x/vmware-nsx
Code Issues Proposed changes

[Tempest]: Adding of Provider security Group cases.

Browse Source 
During port update with psg check vm connectivity.

Change-Id: Iec25051122fdb1bb167266108dc28ac097a15694
This commit is contained in:
Puneet Arora 2017-02-06 23:46:29 +00:00
parent 1a9e134fc1
commit ec88650306
2 changed files with 202 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

155
vmware_nsx_tempest/tests/nsxv3/api/test_provider_sec_group.py
View File

@ -67,12 +67,12 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
sg_client.delete_security_group(sg_id)
def create_security_provider_group(self, cmgr=None,
tenant_id=None, provider=False):
project_id=None, provider=False):
cmgr = cmgr or self.cmgr_adm
sg_client = cmgr.security_groups_client
sg_dict = dict(name=data_utils.rand_name('provider-sec-group'))
if tenant_id:
sg_dict['tenant_id'] = tenant_id
if project_id:
sg_dict['tenant_id'] = project_id
if provider:
sg_dict['provider'] = True
sg = sg_client.create_security_group(**sg_dict)
@ -91,14 +91,14 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
return sg.get('security_group', sg)
def create_security_group_rule(self, security_group_id,
cmgr=None, tenant_id=None,
cmgr=None, project_id=None,
protocol=None):
cmgr = cmgr or self.cmgr_adm
sgr_client = cmgr.security_group_rules_client
sgr_dict = dict(security_group_id=security_group_id,
direction='ingress', protocol=protocol)
if tenant_id:
sgr_dict['tenant_id'] = tenant_id
if project_id:
sgr_dict['tenant_id'] = project_id
sgr = sgr_client.create_security_group_rule(**sgr_dict)
return sgr.get('security_group_rule', sgr)
@ -127,7 +127,8 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
sg = self.create_security_provider_group(self.cmgr_adm, provider=True)
sg_id = sg.get('id')
show_sec_group = sg_client.show_security_group(sg_id)
self.assertEqual(True, show_sec_group['security_group']['provider'])
self.assertEqual(True, show_sec_group['security_group']['provider'],
"Provider security group created")
sg_show = sg_client.update_security_group(sg_id, description=sg_desc)
self.assertEqual(sg_desc, sg_show['security_group'].get('description'))
self.delete_security_group(sg_client, sg_id)
@ -138,9 +139,9 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
@test.attr(type='nsxv3')
@test.idempotent_id('2bc5452f-5673-4dbe-afb3-fb40bf0916a5')
def test_admin_can_create_provider_security_group_for_tenant(self):
tenant_id = self.cmgr_alt.networks_client.tenant_id
project_id = self.cmgr_alt.networks_client.tenant_id
sg = self.create_security_provider_group(self.cmgr_adm,
tenant_id=tenant_id,
project_id=project_id,
provider=True)
self.assertEqual(True, sg.get('provider'))
@ -193,6 +194,9 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
net_client = self.cmgr_adm.networks_client
body = {'name': 'provider-network'}
network = net_client.create_network(**body)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
net_client.delete_network,
network['network']['id'])
body = {"network_id": network['network']['id'],
"allocation_pools": [{"start": "2.0.0.2",
"end": "2.0.0.254"}],
@ -203,11 +207,13 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
"admin_state_up": 'true'}
port_client = self.cmgr_adm.ports_client
port_id = port_client.create_port(**body)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
port_client.delete_port,
port_id['port']['id'])
ss = port_client.show_port(port_id['port']['id'])
self.assertEqual([sg_id], ss['port']['provider_security_groups'])
body = {"id": port_id}
port_client.delete_port(port_id['port']['id'])
net_client.delete_network(network['network']['id'])
kwargs = {"provider_security_groups": ''}
port_client.update_port(port_id['port']['id'], **kwargs)
@test.attr(type='nsxv3')
@test.idempotent_id('2c44a134-f013-46b7-a2ec-14c7c38a4d8c')
@ -225,17 +231,17 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
@test.attr(type='nsxv3')
@test.idempotent_id('275abe9f-4f01-46e5-bde0-0b6840290d3b')
def test_provider_sec_group_with_multiple_rules(self):
tenant_id = self.cmgr_adm.networks_client.tenant_id
project_id = self.cmgr_adm.networks_client.tenant_id
sg = self.create_security_provider_group(self.cmgr_adm,
tenant_id=tenant_id)
project_id=project_id)
sg_rule1 = self.create_security_group_rule(sg.get('id'),
cmgr=self.cmgr_adm,
tenant_id=tenant_id,
project_id=project_id,
protocol='icmp')
sg_rule1_id = sg_rule1.get('id')
sg_rule2 = self.create_security_group_rule(sg.get('id'),
cmgr=self.cmgr_adm,
tenant_id=tenant_id,
project_id=project_id,
protocol='tcp')
sg_rule2_id = sg_rule2.get('id')
self.assertNotEqual(sg_rule1_id, sg_rule2_id)
@ -243,13 +249,16 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
@test.attr(type='nsxv3')
@test.idempotent_id('5d25370e-da6a-44a7-8565-7b1c2fc39fdc')
def test_clear_provider_sec_group_from_port(self):
tenant_id = self.cmgr_adm.networks_client.tenant_id
project_id = self.cmgr_adm.networks_client.tenant_id
self.create_security_provider_group(self.cmgr_adm,
tenant_id=tenant_id,
project_id=project_id,
provider=True)
net_client = self.cmgr_adm.networks_client
body = {'name': 'provider-network'}
network = net_client.create_network(**body)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
net_client.delete_network,
network['network']['id'])
body = {"network_id": network['network']['id'],
"allocation_pools": [{"start": "2.0.0.2",
"end": "2.0.0.254"}],
@ -260,23 +269,28 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
"provider_security_groups": []}
port_client = self.cmgr_adm.ports_client
port_id = port_client.create_port(**body)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
port_client.delete_port,
port_id['port']['id'])
ss = port_client.show_port(port_id['port']['id'])
self.assertEqual([], ss['port']['provider_security_groups'])
port_client.delete_port(port_id['port']['id'])
net_client.delete_network(network['network']['id'])
kwargs = {"provider_security_groups": ''}
port_client.update_port(port_id['port']['id'], **kwargs)
@test.attr(type='nsxv3')
@test.idempotent_id('dfc6bb8e-ba7b-4ce5-b6ee-0d0830d7e152')
def test_check_security_group_precedence_at_beckend(self):
count = 0
tenant_id = self.cmgr_adm.networks_client.tenant_id
provider_sg = self.create_security_provider_group(self.cmgr_adm,
tenant_id=tenant_id,
provider=True)
project_id = self.cmgr_adm.networks_client.tenant_id
provider_sg = \
self.create_security_provider_group(self.cmgr_adm,
project_id=project_id,
provider=True)
provider_sg_name = provider_sg.get('name')
default_sg = self.create_security_provider_group(self.cmgr_adm,
tenant_id=tenant_id,
provider=False)
default_sg = \
self.create_security_provider_group(self.cmgr_adm,
project_id=project_id,
provider=False)
sg_name = default_sg.get('name')
firewall_section = self.nsx.get_firewall_sections()
for sec_name in firewall_section:
@ -292,9 +306,9 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
@test.attr(type='nsxv3')
@test.idempotent_id('37d8fbfc-eb3f-40c8-a146-70f5df937a2e')
def test_tenant_cannot_delete_admin_provider_security_group(self):
tenant_id = self.cmgr_adm.networks_client.tenant_id
project_id = self.cmgr_adm.networks_client.tenant_id
sg = self.create_security_provider_group(self.cmgr_adm,
tenant_id=tenant_id,
project_id=project_id,
provider=True)
sg_id = sg.get('id')
sg_client = self.cmgr_alt.security_groups_client
@ -308,19 +322,94 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
@test.attr(type='nsxv3')
@test.idempotent_id('1bbebba3-780c-4e95-a95a-e52f577a6c1d')
def test_tenant_cannot_create_provider_sec_group(self):
