From 6ce6b4a77f0d07f0693dad6a49a80f1cd12c6852 Mon Sep 17 00:00:00 2001 From: Anna Khmelnitsky Date: Mon, 15 Apr 2019 14:21:47 -0700 Subject: [PATCH] NSX|P: Always use default domain The plugin used to create domain per openstack project. However nsx policy is phasing out domains as a concept. The plugin will now place all configuration in default domain. Change-Id: I4b597d66a0dcd866034ec1cc5b92597d16c60f1c --- vmware_nsx/plugins/nsx_p/plugin.py | 77 +++++++---------- .../fwaas/nsx_p/fwaas_callbacks_v2.py | 84 +++++++++++-------- .../plugins/nsxp/resources/securitygroups.py | 4 +- .../test_provider_security_groups.py | 6 +- .../tests/unit/nsx_p/test_fwaas_v2_driver.py | 27 +++--- vmware_nsx/tests/unit/nsx_p/test_plugin.py | 9 +- 6 files changed, 102 insertions(+), 105 deletions(-) diff --git a/vmware_nsx/plugins/nsx_p/plugin.py b/vmware_nsx/plugins/nsx_p/plugin.py index 65e704cbfc..56f8489d3b 100644 --- a/vmware_nsx/plugins/nsx_p/plugin.py +++ b/vmware_nsx/plugins/nsx_p/plugin.py @@ -1470,8 +1470,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): # remove the edge firewall if self.fwaas_callbacks and self.fwaas_callbacks.fwaas_enabled: - self.fwaas_callbacks.delete_router_gateway_policy( - project_id, router_id) + self.fwaas_callbacks.delete_router_gateway_policy(router_id) self.nsxpolicy.tier1.update(router_id, disable_firewall=True) # remove the edge cluster from the tier1 router @@ -2203,8 +2202,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): self._prepare_exclude_list_group() self._add_exclude_list_group() - def _create_security_group_backend_resources(self, context, secgroup, - domain_id): + def _create_security_group_backend_resources(self, context, secgroup): """Create communication map (=section) and group (=NS group) Both will have the security group id as their NSX id. @@ -2224,7 +2222,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): # Create the group try: self.nsxpolicy.group.create_or_overwrite_with_conditions( - nsx_name, domain_id, group_id=sg_id, + nsx_name, NSX_P_GLOBAL_DOMAIN_ID, group_id=sg_id, description=secgroup.get('description'), conditions=[condition], tags=tags) except Exception as e: @@ -2238,13 +2236,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): # create the communication map (=section) without and entries (=rules) try: self.nsxpolicy.comm_map.create_or_overwrite_map_only( - nsx_name, domain_id, map_id=sg_id, + nsx_name, NSX_P_GLOBAL_DOMAIN_ID, map_id=sg_id, description=secgroup.get('description'), tags=tags, category=category) except Exception as e: msg = (_("Failed to create NSX communication map for SG %(sg)s: " "%(e)s") % {'sg': sg_id, 'e': e}) - self.nsxpolicy.group.delete(domain_id, sg_id) + self.nsxpolicy.group.delete(NSX_P_GLOBAL_DOMAIN_ID, sg_id) raise nsx_exc.NsxPluginException(err_msg=msg) def _get_rule_ip_protocol(self, sg_rule): @@ -2310,7 +2308,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): def _get_sg_rule_local_ip_group_id(self, sg_rule): return '%s_local_group' % sg_rule['id'] - def _create_security_group_backend_rule(self, context, domain_id, map_id, + def _create_security_group_backend_rule(self, context, map_id, sg_rule, secgroup_logging, is_provider_sg=False): # The id of the map and group is the same as the security group id @@ -2338,7 +2336,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): expr = self.nsxpolicy.group.build_ip_address_expression( [remote_ip]) self.nsxpolicy.group.create_or_overwrite_with_conditions( - remote_group_id, domain_id, group_id=remote_group_id, + remote_group_id, NSX_P_GLOBAL_DOMAIN_ID, + group_id=remote_group_id, description='%s for OS rule %s' % (remote_ip, sg_rule['id']), conditions=[expr], tags=tags) source = remote_group_id @@ -2349,7 +2348,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): expr = self.nsxpolicy.group.build_ip_address_expression( [local_ip]) self.nsxpolicy.group.create_or_overwrite_with_conditions( - local_group_id, domain_id, group_id=local_group_id, + local_group_id, NSX_P_GLOBAL_DOMAIN_ID, + group_id=local_group_id, description='%s for OS rule %s' % (local_ip, sg_rule['id']), conditions=[expr], tags=tags) destination = local_group_id @@ -2362,11 +2362,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): ip_protocol = self._get_rule_ip_protocol(sg_rule) logging = (cfg.CONF.nsx_p.log_security_groups_allowed_traffic or secgroup_logging) - scope = [self.nsxpolicy.group.get_path(domain_id, this_group_id)] + scope = [self.nsxpolicy.group.get_path(NSX_P_GLOBAL_DOMAIN_ID, + this_group_id)] action = (policy_constants.ACTION_DENY if is_provider_sg else policy_constants.ACTION_ALLOW) self.nsxpolicy.comm_map.create_entry( - nsx_name, domain_id, map_id, entry_id=sg_rule['id'], + nsx_name, NSX_P_GLOBAL_DOMAIN_ID, + map_id, entry_id=sg_rule['id'], description=sg_rule.get('description'), service_ids=[service] if service else None, ip_protocol=ip_protocol, @@ -2376,27 +2378,6 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): scope=scope, direction=direction, logged=logging) - def _create_project_domain(self, context, project_id): - """Return the NSX domain id of a neutron project - - The ID of the created domain will be the same as the project ID - so there is no need to keep it in the neutron DB - """ - tags = self.nsxpolicy.build_v3_api_version_project_tag( - context.tenant_name) - try: - domain_id = self.nsxpolicy.domain.create_or_overwrite( - name=project_id, - domain_id=project_id, - description="Domain for OS project %s" % project_id, - tags=tags) - except Exception as e: - msg = (_("Failed to create NSX domain for project %(proj)s: " - "%(e)s") % {'proj': project_id, 'e': e}) - raise nsx_exc.NsxPluginException(err_msg=msg) - LOG.info("NSX Domain was created for project %s", project_id) - return domain_id - def create_security_group(self, context, security_group, default_sg=False): secgroup = security_group['security_group'] # Make sure the ID is initialized, as it is used for the backend @@ -2406,9 +2387,6 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): project_id = secgroup['tenant_id'] if not default_sg: self._ensure_default_security_group(context, project_id) - else: - # create the NSX policy domain for this new project - self._create_project_domain(context, project_id) # create the Neutron SG with db_api.CONTEXT_WRITER.using(context): @@ -2428,14 +2406,14 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): try: # Create Group & communication map on the NSX self._create_security_group_backend_resources( - context, secgroup, project_id) + context, secgroup) # Add the security-group rules sg_rules = secgroup_db['security_group_rules'] secgroup_logging = secgroup.get(sg_logging.LOGGING, False) for sg_rule in sg_rules: self._create_security_group_backend_rule( - context, project_id, secgroup_db['id'], sg_rule, + context, secgroup_db['id'], sg_rule, secgroup_logging) except Exception as e: with excutils.save_and_reraise_exception(): @@ -2463,11 +2441,11 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): self._process_security_group_properties_update( context, secgroup_res, sg_data) + domain_id = NSX_P_GLOBAL_DOMAIN_ID # Update the name and description on NSX backend if 'name' in sg_data or 'description' in sg_data: nsx_name = utils.get_name_and_uuid( secgroup_res['name'] or 'securitygroup', sg_id) - domain_id = secgroup_res['tenant_id'] try: self.nsxpolicy.group.update( domain_id, sg_id, @@ -2497,13 +2475,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): super(NsxPolicyPlugin, self).delete_security_group(context, sg_id) - domain_id = sg['tenant_id'] + domain_id = NSX_P_GLOBAL_DOMAIN_ID try: self.nsxpolicy.comm_map.delete(domain_id, sg_id) self.nsxpolicy.group.delete(domain_id, sg_id) for rule in sg['security_group_rules']: self._delete_security_group_rule_backend_resources( - context, domain_id, rule) + context, rule) except nsx_lib_exc.ResourceNotFound: # If the resource was not found on the backend do not worry about # it. The conditions has already been logged, so there is no need @@ -2543,19 +2521,18 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): self._process_security_group_rule_properties( context, rules_db[i], r['security_group_rule']) - domain_id = sg['tenant_id'] is_provider_sg = sg.get(provider_sg.PROVIDER) secgroup_logging = self._is_security_group_logged(context, sg_id) for rule_data in rules_db: # create the NSX backend rule self._create_security_group_backend_rule( - context, domain_id, sg_id, rule_data, secgroup_logging, + context, sg_id, rule_data, secgroup_logging, is_provider_sg=is_provider_sg) return rules_db def _delete_security_group_rule_backend_resources( - self, context, domain_id, rule_db): + self, context, rule_db): rule_id = rule_db['id'] # try to delete the service of this rule, if exists if rule_db['protocol']: @@ -2568,7 +2545,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): if rule_db['remote_ip_prefix']: try: remote_group_id = self._get_sg_rule_remote_ip_group_id(rule_db) - self.nsxpolicy.group.delete(domain_id, remote_group_id) + self.nsxpolicy.group.delete(NSX_P_GLOBAL_DOMAIN_ID, + remote_group_id) except nsx_lib_exc.ResourceNotFound: pass @@ -2576,7 +2554,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): if self._get_security_group_rule_local_ip(context, rule_id): try: local_group_id = self._get_sg_rule_local_ip_group_id(rule_db) - self.nsxpolicy.group.delete(domain_id, local_group_id) + self.nsxpolicy.group.delete(NSX_P_GLOBAL_DOMAIN_ID, + local_group_id) except nsx_lib_exc.ResourceNotFound: pass @@ -2584,13 +2563,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base): rule_db = self._get_security_group_rule(context, rule_id) sg_id = rule_db['security_group_id'] self._prevent_non_admin_edit_provider_sg(context, sg_id) - domain_id = rule_db['tenant_id'] # Delete the rule itself try: - self.nsxpolicy.comm_map.delete_entry(domain_id, sg_id, rule_id) + self.nsxpolicy.comm_map.delete_entry( + policy_constants.DEFAULT_DOMAIN, sg_id, rule_id) self._delete_security_group_rule_backend_resources( - context, domain_id, rule_db) + context, rule_db) except nsx_lib_exc.ResourceNotFound: # Go on with the deletion anyway pass diff --git a/vmware_nsx/services/fwaas/nsx_p/fwaas_callbacks_v2.py b/vmware_nsx/services/fwaas/nsx_p/fwaas_callbacks_v2.py index 1c067bd79f..e384aedb95 100644 --- a/vmware_nsx/services/fwaas/nsx_p/fwaas_callbacks_v2.py +++ b/vmware_nsx/services/fwaas/nsx_p/fwaas_callbacks_v2.py @@ -54,13 +54,14 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): def nsxpolicy(self): return self.core_plugin.nsxpolicy - def _get_default_backend_rule(self, domain_id, router_id): + def _get_default_backend_rule(self, router_id): """Return the default allow-all rule entry This rule enrty will be added to the end of the rules list """ return self.nsxpolicy.gateway_policy.build_entry( - DEFAULT_RULE_NAME, domain_id, router_id, + DEFAULT_RULE_NAME, + policy_constants.DEFAULT_DOMAIN, router_id, self._get_random_rule_id(DEFAULT_RULE_ID), description=DEFAULT_RULE_NAME, sequence_number=None, @@ -69,7 +70,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): source_groups=None, dest_groups=None, direction=nsx_constants.IN_OUT) - def _translate_service(self, domain_id, router_id, rule): + def _translate_service(self, project_id, router_id, rule): """Return the NSX Policy service id matching the FW rule service. L4 protocol service will be created per router-id & rule-id @@ -81,7 +82,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): if rule.get('protocol'): tags = self.nsxpolicy.build_v3_tags_payload( rule, resource_type='os-neutron-fwrule-id', - project_name=domain_id) + project_name=project_id) tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id) l4_protocol = v3_utils.translate_fw_rule_protocol( rule.get('protocol')) @@ -155,7 +156,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): LOG.error(error_msg) raise self.driver_exception(driver=self.driver_name) - def _get_rule_cidr_group(self, domain_id, router_id, rule, is_source, + def _get_rule_cidr_group(self, project_id, router_id, rule, is_source, is_ingress): field = 'source_ip_address' if is_source else 'destination_ip_address' direction_text = 'source' if is_source else 'destination' @@ -169,16 +170,16 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): [group_ips]) tags = self.nsxpolicy.build_v3_tags_payload( rule, resource_type='os-neutron-fwrule-id', - project_name=domain_id) + project_name=project_id) tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id) self.nsxpolicy.group.create_or_overwrite_with_conditions( "FW_rule_%s_%s" % (rule['id'], direction_text), - domain_id, group_id=group_id, + policy_constants.DEFAULT_DOMAIN, group_id=group_id, description='%s: %s' % (direction_text, group_ips), conditions=[expr], tags=tags) return group_id - def _create_network_group(self, domain_id, router_id, neutron_net_id): + def _create_network_group(self, router_id, neutron_net_id): scope_and_tag = "%s|%s" % ('os-neutron-net-id', neutron_net_id) tags = [] tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id) @@ -189,14 +190,14 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): group_id = '%s-%s' % (router_id, neutron_net_id) self.nsxpolicy.group.create_or_overwrite_with_conditions( "Segment_%s" % neutron_net_id, - domain_id, + policy_constants.DEFAULT_DOMAIN, group_id=group_id, description='Group for segment %s' % neutron_net_id, conditions=[expr], tags=tags) return group_id - def _translate_rules(self, domain_id, router_id, segment_group, + def _translate_rules(self, project_id, router_id, segment_group, fwaas_rules, is_ingress, logged=False): """Translate a list of FWaaS rules to NSX rule structure""" translated_rules = [] @@ -223,22 +224,24 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): driver=self.internal_driver.driver_name) src_group = self._get_rule_cidr_group( - domain_id, router_id, rule, is_source=True, + project_id, router_id, rule, is_source=True, is_ingress=is_ingress) if not is_ingress and not src_group: src_group = segment_group dest_group = self._get_rule_cidr_group( - domain_id, router_id, rule, is_source=False, + project_id, router_id, rule, is_source=False, is_ingress=is_ingress) if is_ingress and not dest_group: dest_group = segment_group - srv_id = self._translate_service(domain_id, router_id, rule) + srv_id = self._translate_service(project_id, router_id, rule) direction = nsx_constants.IN if is_ingress else nsx_constants.OUT ip_protocol = (nsx_constants.IPV4 if rule.get('ip_version', 4) == 4 else nsx_constants.IPV6) rule_entry = self.nsxpolicy.gateway_policy.build_entry( - rule_name, domain_id, router_id, rule_id, + rule_name, + policy_constants.DEFAULT_DOMAIN, + router_id, rule_id, description=rule.get('description'), action=action, source_groups=[src_group] if src_group else None, @@ -251,28 +254,29 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): translated_rules.append(rule_entry) return translated_rules - def _get_port_translated_rules(self, domain_id, router_id, neutron_net_id, + def _get_port_translated_rules(self, project_id, router_id, neutron_net_id, firewall_group): """Return the list of translated FWaaS rules per port Add the egress/ingress rules of this port + default drop rules in each direction for this port. """ net_group_id = self._create_network_group( - domain_id, router_id, neutron_net_id) + router_id, neutron_net_id) port_rules = [] # Add the firewall group ingress/egress rules only if the fw is up if firewall_group['admin_state_up']: port_rules.extend(self._translate_rules( - domain_id, router_id, net_group_id, + project_id, router_id, net_group_id, firewall_group['ingress_rule_list'], is_ingress=True)) port_rules.extend(self._translate_rules( - domain_id, router_id, net_group_id, + project_id, router_id, net_group_id, firewall_group['egress_rule_list'], is_ingress=False)) # Add ingress/egress block rules for this port port_rules.extend([ self.nsxpolicy.gateway_policy.build_entry( - "Block port ingress", domain_id, router_id, + "Block port ingress", + policy_constants.DEFAULT_DOMAIN, router_id, self._get_random_rule_id( DEFAULT_RULE_ID + neutron_net_id + 'ingress'), action=nsx_constants.FW_ACTION_DROP, @@ -280,7 +284,8 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): scope=[self.nsxpolicy.tier1.get_path(router_id)], direction=nsx_constants.IN), self.nsxpolicy.gateway_policy.build_entry( - "Block port egress", domain_id, router_id, + "Block port egress", + policy_constants.DEFAULT_DOMAIN, router_id, self._get_random_rule_id( DEFAULT_RULE_ID + neutron_net_id + 'egress'), action=nsx_constants.FW_ACTION_DROP, @@ -308,7 +313,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): router calls, and if it is True - add the service router accordingly. """ plugin = self.core_plugin - domain_id = router['project_id'] + project_id = router['project_id'] fw_rules = [] router_with_fw = False # Add firewall rules per port attached to a firewall group @@ -321,10 +326,10 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): # Add the FWaaS rules for this port:ingress/egress firewall # rules + default ingress/egress drop rule for this port fw_rules.extend(self._get_port_translated_rules( - domain_id, router_id, port['network_id'], fwg)) + project_id, router_id, port['network_id'], fwg)) # Add a default allow-all rule to all other traffic & ports - fw_rules.append(self._get_default_backend_rule(domain_id, router_id)) + fw_rules.append(self._get_default_backend_rule(router_id)) self._set_rules_order(fw_rules) # Update the backend router firewall @@ -345,31 +350,32 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): # No other services that require service router: delete it # This also deleted the gateway policy. self.core_plugin.delete_service_router( - context, domain_id, router_id) + context, policy_constants.DEFAULT_DOMAIN, router_id) sr_exists_on_backend = False if sr_exists_on_backend: # update the edge firewall - self.create_router_gateway_policy(context, domain_id, router_id, + self.create_router_gateway_policy(context, router_id, router, fw_rules) if not router_with_fw: # Do all the cleanup once the router has no more FW rules - self.delete_router_gateway_policy(domain_id, router_id) - self.cleanup_router_fw_resources(domain_id, router_id) + self.delete_router_gateway_policy(router_id) + self.cleanup_router_fw_resources(router_id) - def create_router_gateway_policy(self, context, domain_id, router_id, + def create_router_gateway_policy(self, context, router_id, router, fw_rules): """Create/Overwrite gateway policy for a router with firewall rules""" # Check if the gateway policy already exists try: - self.nsxpolicy.gateway_policy.get(domain_id, map_id=router_id) + self.nsxpolicy.gateway_policy.get(policy_constants.DEFAULT_DOMAIN, + map_id=router_id) except nsx_lib_exc.ResourceNotFound: LOG.info("Going to create gateway policy for router %s", router_id) else: # only update the rules of this policy self.nsxpolicy.gateway_policy.update_entries( - domain_id, router_id, fw_rules) + policy_constants.DEFAULT_DOMAIN, router_id, fw_rules) return tags = self.nsxpolicy.build_v3_tags_payload( @@ -377,33 +383,37 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2): project_name=context.tenant_name) policy_name = GATEWAY_POLICY_NAME % router_id self.nsxpolicy.gateway_policy.create_with_entries( - policy_name, domain_id, map_id=router_id, + policy_name, policy_constants.DEFAULT_DOMAIN, + map_id=router_id, description=policy_name, tags=tags, entries=fw_rules, category=policy_constants.CATEGORY_LOCAL_GW) - def delete_router_gateway_policy(self, domain_id, router_id): + def delete_router_gateway_policy(self, router_id): """Delete the gateway policy associated with a router, it it exists. Should be called when the router is deleted / FW removed from it """ try: - self.nsxpolicy.gateway_policy.get(domain_id, map_id=router_id) + self.nsxpolicy.gateway_policy.get(policy_constants.DEFAULT_DOMAIN, + map_id=router_id) except nsx_lib_exc.ResourceNotFound: return - self.nsxpolicy.gateway_policy.delete(domain_id, map_id=router_id) + self.nsxpolicy.gateway_policy.delete(policy_constants.DEFAULT_DOMAIN, + map_id=router_id) # Also delete all groups & services - self.cleanup_router_fw_resources(domain_id, router_id) + self.cleanup_router_fw_resources(router_id) - def cleanup_router_fw_resources(self, domain_id, router_id): + def cleanup_router_fw_resources(self, router_id): tags_to_search = [{'scope': ROUTER_FW_TAG, 'tag': router_id}] # Delete per rule & per network groups groups = self.nsxpolicy.search_by_tags( tags_to_search, self.nsxpolicy.group.entry_def.resource_type())['results'] for