Fixed audit notifications for l3-agent-router ops

l3-agent-router-add and l3-agent-router-remove do not generate audit notifications which are used for security compliance. CRUD operations of core network resources are handled by neutron/api/v2/base.py. In base.py, each of create(), update(), delete() methods makes calls to oslo.messaging.Notifier.info() to generate these notifications. In the proposed fix, it is fixed in a similar fashion in extensions/l3agentscheduler.py inside create() and delete() methods by introducing info() method calls inside them. Change-Id: I1354e51e4af24eda128c042926765683018b320b Closes-Bug: 1317000
2014-06-07 05:42:45 -07:00 · 2014-06-07 05:42:45 -07:00 · 18dfd363c3
parent bcc0319e31
commit 18dfd363c3
2 changed files with 33 additions and 6 deletions
--- a/neutron/extensions/l3agentscheduler.py
+++ b/neutron/extensions/l3agentscheduler.py
@ -22,6 +22,7 @@ from neutron.api.v2 import base
 from neutron.api.v2 import resource
 from neutron.common import constants
 from neutron.common import exceptions
+from neutron.common import rpc as n_rpc
 from neutron.extensions import agent
 from neutron import manager
 from neutron.openstack.common import log as logging
@ -63,18 +64,23 @@ class RouterSchedulerController(wsgi.Controller):
        policy.enforce(request.context,
                       "create_%s" % L3_ROUTER,
                       {})
-        return plugin.add_router_to_l3_agent(
-            request.context,
-            kwargs['agent_id'],
-            body['router_id'])
+        agent_id = kwargs['agent_id']
+        router_id = body['router_id']
+        result = plugin.add_router_to_l3_agent(request.context, agent_id,
+                                               router_id)
+        notify(request.context, 'l3_agent.router.add', router_id, agent_id)
+        return result

    def delete(self, request, id, **kwargs):
        plugin = self.get_plugin()
        policy.enforce(request.context,
                       "delete_%s" % L3_ROUTER,
                       {})
-        return plugin.remove_router_from_l3_agent(
-            request.context, kwargs['agent_id'], id)
+        agent_id = kwargs['agent_id']
+        result = plugin.remove_router_from_l3_agent(request.context, agent_id,
+                                                    id)
+        notify(request.context, 'l3_agent.router.remove', id, agent_id)
+        return result


 class L3AgentsHostingRouterController(wsgi.Controller):
@ -192,3 +198,9 @@ class L3AgentSchedulerPluginBase(object):
    @abc.abstractmethod
    def list_l3_agents_hosting_router(self, context, router_id):
        pass
+
+
+def notify(context, action, router_id, agent_id):
+    info = {'id': agent_id, 'router_id': router_id}
+    notifier = n_rpc.get_notifier('router')
+    notifier.info(context, action, {'agent': info})
--- a/neutron/tests/unit/openvswitch/test_agent_scheduler.py
+++ b/neutron/tests/unit/openvswitch/test_agent_scheduler.py
@ -35,6 +35,7 @@ from neutron import manager
 from neutron.openstack.common import timeutils
 from neutron.openstack.common import uuidutils
 from neutron.plugins.common import constants as service_constants
+from neutron.tests import fake_notifier
 from neutron.tests.unit import test_agent_ext_plugin
 from neutron.tests.unit import test_db_plugin as test_plugin
 from neutron.tests.unit import test_extensions
@ -170,6 +171,10 @@ class AgentSchedulerTestMixIn(object):
        res = req.get_response(self.ext_api)
        self.assertEqual(res.status_int, expected_code)

+    def _assert_notify(self, notifications, expected_event_type):
+        event_types = [event['event_type'] for event in notifications]
+        self.assertIn(expected_event_type, event_types)
+
    def _register_one_agent_state(self, agent_state):
        callback = agents_db.AgentExtRpcCallback()
        callback.report_state(self.adminContext,
@ -223,6 +228,9 @@ class OvsAgentSchedulerTestCaseBase(test_l3_plugin.L3NatTestCaseMixin,
        self.l3agentscheduler_dbMinxin = (
            manager.NeutronManager.get_service_plugins().get(
                service_constants.L3_ROUTER_NAT))
+        self.notify_p = mock.patch(
+            'neutron.extensions.l3agentscheduler.notify')
+        self.patched_notify = self.notify_p.start()

    def restore_attribute_map(self):
        # Restore the original RESOURCE_ATTRIBUTE_MAP
@ -1186,6 +1194,7 @@ class OvsL3AgentNotifierTestCase(test_l3_plugin.L3NatTestCaseMixin,
        attributes.RESOURCE_ATTRIBUTE_MAP.update(
            agent.RESOURCE_ATTRIBUTE_MAP)
        self.addCleanup(self.restore_attribute_map)
+        fake_notifier.reset()

    def restore_attribute_map(self):
        # Restore the original RESOURCE_ATTRIBUTE_MAP
@ -1208,6 +1217,9 @@ class OvsL3AgentNotifierTestCase(test_l3_plugin.L3NatTestCaseMixin,
                    'router_added_to_agent',
                    payload=routers),
                topic='l3_agent.hosta')
+            notifications = fake_notifier.NOTIFICATIONS
+            expected_event_type = 'l3_agent.router.add'
+            self._assert_notify(notifications, expected_event_type)

    def test_router_remove_from_l3_agent_notification(self):
        plugin = manager.NeutronManager.get_plugin()
@ -1226,6 +1238,9 @@ class OvsL3AgentNotifierTestCase(test_l3_plugin.L3NatTestCaseMixin,
                    'router_removed_from_agent',
                    payload={'router_id': router1['router']['id']}),
                topic='l3_agent.hosta')
+            notifications = fake_notifier.NOTIFICATIONS
+            expected_event_type = 'l3_agent.router.remove'
+            self._assert_notify(notifications, expected_event_type)

    def test_agent_updated_l3_agent_notification(self):
        plugin = manager.NeutronManager.get_plugin()