tenant_id = self.cmgr_alt.networks_client.tenant_id
project_id = self.cmgr_alt.networks_client.tenant_id
self.assertRaises(exceptions.Forbidden,
self.create_security_provider_group,
self.cmgr_alt, tenant_id=tenant_id,
self.cmgr_alt, project_id=project_id,
provider=True)
LOG.info(_LI("Non-Admin Tenant cannot create provider sec group"))
@test.attr(type='nsxv3')
@test.idempotent_id('0d021bb2-9e21-422c-a509-6ac27803b2a2')
def test_update_port_with_psg(self):
net_client = self.cmgr_adm.networks_client
body = {'name': 'provider-network'}
network = net_client.create_network(**body)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
net_client.delete_network,
network['network']['id'])
body = {"network_id": network['network']['id'],
"allocation_pools": [{"start": "2.0.0.2",
"end": "2.0.0.254"}],
"ip_version": 4, "cidr": "2.0.0.0/24"}
subnet_client = self.cmgr_adm.subnets_client
subnet_client.create_subnet(**body)
body = {"network_id": network['network']['id'],
"provider_security_groups": []}
port_client = self.cmgr_adm.ports_client
port_id = port_client.create_port(**body)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
port_client.delete_port,
port_id['port']['id'])
ss = port_client.show_port(port_id['port']['id'])
self.assertEqual([], ss['port']['provider_security_groups'],
"Provider security group is not set on port")
project_id = self.cmgr_adm.networks_client.tenant_id
sg = self.create_security_provider_group(self.cmgr_adm,
project_id=project_id,
provider=True)
sg_id = sg.get('id')
body = {"provider_security_groups": ["%s" % sg_id]}
port_client.update_port(port_id['port']['id'], **body)
ss = port_client.show_port(port_id['port']['id'])
self.assertEqual([sg_id], ss['port']['provider_security_groups'],
"PSG assigned to port is accurate")
kwargs = {"provider_security_groups": ''}
port_client.update_port(port_id['port']['id'], **kwargs)
@test.attr(type='nsxv3')
@test.idempotent_id('2922a7fb-75fb-4d9f-9fdb-4b017c191aba')
def test_update_port_with_psg_using_different_tenant(self):
net_client = self.cmgr_alt.networks_client
body = {'name': 'provider-network'}
network = net_client.create_network(**body)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
net_client.delete_network,
network['network']['id'])
body = {"network_id": network['network']['id'],
"allocation_pools": [{"start": "2.0.0.2",
"end": "2.0.0.254"}],
"ip_version": 4, "cidr": "2.0.0.0/24"}
subnet_client = self.cmgr_alt.subnets_client
subnet_client.create_subnet(**body)
body = {"network_id": network['network']['id'],
"provider_security_groups": []}
port_client = self.cmgr_alt.ports_client
port_id = port_client.create_port(**body)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
port_client.delete_port,
port_id['port']['id'])
ss = port_client.show_port(port_id['port']['id'])
self.assertEqual([], ss['port']['provider_security_groups'],
"Provider security group is not set on port")
project_id = self.cmgr_adm.networks_client.tenant_id
sg = self.create_security_provider_group(self.cmgr_adm,
project_id=project_id,
provider=True)
sg_id = sg.get('id')
body = {"provider_security_groups": ["%s" % sg_id]}
self.assertRaises(exceptions.NotFound,
port_client.update_port,
port_id['port']['id'], **body)
kwargs = {"provider_security_groups": ''}
port_client.update_port(port_id['port']['id'], **kwargs)
@test.attr(type='nsxv3')
@test.idempotent_id('cef8d816-e5fa-45a5-a5a5-f1f2ed8fb49f')
def test_tenant_cannot_create_provider_sec_group_for_other_tenant(self):
tenant_cmgr = self.cmgr_alt
tenant_id = tenant_cmgr.networks_client.tenant_id
project_id = tenant_cmgr.networks_client.tenant_id
self.assertRaises(exceptions.BadRequest,
self.create_security_provider_group, self.cmgr_pri,
tenant_id=tenant_id,
project_id=project_id,
provider=True)

