Firewall group associated with ports is not allowed to be deleted
Currently, we determine that a firewall group is in use based on its ACTIVE status. However, a firewall group whose ports have just been updated may be in PENDING_UPDATE status, and deletion should not be allowed at that time either. This patch changes how deletion of a firewall group is decided: it is no longer based on the group's status but, as with other neutron resources, on whether or not the group is associated with ports. Closes-Bug: #2018967 Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/883826 Change-Id: Ib7ab0daf9f6de45125ffc9408f865fc0964ff339
parent
e479c1a1d6
commit
5b56eaf3b0
@ -339,7 +339,7 @@ class FirewallPluginV2(Firewallv2PluginBase):
|
||||
except f_exc.FirewallGroupNotFound:
|
||||
return
|
||||
|
||||
if fwg['status'] == nl_constants.ACTIVE:
|
||||
if fwg['ports']:
|
||||
raise f_exc.FirewallGroupInUse(firewall_id=id)
|
||||
|
||||
self.driver.delete_firewall_group(context, id)
|
||||
|
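Review bot: The new `if fwg['ports']:` guard and the `self.driver.delete_firewall_group(context, id)` call below it are separate steps, so a port associated with the group between the two would still have its firewall group deleted from under it, the same outcome this commit closes for PENDING_UPDATE. Nothing visible in this hunk shows that the lookup and the delete share a transaction or that the DB layer re-checks the association, so that should be confirmed; if neither holds, the association check belongs inside the delete transaction. A short comment on the guard would also help the next reader, for example `# In use is decided by port association, not status: a group in PENDING_UPDATE can still have ports.` The enclosing method starts and ends outside the hunk.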
@ -270,31 +270,6 @@ class FirewallAgentDriver(driver_api.FirewallDriverDB,
|
||||
context, firewall_group['ports'])
|
||||
self.agent_rpc.create_firewall_group(context, fwg_with_rules)
|
||||
|
||||
def delete_firewall_group_precommit(self, context, firewall_group):
|
||||
if firewall_group['status'] == nl_constants.ACTIVE:
|
||||
raise f_exc.FirewallGroupInUse(firewall_id=firewall_group['id'])
|
||||
elif firewall_group['status'] != nl_constants.INACTIVE:
|
||||
# Firewall group is in inconsistent state, remove it
|
||||
return
|
||||
if not firewall_group['ports']:
|
||||
# No associated port, can safety remove it
|
||||
return
|
||||
|
||||
# Need to prevent agent to delete the firewall group before delete it
|
||||
self.firewall_db.update_firewall_group_status(
|
||||
context, firewall_group['id'], nl_constants.PENDING_DELETE)
|
||||
firewall_group['status'] = nl_constants.PENDING_DELETE
|
||||
|
||||
fwg_with_rules = self.firewall_db.make_firewall_group_dict_with_rules(
|
||||
context, firewall_group['id'])
|
||||
fwg_with_rules['del-port-ids'] = firewall_group['ports']
|
||||
fwg_with_rules['add-port-ids'] = []
|
||||
# Reflect state change in fwg_with_rules
|
||||
fwg_with_rules['status'] = nl_constants.PENDING_DELETE
|
||||
fwg_with_rules['port_details'] = self._get_fwg_port_details(
|
||||
context, fwg_with_rules['del-port-ids'])
|
||||
self.agent_rpc.delete_firewall_group(context, fwg_with_rules)
|
||||
|
||||
def _need_pending_update(self, old_firewall_group, new_firewall_group):
|
||||
port_updated = (set(new_firewall_group['ports']) !=
|
||||
set(old_firewall_group['ports']))
|
||||
|
@ -382,6 +382,22 @@ class FirewallPluginV2TestCase(test_db_plugin.NeutronDbPluginV2TestCase):
|
||||
firewall_group = self.deserialize(fmt or self.fmt, res)
|
||||
yield firewall_group
|
||||
if do_delete:
|
||||
self.plugin.driver.firewall_db.update_firewall_group_status(
|
||||
context.get_admin_context(),
|
||||
firewall_group['firewall_group']['id'],
|
||||
nl_constants.ACTIVE)
|
||||
data = {
|
||||
'firewall_group': {
|
||||
'ports': [],
|
||||
},
|
||||
}
|
||||
req = self.new_update_request(
|
||||
'firewall_groups',
|
||||
data,
|
||||
firewall_group['firewall_group']['id'],
|
||||
as_admin=True,
|
||||
)
|
||||
req.get_response(self.ext_api)
|
||||
self._delete('firewall_groups',
|
||||
firewall_group['firewall_group']['id'],
|
||||
as_admin=True)
|
||||
|
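Review bot: The response of the new update request in the `do_delete` teardown is discarded (`req.get_response(self.ext_api)`), so if clearing `ports` fails, the following `_delete` fails with an in-use error that points away from the real cause. Keep the response and assert on it, e.g. `res = req.get_response(self.ext_api)` followed by `self.assertEqual(200, res.status_int)` (assuming a successful update returns 200 here). Because the helper now always detaches ports before deleting, this hunk contains no case that deletes a group which still has ports while in PENDING_UPDATE and expects `FirewallGroupInUse`; if that regression test is not elsewhere in the commit, it is worth adding. The enclosing helper starts outside the hunk.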