From 22dee90760bfca644812875921235f5178499f7e Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Sat, 21 Sep 2019 22:36:21 +0100 Subject: [PATCH] Remove 'os-security-group-default-rules' REST API This is a nova-network-only API. As with previously removed APIs, this API now returns a 410 response for all routes. There are some DB methods that were only used by this API. They will be removed separately in a future change. Change-Id: Iaa7fb6c548613164d33793822ee85339f9f7fefb 
Signed-off-by: Stephen Finucane --- api-ref/source/index.rst | 2 +- .../os-security-group-default-rules.inc | 22 +- .../compute/rest_api_version_history.rst | 18 +- .../compute/security_group_default_rules.py | 117 +----- nova/policies/__init__.py | 2 - nova/policies/security_group_default_rules.py | 56 --- ...ty-group-default-rules-create-req.json.tpl | 8 - ...y-group-default-rules-create-resp.json.tpl | 11 - ...ity-group-default-rules-list-resp.json.tpl | 13 - ...ity-group-default-rules-show-resp.json.tpl | 11 - .../test_security_group_default_rules.py | 24 +- .../test_security_group_default_rules.py | 366 ------------------ nova/tests/unit/fake_policy.py | 1 - nova/tests/unit/test_policy.py | 1 - .../remove-nova-network-c02953ba72a1795d.yaml | 16 + 15 files changed, 61 insertions(+), 607 deletions(-) delete mode 100644 nova/policies/security_group_default_rules.py delete mode 100644 nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-create-req.json.tpl delete mode 100644 nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-create-resp.json.tpl delete mode 100644 nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-list-resp.json.tpl delete mode 100644 nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-show-resp.json.tpl delete mode 100644 nova/tests/unit/api/openstack/compute/test_security_group_default_rules.py create mode 100644 releasenotes/notes/remove-nova-network-c02953ba72a1795d.yaml diff --git a/api-ref/source/index.rst b/api-ref/source/index.rst index b83346f4a721..c3fac8adcc9e 100644 --- a/api-ref/source/index.rst +++ b/api-ref/source/index.rst 
@@ -71,7 +71,6 @@ limited to some maximum microversion. .. include:: os-floating-ip-pools.inc .. include:: os-floating-ips.inc .. include:: os-security-groups.inc -.. include:: os-security-group-default-rules.inc .. include:: os-security-group-rules.inc .. include:: os-hosts.inc @@ -90,3 +89,4 @@ Compute API in the past, but no longer exist. .. include:: os-floating-ips-bulk.inc .. include:: os-floating-ip-dns.inc .. include:: os-cells.inc +.. include:: os-security-group-default-rules.inc diff --git a/api-ref/source/os-security-group-default-rules.inc b/api-ref/source/os-security-group-default-rules.inc index e2a9aba552e2..9d47f0ad25ea 100644 --- a/api-ref/source/os-security-group-default-rules.inc +++ b/api-ref/source/os-security-group-default-rules.inc @@ -1,17 +1,15 @@ .. -*- rst -*- -.. NOTE(gmann): These APIs are deprecated so do not update this - file even body, example or parameters are not complete. - -================================================================================ - Rules for default security group (os-security-group-default-rules) (DEPRECATED) -================================================================================ +==================================================================== + Rules for default security group (os-security-group-default-rules) +==================================================================== .. warning:: This API only available with ``nova-network`` which is deprecated. It should be avoided in any new applications. These will fail with a 404 starting from microversion 2.36. + They were completely removed in the 21.0.0 (Ussuri) release. Lists, shows information for, and creates default security group rules. 
@@ -24,7 +22,8 @@ Lists default security group rules. Normal response codes: 200 -Error response codes: unauthorized(401), forbidden(403), itemNotFound(404), notImplemented(501) +Error response codes: unauthorized(401), forbidden(403), itemNotFound(404), +gone(410), notImplemented(501) Response -------- @@ -53,7 +52,8 @@ Shows details for a security group rule. Normal response codes: 200 -Error response codes: badRequest(400), unauthorized(401), forbidden(403), itemNotFound(404), notImplemented(501) +Error response codes: badRequest(400), unauthorized(401), forbidden(403), +itemNotFound(404), gone(410), notImplemented(501) Request ------- @@ -92,7 +92,8 @@ IP protocol ( ``ip_protocol`` ) value. Otherwise, the operation returns the ``Ba Normal response codes: 200 -Error response codes: badRequest(400), unauthorized(401), forbidden(403), conflict(409), notImplemented(501) +Error response codes: badRequest(400), unauthorized(401), forbidden(403), +conflict(409), gone(410), notImplemented(501) Request ------- @@ -137,7 +138,8 @@ Deletes a security group rule. Normal response codes: 204 -Error response codes: badRequest(400), unauthorized(401), forbidden(403), itemNotFound(404), notImplemented(501) +Error response codes: badRequest(400), unauthorized(401), forbidden(403), +itemNotFound(404), gone(410), notImplemented(501) Request ------- diff --git a/nova/api/openstack/compute/rest_api_version_history.rst b/nova/api/openstack/compute/rest_api_version_history.rst index 6e51b98e115e..37194b74c928 100644 --- a/nova/api/openstack/compute/rest_api_version_history.rst +++ b/nova/api/openstack/compute/rest_api_version_history.rst 
@@ -415,11 +415,25 @@ API endpoints as below:: '/os-baremetal-nodes' '/os-fping' -.. note:: A `regression`_ was introduced in this microversion which broke the +.. note:: + + A `regression`__ was introduced in this microversion which broke the ``force`` parameter in the ``PUT /os-quota-sets`` API. The fix will have to be applied to restore this functionality. -.. _regression: https://bugs.launchpad.net/nova/+bug/1733886 + __ https://bugs.launchpad.net/nova/+bug/1733886 + +.. versionchanged:: 18.0.0 + + The ``os-fping`` API was completely removed in the 18.0.0 (Rocky) release. + On deployments newer than this, the API will return HTTP 410 (Gone) + regardless of the requested microversion. + +.. versionchanged:: 21.0.0 + + The ``os-security-group-default-rules`` API was completely removed in the + 21.0.0 (Ussuri) release. On deployments newer than this, the APIs will + return HTTP 410 (Gone) regadless of the requested microversion. 2.37 ---- diff --git a/nova/api/openstack/compute/security_group_default_rules.py b/nova/api/openstack/compute/security_group_default_rules.py index 358d6e9ae600..fa1b300e171f 100644 --- a/nova/api/openstack/compute/security_group_default_rules.py +++ b/nova/api/openstack/compute/security_group_default_rules.py 
@@ -14,121 +14,24 @@ from webob import exc -from nova.api.openstack.api_version_request \ - import MAX_PROXY_API_SUPPORT_VERSION -from nova.api.openstack.compute import security_groups as sg from nova.api.openstack import wsgi -from nova import exception -from nova.i18n import _ -from nova.network.security_group import openstack_driver -from nova.policies import security_group_default_rules as sgdr_policies -class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase, - wsgi.Controller): +class SecurityGroupDefaultRulesController(wsgi.Controller): + """(Removed) Controller for default project security groups.""" - def __init__(self): - super(SecurityGroupDefaultRulesController, self).__init__() - self.security_group_api = ( - openstack_driver.get_openstack_security_group_driver()) - - @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION) - @wsgi.expected_errors((400, 409, 501)) + @wsgi.expected_errors(410) def create(self, req, body): - context = req.environ['nova.context'] - context.can(sgdr_policies.BASE_POLICY_NAME) + raise exc.HTTPGone() - sg_rule = self._from_body(body, 'security_group_default_rule') - - try: - values = self._rule_args_to_dict(to_port=sg_rule.get('to_port'), - from_port=sg_rule.get('from_port'), - ip_protocol=sg_rule.get('ip_protocol'), - cidr=sg_rule.get('cidr')) - except (exception.InvalidCidr, - exception.InvalidInput, - exception.InvalidIpProtocol, - exception.InvalidPortRange) as ex: - raise exc.HTTPBadRequest(explanation=ex.format_message()) - - if values is None: - msg = _('Not enough parameters to build a valid rule.') - raise exc.HTTPBadRequest(explanation=msg) - - if self.security_group_api.default_rule_exists(context, values): - msg = _('This default rule already exists.') - raise exc.HTTPConflict(explanation=msg) - security_group_rule = self.security_group_api.add_default_rules( - context, [values])[0] - fmt_rule = self._format_security_group_default_rule( - security_group_rule) - return 
{'security_group_default_rule': fmt_rule} - - def _rule_args_to_dict(self, to_port=None, from_port=None, - ip_protocol=None, cidr=None): - cidr = self.security_group_api.parse_cidr(cidr) - return self.security_group_api.new_cidr_ingress_rule( - cidr, ip_protocol, from_port, to_port) - - @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION) - @wsgi.expected_errors((400, 404, 501)) + @wsgi.expected_errors(410) def show(self, req, id): - context = req.environ['nova.context'] - context.can(sgdr_policies.BASE_POLICY_NAME) + raise exc.HTTPGone() - try: - id = self.security_group_api.validate_id(id) - except exception.Invalid as ex: - raise exc.HTTPBadRequest(explanation=ex.format_message()) - - try: - rule = self.security_group_api.get_default_rule(context, id) - except exception.SecurityGroupDefaultRuleNotFound as ex: - raise exc.HTTPNotFound(explanation=ex.format_message()) - - fmt_rule = self._format_security_group_default_rule(rule) - return {"security_group_default_rule": fmt_rule} - - @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION) - @wsgi.expected_errors((400, 404, 501)) - @wsgi.response(204) + @wsgi.expected_errors(410) def delete(self, req, id): - context = req.environ['nova.context'] - context.can(sgdr_policies.BASE_POLICY_NAME) + raise exc.HTTPGone() - try: - id = self.security_group_api.validate_id(id) - except exception.Invalid as ex: - raise exc.HTTPBadRequest(explanation=ex.format_message()) - - try: - rule = self.security_group_api.get_default_rule(context, id) - self.security_group_api.remove_default_rules(context, [rule['id']]) - except exception.SecurityGroupDefaultRuleNotFound as ex: - raise exc.HTTPNotFound(explanation=ex.format_message()) - - @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION) - @wsgi.expected_errors((404, 501)) + @wsgi.expected_errors(410) def index(self, req): - context = req.environ['nova.context'] - context.can(sgdr_policies.BASE_POLICY_NAME) - - ret = 
{'security_group_default_rules': []} - try: - for rule in self.security_group_api.get_all_default_rules(context): - rule_fmt = self._format_security_group_default_rule(rule) - ret['security_group_default_rules'].append(rule_fmt) - except exception.SecurityGroupDefaultRuleNotFound as ex: - raise exc.HTTPNotFound(explanation=ex.format_message()) - - return ret - - def _format_security_group_default_rule(self, rule): - sg_rule = {} - sg_rule['id'] = rule['id'] - sg_rule['ip_protocol'] = rule['protocol'] - sg_rule['from_port'] = rule['from_port'] - sg_rule['to_port'] = rule['to_port'] - sg_rule['ip_range'] = {} - sg_rule['ip_range'] = {'cidr': rule['cidr']} - return sg_rule + raise exc.HTTPGone() diff --git a/nova/policies/__init__.py b/nova/policies/__init__.py index d82ad6d1ab5f..de2deb86a4c5 100644 --- a/nova/policies/__init__.py +++ b/nova/policies/__init__.py @@ -53,7 +53,6 @@ from nova.policies import quota_class_sets from nova.policies import quota_sets from nova.policies import remote_consoles from nova.policies import rescue -from nova.policies import security_group_default_rules from nova.policies import security_groups from nova.policies import server_diagnostics from nova.policies import server_external_events @@ -116,7 +115,6 @@ def list_rules(): quota_sets.list_rules(), remote_consoles.list_rules(), rescue.list_rules(), - security_group_default_rules.list_rules(), security_groups.list_rules(), server_diagnostics.list_rules(), server_external_events.list_rules(), diff --git a/nova/policies/security_group_default_rules.py b/nova/policies/security_group_default_rules.py deleted file mode 100644 index 43e634bc35b1..000000000000 --- a/nova/policies/security_group_default_rules.py +++ /dev/null 
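Review bot: The four handlers in `SecurityGroupDefaultRulesController` now `raise exc.HTTPGone()` unconditionally, which removes the only REST path for listing or deleting default rules while, per the commit message, the DB methods behind them stay in place for now. The deleted unit test `test_security_group_ensure_default` suggests that stored default rules are copied into a new project's default security group, so on a deployment that still holds such rows they may keep being applied with no API left to audit or remove them; this is inferred from that test and is not visible in this hunk. I would state this in the upgrade release note, e.g. `Default rules previously created through this API remain in the database until the related DB methods are removed; review them before upgrading.`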
@@ -1,56 +0,0 @@ -# Copyright 2016 Cloudbase Solutions Srl -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from oslo_policy import policy - -from nova.policies import base - - -BASE_POLICY_NAME = 'os_compute_api:os-security-group-default-rules' - - -security_group_default_rules_policies = [ - policy.DocumentedRuleDefault( - BASE_POLICY_NAME, - base.RULE_ADMIN_API, - """List, show information for, create, or delete default security -group rules. - -These APIs are only available with nova-network which is now deprecated.""", - [ - { - 'method': 'GET', - 'path': '/os-security-group-default-rules' - }, - { - 'method': 'GET', - 'path': '/os-security-group-default-rules' - '/{security_group_default_rule_id}' - }, - { - 'method': 'POST', - 'path': '/os-security-group-default-rules' - }, - { - 'method': 'DELETE', - 'path': '/os-security-group-default-rules' - '/{security_group_default_rule_id}' - } - ]), -] - - -def list_rules(): - return security_group_default_rules_policies diff --git a/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-create-req.json.tpl b/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-create-req.json.tpl deleted file mode 100644 index 8836d0eeccfd..000000000000 
--- a/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-create-req.json.tpl +++ /dev/null @@ -1,8 +0,0 @@ -{ - "security_group_default_rule": { - "ip_protocol": "TCP", - "from_port": "80", - "to_port": "80", - "cidr": "10.10.10.0/24" - } -} \ No newline at end of file diff --git a/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-create-resp.json.tpl b/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-create-resp.json.tpl deleted file mode 100644 index ae6c62bfd670..000000000000 --- a/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-create-resp.json.tpl +++ /dev/null @@ -1,11 +0,0 @@ -{ - "security_group_default_rule": { - "from_port": 80, - "id": 1, - "ip_protocol": "TCP", - "ip_range":{ - "cidr": "10.10.10.0/24" - }, - "to_port": 80 - } -} \ No newline at end of file diff --git a/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-list-resp.json.tpl b/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-list-resp.json.tpl deleted file mode 100644 index c083640c3e70..000000000000 --- a/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-list-resp.json.tpl +++ /dev/null @@ -1,13 +0,0 @@ -{ - "security_group_default_rules": [ - { - "from_port": 80, - "id": 1, - "ip_protocol": "TCP", - "ip_range": { - "cidr": "10.10.10.0/24" - }, - "to_port": 80 - } - ] -} \ No newline at end of file 
diff --git a/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-show-resp.json.tpl b/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-show-resp.json.tpl deleted file mode 100644 index 97b5259a181b..000000000000 --- a/nova/tests/functional/api_sample_tests/api_samples/os-security-group-default-rules/security-group-default-rules-show-resp.json.tpl +++ /dev/null @@ -1,11 +0,0 @@ -{ - "security_group_default_rule": { - "id": 1, - "from_port": 80, - "to_port": 80, - "ip_protocol": "TCP", - "ip_range": { - "cidr": "10.10.10.0/24" - } - } -} \ No newline at end of file diff --git a/nova/tests/functional/api_sample_tests/test_security_group_default_rules.py b/nova/tests/functional/api_sample_tests/test_security_group_default_rules.py index 4344da75596a..5ae59fc750d4 100644 --- a/nova/tests/functional/api_sample_tests/test_security_group_default_rules.py +++ b/nova/tests/functional/api_sample_tests/test_security_group_default_rules.py 
@@ -15,29 +15,17 @@ from nova.tests.functional.api_sample_tests import api_sample_base -# TODO(stephenfin): Remove this API since it's nova-network only class SecurityGroupDefaultRulesSampleJsonTest( api_sample_base.ApiSampleTestBaseV21): - USE_NEUTRON = False # nova-net only - ADMIN_API = True - sample_dir = 'os-security-group-default-rules' def test_security_group_default_rules_create(self): - response = self._do_post('os-security-group-default-rules', - 'security-group-default-rules-create-req', - {}) - self._verify_response('security-group-default-rules-create-resp', - {}, response, 200) + self.api.api_post('os-security-group-default-rules', {}, + check_response_status=[410]) def test_security_group_default_rules_list(self): - self.test_security_group_default_rules_create() - response = self._do_get('os-security-group-default-rules') - self._verify_response('security-group-default-rules-list-resp', - {}, response, 200) + self.api.api_get('os-security-group-default-rules', + check_response_status=[410]) def test_security_group_default_rules_show(self): - self.test_security_group_default_rules_create() - rule_id = '1' - response = self._do_get('os-security-group-default-rules/%s' % rule_id) - self._verify_response('security-group-default-rules-show-resp', - {}, response, 200) + self.api.api_get('os-security-group-default-rules/1', + check_response_status=[410]) diff --git a/nova/tests/unit/api/openstack/compute/test_security_group_default_rules.py b/nova/tests/unit/api/openstack/compute/test_security_group_default_rules.py deleted file mode 100644 index edfebb5f3d09..000000000000 --- a/nova/tests/unit/api/openstack/compute/test_security_group_default_rules.py +++ /dev/null 
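Review bot: `DELETE /os-security-group-default-rules/{id}` has no 410 test in `SecurityGroupDefaultRulesSampleJsonTest`, although the release note lists it among the removed routes and the controller keeps a `delete` handler; the three tests here cover POST and the two GETs only. Because the unit test module that exercised `delete` is removed in the same commit, nothing visible in this patch asserts that the mutating route is gone. I would add `def test_security_group_default_rules_delete(self):` with the body `self.api.api_delete('os-security-group-default-rules/1', check_response_status=[410])`, assuming the test client offers an `api_delete` counterpart to the `api_get`/`api_post` calls used in this hunk.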
@@ -1,366 +0,0 @@ -# Copyright 2013 Metacloud, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import mock -import webob - -from nova.api.openstack.compute import \ - security_group_default_rules as security_group_default_rules_v21 -from nova import context -import nova.db.api -from nova import exception -from nova import test -from nova.tests.unit.api.openstack import fakes - - -class AttrDict(dict): - def __getattr__(self, k): - return self[k] - - -def security_group_default_rule_template(**kwargs): - rule = kwargs.copy() - rule.setdefault('ip_protocol', 'TCP') - rule.setdefault('from_port', 22) - rule.setdefault('to_port', 22) - rule.setdefault('cidr', '10.10.10.0/24') - return rule - - -def security_group_default_rule_db(security_group_default_rule, id=None): - attrs = security_group_default_rule.copy() - if id is not None: - attrs['id'] = id - return AttrDict(attrs) - - -class TestSecurityGroupDefaultRulesNeutronV21(test.TestCase): - controller_cls = (security_group_default_rules_v21. 
- SecurityGroupDefaultRulesController) - - def setUp(self): - self.flags(use_neutron=True) - super(TestSecurityGroupDefaultRulesNeutronV21, self).setUp() - self.controller = self.controller_cls() - - def test_create_security_group_default_rule_not_implemented_neutron(self): - sgr = security_group_default_rule_template() - req = fakes.HTTPRequest.blank( - '/v2/%s/os-security-group-default-rules' % fakes.FAKE_PROJECT_ID, - use_admin_context=True) - self.assertRaises(webob.exc.HTTPNotImplemented, self.controller.create, - req, {'security_group_default_rule': sgr}) - - def test_security_group_default_rules_list_not_implemented_neutron(self): - req = fakes.HTTPRequest.blank( - '/v2/%s/os-security-group-default-rules' % fakes.FAKE_PROJECT_ID, - use_admin_context=True) - self.assertRaises(webob.exc.HTTPNotImplemented, self.controller.index, - req) - - def test_security_group_default_rules_show_not_implemented_neutron(self): - req = fakes.HTTPRequest.blank( - '/v2/%s/os-security-group-default-rules' % fakes.FAKE_PROJECT_ID, - use_admin_context=True) - self.assertRaises(webob.exc.HTTPNotImplemented, self.controller.show, - req, '602ed77c-a076-4f9b-a617-f93b847b62c5') - - def test_security_group_default_rules_delete_not_implemented_neutron(self): - req = fakes.HTTPRequest.blank( - '/v2/%s/os-security-group-default-rules' % fakes.FAKE_PROJECT_ID, - use_admin_context=True) - self.assertRaises(webob.exc.HTTPNotImplemented, self.controller.delete, - req, '602ed77c-a076-4f9b-a617-f93b847b62c5') - - -class TestSecurityGroupDefaultRulesV21(test.TestCase): - controller_cls = (security_group_default_rules_v21. 
- SecurityGroupDefaultRulesController) - - def setUp(self): - super(TestSecurityGroupDefaultRulesV21, self).setUp() - self.flags(use_neutron=False) - self.controller = self.controller_cls() - self.req = fakes.HTTPRequest.blank( - '/v2/%s/os-security-group-default-rules' % fakes.FAKE_PROJECT_ID) - - def test_create_security_group_default_rule(self): - sgr = security_group_default_rule_template() - - sgr_dict = dict(security_group_default_rule=sgr) - res_dict = self.controller.create(self.req, sgr_dict) - security_group_default_rule = res_dict['security_group_default_rule'] - self.assertEqual(security_group_default_rule['ip_protocol'], - sgr['ip_protocol']) - self.assertEqual(security_group_default_rule['from_port'], - sgr['from_port']) - self.assertEqual(security_group_default_rule['to_port'], - sgr['to_port']) - self.assertEqual(security_group_default_rule['ip_range']['cidr'], - sgr['cidr']) - - def test_create_security_group_default_rule_with_no_to_port(self): - sgr = security_group_default_rule_template() - del sgr['to_port'] - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_with_no_from_port(self): - sgr = security_group_default_rule_template() - del sgr['from_port'] - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_with_no_ip_protocol(self): - sgr = security_group_default_rule_template() - del sgr['ip_protocol'] - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_with_no_cidr(self): - sgr = security_group_default_rule_template() - del sgr['cidr'] - - res_dict = self.controller.create(self.req, - {'security_group_default_rule': sgr}) - security_group_default_rule = res_dict['security_group_default_rule'] - 
self.assertNotEqual(security_group_default_rule['id'], 0) - self.assertEqual(security_group_default_rule['ip_range']['cidr'], - '0.0.0.0/0') - - def test_create_security_group_default_rule_with_blank_to_port(self): - sgr = security_group_default_rule_template(to_port='') - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_with_blank_from_port(self): - sgr = security_group_default_rule_template(from_port='') - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_with_blank_ip_protocol(self): - sgr = security_group_default_rule_template(ip_protocol='') - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_with_blank_cidr(self): - sgr = security_group_default_rule_template(cidr='') - - res_dict = self.controller.create(self.req, - {'security_group_default_rule': sgr}) - security_group_default_rule = res_dict['security_group_default_rule'] - self.assertNotEqual(security_group_default_rule['id'], 0) - self.assertEqual(security_group_default_rule['ip_range']['cidr'], - '0.0.0.0/0') - - def test_create_security_group_default_rule_non_numerical_to_port(self): - sgr = security_group_default_rule_template(to_port='invalid') - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_non_numerical_from_port(self): - sgr = security_group_default_rule_template(from_port='invalid') - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_invalid_ip_protocol(self): - sgr = 
security_group_default_rule_template(ip_protocol='invalid') - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_invalid_cidr(self): - sgr = security_group_default_rule_template(cidr='10.10.2222.0/24') - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_invalid_to_port(self): - sgr = security_group_default_rule_template(to_port='666666') - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_invalid_from_port(self): - sgr = security_group_default_rule_template(from_port='666666') - - self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_create_security_group_default_rule_with_no_body(self): - self.assertRaises(webob.exc.HTTPBadRequest, - self.controller.create, self.req, None) - - def test_create_duplicate_security_group_default_rule(self): - sgr = security_group_default_rule_template() - - self.controller.create(self.req, {'security_group_default_rule': sgr}) - - self.assertRaises(webob.exc.HTTPConflict, self.controller.create, - self.req, {'security_group_default_rule': sgr}) - - def test_security_group_default_rules_list(self): - self.test_create_security_group_default_rule() - rules = [dict(id=1, - ip_protocol='TCP', - from_port=22, - to_port=22, - ip_range=dict(cidr='10.10.10.0/24'))] - expected = {'security_group_default_rules': rules} - - res_dict = self.controller.index(self.req) - self.assertEqual(res_dict, expected) - - @mock.patch('nova.db.api.security_group_default_rule_list', - side_effect=(exception. 
- SecurityGroupDefaultRuleNotFound("Rule Not Found"))) - def test_non_existing_security_group_default_rules_list(self, - mock_sec_grp_rule): - self.assertRaises(webob.exc.HTTPNotFound, - self.controller.index, self.req) - - def test_default_security_group_default_rule_show(self): - sgr = security_group_default_rule_template(id=1) - - self.test_create_security_group_default_rule() - - res_dict = self.controller.show(self.req, '1') - - security_group_default_rule = res_dict['security_group_default_rule'] - - self.assertEqual(security_group_default_rule['ip_protocol'], - sgr['ip_protocol']) - self.assertEqual(security_group_default_rule['to_port'], - sgr['to_port']) - self.assertEqual(security_group_default_rule['from_port'], - sgr['from_port']) - self.assertEqual(security_group_default_rule['ip_range']['cidr'], - sgr['cidr']) - - @mock.patch('nova.db.api.security_group_default_rule_get', - side_effect=(exception. - SecurityGroupDefaultRuleNotFound("Rule Not Found"))) - def test_non_existing_security_group_default_rule_show(self, - mock_sec_grp_rule): - self.assertRaises(webob.exc.HTTPNotFound, - self.controller.show, self.req, '1') - - def test_delete_security_group_default_rule(self): - sgr = security_group_default_rule_template(id=1) - - self.test_create_security_group_default_rule() - - self.called = False - - def security_group_default_rule_destroy(context, id): - self.called = True - - def return_security_group_default_rule(context, id): - self.assertEqual(sgr['id'], id) - return security_group_default_rule_db(sgr) - - self.stub_out('nova.db.api.security_group_default_rule_destroy', - security_group_default_rule_destroy) - self.stub_out('nova.db.api.security_group_default_rule_get', - return_security_group_default_rule) - - self.controller.delete(self.req, '1') - - self.assertTrue(self.called) - - @mock.patch('nova.db.api.security_group_default_rule_destroy', - side_effect=(exception. 
- SecurityGroupDefaultRuleNotFound("Rule Not Found"))) - def test_non_existing_security_group_default_rule_delete( - self, mock_sec_grp_rule): - self.assertRaises(webob.exc.HTTPNotFound, - self.controller.delete, self.req, '1') - - def test_security_group_ensure_default(self): - sgr = security_group_default_rule_template(id=1) - self.test_create_security_group_default_rule() - - ctxt = context.get_admin_context() - - setattr(ctxt, 'project_id', 'new_project_id') - - sg = nova.db.api.security_group_ensure_default(ctxt) - rules = nova.db.api.security_group_rule_get_by_security_group( - ctxt, sg.id) - security_group_rule = rules[0] - self.assertEqual(sgr['id'], security_group_rule.id) - self.assertEqual(sgr['ip_protocol'], security_group_rule.protocol) - self.assertEqual(sgr['from_port'], security_group_rule.from_port) - self.assertEqual(sgr['to_port'], security_group_rule.to_port) - self.assertEqual(sgr['cidr'], security_group_rule.cidr) - - -class SecurityGroupDefaultRulesPolicyEnforcementV21(test.NoDBTestCase): - - def setUp(self): - super(SecurityGroupDefaultRulesPolicyEnforcementV21, self).setUp() - self.controller = (security_group_default_rules_v21. - SecurityGroupDefaultRulesController()) - self.req = fakes.HTTPRequest.blank('') - - def _common_policy_check(self, func, *arg, **kwarg): - rule_name = "os_compute_api:os-security-group-default-rules" - rule = {rule_name: "project:non_fake"} - self.policy.set_rules(rule) - exc = self.assertRaises( - exception.PolicyNotAuthorized, func, *arg, **kwarg) - self.assertEqual( - "Policy doesn't allow %s to be performed." 
% - rule_name, exc.format_message()) - - def test_create_policy_failed(self): - self._common_policy_check(self.controller.create, self.req, {}) - - def test_show_policy_failed(self): - self._common_policy_check( - self.controller.show, self.req, fakes.FAKE_UUID) - - def test_delete_policy_failed(self): - self._common_policy_check( - self.controller.delete, self.req, fakes.FAKE_UUID) - - def test_index_policy_failed(self): - self._common_policy_check(self.controller.index, self.req) - - -class TestSecurityGroupDefaultRulesDeprecation(test.NoDBTestCase): - - def setUp(self): - super(TestSecurityGroupDefaultRulesDeprecation, self).setUp() - self.req = fakes.HTTPRequest.blank('', version='2.36') - self.controller = (security_group_default_rules_v21. - SecurityGroupDefaultRulesController()) - - def test_all_apis_return_not_found(self): - self.assertRaises(exception.VersionNotFoundForAPIMethod, - self.controller.create, self.req, {}) - self.assertRaises(exception.VersionNotFoundForAPIMethod, - self.controller.show, self.req, fakes.FAKE_UUID) - self.assertRaises(exception.VersionNotFoundForAPIMethod, - self.controller.delete, self.req, fakes.FAKE_UUID) - self.assertRaises(exception.VersionNotFoundForAPIMethod, - self.controller.index, self.req) diff --git a/nova/tests/unit/fake_policy.py b/nova/tests/unit/fake_policy.py index b57ce60d67fe..53a5336ce2c7 100644 --- a/nova/tests/unit/fake_policy.py +++ b/nova/tests/unit/fake_policy.py @@ -71,7 +71,6 @@ policy_data = """ "os_compute_api:os-quota-class-sets:update": "", "os_compute_api:os-quota-class-sets:show": "", "os_compute_api:os-rescue": "", - "os_compute_api:os-security-group-default-rules": "", "os_compute_api:os-server-diagnostics": "", "os_compute_api:os-server-password": "", "os_compute_api:os-server-tags:index": "", diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py index fe4a852dcce8..e261d59b0dbf 100644 --- a/nova/tests/unit/test_policy.py +++ b/nova/tests/unit/test_policy.py 
@@ -350,7 +350,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase): "os_compute_api:os-networks-associate", "os_compute_api:os-quota-sets:update", "os_compute_api:os-quota-sets:delete", -"os_compute_api:os-security-group-default-rules", "os_compute_api:os-server-diagnostics", "os_compute_api:os-services", "os_compute_api:os-shelve:shelve_offload", diff --git a/releasenotes/notes/remove-nova-network-c02953ba72a1795d.yaml b/releasenotes/notes/remove-nova-network-c02953ba72a1795d.yaml new file mode 100644 index 000000000000..fa63e969ffe0 --- /dev/null +++ b/releasenotes/notes/remove-nova-network-c02953ba72a1795d.yaml @@ -0,0 +1,16 @@ +--- +upgrade: + - | + The *nova-network* feature has been deprecated since the 14.0.0 (Newton) + release and has now been removed. The remaining *nova-network* specific + REST APIs have been removed along with their related policy rules. Calling + these APIs will now result in a ``410 (Gone)`` error response. + + * ``GET /os-security-group-default-rules`` + * ``POST /os-security-group-default-rules`` + * ``GET /os-security-group-default-rules/{id}`` + * ``DELETE /os-security-group-default-rules/{id}`` + + The following policies have also been removed. + + * ``os_compute_api:os-security-group-default-rules``