93
vmware_nsx_tempest/tests/nsxv3/scenario/test_provider_security_group.py
View File

@ -69,11 +69,11 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest):
self.servers = []
def create_security_provider_group(self, cmgr=None,
tenant_id=None, provider=False):
project_id=None, provider=False):
sg_client_admin = self.cmgr_adm.security_groups_client
sg_dict = dict(name=data_utils.rand_name('provider-sec-group'))
if tenant_id:
sg_dict['tenant_id'] = tenant_id
if project_id:
sg_dict['tenant_id'] = project_id
if provider:
sg_dict['provider'] = True
sg = sg_client_admin.create_security_group(**sg_dict)
@ -156,14 +156,14 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest):
return address['addr']
def create_security_group_rule(self, security_group_id,
cmgr=None, tenant_id=None,
cmgr=None, project_id=None,
protocol=None):
cmgr = cmgr or self.cmgr_adm
sgr_client = cmgr.security_group_rules_client
sgr_dict = dict(security_group_id=security_group_id,
direction='ingress', protocol=protocol)
if tenant_id:
sgr_dict['tenant_id'] = tenant_id
if project_id:
sgr_dict['tenant_id'] = project_id
sgr = sgr_client.create_security_group_rule(**sgr_dict)
return sgr.get('security_group_rule', sgr)
@ -225,13 +225,72 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest):
src=floating_ip))
raise
def _test_connectivity_between_default_psg_server(self, network_topo):
def _create_vms_without_psg(self, network_topo):
server_name_default = data_utils.rand_name('server-default-sec-group')
network = network_topo['network']
server_default = self._create_server(server_name_default, network)
tenant_id = network['tenant_id']
server_name_psg = data_utils.rand_name('server-psg-sec-group')
server_psg = self._create_server(server_name_psg, network)
servers = dict(server_default=server_default, server_psg=server_psg)
return servers
def _test_connectivity_between_vms_after_port_update(self, network_topo,
servers):
floating_ip_default = self.create_floating_ip(
servers['server_default'])
floating_ip_psg = self.create_floating_ip(servers['server_psg'])
private_ip_address_psg_vm = floating_ip_psg['fixed_ip_address']
public_ip_address_psg_vm = \
floating_ip_psg['floating_ip_address']
private_ip_address_default_vm = floating_ip_default['fixed_ip_address']
public_ip_address_default_vm = \
floating_ip_default['floating_ip_address']
private_key_default_vm = \
self._get_server_key(servers['server_default'])
private_key_psg_vm = \
self._get_server_key(servers['server_psg'])
self._check_server_connectivity(public_ip_address_default_vm,
private_ip_address_psg_vm,
private_key_default_vm)
self._check_server_connectivity(public_ip_address_psg_vm,
private_ip_address_default_vm,
private_key_psg_vm)
project_id = network_topo['network']['tenant_id']
sg = self.create_security_provider_group(provider=True,
tenant_id=tenant_id)
project_id=project_id)
sg_id = sg.get('id')
self.create_security_group_rule(sg_id, cmgr=self.cmgr_adm,
protocol='icmp')
p_client = self.ports_client
kwargs = {"provider_security_groups": ["%s" % sg_id]}
port_id_psg = self.get_port_id(network_topo['network']['id'],
network_topo['subnet']['id'],
servers['server_psg'])
port_id_default = self.get_port_id(network_topo['network']['id'],
network_topo['subnet']['id'],
servers['server_default'])
p_client.update_port(port_id_psg, **kwargs)
p_client.update_port(port_id_default, **kwargs)
self._check_server_connectivity(public_ip_address_default_vm,
private_ip_address_psg_vm,
private_key_default_vm,
should_connect=False)
self._check_server_connectivity(public_ip_address_psg_vm,
private_ip_address_default_vm,
private_key_psg_vm,
should_connect=False)
kwargs = {"provider_security_groups": ''}
p_client.update_port(port_id_psg, **kwargs)
p_client.update_port(port_id_default, **kwargs)
def _test_connectivity_between_default_psg_server(self, network_topo):
server_name_default = \
data_utils.rand_name('server-default-sec-group')
network = network_topo['network']
server_default = self._create_server(server_name_default, network)
project_id = network['tenant_id']
sg = self.create_security_provider_group(provider=True,
project_id=project_id)
sg_id = sg.get('id')
server_name_psg = data_utils.rand_name('server-psg-sec-group')
server_psg = self._create_server(server_name_psg, network)
@ -254,9 +313,9 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest):
server_name_default = data_utils.rand_name('server-default-sec-group')
network = network_topo['network']
server_default = self._create_server(server_name_default, network)
tenant_id = network['tenant_id']
project_id = network['tenant_id']
sg = self.create_security_provider_group(provider=True,
tenant_id=tenant_id)
project_id=project_id)
sg_id = sg.get('id')
server_name_psg = data_utils.rand_name('server-psg-sec-group')
server_psg = self._create_server(server_name_psg, network)
@ -296,9 +355,9 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest):
server_default_1 = self._create_server(server_name_default_1, network)
server_default_2 = self._create_server(server_name_default_2,
network2)
tenant_id = network['tenant_id']
project_id = network['tenant_id']
sg = self.create_security_provider_group(provider=True,
tenant_id=tenant_id)
project_id=project_id)
sg_id = sg.get('id')
server_name_psg_1 = data_utils.rand_name('server-psg-sec-group1')
server_psg_1 = self._create_server(server_name_psg_1, network)
@ -344,6 +403,14 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest):
self.network_topo = self.create_network_topo()
self._test_connectivity_between_default_psg_server(self.network_topo)
@test.attr(type='nsxv3')
@test.idempotent_id('a14b5c25-39ce-4641-bd51-f28c25e69440')
def test_vm_connectivity_port_update_with_psg(self):
self.network_topo = self.create_network_topo()
self.servers = self._create_vms_without_psg(self.network_topo)
self._test_connectivity_between_vms_after_port_update(
self.network_topo, self.servers)
@test.attr(type='nsxv3')
@test.idempotent_id('4a8eac6a-68ff-4392-bab9-70ea08132acb')
def test_connectivity_between_default_psg_servers(self):