Merge "NSXv: Fine grained control for logging security-group rules"

2016-03-29 16:39:39 +00:00 · 2016-03-29 16:39:39 +00:00 · c65a8fe1d7
commit c65a8fe1d7
parent 83addfaa77 1f9d16fe8d
12 changed files with 286 additions and 25 deletions
--- a/etc/nsx.ini
+++ b/etc/nsx.ini
@ -191,6 +191,14 @@
 # (Optional) DHCP lease time
 # dhcp_lease_time = 86400
 # (Optional) Indicates whether distributed-firewall rule for security-groups
 # blocked traffic is logged.
 # log_security_groups_blocked_traffic = False
 # (Optional) Indicates whether distributed-firewall security-groups rules are
 # logged.
 # log_security_groups_allowed_traffic = False
 [nsx]
 # Maximum number of ports for each bridged logical switch
 # The recommended value for this parameter varies with NSX version
--- a/etc/policy.json
+++ b/etc/policy.json
@ -139,5 +139,9 @@
    "get_service_provider": "rule:regular_user",
    "get_lsn": "rule:admin_only",
-    "create_lsn": "rule:admin_only"
+    "create_lsn": "rule:admin_only",
    "create_security_group:logging": "rule:admin_only",
    "update_security_group:logging": "rule:admin_only",
    "get_security_group:logging": "rule:admin_only"
 }
--- a/vmware_nsx/common/config.py
+++ b/vmware_nsx/common/config.py
@ -401,6 +401,14 @@ nsxv_opts = [
                       'involves configuring the dvs backing nsx_v directly. '
                       'If False, only features exposed via nsx_v will be '
                       'supported')),
    cfg.BoolOpt('log_security_groups_blocked_traffic',
                default=False,
                help=_("Indicates whether distributed-firewall rule for "
                       "security-groups blocked traffic is logged")),
    cfg.BoolOpt('log_security_groups_allowed_traffic',
                default=False,
                help=_("Indicates whether distributed-firewall "
                       "security-groups allowed traffic is logged")),
 ]
 # Register the configuration options
--- a/vmware_nsx/db/migration/alembic_migrations/versions/EXPAND_HEAD
+++ b/vmware_nsx/db/migration/alembic_migrations/versions/EXPAND_HEAD
@ -1 +1 @@
-4c45bcadccf9
+2c87aedb206f
--- a/vmware_nsx/db/migration/alembic_migrations/versions/newton/expand/2c87aedb206f_nsxv_security_group_logging.py
+++ b/vmware_nsx/db/migration/alembic_migrations/versions/newton/expand/2c87aedb206f_nsxv_security_group_logging.py
@ -0,0 +1,34 @@
 # Copyright 2016 OpenStack Foundation
 #
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 #
 """nsxv_security_group_logging
 Revision ID: 2c87aedb206f
 Revises: 4c45bcadccf9
 Create Date: 2016-03-15 06:06:06.680092
 """
 # revision identifiers, used by Alembic.
 revision = '2c87aedb206f'
 down_revision = '4c45bcadccf9'
 from alembic import op
 import sqlalchemy as sa
 def upgrade():
    op.add_column('nsxv_security_group_section_mappings',
                  sa.Column('logging', sa.Boolean(), nullable=False))
--- a/vmware_nsx/db/nsxv_db.py
+++ b/vmware_nsx/db/nsxv_db.py
@ -366,10 +366,10 @@ def delete_nsxv_internal_edge(session, ext_ip_address):
                filter_by(ext_ip_address=ext_ip_address).delete())
-def add_neutron_nsx_section_mapping(session, neutron_id, ip_section_id):
+def add_neutron_nsx_section_mapping(session, neutron_id, section_id, logging):
    with session.begin(subtransactions=True):
        mapping = nsxv_models.NsxvSecurityGroupSectionMapping(
-            neutron_id=neutron_id, ip_section_id=ip_section_id)
+            neutron_id=neutron_id, ip_section_id=section_id, logging=logging)
        session.add(mapping)
    return mapping
--- a/vmware_nsx/db/nsxv_models.py
+++ b/vmware_nsx/db/nsxv_models.py
@ -114,6 +114,7 @@ class NsxvSecurityGroupSectionMapping(model_base.BASEV2):
                                         ondelete="CASCADE"),
                           primary_key=True)
    ip_section_id = sa.Column(sa.String(100))
    logging = sa.Column(sa.Boolean, default=False, nullable=False)
 class NsxvRuleMapping(model_base.BASEV2):
