Changes in security groups in default VPC mode

create-security-group create security-group in default vpc if not specified delete-security-group can delete from default vpc by group-name authorize_security_group_ingress with group-name specified create rule in the appropriate group in default vpc Change-Id: Ibdf5b508f9d8a042ceaba4570d4573b741adaf9f
2017-02-10 21:39:08 +03:00 · 2017-02-10 21:39:08 +03:00 · 6078fdccda
parent df67b88930
commit 6078fdccda
3 changed files with 24 additions and 9 deletions
--- a/ec2api/api/security_group.py
+++ b/ec2api/api/security_group.py
@ -69,6 +69,8 @@ def create_security_group(context, group_name, group_description,
            raise exception.InvalidGroupReserved(group_name=group_name)
    filter = [{'name': 'group-name',
               'value': [group_name]}]
+    if not vpc_id and CONF.disable_ec2_classic:
+        vpc_id = ec2utils.get_default_vpc(context)['id']
    if vpc_id and group_name != vpc_id:
        filter.append({'name': 'vpc-id',
                       'value': [vpc_id]})
@ -115,15 +117,15 @@ def _create_default_security_group(context, vpc):
    # NOTE(Alex): OpenStack doesn't allow creation of another group
    # named 'default' hence vpc-id is used.
    try:
-        _create_security_group(context, vpc['id'],
+        sg_id = _create_security_group(context, vpc['id'],
                               'Default VPC security group', vpc['id'],
-                               default=True)
+                               default=True)['groupId']
    except (exception.EC2DBDuplicateEntry, exception.InvalidVpcIDNotFound):
        # NOTE(andrey-mp): when this thread tries to recreate default group
        # but another thread tries to delete vpc we should pass vpc not found
        LOG.exception('Failed to create default security group.')
-        return False
-    return True
+        return None
+    return sg_id


 def delete_security_group(context, group_name=None, group_id=None,
@ -211,6 +213,12 @@ def describe_security_groups(context, group_name=None, group_id=None,

 def authorize_security_group_ingress(context, group_id=None,
                                     group_name=None, ip_permissions=None):
+    if group_name and not group_id and CONF.disable_ec2_classic:
+        sg = describe_security_groups(
+            context,
+            group_name=[group_name])['securityGroupInfo'][0]
+        group_id = sg['groupId']
+        group_name = None
    return _authorize_security_group(context, group_id, group_name,
                                     ip_permissions, 'ingress')

@ -472,6 +480,12 @@ class SecurityGroupEngineNeutron(object):
    def delete_group(self, context, group_name=None, group_id=None,
                     delete_default=False):
        neutron = clients.neutron(context)
+        if CONF.disable_ec2_classic and group_name:
+            sg = describe_security_groups(
+                context,
+                group_name=[group_name])['securityGroupInfo'][0]
+            group_id = sg['groupId']
+            group_name = None
        if group_id is None or not group_id.startswith('sg-'):
            return SecurityGroupEngineNova().delete_group(context,
                                                          group_name,
--- a/ec2api/api/vpc.py
+++ b/ec2api/api/vpc.py
@ -141,9 +141,9 @@ def _create_vpc(context, cidr_block, is_default=False):
        vpc['route_table_id'] = route_table['id']
        db_api.update_item(context, vpc)
        neutron.update_router(os_router['id'], {'router': {'name': vpc['id']}})
-        security_group_api._create_default_security_group(context, vpc)
+        sg_id = security_group_api._create_default_security_group(context, vpc)
        cleaner.addCleanup(security_group_api.delete_security_group, context,
-                           group_name=vpc['id'], delete_default=True)
+                           group_id=sg_id, delete_default=True)
        if is_default:
            igw_id = internet_gateway_api.create_internet_gateway(
                context)['internetGateway']['internetGatewayId']
--- a/ec2api/tests/unit/test_vpc.py
+++ b/ec2api/tests/unit/test_vpc.py
@ -343,8 +343,6 @@ class VpcPrivateTestCase(base.BaseTestCase):

        self.neutron.create_router.side_effect = (
            tools.get_neutron_create('router', fakes.ID_OS_ROUTER_DEFAULT))
-        self.nova.security_groups.list.return_value = (
-            [fakes.NovaSecurityGroup(fakes.OS_SECURITY_GROUP_DEFAULT)])

        self.db_api.add_item.side_effect = (
            tools.get_db_api_add_item({'vpc': fakes.ID_EC2_VPC_DEFAULT}))
@ -356,11 +354,14 @@ class VpcPrivateTestCase(base.BaseTestCase):
        self.db_api.get_item_by_id.side_effect = (
            tools.get_db_api_get_item_by_id(fakes.DB_VPC_DEFAULT,
                                            fakes.DB_SUBNET_DEFAULT,
+                                            fakes.DB_SECURITY_GROUP_DEFAULT,
                                            DB_IGW_DEFAULT_DETACHED))
        create_route_table.return_value = fakes.DB_ROUTE_TABLE_DEFAULT
        create_internet_gateway.return_value = {'internetGateway':
                                                fakes.EC2_IGW_DEFAULT}
        create_subnet.return_value = {'subnet': fakes.EC2_SUBNET_DEFAULT}
+        create_default_security_group.return_value = (
+            fakes.ID_EC2_SECURITY_GROUP_DEFAULT)

        # exception during attaching internet gateway
        create_route.side_effect = Exception()
@ -374,7 +375,7 @@ class VpcPrivateTestCase(base.BaseTestCase):
            fakes.ID_EC2_SUBNET_DEFAULT)
        self.db_api.delete_item.assert_any_call(mock.ANY,
            fakes.ID_EC2_IGW_DEFAULT)
-        self.nova.security_groups.delete.assert_any_call(
+        self.neutron.delete_security_group.assert_any_call(
            fakes.ID_OS_SECURITY_GROUP_DEFAULT)
        self.db_api.delete_item.assert_any_call(mock.ANY,
            fakes.ID_EC2_ROUTE_TABLE_DEFAULT)