group in groups: - self.nsxpolicy.group.delete(domain_id, group['id']) + self.nsxpolicy.group.delete(policy_constants.DEFAULT_DOMAIN, + group['id']) services = self.nsxpolicy.search_by_tags( tags_to_search, diff --git a/vmware_nsx/shell/admin/plugins/nsxp/resources/securitygroups.py b/vmware_nsx/shell/admin/plugins/nsxp/resources/securitygroups.py index a06a22067a..7c13dd846c 100644 --- a/vmware_nsx/shell/admin/plugins/nsxp/resources/securitygroups.py +++ b/vmware_nsx/shell/admin/plugins/nsxp/resources/securitygroups.py @@ -19,6 +19,8 @@ from vmware_nsx.shell.admin.plugins.common import constants from vmware_nsx.shell.admin.plugins.common import utils as admin_utils from vmware_nsx.shell.admin.plugins.nsxp.resources import utils as p_utils +from vmware_nsxlib.v3.policy import constants as policy_constants + neutron_client = securitygroups_db.SecurityGroupDbMixin() @@ -33,8 +35,8 @@ def list_security_groups(resource, event, trigger, **kwargs): nsxpolicy = p_utils.get_connected_nsxpolicy() ctx = context.get_admin_context() sgs = neutron_client.get_security_groups(ctx) + domain_id = policy_constants.DEFAULT_DOMAIN for sg in sgs: - domain_id = sg['tenant_id'] map_status = p_utils.get_realization_info( nsxpolicy.comm_map, domain_id, sg['id']) group_status = p_utils.get_realization_info( diff --git a/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py b/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py index 9ea247a328..ae4e655c10 100644 --- a/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py +++ b/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py @@ -409,11 +409,11 @@ class TestNSXpProviderSecurityGrp(test_nsxp_plugin.NsxPPluginTestCaseMixin, with self.security_group_rule(security_group_id=sg_id) as rule: rule_data = rule['security_group_rule'] rule_id = rule_data['id'] - project_id = rule_data['project_id'] scope = [self.plugin.nsxpolicy.group.get_path( - project_id, sg_id)] + policy_constants.DEFAULT_DOMAIN, sg_id)] entry_create.assert_called_once_with( - rule_id, project_id, sg_id, entry_id=rule_id, + rule_id, policy_constants.DEFAULT_DOMAIN, + sg_id, entry_id=rule_id, description='', direction=nsx_constants.IN, ip_protocol=nsx_constants.IPV4, diff --git a/vmware_nsx/tests/unit/nsx_p/test_fwaas_v2_driver.py b/vmware_nsx/tests/unit/nsx_p/test_fwaas_v2_driver.py index ae0625fd36..36380d00d1 100644 --- a/vmware_nsx/tests/unit/nsx_p/test_fwaas_v2_driver.py +++ b/vmware_nsx/tests/unit/nsx_p/test_fwaas_v2_driver.py @@ -25,6 +25,7 @@ from vmware_nsx.services.fwaas.nsx_p import edge_fwaas_driver_v2 from vmware_nsx.services.fwaas.nsx_p import fwaas_callbacks_v2 from vmware_nsx.tests.unit.nsx_p import test_plugin as test_p_plugin from vmware_nsxlib.v3 import nsx_constants as consts +from vmware_nsxlib.v3.policy import constants as policy_constants FAKE_FW_ID = 'fake_fw_uuid' FAKE_ROUTER_ID = 'fake_rtr_uuid' @@ -60,7 +61,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin): def _default_rule(self, seq_num): return self.plugin.nsxpolicy.gateway_policy.build_entry( fwaas_callbacks_v2.DEFAULT_RULE_NAME, - self.project_id, FAKE_ROUTER_ID, + policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, fwaas_callbacks_v2.DEFAULT_RULE_ID, description=fwaas_callbacks_v2.DEFAULT_RULE_NAME, action=consts.FW_ACTION_ALLOW, @@ -72,7 +73,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin): net_group_id = '%s-%s' % (FAKE_ROUTER_ID, FAKE_NET_ID) ingress_rule = self.plugin.nsxpolicy.gateway_policy.build_entry( "Block port ingress", - self.project_id, FAKE_ROUTER_ID, + policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, fwaas_callbacks_v2.DEFAULT_RULE_ID + FAKE_NET_ID + 'ingress', action=consts.FW_ACTION_DROP, dest_groups=[net_group_id], @@ -82,7 +83,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin): egress_rule = self.plugin.nsxpolicy.gateway_policy.build_entry( "Block port egress", - self.project_id, FAKE_ROUTER_ID, + policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, fwaas_callbacks_v2.DEFAULT_RULE_ID + FAKE_NET_ID + 'egress', action=consts.FW_ACTION_DROP, source_groups=[net_group_id], @@ -172,21 +173,25 