--- a/vmware_nsx/extensions/securitygrouplogging.py
+++ b/vmware_nsx/extensions/securitygrouplogging.py
@ -0,0 +1,67 @@
 # Copyright 2016 VMware, Inc.  All rights reserved.
 #
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 from neutron.api import extensions
 from neutron.api.v2 import attributes
 RESOURCE_ATTRIBUTE_MAP = {
    'security_groups': {
        'logging': {
            'allow_post': True,
            'allow_put': True,
            'convert_to': attributes.convert_to_boolean,
            'default': False,
            'enforce_policy': True,
            'is_visible': True}
    }
 }
 class Securitygrouplogging(extensions.ExtensionDescriptor):
    """Security group logging extension."""
    @classmethod
    def get_name(cls):
        return "Security group logging"
    @classmethod
    def get_alias(cls):
        return "security-group-logging"
    @classmethod
    def get_description(cls):
        return "Security group logging extension."
    @classmethod
    def get_namespace(cls):
        # todo
        return "http://docs.openstack.org/ext/security_group_logging/api/v2.0"
    @classmethod
    def get_updated(cls):
        return "2015-04-13T10:00:00-00:00"
    def get_required_extensions(self):
        return ["security-group"]
    @classmethod
    def get_resources(cls):
        """Returns Ext Resources."""
        return []
    def get_extended_resources(self, version):
        if version == "2.0":
            return RESOURCE_ATTRIBUTE_MAP
        else:
            return {}
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -31,6 +31,7 @@ from neutron.api.v2 import attributes as attr
 from neutron.callbacks import events
 from neutron.callbacks import registry
 from neutron.callbacks import resources
 from neutron import context as n_context
 from neutron.db import agents_db
 from neutron.db import allowedaddresspairs_db as addr_pair_db
 from neutron.db import db_base_plugin_v2
@ -122,6 +123,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                                   "router",
                                   "security-group",
                                   "secgroup-rule-local-ip-prefix",
                                   "security-group-logging",
                                   "nsxv-router-type",
                                   "nsxv-router-size",
                                   "vnic-index",
@ -170,6 +172,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        self._validate_config()
        self.sg_container_id = self._create_security_group_container()
        self.default_section = self._create_cluster_default_fw_section()
        self._process_security_groups_rules_logging()
        self._router_managers = managers.RouterTypeManager(self)
        if cfg.CONF.nsxv.use_dvs_features:
@ -264,7 +267,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        # Default security-group rules
        block_rule = self.nsx_sg_utils.get_rule_config(
-            [self.sg_container_id], 'Block All', 'deny')
+            [self.sg_container_id], 'Block All', 'deny',
            logged=cfg.CONF.nsxv.log_security_groups_blocked_traffic)
        rule_list.append(block_rule)
        with locking.LockManager.get_lock('default-section-init'):
@ -282,6 +286,38 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                section_id = self.nsx_sg_utils.parse_and_get_section_id(c)
        return section_id
    def _process_security_groups_rules_logging(self):
        with locking.LockManager.get_lock('nsx-dfw-section',
                                          lock_file_prefix='dfw-section',
                                          external=True):
            context = n_context.get_admin_context()
            log_all_rules = cfg.CONF.nsxv.log_security_groups_allowed_traffic
            for sg in self.get_security_groups(context, fields=['id']):
                fw_section = self._get_section(context.session, sg['id'])
                # If the section/sg is already logged, then no action is
                # required.
                if fw_section is None or fw_section['logging']:
