NSX|V3: Deprecate config disable_port_security_for_ens
This config is only relevant for NSX versions before 2.4.0, which are no longer supported in this branch Change-Id: I01c920230b537f20e3c3306c5653361ef7f1ac8c
This commit is contained in:
parent
c580d508be
commit
cdec722d44
@ -482,6 +482,9 @@ nsx_v3_opts = nsx_v3_and_p + [
|
||||
help=_("(Optional) Indicates whether ENS transport zones can "
|
||||
"be used")),
|
||||
cfg.BoolOpt('disable_port_security_for_ens',
|
||||
# This flag was relevant only for NSX version that did not
|
||||
# support ENS with security features
|
||||
deprecated_for_removal=True,
|
||||
default=False,
|
||||
help=_("When True, port security will be set to False for "
|
||||
"newly created ENS networks and ports, overriding "
|
||||
|
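Review bot: The option is marked `deprecated_for_removal=True`, but the help text at the end of this hunk still promises an override ("port security will be set to False for newly created ENS networks and ports") that the V3 plugin no longer performs — the hunks removing `_validate_ens_net_portsecurity` and `_disable_ens_portsec` drop every read of `cfg.CONF.nsx_v3.disable_port_security_for_ens`, so an operator who still sets it is told only that it is deprecated, not that it is ignored. Since the flag's original effect was to silently turn off port security and clear security groups on ENS ports, it is worth saying in the option itself that no such weakening happens any more, e.g. `deprecated_reason=_("This option has no effect; ENS security features are supported on all NSX versions this branch supports.")`, and rewording the help to state the value is ignored. The `cfg.BoolOpt(...)` call continues past the end of the hunk.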
@ -364,10 +364,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
||||
(port_security, has_ip) = self._determine_port_security_and_has_ip(
|
||||
context, port_data)
|
||||
port_data[psec.PORTSECURITY] = port_security
|
||||
# No port security is allowed if the port belongs to an ENS TZ
|
||||
if (port_security and is_ens_tz_port and
|
||||
not self._ens_psec_supported()):
|
||||
raise nsx_exc.NsxENSPortSecurity()
|
||||
self._process_port_port_security_create(
|
||||
context, port_data, neutron_db)
|
||||
|
||||
@ -438,10 +434,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
||||
updated_port[addr_apidef.ADDRESS_PAIRS])
|
||||
|
||||
if updated_port[psec.PORTSECURITY] and psec.PORTSECURITY in port_data:
|
||||
# No port security is allowed if the port belongs to an ENS TZ
|
||||
if is_ens_tz_port and not self._ens_psec_supported():
|
||||
raise nsx_exc.NsxENSPortSecurity()
|
||||
|
||||
# No port security is allowed if the port has a direct vnic type
|
||||
if direct_vnic_type:
|
||||
err_msg = _("Security features are not supported for "
|
||||
@ -887,10 +879,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
||||
context, net_id)
|
||||
return qos_policy_id
|
||||
|
||||
def _ens_psec_supported(self):
|
||||
"""Should be implemented by each plugin"""
|
||||
pass
|
||||
|
||||
def _ens_qos_supported(self):
|
||||
"""Should be implemented by each plugin"""
|
||||
pass
|
||||
@ -911,12 +899,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
||||
"""Should be implemented by each plugin"""
|
||||
pass
|
||||
|
||||
def _validate_ens_net_portsecurity(self, net_data):
|
||||
"""Validate/Update the port security of the new network for ENS TZ
|
||||
Should be implemented by the plugin if necessary
|
||||
"""
|
||||
pass
|
||||
|
||||
def _is_ens_tz_net(self, context, net_id):
|
||||
"""Return True if the network is based on an END transport zone"""
|
||||
tz_id = self._get_net_tz(context, net_id)
|
||||
@ -1121,7 +1103,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
||||
if not self._allow_ens_networks():
|
||||
raise NotImplementedError(_("ENS support is disabled"))
|
||||
self._assert_on_ens_with_qos(network_data)
|
||||
self._validate_ens_net_portsecurity(network_data)
|
||||
|
||||
return {'is_provider_net': is_provider_net,
|
||||
'net_type': net_type,
|
||||
|
@ -662,23 +662,10 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
def _allow_ens_networks(self):
|
||||
return True
|
||||
|
||||
def _ens_psec_supported(self):
|
||||
"""ENS security features are always enabled on NSX versions which
|
||||
the policy plugin supports.
|
||||
"""
|
||||
return True
|
||||
|
||||
def _ens_qos_supported(self):
|
||||
return self.nsxpolicy.feature_supported(
|
||||
nsxlib_consts.FEATURE_ENS_WITH_QOS)
|
||||
|
||||
def _validate_ens_net_portsecurity(self, net_data):
|
||||
"""ENS security features are always enabled on NSX versions which
|
||||
the policy plugin supports.
|
||||
So no validation is needed
|
||||
"""
|
||||
pass
|
||||
|
||||
def _assert_on_resource_admin_state_down(self, resource_data):
|
||||
"""Network & port admin state is only supported with passthrough api"""
|
||||
if (not cfg.CONF.nsx_p.allow_passthrough and
|
||||
|
@ -967,31 +967,10 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
|
||||
return created_net
|
||||
|
||||
def _ens_psec_supported(self):
|
||||
return self.nsxlib.feature_supported(
|
||||
nsxlib_consts.FEATURE_ENS_WITH_SEC)
|
||||
|
||||
def _ens_qos_supported(self):
|
||||
return self.nsxlib.feature_supported(
|
||||
nsxlib_consts.FEATURE_ENS_WITH_QOS)
|
||||
|
||||
def _validate_ens_net_portsecurity(self, net_data):
|
||||
"""Validate/Update the port security of the new network for ENS TZ"""
|
||||
if not self._ens_psec_supported():
|
||||
if cfg.CONF.nsx_v3.disable_port_security_for_ens:
|
||||
# Override the port-security to False
|
||||
if net_data[psec.PORTSECURITY]:
|
||||
LOG.warning("Disabling port security for new network")
|
||||
# Set the port security to False
|
||||
net_data[psec.PORTSECURITY] = False
|
||||
|
||||
elif net_data.get(psec.PORTSECURITY):
|
||||
# Port security enabled is not allowed
|
||||
raise nsx_exc.NsxENSPortSecurity()
|
||||
else:
|
||||
# Update the default port security to False if not set
|
||||
net_data[psec.PORTSECURITY] = False
|
||||
|
||||
def delete_network(self, context, network_id):
|
||||
if cfg.CONF.nsx_v3.native_dhcp_metadata:
|
||||
self._delete_network_disable_dhcp(context, network_id)
|
||||
@ -1035,7 +1014,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
utils.raise_if_updates_provider_attributes(net_data)
|
||||
extern_net = self._network_is_external(context, id)
|
||||
is_nsx_net = self._network_is_nsx_net(context, id)
|
||||
is_ens_net = self._is_ens_tz_net(context, id)
|
||||
|
||||
# Validate the updated parameters
|
||||
self._validate_update_network(context, id, original_net, net_data)
|
||||
@ -1045,11 +1023,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
self._extension_manager.process_update_network(context, net_data,
|
||||
updated_net)
|
||||
if psec.PORTSECURITY in net_data:
|
||||
# do not allow to enable port security on ENS networks
|
||||
if (net_data[psec.PORTSECURITY] and
|
||||
not original_net[psec.PORTSECURITY] and is_ens_net and
|
||||
not self._ens_psec_supported()):
|
||||
raise nsx_exc.NsxENSPortSecurity()
|
||||
self._process_network_port_security_update(
|
||||
context, net_data, updated_net)
|
||||
self._process_l3_update(context, updated_net, network['network'])
|
||||
@ -1318,8 +1291,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
else:
|
||||
profiles.append(self._no_switch_security)
|
||||
if device_owner == const.DEVICE_OWNER_DHCP:
|
||||
if ((not is_ens_tz_port or self._ens_psec_supported()) and
|
||||
not cfg.CONF.nsx_v3.native_dhcp_metadata):
|
||||
if not cfg.CONF.nsx_v3.native_dhcp_metadata:
|
||||
profiles.append(self._dhcp_profile)
|
||||
|
||||
# Add QoS switching profile, if exists
|
||||
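Review bot: With the ENS qualifier removed, the new code leaves two nested single-condition ifs (`if device_owner == const.DEVICE_OWNER_DHCP:` over the added `if not cfg.CONF.nsx_v3.native_dhcp_metadata:`) where the nesting no longer carries meaning; they read better as one guard, `if (device_owner == const.DEVICE_OWNER_DHCP and not cfg.CONF.nsx_v3.native_dhcp_metadata):`. The same shape appears in the two mac-learning hunks further down (`if self._mac_learning_profile:` over `if force_mac_learning or port_mac_learning:`), which can collapse to `if self._mac_learning_profile and (force_mac_learning or port_mac_learning):`. In all three places the enclosing method starts and ends outside the hunk, and the `if is_ens_tz_port:` branch that follows the mac-learning change is not visible here, so the ENS-specific handling after it could not be checked.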
@ -1333,8 +1305,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
port_mac_learning = (
|
||||
validators.is_attr_set(port_data.get(mac_ext.MAC_LEARNING)) and
|
||||
port_data.get(mac_ext.MAC_LEARNING) is True)
|
||||
if ((not is_ens_tz_port or self._ens_psec_supported()) and
|
||||
self._mac_learning_profile):
|
||||
if self._mac_learning_profile:
|
||||
if force_mac_learning or port_mac_learning:
|
||||
profiles.append(self._mac_learning_profile)
|
||||
if is_ens_tz_port:
|
||||
@ -1453,14 +1424,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
LOG.warning(err_msg)
|
||||
raise n_exc.InvalidInput(error_message=err_msg)
|
||||
|
||||
def _disable_ens_portsec(self, port_data):
|
||||
if (cfg.CONF.nsx_v3.disable_port_security_for_ens and
|
||||
not self._ens_psec_supported()):
|
||||
LOG.warning("Disabling port security for network %s",
|
||||
port_data['network_id'])
|
||||
port_data[psec.PORTSECURITY] = False
|
||||
port_data['security_groups'] = []
|
||||
|
||||
def base_create_port(self, context, port):
|
||||
neutron_db = super(NsxV3Plugin, self).create_port(context, port)
|
||||
self._extension_manager.process_create_port(
|
||||
@ -1474,8 +1437,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
self._validate_create_port(context, port_data)
|
||||
self._assert_on_dhcp_relay_without_router(context, port_data)
|
||||
is_ens_tz_port = self._is_ens_tz_port(context, port_data)
|
||||
if is_ens_tz_port:
|
||||
self._disable_ens_portsec(port_data)
|
||||
|
||||
is_external_net = self._network_is_external(
|
||||
context, port_data['network_id'])
|
||||
@ -1518,23 +1479,12 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
'disabled')
|
||||
LOG.error(msg)
|
||||
raise n_exc.InvalidInput(error_message=msg)
|
||||
if (is_ens_tz_port and not self._ens_psec_supported() and
|
||||
not port_data.get(mac_ext.MAC_LEARNING)):
|
||||
msg = _('Cannot disable Mac learning for ENS TZ')
|
||||
LOG.error(msg)
|
||||
raise n_exc.InvalidInput(error_message=msg)
|
||||
# save the mac learning value in the DB
|
||||
self._create_mac_learning_state(context, port_data)
|
||||
elif mac_ext.MAC_LEARNING in port_data:
|
||||
# This is due to the fact that the default is
|
||||
# ATTR_NOT_SPECIFIED
|
||||
port_data.pop(mac_ext.MAC_LEARNING)
|
||||
# For a ENZ TZ mac learning is always enabled
|
||||
if (is_ens_tz_port and not self._ens_psec_supported() and
|
||||
mac_ext.MAC_LEARNING not in port_data):
|
||||
# Set the default and add to the DB
|
||||
port_data[mac_ext.MAC_LEARNING] = True
|
||||
self._create_mac_learning_state(context, port_data)
|
||||
|
||||
# Operations to backend should be done outside of DB transaction.
|
||||
# NOTE(arosen): ports on external networks are nat rules and do
|
||||
@ -1723,7 +1673,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
|
||||
# Update the DHCP profile
|
||||
if (updated_device_owner == const.DEVICE_OWNER_DHCP and
|
||||
(not is_ens_tz_port or self._ens_psec_supported()) and
|
||||
not cfg.CONF.nsx_v3.native_dhcp_metadata):
|
||||
switch_profile_ids.append(self._dhcp_profile)
|
||||
|
||||
@ -1741,8 +1690,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
psec_is_on)
|
||||
port_mac_learning = updated_port.get(mac_ext.MAC_LEARNING) is True
|
||||
# Add mac_learning profile if it exists and is configured
|
||||
if ((not is_ens_tz_port or self._ens_psec_supported()) and
|
||||
self._mac_learning_profile):
|
||||
if self._mac_learning_profile:
|
||||
if force_mac_learning or port_mac_learning:
|
||||
switch_profile_ids.append(self._mac_learning_profile)
|
||||
if is_ens_tz_port:
|
||||
@ -1837,11 +1785,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
||||
self._extend_nsx_port_dict_binding(context, updated_port)
|
||||
mac_learning_state = updated_port.get(mac_ext.MAC_LEARNING)
|
||||
if mac_learning_state is not None:
|
||||
if (not mac_learning_state and is_ens_tz_port and
|
||||
not self._ens_psec_supported()):
|
||||
msg = _('Mac learning cannot be disabled with ENS TZ')
|
||||
LOG.error(msg)
|
||||
raise n_exc.InvalidInput(error_message=msg)
|
||||
if port_security and mac_learning_state:
|
||||
msg = _('Mac learning requires that port security be '
|
||||
'disabled')
|
||||
|
@ -537,24 +537,6 @@ class TestNetworksV2(test_plugin.TestNetworksV2, NsxV3PluginTestCaseMixin):
|
||||
# should succeed, and net should have port security disabled
|
||||
self.assertFalse(res['network']['port_security_enabled'])
|
||||
|
||||
def test_create_ens_network_with_port_sec(self):
|
||||
cfg.CONF.set_override('ens_support', True, 'nsx_v3')
|
||||
providernet_args = {psec.PORTSECURITY: True}
|
||||
with mock.patch("vmware_nsxlib.v3.NsxLib.get_version",
|
||||
return_value='2.3.0'),\
|
||||
mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone."
|
||||
"get_host_switch_mode", return_value="ENS"),\
|
||||
mock.patch("vmware_nsxlib.v3.core_resources.NsxLibLogicalSwitch."
|
||||
"get", return_value={'transport_zone_id': 'xxx'}):
|
||||
result = self._create_network(fmt='json', name='ens_net',
|
||||
admin_state_up=True,
|
||||
providernet_args=providernet_args,
|
||||
arg_list=(psec.PORTSECURITY,))
|
||||
res = self.deserialize('json', result)
|
||||
# should fail
|
||||
self.assertEqual('NsxENSPortSecurity',
|
||||
res['NeutronError']['type'])
|
||||
|
||||
def test_create_ens_network_with_port_sec_supported(self):
|
||||
cfg.CONF.set_override('ens_support', True, 'nsx_v3')
|
||||
providernet_args = {psec.PORTSECURITY: True}
|
||||
@ -658,29 +640,6 @@ class TestNetworksV2(test_plugin.TestNetworksV2, NsxV3PluginTestCaseMixin):
|
||||
context.get_admin_context(),
|
||||
network['id'], data)
|
||||
|
||||
def test_update_ens_network(self):
|
||||
cfg.CONF.set_override('ens_support', True, 'nsx_v3')
|
||||
providernet_args = {psec.PORTSECURITY: False}
|
||||
with mock.patch("vmware_nsxlib.v3.NsxLib.get_version",
|
||||
return_value='2.3.0'),\
|
||||
mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone."
|
||||
"get_host_switch_mode", return_value="ENS"),\
|
||||
mock.patch("vmware_nsxlib.v3.core_resources.NsxLibLogicalSwitch."
|
||||
"get", return_value={'transport_zone_id': 'xxx'}):
|
||||
result = self._create_network(fmt='json', name='ens_net',
|
||||
admin_state_up=True,
|
||||
providernet_args=providernet_args,
|
||||
arg_list=(psec.PORTSECURITY,))
|
||||
net = self.deserialize('json', result)
|
||||
net_id = net['network']['id']
|
||||
args = {'network': {psec.PORTSECURITY: True}}
|
||||
req = self.new_update_request('networks', args,
|
||||
net_id, fmt='json')
|
||||
res = self.deserialize('json', req.get_response(self.api))
|
||||
# should fail
|
||||
self.assertEqual('NsxENSPortSecurity',
|
||||
res['NeutronError']['type'])
|
||||
|
||||
def test_update_ens_network_psec_supported(self):
|
||||
cfg.CONF.set_override('ens_support', True, 'nsx_v3')
|
||||
providernet_args = {psec.PORTSECURITY: False}
|
||||
@ -1699,25 +1658,6 @@ class TestPortsV2(common_v3.NsxV3SubnetMixin,
|
||||
port = self.deserialize(self.fmt, port_req.get_response(self.api))
|
||||
self.assertFalse(port['port']['port_security_enabled'])
|
||||
|
||||
def test_create_ens_port_with_port_sec(self):
|
||||
with self.subnet() as subnet,\
|
||||
mock.patch("vmware_nsxlib.v3.NsxLib.get_version",
|
||||
return_value='2.3.0'),\
|
||||
mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone."
|
||||
"get_host_switch_mode", return_value="ENS"),\
|
||||
mock.patch("vmware_nsxlib.v3.core_resources.NsxLibLogicalSwitch."
|
||||
"get", return_value={'transport_zone_id': 'xxx'}):
|
||||
args = {'port': {'network_id': subnet['subnet']['network_id'],
|
||||
'tenant_id': subnet['subnet']['tenant_id'],
|
||||
'fixed_ips': [{'subnet_id':
|
||||
subnet['subnet']['id']}],
|
||||
psec.PORTSECURITY: True}}
|
||||
port_req = self.new_create_request('ports', args)
|
||||
res = self.deserialize('json', port_req.get_response(self.api))
|
||||
# should fail
|
||||
self.assertEqual('NsxENSPortSecurity',
|
||||
res['NeutronError']['type'])
|
||||
|
||||
def test_create_ens_port_with_port_sec_supported(self):
|
||||
with self.subnet() as subnet,\
|
||||
mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone."
|
||||
@ -1735,29 +1675,6 @@ class TestPortsV2(common_v3.NsxV3SubnetMixin,
|
||||
# should succeed
|
||||
self.assertTrue(res['port'][psec.PORTSECURITY])
|
||||
|
||||
def test_update_ens_port(self):
|
||||
with self.subnet() as subnet,\
|
||||
mock.patch("vmware_nsxlib.v3.NsxLib.get_version",
|
||||
return_value='2.3.0'),\
|
||||
mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone."
|
||||
"get_host_switch_mode", return_value="ENS"),\
|
||||
mock.patch("vmware_nsxlib.v3.core_resources.NsxLibLogicalSwitch."
|
||||
"get", return_value={'transport_zone_id': 'xxx'}):
|
||||
args = {'port': {'network_id': subnet['subnet']['network_id'],
|
||||
'tenant_id': subnet['subnet']['tenant_id'],
|
||||
'fixed_ips': [{'subnet_id':
|
||||
subnet['subnet']['id']}],
|
||||
psec.PORTSECURITY: False}}
|
||||
port_req = self.new_create_request('ports', args)
|
||||
port = self.deserialize(self.fmt, port_req.get_response(self.api))
|
||||
port_id = port['port']['id']
|
||||
args = {'port': {psec.PORTSECURITY: True}}
|
||||
req = self.new_update_request('ports', args, port_id)
|
||||
res = self.deserialize('json', req.get_response(self.api))
|
||||
# should fail
|
||||
self.assertEqual('NsxENSPortSecurity',
|
||||
res['NeutronError']['type'])
|
||||
|
||||
def test_update_ens_port_psec_supported(self):
|
||||
with self.subnet() as subnet,\
|
||||
mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone."
|
||||
|