openstack/nova
Code Issues Proposed changes

Implement rules_exist method for quantum security group driver

Browse Source 
Originally I thought the quantum security group driver should
not enforce rules exist on the nova-api side and instead it should
just forward the request to quantum which would return the error.
That said there is no extra cost to doing this on the nova-api side
as nova-api already queries for the group before adding the rule.

In addition, rules_exists() is used in revoke_security_group_ingress()
for the ec2 compat APIs so this needs to be implemented.

This patch moves create_security_group_rule() and rule_exists() from
nova/compute/api.py to nova/network/security_group/security_group_base.py
as the same code can be leveraged in both places.

Fixes bug 1136345

Change-Id: I444ffc2b53b30ed496b6e3250433d14f316e594d
This commit is contained in:
Aaron Rosen
2013-02-28 14:47:11 -08:00
parent 35b2b2c5c4
commit 5a2b9d7e95
4 changed files with 49 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
nova/compute/api.py
View File

@@ -2987,21 +2987,6 @@ class SecurityGroupAPI(base.Base, security_group_base.SecurityGroupBase):
self.trigger_handler('instance_remove_security_group', self.trigger_handler('instance_remove_security_group',
context, instance, security_group_name) context, instance, security_group_name)
def rule_exists(self, security_group, new_rule):
"""Indicates whether the specified rule is already
defined in the given security group.
"""
for rule in security_group['rules']:
is_duplicate = True
keys = ('group_id', 'cidr', 'from_port', 'to_port', 'protocol')
for key in keys:
if rule.get(key) != new_rule.get(key):
is_duplicate = False
break
if is_duplicate:
return rule.get('id') or True
return False
def get_rule(self, context, id): def get_rule(self, context, id):
self.ensure_default(context) self.ensure_default(context)
try: try:
@@ -3094,15 +3079,6 @@ class SecurityGroupAPI(base.Base, security_group_base.SecurityGroupBase):
msg = _("Security group id should be integer") msg = _("Security group id should be integer")
self.raise_invalid_property(msg) self.raise_invalid_property(msg)
def create_security_group_rule(self, context, security_group, new_rule):
if self.rule_exists(security_group, new_rule):
msg = (_('This rule already exists in group %s') %
new_rule['parent_group_id'])
self.raise_group_already_exists(msg)
return self.add_rules(context, new_rule['parent_group_id'],
security_group['name'],
[new_rule])[0]
def trigger_handler(self, event, *args): def trigger_handler(self, event, *args):
handle = getattr(self.sgh, 'trigger_%s_refresh' % event) handle = getattr(self.sgh, 'trigger_%s_refresh' % event)
handle(*args) handle(*args)

8
nova/network/security_group/quantum_driver.py
View File

@@ -215,10 +215,6 @@ class SecurityGroupAPI(security_group_base.SecurityGroupBase):
new_rules.append(new_rule) new_rules.append(new_rule)
return {'security_group_rules': new_rules} return {'security_group_rules': new_rules}
def create_security_group_rule(self, context, security_group, new_rule):
return self.add_rules(context, new_rule['parent_group_id'],
security_group['name'], [new_rule])[0]
def remove_rules(self, context, security_group, rule_ids): def remove_rules(self, context, security_group, rule_ids):
quantum = quantumv2.get_client(context) quantum = quantumv2.get_client(context)
rule_ids = set(rule_ids) rule_ids = set(rule_ids)
@@ -396,10 +392,6 @@ class SecurityGroupAPI(security_group_base.SecurityGroupBase):
'instance': instance['uuid']}) 'instance': instance['uuid']})
self.raise_not_found(msg) self.raise_not_found(msg)
def rule_exists(self, security_group, new_rule):
# Handled by quantum
pass
def populate_security_groups(self, instance, security_groups): def populate_security_groups(self, instance, security_groups):
# Setting to emply list since we do not want to populate this field # Setting to emply list since we do not want to populate this field
# in the nova database if using the quantum driver # in the nova database if using the quantum driver