                    continue
                # Section/sg is not logged, update rules logging according to
                # the 'log_security_groups_allowed_traffic' config option.
                try:
                    section_uri = fw_section['ip_section_id']
                    h, c = self.nsx_v.vcns.get_section(section_uri)
                    section = self.nsx_sg_utils.parse_section(c)
                    section_needs_update = (
                        self.nsx_sg_utils.set_rules_logged_option(
                            section, log_all_rules))
                    if section_needs_update:
                        self.nsx_v.vcns.update_section(
                            section_uri,
                            self.nsx_sg_utils.to_xml_string(section), h)
                except Exception as exc:
                    LOG.error(_LE('Unable to update section for logging. %s'),
                              exc)
    def _create_dhcp_static_binding(self, context, neutron_port_db):
        network_id = neutron_port_db['network_id']
@ -1926,6 +1962,22 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        if mapping is not None:
            return mapping['ip_section_id']
    def _get_section(self, session, security_group_id):
        return nsxv_db.get_nsx_section(session, security_group_id)
    def _update_section_logging(self, session, section, section_db):
        logging = not section_db['logging']
        # Update the DB for the new logging settings.
        with session.begin(subtransactions=True):
            section_db['logging'] = logging
        # Update section rules logging only if we are not already logging them.
        log_all_rules = cfg.CONF.nsxv.log_security_groups_allowed_traffic
        section_needs_update = False
        if not log_all_rules:
            section_needs_update = (
                self.nsx_sg_utils.set_rules_logged_option(section, logging))
        return section_needs_update
    def create_security_group(self, context, security_group,
                              default_sg=False):
        """Create a security group."""
@ -1934,6 +1986,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        new_security_group = super(NsxVPluginV2, self).create_security_group(
            context, security_group, default_sg)
        sg_id = new_security_group['id']
        nsx_sg_name = self.nsx_sg_utils.get_nsx_sg_name(sg_data)
        # NSX security-group config
@ -1943,12 +1996,17 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        # Translate Neutron rules to NSXv fw rules and construct the fw section
        nsx_sg_id = section_uri = None
        try:
            log_all_rules = cfg.CONF.nsxv.log_security_groups_allowed_traffic
            # Create the nsx security group
            h, nsx_sg_id = self.nsx_v.vcns.create_security_group(sg_dict)
            section_name = self.nsx_sg_utils.get_nsx_section_name(nsx_sg_name)
-            nsx_rules = [self._create_nsx_rule(context, rule, nsx_sg_id) for
+            logging = sg_data.get('logging', False)
-                         rule in new_security_group['security_group_rules']]
+            nsx_rules = []
            for rule in new_security_group['security_group_rules']:
                nsx_rule = self._create_nsx_rule(
                    context, rule, nsx_sg_id, logged=log_all_rules or logging)
                nsx_rules.append(nsx_rule)
            section = self.nsx_sg_utils.get_section_with_rules(
                section_name, nsx_rules)
@ -1961,10 +2019,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
            # Save moref in the DB for future access
            nsx_db.add_neutron_nsx_security_group_mapping(
-                context.session, new_security_group['id'], nsx_sg_id)
+                context.session, sg_id, nsx_sg_id)
            # Add database associations for fw section and rules
            nsxv_db.add_neutron_nsx_section_mapping(
-                context.session, new_security_group['id'], section_uri)
+                context.session, sg_id, section_uri, logging)
            for pair in rule_pairs:
                # Save nsx rule id in the DB for future access
                nsxv_db.add_neutron_nsx_rule_mapping(context.session,
@ -1979,31 +2037,46 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                # Only admin can delete the default security-group
                if default_sg:
                    context = context.elevated()
-                super(NsxVPluginV2, self).delete_security_group(
+                super(NsxVPluginV2, self).delete_security_group(context, sg_id)
                    context, new_security_group['id'])
                # Delete the created nsx security-group and the fw section
                self._delete_section(section_uri)
                self._delete_nsx_security_group(nsx_sg_id)
                LOG.exception(_LE('Failed to create security group'))
        if context.is_admin:
            new_security_group['logging'] = logging
        return new_security_group
    def update_security_group(self, context, id, security_group):
        s = security_group['security_group']
        nsx_sg_id = nsx_db.get_nsx_security_group_id(context.session, id)
-        section_uri = self._get_section_uri(context.session, id)
+        section_db = self._get_section(context.session, id)
-        h, c = self.nsx_v.vcns.get_section(section_uri)
+        section_uri = section_db['ip_section_id']
-        section = self.nsx_sg_utils.parse_section(c)
+        section_needs_update = False
        sg_data = super(NsxVPluginV2, self).update_security_group(
            context, id, security_group)
