From 7e1b1f1cf29c4950b3dc02e445f61d383a7feec9 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Thu, 3 Nov 2016 09:05:19 +0200
Subject: [PATCH] NSX|v+v3: Allow multiple provider security groups per tenant

The admin will be able to create multiple provider security groups per tenant, and the new compute ports of this tenant will get all those security groups. This enhancement is required for the NSX Policy support, as each security group can represent 1 policy, and we may need multiple mandatory policies per tenant.

Change-Id: I058f639c94602dcce5c6f796d5fae4692481ad88
---
 vmware_nsx/db/extended_security_group.py | 10 ----------
 .../unit/extensions/test_provider_security_groups.py | 8 ++++++++
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/vmware_nsx/db/extended_security_group.py b/vmware_nsx/db/extended_security_group.py
index 182ae628b8..1e5b25bb93 100644
--- a/vmware_nsx/db/extended_security_group.py
+++ b/vmware_nsx/db/extended_security_group.py
@@ -30,7 +30,6 @@ from neutron.extensions import securitygroup as ext_sg
 from neutron_lib.api import validators
 from neutron_lib import constants as n_constants
-from vmware_nsx._i18n import _
 from vmware_nsx.extensions import providersecuritygroup as provider_sg
 from vmware_nsx.extensions import securitygrouplogging as sg_logging
@@ -169,15 +168,6 @@ class ExtendedSecurityGroupPropertiesMixin(object):
 if default_sg:
 raise provider_sg.DefaultSecurityGroupIsNotProvider()
- tenant_id = security_group['tenant_id']
- ssg = self._get_tenant_provider_security_groups(context, tenant_id)
- if ssg:
- # REVISIT(roeyc): At the moment we only allow on provider
- # security-group per tenant, this might change in the future.
- raise Exception(_("Provider Security-group already exists"
- "(%(pvdsg)s) for tenant %(tenant_id)s.")
- % {'pvdsg': ssg, 'tenant_id': tenant_id})
-
 def _get_provider_security_groups_on_port(self, context, port):
 p = port['port']
 tenant_id = p['tenant_id']
diff --git a/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py b/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py
index 9378c526a8..f1c97915f6 100644
--- a/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py
+++ b/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py
@@ -155,6 +155,14 @@ class ProviderSecurityGroupExtTestCase(
 self.assertEqual(
 provider_secgroup['security_group']['security_group_rules'], [])
+ def test_create_provider_security_groups_same_tenant(self):
+ provider_secgroup = self._create_provider_security_group()
+ self.assertTrue(provider_secgroup['security_group']['provider'])
+
+ # Verify that another one can also be created for the same tenant
+ provider_secgroup2 = self._create_provider_security_group()
+ self.assertTrue(provider_secgroup2['security_group']['provider'])
+
 def test_create_port_gets_provider_sg(self):
 # need to create provider security group first.
 provider_secgroup = self._create_provider_security_group()
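Review bot: The new test_create_provider_security_groups_same_tenant stops at creation and never checks the behaviour the commit message promises, that new compute ports of the tenant get all of the provider security groups. Provider groups are the admin-enforced policy here, so a port that silently picks up only one of them would be a missing mandatory policy that this test cannot catch. I would extend the test to create a port for the tenant after the second group and assert that both group ids are attached to it, and also pin that the two creations returned distinct groups, e.g. `self.assertNotEqual(provider_secgroup['security_group']['id'], provider_secgroup2['security_group']['id'])`. The neighbouring test_create_port_gets_provider_sg continues past the end of the hunk, so whether it covers more than the single-group case cannot be confirmed from here.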