30
nova/network/security_group/security_group_base.py
View File

@@ -132,6 +132,30 @@ class SecurityGroupBase(object):
return values return values
def create_security_group_rule(self, context, security_group, new_rule):
if self.rule_exists(security_group, new_rule):
msg = (_('This rule already exists in group %s') %
new_rule['parent_group_id'])
self.raise_group_already_exists(msg)
return self.add_rules(context, new_rule['parent_group_id'],
security_group['name'],
[new_rule])[0]
def rule_exists(self, security_group, new_rule):
"""Indicates whether the specified rule is already
defined in the given security group.
"""
for rule in security_group['rules']:
is_duplicate = True
keys = ('group_id', 'cidr', 'from_port', 'to_port', 'protocol')
for key in keys:
if rule.get(key) != new_rule.get(key):
is_duplicate = False
break
if is_duplicate:
return rule.get('id') or True
return False
def validate_property(self, value, property, allowed): def validate_property(self, value, property, allowed):
pass pass
@@ -174,9 +198,6 @@ class SecurityGroupBase(object):
def add_rules(self, context, id, name, vals): def add_rules(self, context, id, name, vals):
raise NotImplementedError() raise NotImplementedError()
def create_security_group_rule(self, context, security_group, new_rule):
raise NotImplementedError()
def remove_rules(self, context, security_group, rule_ids): def remove_rules(self, context, security_group, rule_ids):
raise NotImplementedError() raise NotImplementedError()
@@ -192,9 +213,6 @@ class SecurityGroupBase(object):
def remove_from_instance(self, context, instance, security_group_name): def remove_from_instance(self, context, instance, security_group_name):
raise NotImplementedError() raise NotImplementedError()
def rule_exists(self, security_group, new_rule):
raise NotImplementedError()
@staticmethod @staticmethod
def raise_invalid_property(msg): def raise_invalid_property(msg):
raise NotImplementedError() raise NotImplementedError()

31
nova/tests/api/openstack/compute/contrib/test_quantum_security_groups.py
View File

@@ -237,6 +237,7 @@ class TestQuantumSecurityGroupRulesTestCase(TestQuantumSecurityGroupsTestCase):
id2 = '22222222-2222-2222-2222-222222222222' id2 = '22222222-2222-2222-2222-222222222222'
sg_template2 = test_security_groups.security_group_template( sg_template2 = test_security_groups.security_group_template(
security_group_rules=[], id=id2) security_group_rules=[], id=id2)
self.controller_sg = security_groups.SecurityGroupController()
quantum = get_client() quantum = get_client()
quantum._fake_security_groups[id1] = sg_template1 quantum._fake_security_groups[id1] = sg_template1
quantum._fake_security_groups[id2] = sg_template2 quantum._fake_security_groups[id2] = sg_template2
@@ -252,12 +253,26 @@ class TestQuantumSecurityGroupRules(
TestQuantumSecurityGroupRulesTestCase): TestQuantumSecurityGroupRulesTestCase):
def test_create_add_existing_rules_by_cidr(self): def test_create_add_existing_rules_by_cidr(self):
# Enforced by quantum sg = test_security_groups.security_group_template()
pass req = fakes.HTTPRequest.blank('/v2/fake/os-security-groups')
self.controller_sg.create(req, {'security_group': sg})
rule = test_security_groups.security_group_rule_template(
cidr='15.0.0.0/8', parent_group_id=self.sg2['id'])
req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules')
self.controller.create(req, {'security_group_rule': rule})
self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
req, {'security_group_rule': rule})
def test_create_add_existing_rules_by_group_id(self): def test_create_add_existing_rules_by_group_id(self):
# Enforced by quantum sg = test_security_groups.security_group_template()
pass req = fakes.HTTPRequest.blank('/v2/fake/os-security-groups')
self.controller_sg.create(req, {'security_group': sg})
rule = test_security_groups.security_group_rule_template(
group=self.sg1['id'], parent_group_id=self.sg2['id'])
req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules')
self.controller.create(req, {'security_group_rule': rule})
self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
req, {'security_group_rule': rule})
def test_delete(self): def test_delete(self):
rule = test_security_groups.security_group_rule_template( rule = test_security_groups.security_group_rule_template(
@@ -528,11 +543,15 @@ class MockClient(object):
def show_security_group(self, security_group, **_params): def show_security_group(self, security_group, **_params):
try: try:
return {'security_group': sg = self._fake_security_groups[security_group]
self._fake_security_groups[security_group]}
except KeyError: except KeyError:
msg = 'Security Group %s not found' % security_group msg = 'Security Group %s not found' % security_group
raise q_exc.QuantumClientException(message=msg, status_code=404) raise q_exc.QuantumClientException(message=msg, status_code=404)
for security_group_rule in self._fake_security_group_rules.values():
if security_group_rule['security_group_id'] == sg['id']:
sg['security_group_rules'].append(security_group_rule)
return {'security_group': sg}
def show_security_group_rule(self, security_group_rule, **_params): def show_security_group_rule(self, security_group_rule, **_params):
try: try: