Merge "Add shared field to SG API response and filter"

2021-11-02 01:20:21 +00:00 · 2021-11-02 01:20:21 +00:00 · 6e9a368891
parent bc1db73474 4bd1c82213
commit 6e9a368891
12 changed files with 137 additions and 5 deletions
--- a/neutron/agent/securitygroups_rpc.py
+++ b/neutron/agent/securitygroups_rpc.py
@ -28,6 +28,8 @@ from oslo_log import log as logging

 from neutron.agent import firewall
 from neutron.conf.agent import securitygroups_rpc as sc_cfg
+from neutron.extensions import security_groups_shared_filtering_lib \
+    as sg_shared_filtering


 LOG = logging.getLogger(__name__)
@ -53,6 +55,7 @@ def disable_security_group_extension_by_config(aliases):
        _disable_extension(stateful_sg.ALIAS, aliases)
        _disable_extension(sgag_def.ALIAS, aliases)
        _disable_extension(security_groups_normalized_cidr.ALIAS, aliases)
+        _disable_extension(sg_shared_filtering.ALIAS, aliases)
        LOG.info('Disabled allowed-address-pairs extension.')
        _disable_extension('allowed-address-pairs', aliases)
        LOG.info('Disabled address-group extension.')
--- a/neutron/common/ovn/extensions.py
+++ b/neutron/common/ovn/extensions.py
@ -53,6 +53,7 @@ from neutron_lib.api.definitions import qos_default
 from neutron_lib.api.definitions import qos_rule_type_details
 from neutron_lib.api.definitions import qos_rules_alias
 from neutron_lib.api.definitions import rbac_address_scope
+from neutron_lib.api.definitions import rbac_security_groups
 from neutron_lib.api.definitions import router_availability_zone as raz_def
 from neutron_lib.api.definitions import security_groups_normalized_cidr
 from neutron_lib.api.definitions import security_groups_remote_address_group
@ -64,6 +65,8 @@ from neutron_lib.api.definitions import trunk
 from neutron_lib.api.definitions import vlantransparent
 from neutron_lib import constants

+from neutron.extensions import security_groups_shared_filtering_lib
+
 # NOTE(russellb) This remains in its own file (vs constants.py) because we want
 # to be able to easily import it and export the info without any dependencies
 # on external imports.
@ -120,10 +123,12 @@ ML2_SUPPORTED_API_EXTENSIONS = [
    'quotas',
    rbac_address_scope.ALIAS,
    'rbac-policies',
+    rbac_security_groups.ALIAS,
    'standard-attr-revisions',
    'security-group',
    security_groups_normalized_cidr.ALIAS,
    security_groups_remote_address_group.ALIAS,
+    security_groups_shared_filtering_lib.ALIAS,
    'standard-attr-description',
    constants.SUBNET_ALLOCATION_EXT_ALIAS,
    'standard-attr-tag',
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@ -337,6 +337,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase,
               'tenant_id': security_group['tenant_id'],
               'description': security_group['description'],
               'standard_attr_id': security_group.db_obj.standard_attr.id,
+               'shared': security_group['shared'],
               }
        if security_group.rules:
            res['security_group_rules'] = [
--- a/neutron/extensions/security_groups_shared_filtering.py
+++ b/neutron/extensions/security_groups_shared_filtering.py
@ -0,0 +1,21 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron_lib.api import extensions
+
+from neutron.extensions import security_groups_shared_filtering_lib
+
+
+class Security_groups_shared_filtering(extensions.APIExtensionDescriptor):
+    """Extension class supporting filtering SGs depend on the shared field."""
+
+    api_definition = security_groups_shared_filtering_lib
--- a/neutron/extensions/security_groups_shared_filtering_lib.py
+++ b/neutron/extensions/security_groups_shared_filtering_lib.py
@ -0,0 +1,67 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+# NOTE(hangyang): This file can be removed once the api def is merged
+# to neutron-lib https://review.opendev.org/c/openstack/neutron-lib/+/812617
+
+from neutron_lib.api import converters
+from neutron_lib import constants
+
+
+# The alias of the extension.
+ALIAS = 'security-groups-shared-filtering'
+
+IS_SHIM_EXTENSION = False
+
+IS_STANDARD_ATTR_EXTENSION = False
+
+# The name of the extension.
+NAME = 'Security group filtering on the shared field'
+
+# The description of the extension.
+DESCRIPTION = "Support filtering security groups on the shared field"
+
+# A timestamp of when the extension was introduced.
+UPDATED_TIMESTAMP = "2021-10-05T09:00:00-00:00"
+
+# The resource attribute map for the extension.
+RESOURCE_ATTRIBUTE_MAP = {
+    'security_groups': {
+        constants.SHARED: {
+            'allow_post': False,
+            'allow_put': False,
+            'convert_to': converters.convert_to_boolean,
+            'is_visible': True,
+            'is_filter': True,
+            'required_by_policy': True,
+            'enforce_policy': True}
+    }
+}
+
+# The subresource attribute map for the extension.
+SUB_RESOURCE_ATTRIBUTE_MAP = {
+}
+
+# The action map.
+ACTION_MAP = {
+}
+
+# The action status.
+ACTION_STATUS = {
+}
+
+# The list of required extensions.
+REQUIRED_EXTENSIONS = ['rbac-security-groups']
+
+# The list of optional extensions.
+OPTIONAL_EXTENSIONS = [
+]
--- a/neutron/objects/securitygroup.py
+++ b/neutron/objects/securitygroup.py
@ -40,7 +40,8 @@ class SecurityGroup(rbac_db.NeutronRbacObject):
    # Version 1.2: Added stateful support
    # Version 1.3: Added support for remote_address_group_id in rules
    # Version 1.4: Added support for normalized_cidr in rules
-    VERSION = '1.4'
+    # Version 1.5: Make the shared field nullable
+    VERSION = '1.5'