        # Reflect security-group name or description changes in the backend,
        # dfw section name needs to be updated as well.
        h, c = self.nsx_v.vcns.get_section(section_uri)
        section = self.nsx_sg_utils.parse_section(c)
        if set(['name', 'description']) & set(s.keys()):
            nsx_sg_name = self.nsx_sg_utils.get_nsx_sg_name(sg_data)
            section_name = self.nsx_sg_utils.get_nsx_section_name(nsx_sg_name)
            self.nsx_v.vcns.update_security_group(
                nsx_sg_id, nsx_sg_name, sg_data['description'])
            section_name = self.nsx_sg_utils.get_nsx_section_name(nsx_sg_name)
            section.attrib['name'] = section_name
            section_needs_update = True
        # Update the dfw section if security-group logging option has changed.
        # TBD: enforce admin only?
        if 'logging' in s and s['logging'] != section_db['logging']:
            section_needs_update = self._update_section_logging(
                context.session, section, section_db)
        if section_needs_update:
            self.nsx_v.vcns.update_section(
                section_uri, self.nsx_sg_utils.to_xml_string(section), h)
        if context.is_admin:
            sg_data['logging'] = section_db['logging']
        return sg_data
    def delete_security_group(self, context, id):
@ -2028,7 +2101,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
            with excutils.save_and_reraise_exception():
                LOG.exception(_LE("Failed to delete security group"))
-    def _create_nsx_rule(self, context, rule, nsx_sg_id=None):
+    def _create_nsx_rule(self, context, rule, nsx_sg_id=None, logged=False):
        src = None
        dest = None
        port = None
@ -2089,7 +2162,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
            source=src,
            destination=dest,
            services=services,
-            flags=flags)
+            flags=flags,
            logged=logged)
        return nsx_rule
    def create_security_group_rule(self, context, security_group_rule):
@ -2103,10 +2177,18 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        :param security_group_rules: list of rules to create
        """
        sg_rules = security_group_rules['security_group_rules']
        sg_id = sg_rules[0]['security_group_rule']['security_group_id']
        ruleids = set()
        nsx_rules = []
        self._validate_security_group_rules(context, security_group_rules)
        # Fetching the the dfw section associated with the security-group
        section_db = self._get_section(context.session, sg_id)
        section_uri = section_db['ip_section_id']
        logging = section_db['logging']
        log_all_rules = cfg.CONF.nsxv.log_security_groups_allowed_traffic
        # Translating Neutron rules to Nsx DFW rules
        for r in sg_rules:
            rule = r['security_group_rule']
@ -2114,12 +2196,9 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                rule[ext_loip.LOCAL_IP_PREFIX] = None
            rule['id'] = uuidutils.generate_uuid()
            ruleids.add(rule['id'])
-            nsx_rules.append(self._create_nsx_rule(context, rule))
+            nsx_rules.append(self._create_nsx_rule(
                context, rule, logged=log_all_rules or logging))
        # Find section uri for the security group, retrieve it and update with
        # the new rules
        section_uri = self._get_section_uri(
            context.session, rule['security_group_id'])
        _h, _c = self.nsx_v.vcns.get_section(section_uri)
        section = self.nsx_sg_utils.parse_section(_c)
        self.nsx_sg_utils.extend_section_with_rules(section, nsx_rules)
--- a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
@ -58,9 +58,10 @@ class NsxSecurityGroupUtils(object):
    def get_rule_config(self, applied_to_ids, name, action='allow',
                        applied_to='SecurityGroup',
                        source=None, destination=None, services=None,
-                        flags=None):
+                        flags=None, logged=False):
        """Helper method to create a nsx rule dict."""
