diff --git a/vmware_nsx/common/config.py b/vmware_nsx/common/config.py index 9909990a39..7d3f69d193 100644 --- a/vmware_nsx/common/config.py +++ b/vmware_nsx/common/config.py @@ -482,6 +482,9 @@ nsx_v3_opts = nsx_v3_and_p + [ help=_("(Optional) Indicates whether ENS transport zones can " "be used")), cfg.BoolOpt('disable_port_security_for_ens', + # This flag was relevant only for NSX version that did not + # support ENS with security features + deprecated_for_removal=True, default=False, help=_("When True, port security will be set to False for " "newly created ENS networks and ports, overriding " diff --git a/vmware_nsx/plugins/common_v3/plugin.py b/vmware_nsx/plugins/common_v3/plugin.py index 896fe1df8b..d5bf1ab778 100644 --- a/vmware_nsx/plugins/common_v3/plugin.py +++ b/vmware_nsx/plugins/common_v3/plugin.py @@ -364,10 +364,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, (port_security, has_ip) = self._determine_port_security_and_has_ip( context, port_data) port_data[psec.PORTSECURITY] = port_security - # No port security is allowed if the port belongs to an ENS TZ - if (port_security and is_ens_tz_port and - not self._ens_psec_supported()): - raise nsx_exc.NsxENSPortSecurity() self._process_port_port_security_create( context, port_data, neutron_db) @@ -438,10 +434,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, updated_port[addr_apidef.ADDRESS_PAIRS]) if updated_port[psec.PORTSECURITY] and psec.PORTSECURITY in port_data: - # No port security is allowed if the port belongs to an ENS TZ - if is_ens_tz_port and not self._ens_psec_supported(): - raise nsx_exc.NsxENSPortSecurity() - # No port security is allowed if the port has a direct vnic type if direct_vnic_type: err_msg = _("Security features are not supported for " 
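Review bot: Marking `disable_port_security_for_ens` with `deprecated_for_removal=True` gives operators no runtime explanation, because the reason only lives in the in-code comment above it, while the nsx_v3/plugin.py hunks in this diff remove the code that read the flag (`_validate_ens_net_portsecurity`, `_disable_ens_portsec`), so an operator who still sets it True no longer gets port security disabled and security groups cleared on ENS ports. oslo.config's BoolOpt accepts `deprecated_reason` (and `deprecated_since`), which is printed with the startup deprecation warning; suggest `deprecated_reason=_("ENS security features are supported on all NSX versions this plugin supports; as of this change the option is no longer consulted."),`. The comment could also be tightened to `# Relevant only for NSX versions that did not support ENS with security features; no longer read by the plugin.` Whether any reader of the option remains outside this diff cannot be seen here, and the enclosing nsx_v3_opts list continues past the hunk.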
@@ -887,10 +879,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, context, net_id) return qos_policy_id - def _ens_psec_supported(self): - """Should be implemented by each plugin""" - pass - def _ens_qos_supported(self): """Should be implemented by each plugin""" pass @@ -911,12 +899,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, """Should be implemented by each plugin""" pass - def _validate_ens_net_portsecurity(self, net_data): - """Validate/Update the port security of the new network for ENS TZ - Should be implemented by the plugin if necessary - """ - pass - def _is_ens_tz_net(self, context, net_id): """Return True if the network is based on an END transport zone""" tz_id = self._get_net_tz(context, net_id) @@ -1121,7 +1103,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, if not self._allow_ens_networks(): raise NotImplementedError(_("ENS support is disabled")) self._assert_on_ens_with_qos(network_data) - self._validate_ens_net_portsecurity(network_data) return {'is_provider_net': is_provider_net, 'net_type': net_type, diff --git a/vmware_nsx/plugins/nsx_p/plugin.py b/vmware_nsx/plugins/nsx_p/plugin.py index 3620d25d72..61d9676e5e 100644 --- a/vmware_nsx/plugins/nsx_p/plugin.py +++ b/vmware_nsx/plugins/nsx_p/plugin.py 
@@ -662,23 +662,10 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): def _allow_ens_networks(self): return True - def _ens_psec_supported(self): - """ENS security features are always enabled on NSX versions which - the policy plugin supports. - """ - return True - def _ens_qos_supported(self): return self.nsxpolicy.feature_supported( nsxlib_consts.FEATURE_ENS_WITH_QOS) - def _validate_ens_net_portsecurity(self, net_data): - """ENS security features are always enabled on NSX versions which - the policy plugin supports. - So no validation is needed - """ - pass - def _assert_on_resource_admin_state_down(self, resource_data): """Network & port admin state is only supported with passthrough api""" if (not cfg.CONF.nsx_p.allow_passthrough and diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py index 0eb85251ae..154b59a8d1 100644 --- a/vmware_nsx/plugins/nsx_v3/plugin.py +++ b/vmware_nsx/plugins/nsx_v3/plugin.py 
@@ -967,31 +967,10 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, return created_net - def _ens_psec_supported(self): - return self.nsxlib.feature_supported( - nsxlib_consts.FEATURE_ENS_WITH_SEC) - def _ens_qos_supported(self): return self.nsxlib.feature_supported( nsxlib_consts.FEATURE_ENS_WITH_QOS) - def _validate_ens_net_portsecurity(self, net_data): - """Validate/Update the port security of the new network for ENS TZ""" - if not self._ens_psec_supported(): - if cfg.CONF.nsx_v3.disable_port_security_for_ens: - # Override the port-security to False - if net_data[psec.PORTSECURITY]: - LOG.warning("Disabling port security for new network") - # Set the port security to False - net_data[psec.PORTSECURITY] = False - - elif net_data.get(psec.PORTSECURITY): - # Port security enabled is not allowed - raise nsx_exc.NsxENSPortSecurity() - else: - # Update the default port security to False if not set - net_data[psec.PORTSECURITY] = False - def delete_network(self, context, network_id): if cfg.CONF.nsx_v3.native_dhcp_metadata: self._delete_network_disable_dhcp(context, network_id) @@ -1035,7 +1014,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, utils.raise_if_updates_provider_attributes(net_data) extern_net = self._network_is_external(context, id) is_nsx_net = self._network_is_nsx_net(context, id) - is_ens_net = self._is_ens_tz_net(context, id) # Validate the updated parameters self._validate_update_network(context, id, original_net, net_data) 
@@ -1045,11 +1023,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, self._extension_manager.process_update_network(context, net_data, updated_net) if psec.PORTSECURITY in net_data: - # do not allow to enable port security on ENS networks - if (net_data[psec.PORTSECURITY] and - not original_net[psec.PORTSECURITY] and is_ens_net and - not self._ens_psec_supported()): - raise nsx_exc.NsxENSPortSecurity() self._process_network_port_security_update( context, net_data, updated_net) self._process_l3_update(context, updated_net, network['network']) @@ -1318,8 +1291,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, else: profiles.append(self._no_switch_security) if device_owner == const.DEVICE_OWNER_DHCP: - if ((not is_ens_tz_port or self._ens_psec_supported()) and - not cfg.CONF.nsx_v3.native_dhcp_metadata): + if not cfg.CONF.nsx_v3.native_dhcp_metadata: profiles.append(self._dhcp_profile) # Add QoS switching profile, if exists @@ -1333,8 +1305,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, port_mac_learning = ( validators.is_attr_set(port_data.get(mac_ext.MAC_LEARNING)) and port_data.get(mac_ext.MAC_LEARNING) is True) - if ((not is_ens_tz_port or self._ens_psec_supported()) and - self._mac_learning_profile): + if self._mac_learning_profile: if force_mac_learning or port_mac_learning: profiles.append(self._mac_learning_profile) if is_ens_tz_port: @@ -1453,14 +1424,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, LOG.warning(err_msg) raise n_exc.InvalidInput(error_message=err_msg) - def _disable_ens_portsec(self, port_data): - if (cfg.CONF.nsx_v3.disable_port_security_for_ens and - not self._ens_psec_supported()): - LOG.warning("Disabling port security for network %s", - port_data['network_id']) - port_data[psec.PORTSECURITY] = False - port_data['security_groups'] = [] - def base_create_port(self, context, port): neutron_db = super(NsxV3Plugin, self).create_port(context, port) self._extension_manager.process_create_port( 
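Review bot: With the `_ens_psec_supported()` guard removed in the `@@ -1333` hunk, the mac-learning switching profile is now attached to ENS ports on every NSX version the plugin talks to, and the leftover nesting `if self._mac_learning_profile:` / `if force_mac_learning or port_mac_learning:` reads as the residue of the deleted condition; the `@@ -1318` hunk (DHCP profile) and the `@@ -1741` hunk in the update path lose the same guard in the same shape. If the minimum supported NSX version is what makes the gate unnecessary, state that once above the profile selection, e.g. `# ENS security features (port security, mac learning) exist on every supported NSX version, so no ENS-specific gating is needed here`, since a reader of the new code otherwise has to reconstruct why `is_ens_tz_port` still matters on the following line but not for the profiles. The two conditions can then be collapsed to `if self._mac_learning_profile and (force_mac_learning or port_mac_learning):` followed by `profiles.append(self._mac_learning_profile)`. The enclosing function starts and ends outside the hunk.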
@@ -1474,8 +1437,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, self._validate_create_port(context, port_data) self._assert_on_dhcp_relay_without_router(context, port_data) is_ens_tz_port = self._is_ens_tz_port(context, port_data) - if is_ens_tz_port: - self._disable_ens_portsec(port_data) is_external_net = self._network_is_external( context, port_data['network_id']) @@ -1518,23 +1479,12 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, 'disabled') LOG.error(msg) raise n_exc.InvalidInput(error_message=msg) - if (is_ens_tz_port and not self._ens_psec_supported() and - not port_data.get(mac_ext.MAC_LEARNING)): - msg = _('Cannot disable Mac learning for ENS TZ') - LOG.error(msg) - raise n_exc.InvalidInput(error_message=msg) # save the mac learning value in the DB self._create_mac_learning_state(context, port_data) elif mac_ext.MAC_LEARNING in port_data: # This is due to the fact that the default is # ATTR_NOT_SPECIFIED port_data.pop(mac_ext.MAC_LEARNING) - # For a ENZ TZ mac learning is always enabled - if (is_ens_tz_port and not self._ens_psec_supported() and - mac_ext.MAC_LEARNING not in port_data): - # Set the default and add to the DB - port_data[mac_ext.MAC_LEARNING] = True - self._create_mac_learning_state(context, port_data) # Operations to backend should be done outside of DB transaction. # NOTE(arosen): ports on external networks are nat rules and do @@ -1723,7 +1673,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, # Update the DHCP profile if (updated_device_owner == const.DEVICE_OWNER_DHCP and - (not is_ens_tz_port or self._ens_psec_supported()) and not cfg.CONF.nsx_v3.native_dhcp_metadata): switch_profile_ids.append(self._dhcp_profile) 
@@ -1741,8 +1690,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, psec_is_on) port_mac_learning = updated_port.get(mac_ext.MAC_LEARNING) is True # Add mac_learning profile if it exists and is configured - if ((not is_ens_tz_port or self._ens_psec_supported()) and - self._mac_learning_profile): + if self._mac_learning_profile: if force_mac_learning or port_mac_learning: switch_profile_ids.append(self._mac_learning_profile) if is_ens_tz_port: @@ -1837,11 +1785,6 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base, self._extend_nsx_port_dict_binding(context, updated_port) mac_learning_state = updated_port.get(mac_ext.MAC_LEARNING) if mac_learning_state is not None: - if (not mac_learning_state and is_ens_tz_port and - not self._ens_psec_supported()): - msg = _('Mac learning cannot be disabled with ENS TZ') - LOG.error(msg) - raise n_exc.InvalidInput(error_message=msg) if port_security and mac_learning_state: msg = _('Mac learning requires that port security be ' 'disabled') diff --git a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py index 422bb2296e..9b79e6d035 100644 --- a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py +++ b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py 
@@ -537,24 +537,6 @@ class TestNetworksV2(test_plugin.TestNetworksV2, NsxV3PluginTestCaseMixin): # should succeed, and net should have port security disabled self.assertFalse(res['network']['port_security_enabled']) - def test_create_ens_network_with_port_sec(self): - cfg.CONF.set_override('ens_support', True, 'nsx_v3') - providernet_args = {psec.PORTSECURITY: True} - with mock.patch("vmware_nsxlib.v3.NsxLib.get_version", - return_value='2.3.0'),\ - mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone." - "get_host_switch_mode", return_value="ENS"),\ - mock.patch("vmware_nsxlib.v3.core_resources.NsxLibLogicalSwitch." - "get", return_value={'transport_zone_id': 'xxx'}): - result = self._create_network(fmt='json', name='ens_net', - admin_state_up=True, - providernet_args=providernet_args, - arg_list=(psec.PORTSECURITY,)) - res = self.deserialize('json', result) - # should fail - self.assertEqual('NsxENSPortSecurity', - res['NeutronError']['type']) - def test_create_ens_network_with_port_sec_supported(self): cfg.CONF.set_override('ens_support', True, 'nsx_v3') providernet_args = {psec.PORTSECURITY: True} 
@@ -658,29 +640,6 @@ class TestNetworksV2(test_plugin.TestNetworksV2, NsxV3PluginTestCaseMixin): context.get_admin_context(), network['id'], data) - def test_update_ens_network(self): - cfg.CONF.set_override('ens_support', True, 'nsx_v3') - providernet_args = {psec.PORTSECURITY: False} - with mock.patch("vmware_nsxlib.v3.NsxLib.get_version", - return_value='2.3.0'),\ - mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone." - "get_host_switch_mode", return_value="ENS"),\ - mock.patch("vmware_nsxlib.v3.core_resources.NsxLibLogicalSwitch." - "get", return_value={'transport_zone_id': 'xxx'}): - result = self._create_network(fmt='json', name='ens_net', - admin_state_up=True, - providernet_args=providernet_args, - arg_list=(psec.PORTSECURITY,)) - net = self.deserialize('json', result) - net_id = net['network']['id'] - args = {'network': {psec.PORTSECURITY: True}} - req = self.new_update_request('networks', args, - net_id, fmt='json') - res = self.deserialize('json', req.get_response(self.api)) - # should fail - self.assertEqual('NsxENSPortSecurity', - res['NeutronError']['type']) - def test_update_ens_network_psec_supported(self): cfg.CONF.set_override('ens_support', True, 'nsx_v3') providernet_args = {psec.PORTSECURITY: False} 
@@ -1699,25 +1658,6 @@ class TestPortsV2(common_v3.NsxV3SubnetMixin, port = self.deserialize(self.fmt, port_req.get_response(self.api)) self.assertFalse(port['port']['port_security_enabled']) - def test_create_ens_port_with_port_sec(self): - with self.subnet() as subnet,\ - mock.patch("vmware_nsxlib.v3.NsxLib.get_version", - return_value='2.3.0'),\ - mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone." - "get_host_switch_mode", return_value="ENS"),\ - mock.patch("vmware_nsxlib.v3.core_resources.NsxLibLogicalSwitch." - "get", return_value={'transport_zone_id': 'xxx'}): - args = {'port': {'network_id': subnet['subnet']['network_id'], - 'tenant_id': subnet['subnet']['tenant_id'], - 'fixed_ips': [{'subnet_id': - subnet['subnet']['id']}], - psec.PORTSECURITY: True}} - port_req = self.new_create_request('ports', args) - res = self.deserialize('json', port_req.get_response(self.api)) - # should fail - self.assertEqual('NsxENSPortSecurity', - res['NeutronError']['type']) - def test_create_ens_port_with_port_sec_supported(self): with self.subnet() as subnet,\ mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone." 
@@ -1735,29 +1675,6 @@ class TestPortsV2(common_v3.NsxV3SubnetMixin, # should succeed self.assertTrue(res['port'][psec.PORTSECURITY]) - def test_update_ens_port(self): - with self.subnet() as subnet,\ - mock.patch("vmware_nsxlib.v3.NsxLib.get_version", - return_value='2.3.0'),\ - mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone." - "get_host_switch_mode", return_value="ENS"),\ - mock.patch("vmware_nsxlib.v3.core_resources.NsxLibLogicalSwitch." - "get", return_value={'transport_zone_id': 'xxx'}): - args = {'port': {'network_id': subnet['subnet']['network_id'], - 'tenant_id': subnet['subnet']['tenant_id'], - 'fixed_ips': [{'subnet_id': - subnet['subnet']['id']}], - psec.PORTSECURITY: False}} - port_req = self.new_create_request('ports', args) - port = self.deserialize(self.fmt, port_req.get_response(self.api)) - port_id = port['port']['id'] - args = {'port': {psec.PORTSECURITY: True}} - req = self.new_update_request('ports', args, port_id) - res = self.deserialize('json', req.get_response(self.api)) - # should fail - self.assertEqual('NsxENSPortSecurity', - res['NeutronError']['type']) - def test_update_ens_port_psec_supported(self): with self.subnet() as subnet,\ mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone."