Fixed inability to deploy if security groups are disabled

Existing implementation of Neutron-based networking assumed that the neutron's security groups are used to manage VM accessibility. However there may exist environments with disabled security-group extension in Neutron and thus relying on something else to restrict the traffic. Murano could not operate in such environments since it always was attempting to create resources of type OS::Neutron::SecurityGroup and attach VMs' ports to this resource. This is addressed by introducing a new subclass of SecurityGroupManager - DummySecurityGroupManager, which actually does nothing but silently ignores the calls to create security rules. This new security manager is instantiated instead of NeutronSecurityGroupManager for Neutron-based networks in cases if the 'security-group' extension is not present in Neutron's configuration. If it is instantiated a warning message is reported to the end-user to notify them that security requirements of the application were ignored. Change-Id: Ia3bc6c17f9ca0a4b8bf8c272481760a8c81b27b7 Closes-bug: #1593253
2016-06-17 14:51:35 +03:00 · 2016-06-17 14:51:35 +03:00 · f25776a5c3
commit f25776a5c3
parent 81ede22e78
5 changed files with 45 additions and 2 deletions
--- a/meta/io.murano/Classes/resources/NeutronNetworkBase.yaml
+++ b/meta/io.murano/Classes/resources/NeutronNetworkBase.yaml
@ -20,6 +20,11 @@ Name: NeutronNetworkBase
 Extends: Network

 Methods:
+  initialize:
+    Body:
+      - $._netExplorer: new(sys:NetworkExplorer, $this)
+      - $._securityGroupsEnabled: $._netExplorer.listNeutronExtensions().alias.contains('security-group')
+
  joinInstanceToNetwork:
    Arguments:
      - instance:
@ -49,7 +54,7 @@ Methods:
                  - subnet: $subnetRef
                replacement_policy: AUTO

-      - If: bool($securityGroupName)
+      - If: bool($securityGroupName) and $this._securityGroupsEnabled
        Then:
          - $template:
              resources:
@ -107,4 +112,9 @@ Methods:
      - environment:
          Contract: $.class(std:Environment).notNull()
    Body:
-      - Return: new(sys:NeutronSecurityGroupManager, environment => $environment)
+      - If: $this._securityGroupsEnabled
+        Then:
+          - Return: new(sys:NeutronSecurityGroupManager, environment => $environment)
+        Else:
+          - $environment.reporter.report($this, "Warning! Security groups are disabled!")
+          - Return: new(sys:DummySecurityGroupManager, environment => $environment)
--- a/meta/io.murano/Classes/system/DummySecurityGroupManager.yaml
+++ b/meta/io.murano/Classes/system/DummySecurityGroupManager.yaml
@ -0,0 +1,23 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+Namespaces:
+  =: io.murano.system
+  std: io.murano
+
+Name: DummySecurityGroupManager
+Extends: SecurityGroupManager
+
+# This class actually adds nothing to the base SecurityGroupManager,
+# so a base class could be used instead. However, it's better to explicitly
+# declare this class and use it, since the base one is supposed to remain
+# "abstract" and never be instantiated.
--- a/meta/io.murano/manifest.yaml
+++ b/meta/io.murano/manifest.yaml
@ -67,6 +67,7 @@ Classes:
  io.murano.system.SecurityGroupManager: system/SecurityGroupManager.yaml
  io.murano.system.NeutronSecurityGroupManager: system/NeutronSecurityGroupManager.yaml
  io.murano.system.AwsSecurityGroupManager: system/AwsSecurityGroupManager.yaml
+  io.murano.system.DummySecurityGroupManager: system/DummySecurityGroupManager.yaml
  io.murano.system.MistralClient: system/MistralClient.yaml

  io.murano.test.TestFixture: test/TestFixture.yaml
--- a/murano/engine/system/net_explorer.py
+++ b/murano/engine/system/net_explorer.py
@ -191,3 +191,7 @@ class NetworkExplorer(object):

    def list_ports(self):
        return self._client.list_ports()['ports']
+
+    @session_local_storage.execution_session_memoize
+    def list_neutron_extensions(self):
+        return self._client.list_extensions()['extensions']
--- a/releasenotes/notes/no-neutron-sec-group-support-2d69082b7226d6c0.yaml
+++ b/releasenotes/notes/no-neutron-sec-group-support-2d69082b7226d6c0.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - Murano is now able to deploy applications in the environments with disabled
+    Neutron Security Groups. Detection is based on the presence of
+    'security-group' Neutron extension.