    # required by RbacNeutronMetaclass
    rbac_db_cls = SecurityGroupRBAC
@ -50,7 +51,7 @@ class SecurityGroup(rbac_db.NeutronRbacObject):
        'id': common_types.UUIDField(),
        'name': obj_fields.StringField(nullable=True),
        'project_id': obj_fields.StringField(nullable=True),
-        'shared': obj_fields.BooleanField(default=False),
+        'shared': obj_fields.BooleanField(nullable=True),
        'stateful': obj_fields.BooleanField(default=True),
        'is_default': obj_fields.BooleanField(default=False),
        'rules': obj_fields.ListOfObjectsField(
--- a/neutron/plugins/ml2/plugin.py
+++ b/neutron/plugins/ml2/plugin.py
@ -121,6 +121,7 @@ from neutron.db import subnet_service_type_mixin
 from neutron.db import vlantransparent_db
 from neutron.extensions import dhcpagentscheduler as dhcp_ext
 from neutron.extensions import filter_validation
+from neutron.extensions import security_groups_shared_filtering_lib
 from neutron.extensions import vlantransparent
 from neutron.ipam import exceptions as ipam_exc
 from neutron.objects import base as base_obj
@ -216,6 +217,7 @@ class Ml2Plugin(db_base_plugin_v2.NeutronDbPluginV2,
                                    security_groups_normalized_cidr.ALIAS,
                                    security_groups_port_filtering.ALIAS,
                                    security_groups_remote_address_group.ALIAS,
+                                    security_groups_shared_filtering_lib.ALIAS,
                                    empty_string_filtering.ALIAS,
                                    filter_apidef.ALIAS,
                                    port_mac_address_regenerate.ALIAS,
--- a/neutron/tests/contrib/hooks/api_all_extensions
+++ b/neutron/tests/contrib/hooks/api_all_extensions
@ -55,6 +55,7 @@ NETWORK_API_EXTENSIONS+=",router-admin-state-down-before-update"
 NETWORK_API_EXTENSIONS+=",router_availability_zone"
 NETWORK_API_EXTENSIONS+=",security-group"
 NETWORK_API_EXTENSIONS+=",security-groups-remote-address-group"
+NETWORK_API_EXTENSIONS+=",security-groups-shared-filtering"
 NETWORK_API_EXTENSIONS+=",port-device-profile"
 NETWORK_API_EXTENSIONS+=",port-mac-address-regenerate"
 NETWORK_API_EXTENSIONS+=",port-numa-affinity-policy"
--- a/neutron/tests/unit/db/test_securitygroups_db.py
+++ b/neutron/tests/unit/db/test_securitygroups_db.py
@ -290,6 +290,7 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
            'description': 'Default security group',
            'stateful': mock.ANY,
            'standard_attr_id': mock.ANY,
+            'shared': False,
            'security_group_rules': [
                # Four rules for egress/ingress and ipv4/ipv6
                mock.ANY, mock.ANY, mock.ANY, mock.ANY,
--- a/neutron/tests/unit/extensions/test_securitygroup.py
+++ b/neutron/tests/unit/extensions/test_securitygroup.py
@ -17,6 +17,7 @@ import contextlib
 import copy
 from unittest import mock

