Changes in security groups in default VPC mode
create-security-group: creates the security group in the default VPC if no VPC is specified; delete-security-group: can delete from the default VPC by group-name; authorize_security_group_ingress: with group-name specified, creates the rule in the appropriate group in the default VPC. Change-Id: Ibdf5b508f9d8a042ceaba4570d4573b741adaf9f
This commit is contained in:
parent
df67b88930
commit
6078fdccda
|
@ -69,6 +69,8 @@ def create_security_group(context, group_name, group_description,
|
|||
raise exception.InvalidGroupReserved(group_name=group_name)
|
||||
filter = [{'name': 'group-name',
|
||||
'value': [group_name]}]
|
||||
if not vpc_id and CONF.disable_ec2_classic:
|
||||
vpc_id = ec2utils.get_default_vpc(context)['id']
|
||||
if vpc_id and group_name != vpc_id:
|
||||
filter.append({'name': 'vpc-id',
|
||||
'value': [vpc_id]})
|
||||
|
@ -115,15 +117,15 @@ def _create_default_security_group(context, vpc):
|
|||
# NOTE(Alex): OpenStack doesn't allow creation of another group
|
||||
# named 'default' hence vpc-id is used.
|
||||
try:
|
||||
_create_security_group(context, vpc['id'],
|
||||
sg_id = _create_security_group(context, vpc['id'],
|
||||
'Default VPC security group', vpc['id'],
|
||||
default=True)
|
||||
default=True)['groupId']
|
||||
except (exception.EC2DBDuplicateEntry, exception.InvalidVpcIDNotFound):
|
||||
# NOTE(andrey-mp): when this thread tries to recreate default group
|
||||
# but another thread tries to delete vpc we should pass vpc not found
|
||||
LOG.exception('Failed to create default security group.')
|
||||
return False
|
||||
return True
|
||||
return None
|
||||
return sg_id
|
||||
|
||||
|
||||
def delete_security_group(context, group_name=None, group_id=None,
|
||||
|
@ -211,6 +213,12 @@ def describe_security_groups(context, group_name=None, group_id=None,
|
|||
|
||||
def authorize_security_group_ingress(context, group_id=None,
|
||||
group_name=None, ip_permissions=None):
|
||||
if group_name and not group_id and CONF.disable_ec2_classic:
|
||||
sg = describe_security_groups(
|
||||
context,
|
||||
group_name=[group_name])['securityGroupInfo'][0]
|
||||
group_id = sg['groupId']
|
||||
group_name = None
|
||||
return _authorize_security_group(context, group_id, group_name,
|
||||
ip_permissions, 'ingress')
|
||||
|
||||
|
@ -472,6 +480,12 @@ class SecurityGroupEngineNeutron(object):
|
|||
def delete_group(self, context, group_name=None, group_id=None,
|
||||
delete_default=False):
|
||||
neutron = clients.neutron(context)
|
||||
if CONF.disable_ec2_classic and group_name:
|
||||
sg = describe_security_groups(
|
||||
context,
|
||||
group_name=[group_name])['securityGroupInfo'][0]
|
||||
group_id = sg['groupId']
|
||||
group_name = None
|
||||
if group_id is None or not group_id.startswith('sg-'):
|
||||
return SecurityGroupEngineNova().delete_group(context,
|
||||
group_name,
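Review bot: The name-to-id resolution in authorize_security_group_ingress, `describe_security_groups(context, group_name=[group_name])['securityGroupInfo'][0]`, takes the first match without checking that there is exactly one, so an unknown name raises IndexError (a server error instead of the EC2 "group not found" response), and because a group name is only unique within a VPC a same-named group in a non-default VPC can be returned first and the ingress rule opened on the wrong group; delete_group in the last hunk repeats the same lookup and can delete the wrong group for the same reason. Unless describe_security_groups already restricts results to the default VPC when disable_ec2_classic is set (its body is outside these hunks), the lookup should add a vpc-id filter in the shape create_security_group already builds, `{'name': 'vpc-id', 'value': [ec2utils.get_default_vpc(context)['id']]}` (the filter parameter name of describe_security_groups is not visible here), and then reject anything but a single hit with the project's existing not-found exception (`InvalidGroupReserved` and `InvalidVpcIDNotFound` are the ones visible; the group variant should be confirmed). Moving both call sites into one helper such as `_default_vpc_group_id(context, group_name)` would keep authorize and delete in step. delete_group's body continues outside the hunk.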
|
||||
|
|
|
@ -141,9 +141,9 @@ def _create_vpc(context, cidr_block, is_default=False):
|
|||
vpc['route_table_id'] = route_table['id']
|
||||
db_api.update_item(context, vpc)
|
||||
neutron.update_router(os_router['id'], {'router': {'name': vpc['id']}})
|
||||
security_group_api._create_default_security_group(context, vpc)
|
||||
sg_id = security_group_api._create_default_security_group(context, vpc)
|
||||
cleaner.addCleanup(security_group_api.delete_security_group, context,
|
||||
group_name=vpc['id'], delete_default=True)
|
||||
group_id=sg_id, delete_default=True)
|
||||
if is_default:
|
||||
igw_id = internet_gateway_api.create_internet_gateway(
|
||||
context)['internetGateway']['internetGatewayId']
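Review bot: `sg_id` can be None at the `cleaner.addCleanup` call, because the security_group.py hunk above makes `_create_default_security_group` log and return None on EC2DBDuplicateEntry/InvalidVpcIDNotFound, yet the cleanup is registered unconditionally with `group_id=None`; on rollback that calls `delete_security_group(context, group_id=None, delete_default=True)`, which in the Neutron engine's delete_group falls through to the Nova engine with neither a name nor an id (which engine is in use here is not visible). Either register the cleanup only on success, `if sg_id: cleaner.addCleanup(...)`, or treat a None result as a failed VPC creation and raise, since a default VPC with no default group is an unsafe state to leave behind. The previous code keyed the cleanup on `group_name=vpc['id']` and so did not have this gap. _create_vpc continues outside the hunk.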
|
||||
|
|
|
@ -343,8 +343,6 @@ class VpcPrivateTestCase(base.BaseTestCase):
|
|||
|
||||
self.neutron.create_router.side_effect = (
|
||||
tools.get_neutron_create('router', fakes.ID_OS_ROUTER_DEFAULT))
|
||||
self.nova.security_groups.list.return_value = (
|
||||
[fakes.NovaSecurityGroup(fakes.OS_SECURITY_GROUP_DEFAULT)])
|
||||
|
||||
self.db_api.add_item.side_effect = (
|
||||
tools.get_db_api_add_item({'vpc': fakes.ID_EC2_VPC_DEFAULT}))
|
||||
|
@ -356,11 +354,14 @@ class VpcPrivateTestCase(base.BaseTestCase):
|
|||
self.db_api.get_item_by_id.side_effect = (
|
||||
tools.get_db_api_get_item_by_id(fakes.DB_VPC_DEFAULT,
|
||||
fakes.DB_SUBNET_DEFAULT,
|
||||
fakes.DB_SECURITY_GROUP_DEFAULT,
|
||||
DB_IGW_DEFAULT_DETACHED))
|
||||
create_route_table.return_value = fakes.DB_ROUTE_TABLE_DEFAULT
|
||||
create_internet_gateway.return_value = {'internetGateway':
|
||||
fakes.EC2_IGW_DEFAULT}
|
||||
create_subnet.return_value = {'subnet': fakes.EC2_SUBNET_DEFAULT}
|
||||
create_default_security_group.return_value = (
|
||||
fakes.ID_EC2_SECURITY_GROUP_DEFAULT)
|
||||
|
||||
# exception during attaching internet gateway
|
||||
create_route.side_effect = Exception()
|
||||
|
@ -374,7 +375,7 @@ class VpcPrivateTestCase(base.BaseTestCase):
|
|||
fakes.ID_EC2_SUBNET_DEFAULT)
|
||||
self.db_api.delete_item.assert_any_call(mock.ANY,
|
||||
fakes.ID_EC2_IGW_DEFAULT)
|
||||
self.nova.security_groups.delete.assert_any_call(
|
||||
self.neutron.delete_security_group.assert_any_call(
|
||||
fakes.ID_OS_SECURITY_GROUP_DEFAULT)
|
||||
self.db_api.delete_item.assert_any_call(mock.ANY,
|
||||
fakes.ID_EC2_ROUTE_TABLE_DEFAULT)
|
||||
|
|