vmware-nsx/vmware_nsx/extensions/providersecuritygroup.py
Roey Chen 2cfc1231dc Provider Security groups
This patch set introduces a new feature called provider-security-groups.
Provider security groups allow the provider to create a security group
that is automatically attached to a specific tenant's ports. The one
important thing to note is that rules inside of a provider security
group are set to DENY, whereas in a normal security group they are set
to ALLOW. Provider security groups allow the admin tenant to block specific
traffic for any tenant they like by creating a provider group. To use this
feature the admin tenant must first create a provider security group
on behalf of the other tenant (e.g.):

$ neutron security-group-create no-pokemon-go-access --provider=True \
	--tenant-id=<shall remain nameless>

Then, whenever the above tenant id creates a port they will see an
additional field on the port "provider-security-groups" which will
contain the uuid of the provider security group. This user can then
query neutron to see which rules are in it that are blocking them.

NOTE: one needs to use the correct policy.json file from this repo
for neutron in order to prevent the tenant from removing the group.

Co-Authored-By: Aaron Rosen <aaronorosen@gmail.com>

Change-Id: I57b130437327b0bbe5cc0068695f226b76b4e2ba
2016-08-02 13:34:37 +00:00


# Copyright 2016 VMware, Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from neutron.api import extensions
from neutron.extensions import securitygroup
from neutron_lib.api import converters
from neutron_lib import constants
from neutron_lib import exceptions as nexception
from vmware_nsx._i18n import _
PROVIDER = 'provider'
PROVIDER_SECURITYGROUPS = 'provider_security_groups'

# Attribute map handed back by Providersecuritygroup.get_extended_resources()
# for API version "2.0": a boolean 'provider' flag on security groups and a
# 'provider_security_groups' list on ports.
EXTENDED_ATTRIBUTES_2_0 = {
    'security_groups': {
        # Settable at creation only (allow_put=False). 'enforce_policy' is
        # the hook the commit's policy.json reliance points at; presumably it
        # gates who may set the flag -- verify against the policy engine.
        PROVIDER: dict(
            allow_post=True,
            allow_put=False,
            convert_to=converters.convert_to_boolean,
            default=False,
            enforce_policy=True,
            is_visible=True,
        ),
    },
    'ports': {
        # NOTE(review): unlike PROVIDER above, this attribute carries no
        # 'enforce_policy' entry although it is writable on update; confirm
        # the policy rule meant to stop a tenant from removing the group is
        # still evaluated for port updates.
        PROVIDER_SECURITYGROUPS: dict(
            allow_post=True,
            allow_put=True,
            is_visible=True,
            convert_to=securitygroup.convert_to_uuid_list_or_none,
            default=constants.ATTR_NOT_SPECIFIED,
        ),
    },
}

# Presumably the number of provider security groups permitted on one port;
# the code that enforces it is outside this file -- confirm at the call site.
NUM_PROVIDER_SGS_ON_PORT = 1
class SecurityGroupNotProvider(nexception.InvalidInput):
    """Raised when a security group expected to be a provider group is not one.

    ``message`` is formatted with ``id``, the security-group id.
    """

    message = _("Security group %(id)s is not a provider "
                "security group.")
class SecurityGroupIsProvider(nexception.InvalidInput):
    """Raised when a provider group is passed via the plain security-group field.

    ``message`` is formatted with ``id``, the security-group id.
    """

    message = _(
        "Security group %(id)s is a provider security group and cannot be "
        "specified via the security group field."
    )
class DefaultSecurityGroupIsNotProvider(nexception.InvalidInput):
    """Raised when the default security group is requested as a provider group.

    ``message`` takes no format arguments.
    """

    message = _(
        "Can't create default security-group as a provider security-group."
    )
class Providersecuritygroup(extensions.ExtensionDescriptor):
    """Provider security-group extension.

    Describes the API extension that adds the ``provider`` flag to security
    groups and the ``provider_security_groups`` attribute to ports. The
    attribute definitions themselves live in EXTENDED_ATTRIBUTES_2_0; this
    class only exposes them for API version "2.0".
    """

    @classmethod
    def get_name(cls):
        """Return the human-readable extension name."""
        return "Provider security group"

    @classmethod
    def get_alias(cls):
        """Return the extension alias."""
        return "provider-security-group"

    @classmethod
    def get_description(cls):
        """Return a one-line description of the extension."""
        return "Admin controlled security groups with blocking rules."

    @classmethod
    def get_updated(cls):
        """Return the extension's last-updated timestamp."""
        return "2016-07-13T10:00:00-00:00"

    def get_required_extensions(self):
        """Return the aliases this extension depends on (core security-group)."""
        return ["security-group"]

    @classmethod
    def get_resources(cls):
        """Return no new top-level resources; only existing ones are extended."""
        return []

    def get_extended_resources(self, version):
        """Return the extra attribute map for API *version*, or {} if none."""
        is_v2 = version == "2.0"
        return EXTENDED_ATTRIBUTES_2_0 if is_v2 else {}