n_utils
from neutron.db import api as db_api from neutron.db import api as db_api
from neutron.db import db_base_plugin_v2 from neutron.db import db_base_plugin_v2
from neutron.db.models import securitygroup as securitygroups_db # noqa from neutron.db.models import securitygroup as securitygroups_db
from neutron.extensions import securitygroup as ext_sg from neutron.extensions import securitygroup as ext_sg
from neutron_lib.api import validators from neutron_lib.api import validators
from neutron_lib import constants as n_constants from neutron_lib import constants as n_constants
@ -69,14 +72,30 @@ class ExtendedSecurityGroupPropertiesMixin(object):
"==SecurityGroupPortBinding.security_group_id")) "==SecurityGroupPortBinding.security_group_id"))
def create_provider_security_group(self, context, security_group): def create_provider_security_group(self, context, security_group):
"""Create a provider security group. return self.create_security_group_without_rules(
context, security_group, False, True)
def create_security_group_without_rules(self, context, security_group,
default_sg, is_provider):
"""Create a neutron security group, without any default rules.
This method creates a security group that does not by default This method creates a security group that does not by default
enable egress traffic which normal neutron security groups do. enable egress traffic which normal neutron security groups do.
""" """
s = security_group['security_group'] s = security_group['security_group']
kwargs = {
'context': context,
'security_group': s,
'is_default': default_sg,
}
self._registry_notify(resources.SECURITY_GROUP, events.BEFORE_CREATE,
exc_cls=ext_sg.SecurityGroupConflict, **kwargs)
tenant_id = s['tenant_id'] tenant_id = s['tenant_id']
if not default_sg:
self._ensure_default_security_group(context, tenant_id)
with db_api.autonested_transaction(context.session): with db_api.autonested_transaction(context.session):
security_group_db = securitygroups_db.SecurityGroup( security_group_db = securitygroups_db.SecurityGroup(
id=s.get('id') or (uuidutils.generate_uuid()), id=s.get('id') or (uuidutils.generate_uuid()),
@ -84,8 +103,17 @@ class ExtendedSecurityGroupPropertiesMixin(object):
tenant_id=tenant_id, tenant_id=tenant_id,
name=s.get('name', '')) name=s.get('name', ''))
context.session.add(security_group_db) context.session.add(security_group_db)
if default_sg:
context.session.add(securitygroups_db.DefaultSecurityGroup(
security_group=security_group_db,
tenant_id=tenant_id))
secgroup_dict = self._make_security_group_dict(security_group_db) secgroup_dict = self._make_security_group_dict(security_group_db)
secgroup_dict[provider_sg.PROVIDER] = True secgroup_dict[sg_policy.POLICY] = s.get(sg_policy.POLICY)
secgroup_dict[provider_sg.PROVIDER] = is_provider
kwargs['security_group'] = secgroup_dict
registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self,
**kwargs)
return secgroup_dict return secgroup_dict
def _process_security_group_properties_create(self, context, def _process_security_group_properties_create(self, context,
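Review bot: In create_security_group_without_rules the returned dict copies the policy straight from the request body, `secgroup_dict[sg_policy.POLICY] = s.get(sg_policy.POLICY)`, rather than from the persisted row, so if the extension does not give that attribute a default, a provider group created without a policy would echo the ATTR_NOT_SPECIFIED sentinel to the caller and to the AFTER_CREATE subscribers. Guarding it as `policy = s.get(sg_policy.POLICY)` / `secgroup_dict[sg_policy.POLICY] = policy if validators.is_attr_set(policy) else None` keeps the dict serializable (validators is already imported at the top of this file). The docstring should also describe the two new parameters, e.g. `:param default_sg: register the group as the tenant default (adds a DefaultSecurityGroup row)` and `:param is_provider: value reported under provider_sg.PROVIDER in the returned dict`. Whether sg_policy is imported in this module cannot be seen from the hunk; the import hunk at the top only adds events, registry and resources.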


@ -3257,15 +3257,6 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
# just add the security group to the policy on the backend. # just add the security group to the policy on the backend.
self._update_nsx_security_group_policies( self._update_nsx_security_group_policies(
policy, None, nsx_sg_id) policy, None, nsx_sg_id)
# Delete the neutron default rules (do not exist on the backend)
if securitygroup.get(ext_sg.SECURITYGROUPRULES):
with context.session.begin(subtransactions=True):
for rule in securitygroup[ext_sg.SECURITYGROUPRULES]:
rule_db = self._get_security_group_rule(context,
rule['id'])
context.session.delete(rule_db)
securitygroup.pop(ext_sg.SECURITYGROUPRULES)
else: else:
try: try:
self._create_fw_section_for_security_group( self._create_fw_section_for_security_group(
@ -3358,9 +3349,11 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
self._validate_security_group(context, sg_data, default_sg) self._validate_security_group(context, sg_data, default_sg)
with context.session.begin(subtransactions=True): with context.session.begin(subtransactions=True):
if sg_data.get(provider_sg.PROVIDER): is_provider = True if sg_data.get(provider_sg.PROVIDER) else False
new_sg = self.create_provider_security_group( is_policy = True if sg_data.get(sg_policy.POLICY) else False
context, security_group) if is_provider or is_policy:
new_sg = self.create_security_group_without_rules(
context, security_group, default_sg, is_provider)
else: else:
new_sg = super(NsxVPluginV2, self).create_security_group( new_sg = super(NsxVPluginV2, self).create_security_group(
context, security_group, default_sg) context, security_group, default_sg)