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin): if (fw_rule.get('source_ip_address') and not fw_rule['source_ip_address'].startswith('0.0.0.0')): self.assertEqual(['/infra/domains/%s/groups/source-%s' % ( - self.project_id, fw_rule['id'])], + policy_constants.DEFAULT_DOMAIN, + fw_rule['id'])], nsx_rule['source_groups']) elif not is_ingress: self.assertEqual(['/infra/domains/%s/groups/%s-%s' % ( - self.project_id, FAKE_ROUTER_ID, FAKE_NET_ID)], + policy_constants.DEFAULT_DOMAIN, + FAKE_ROUTER_ID, FAKE_NET_ID)], nsx_rule['source_groups']) if (fw_rule.get('destination_ip_address') and not fw_rule['destination_ip_address'].startswith('0.0.0.0')): self.assertEqual(['/infra/domains/%s/groups/destination-%s' % ( - self.project_id, fw_rule['id'])], + policy_constants.DEFAULT_DOMAIN, + fw_rule['id'])], nsx_rule['destination_groups']) elif is_ingress: self.assertEqual(['/infra/domains/%s/groups/%s-%s' % ( - self.project_id, FAKE_ROUTER_ID, FAKE_NET_ID)], + policy_constants.DEFAULT_DOMAIN, + FAKE_ROUTER_ID, FAKE_NET_ID)], nsx_rule['destination_groups']) def _fake_empty_firewall_group(self): @@ -245,7 +250,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin): expected_rules = (self._block_interface_rules(0) + [self._default_rule(2)]) update_fw.assert_called_once_with( - self.project_id, FAKE_ROUTER_ID, mock.ANY) + policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY) # compare rules one by one actual_rules = update_fw.call_args[0][2] self.assertEqual(len(expected_rules), len(actual_rules)) @@ -274,7 +279,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin): expected_default_rules = self._block_interface_rules( len(rule_list)) + [self._default_rule(len(rule_list) + 2)] update_fw.assert_called_once_with( - self.project_id, FAKE_ROUTER_ID, mock.ANY) + policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY) # compare rules one by one actual_rules = update_fw.call_args[0][2] @@ -336,7 +341,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin): # expecting only the default allow-all rule expected_rules = [self._default_rule(0)] update_fw.assert_called_once_with( - self.project_id, FAKE_ROUTER_ID, mock.ANY) + policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY) # compare rules one by one actual_rules = update_fw.call_args[0][2] self.assertEqual(len(expected_rules), len(actual_rules)) @@ -358,7 +363,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin): # expecting only the default allow-all rule expected_rules = [self._default_rule(0)] update_fw.assert_called_once_with( - self.project_id, FAKE_ROUTER_ID, mock.ANY) + policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY) # compare rules one by one actual_rules = update_fw.call_args[0][2] self.assertEqual(len(expected_rules), len(actual_rules)) diff --git a/vmware_nsx/tests/unit/nsx_p/test_plugin.py b/vmware_nsx/tests/unit/nsx_p/test_plugin.py index b707f54a78..0252a350c2 100644 --- a/vmware_nsx/tests/unit/nsx_p/test_plugin.py +++ b/vmware_nsx/tests/unit/nsx_p/test_plugin.py @@ -1196,11 +1196,11 @@ class NsxPTestSecurityGroup(common_v3.FixExternalNetBaseTest, sg_id = sg['security_group']['id'] nsx_name = utils.get_name_and_uuid(name, sg_id) group_create.assert_called_once_with( - nsx_name, self.project_id, group_id=sg_id, + nsx_name, policy_constants.DEFAULT_DOMAIN, group_id=sg_id, description=description, conditions=[mock.ANY], tags=mock.ANY) comm_map_create.assert_called_once_with( - nsx_name, self.project_id, map_id=sg_id, + nsx_name, policy_constants.DEFAULT_DOMAIN, map_id=sg_id, description=description, tags=mock.ANY, category=policy_constants.CATEGORY_ENVIRONMENT) @@ -1284,9 +1284,10 @@ class NsxPTestSecurityGroup(common_v3.FixExternalNetBaseTest, remote_ip_prefix) as rule: rule_id = rule['security_group_rule']['id'] scope = [self.plugin.nsxpolicy.group.get_path( - self.project_id, sg_id)] + policy_constants.DEFAULT_DOMAIN, sg_id)] entry_create.assert_called_once_with( - rule_id, self.project_id, sg_id, entry_id=rule_id, + rule_id, policy_constants.DEFAULT_DOMAIN, + sg_id, entry_id=rule_id, description='', direction=nsx_constants.IN, ip_protocol=nsx_constants.IPV4,