+from neutron_lib.api.definitions import rbac_security_groups as rbac_sg_def
 from neutron_lib.api.definitions import security_groups_remote_address_group \
    as sgag_def
 from neutron_lib.api import validators
@ -35,6 +36,8 @@ from neutron.db import address_group_db
 from neutron.db import db_base_plugin_v2
 from neutron.db import securitygroups_db
 from neutron.extensions import address_group as ext_ag
+from neutron.extensions import security_groups_shared_filtering_lib \
+    as sg_shared_filter_def
 from neutron.extensions import securitygroup as ext_sg
 from neutron.extensions import standardattrdescription
 from neutron.tests import base
@ -68,6 +71,9 @@ class SecurityGroupTestExtensionManager(object):
        # update with the remote address group api definition
        ext_sg.Securitygroup().update_attributes_map(
            sgag_def.RESOURCE_ATTRIBUTE_MAP)
+        # update with the shared field api definition
+        ext_sg.Securitygroup().update_attributes_map(
+            sg_shared_filter_def.RESOURCE_ATTRIBUTE_MAP)
        return (ext_sg.Securitygroup.get_resources() +
                ext_ag.Address_group().get_resources())

@ -225,7 +231,9 @@ class SecurityGroupTestPlugin(db_base_plugin_v2.NeutronDbPluginV2,
    __native_pagination_support = True
    __native_sorting_support = True

-    supported_extension_aliases = ["security-group"]
+    supported_extension_aliases = [
+        "security-group", sgag_def.ALIAS,
+        rbac_sg_def.ALIAS, sg_shared_filter_def.ALIAS]

    def create_port(self, context, port):
        tenant_id = port['port']['tenant_id']
@ -289,7 +297,8 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
    def test_create_security_group(self):
        name = 'webservers'
        description = 'my webservers'
-        keys = [('name', name,), ('description', description)]
+        keys = [('name', name,), ('description', description),
+                ('shared', False)]
        with self.security_group(name, description) as security_group:
            for k, v, in keys:
                self.assertEqual(v, security_group['security_group'][k])
@ -498,6 +507,20 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
                                      security_groups,
                                      query_params='description=sg')

+    def test_list_security_groups_with_shared_filter_true(self):
+        with self.security_group(name='sg1', description='sg'):
+            security_groups = ()
+            self._test_list_resources('security-group',
+                                      security_groups,
+                                      query_params='name=sg1&shared=True')
+
+    def test_list_security_groups_with_shared_filter_false(self):
+        with self.security_group(name='sg1', description='sg') as sg1:
+            security_groups = (sg1, )
+            self._test_list_resources('security-group',
+                                      security_groups,
+                                      query_params='name=sg1&shared=False')
+
    def test_list_security_groups_with_sort(self):
        with self.security_group(name='sg1', description='sg') as sg1,\
                self.security_group(name='sg2', description='sg') as sg2,\
--- a/neutron/tests/unit/objects/test_objects.py
+++ b/neutron/tests/unit/objects/test_objects.py
@ -106,7 +106,7 @@ object_data = {
    'RouterL3AgentBinding': '1.0-c5ba6c95e3a4c1236a55f490cd67da82',
    'RouterPort': '1.0-c8c8f499bcdd59186fcd83f323106908',
    'RouterRoute': '1.0-07fc5337c801fb8c6ccfbcc5afb45907',
-    'SecurityGroup': '1.4-7b63b834e511856f54a09282d6843ecc',
+    'SecurityGroup': '1.5-7eb8e44c327512e7bb1759ab41ede44b',
    'SecurityGroupPortBinding': '1.0-6879d5c0af80396ef5a72934b6a6ef20',
    'SecurityGroupRBAC': '1.0-192845c5ed0718e1c54fac36936fcd7d',
    'SecurityGroupRule': '1.2-27793368d4ac35f2ed6e0bb653c6aaad',
--- a/releasenotes/notes/add-sg-shared-field-to-response-9ff6b49d36f4af4d.yaml
+++ b/releasenotes/notes/add-sg-shared-field-to-response-9ff6b49d36f4af4d.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Add the shared field to security group API responses and support
+    using shared as a query filter.
+    For more information see bug
+    `1942615 <https://bugs.launchpad.net/neutron/+bug/1942615>`_.