        ruleTag = et.Element('rule')
        ruleTag.attrib['logged'] = 'true' if logged else 'false'
        nameTag = et.SubElement(ruleTag, 'name')
        nameTag.text = name
        actionTag = et.SubElement(ruleTag, 'action')
@ -146,3 +147,21 @@ class NsxSecurityGroupUtils(object):
    def parse_and_get_section_id(self, section_xml):
        section = et.fromstring(section_xml)
        return section.attrib['id']
    def is_section_logged(self, section):
        # Determine if this section rules are being logged by the first rule
        # 'logged' value.
        rule = section.find('rule')
        if rule is not None:
            return rule.attrib.get('logged') == 'true'
        return False
    def set_rules_logged_option(self, section, logged):
        value = 'true' if logged else 'false'
        rules = section.findall('rule')
        updated = False
        for rule in rules:
            if rule.attrib['logged'] != value:
                rule.attrib['logged'] = value
                updated = True
        return updated
--- a/vmware_nsx/tests/unit/extensions/test_secgroup_rule_local_ip_prefix.py
+++ b/vmware_nsx/tests/unit/extensions/test_secgroup_rule_local_ip_prefix.py
@ -120,5 +120,6 @@ class TestNsxVExtendedSGRule(test_nsxv_plugin.NsxVSecurityGroupsTestCase,
        super(TestNsxVExtendedSGRule,
              self).test_create_rule_with_local_ip_prefix()
        plugin.nsx_sg_utils.get_rule_config.assert_called_with(
-            destination=dest, applied_to_ids=mock.ANY, name=mock.ANY,
+            source=mock.ANY, destination=dest, services=mock.ANY,
-            services=mock.ANY, source=mock.ANY, flags=mock.ANY)
+            name=mock.ANY, applied_to_ids=mock.ANY, flags=mock.ANY,
            logged=mock.ANY)
--- a/vmware_nsx/tests/unit/nsx_v/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_plugin.py
@ -50,6 +50,7 @@ from vmware_nsx.common import nsx_constants
 from vmware_nsx.db import nsxv_db
 from vmware_nsx.extensions import routersize as router_size
 from vmware_nsx.extensions import routertype as router_type
 from vmware_nsx.extensions import securitygrouplogging
 from vmware_nsx.extensions import vnicindex as ext_vnic_idx
 from vmware_nsx.plugins.nsx_v.vshield.common import constants as vcns_const
 from vmware_nsx.plugins.nsx_v.vshield import edge_utils
@ -2381,6 +2382,8 @@ class NsxVSecurityGroupsTestCase(ext_sg.SecurityGroupDBTestCase):
              ext_mgr=None,
              service_plugins=None):
        test_utils.override_nsx_ini_test()
        attributes.RESOURCE_ATTRIBUTE_MAP.update(
            securitygrouplogging.RESOURCE_ATTRIBUTE_MAP)
        mock_vcns = mock.patch(vmware.VCNS_NAME, autospec=True)
        mock_vcns_instance = mock_vcns.start()
        self.fc2 = fake_vcns.FakeVcns()
@ -2523,6 +2526,43 @@ class NsxVTestSecurityGroup(ext_sg.TestSecurityGroups,
        # This test is aimed to test the security-group db mixin
        pass
    def _plugin_update_security_group(self, context, id, logging):
        data = {'security_group': {'logging': logging}}
        security_group = (
            self.plugin.update_security_group(context, id, data))
        return security_group
    def _plugin_create_security_group(self, context, logging=False):
        data = {'security_group': {'name': 'SG',
                                   'tenant_id': 'tenant_id',
                                   'description': ''}}
        if logging:
            data['security_group']['logging'] = True
        security_group = (
            self.plugin.create_security_group(context, data, False))
        return security_group
    def test_create_security_group_default_logging(self):
        _context = context.get_admin_context()
        sg = self._plugin_create_security_group(_context)
        self.assertFalse(sg['logging'])
    def test_create_security_group_with_logging(self):
        _context = context.get_admin_context()
        sg = self._plugin_create_security_group(_context, logging=True)
        self.assertTrue(sg['logging'])
    def test_update_security_group_with_logging(self):
        _context = context.get_admin_context()
        sg = self._plugin_create_security_group(_context)
        sg = self._plugin_update_security_group(_context, sg['id'], True)
        self.assertTrue(sg['logging'])
    def test_security_group_logging_not_visible_for_user(self):
        _context = context.Context('user', 'tenant_id')
        sg = self._plugin_create_security_group(_context)
        self.assertFalse('logging' in sg)
 class TestVdrTestCase(L3NatTest, L3NatTestCaseBase,
                      test_l3_plugin.L3NatDBIntTestCase,