OpenStack Compute (Nova)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

581 lines
25KB

  1. # Copyright 2013 Nicira, Inc.
  2. # All Rights Reserved
  3. #
  4. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  5. # not use this file except in compliance with the License. You may obtain
  6. # a copy of the License at
  7. #
  8. # http://www.apache.org/licenses/LICENSE-2.0
  9. #
  10. # Unless required by applicable law or agreed to in writing, software
  11. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  12. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  13. # License for the specific language governing permissions and limitations
  14. # under the License.
  15. import sys
  16. import netaddr
  17. from neutronclient.common import exceptions as n_exc
  18. from neutronclient.neutron import v2_0 as neutronv20
  19. from oslo_log import log as logging
  20. from oslo_utils import excutils
  21. from oslo_utils import uuidutils
  22. import six
  23. from webob import exc
  24. from nova import exception
  25. from nova.i18n import _
  26. from nova.network.neutronv2 import api as neutronapi
  27. from nova.network.security_group import security_group_base
  28. from nova import utils
  29. LOG = logging.getLogger(__name__)
  30. # NOTE: Neutron client has a max URL length of 8192, so we have
  31. # to limit the number of IDs we include in any single search. Really
  32. # doesn't seem to be any point in making this a config value.
  33. MAX_SEARCH_IDS = 150
  34. class SecurityGroupAPI(security_group_base.SecurityGroupBase):
  35. id_is_uuid = True
  36. def create_security_group(self, context, name, description):
  37. neutron = neutronapi.get_client(context)
  38. body = self._make_neutron_security_group_dict(name, description)
  39. try:
  40. security_group = neutron.create_security_group(
  41. body).get('security_group')
  42. except n_exc.BadRequest as e:
  43. raise exception.Invalid(six.text_type(e))
  44. except n_exc.NeutronClientException as e:
  45. exc_info = sys.exc_info()
  46. LOG.exception("Neutron Error creating security group %s", name)
  47. if e.status_code == 401:
  48. # TODO(arosen) Cannot raise generic response from neutron here
  49. # as this error code could be related to bad input or over
  50. # quota
  51. raise exc.HTTPBadRequest()
  52. elif e.status_code == 409:
  53. self.raise_over_quota(six.text_type(e))
  54. six.reraise(*exc_info)
  55. return self._convert_to_nova_security_group_format(security_group)
  56. def update_security_group(self, context, security_group,
  57. name, description):
  58. neutron = neutronapi.get_client(context)
  59. body = self._make_neutron_security_group_dict(name, description)
  60. try:
  61. security_group = neutron.update_security_group(
  62. security_group['id'], body).get('security_group')
  63. except n_exc.NeutronClientException as e:
  64. exc_info = sys.exc_info()
  65. LOG.exception("Neutron Error updating security group %s", name)
  66. if e.status_code == 401:
  67. # TODO(arosen) Cannot raise generic response from neutron here
  68. # as this error code could be related to bad input or over
  69. # quota
  70. raise exc.HTTPBadRequest()
  71. six.reraise(*exc_info)
  72. return self._convert_to_nova_security_group_format(security_group)
  73. def validate_property(self, value, property, allowed):
  74. """Validate given security group property.
  75. :param value: the value to validate, as a string or unicode
  76. :param property: the property, either 'name' or 'description'
  77. :param allowed: the range of characters allowed, but not used because
  78. Neutron is allowing any characters.
  79. """
  80. # NOTE: If using nova-network as the backend, min_length is 1. However
  81. # if using Neutron, Nova has allowed empty string as its history.
  82. # So this min_length should be 0 for passing the existing requests.
  83. utils.check_string_length(value, name=property, min_length=0,
  84. max_length=255)
  85. def _convert_to_nova_security_group_format(self, security_group):
  86. nova_group = {}
  87. nova_group['id'] = security_group['id']
  88. nova_group['description'] = security_group['description']
  89. nova_group['name'] = security_group['name']
  90. nova_group['project_id'] = security_group['tenant_id']
  91. nova_group['rules'] = []
  92. for rule in security_group.get('security_group_rules', []):
  93. if rule['direction'] == 'ingress':
  94. nova_group['rules'].append(
  95. self._convert_to_nova_security_group_rule_format(rule))
  96. return nova_group
  97. def _convert_to_nova_security_group_rule_format(self, rule):
  98. nova_rule = {}
  99. nova_rule['id'] = rule['id']
  100. nova_rule['parent_group_id'] = rule['security_group_id']
  101. nova_rule['protocol'] = rule['protocol']
  102. if (nova_rule['protocol'] and rule.get('port_range_min') is None and
  103. rule.get('port_range_max') is None):
  104. if rule['protocol'].upper() in ['TCP', 'UDP']:
  105. nova_rule['from_port'] = 1
  106. nova_rule['to_port'] = 65535
  107. else:
  108. nova_rule['from_port'] = -1
  109. nova_rule['to_port'] = -1
  110. else:
  111. nova_rule['from_port'] = rule.get('port_range_min')
  112. nova_rule['to_port'] = rule.get('port_range_max')
  113. nova_rule['group_id'] = rule['remote_group_id']
  114. nova_rule['cidr'] = self.parse_cidr(rule.get('remote_ip_prefix'))
  115. return nova_rule
  116. def get(self, context, name=None, id=None, map_exception=False):
  117. neutron = neutronapi.get_client(context)
  118. try:
  119. if not id and name:
  120. # NOTE(flwang): The project id should be honoured so as to get
  121. # the correct security group id when user(with admin role but
  122. # non-admin project) try to query by name, so as to avoid
  123. # getting more than duplicated records with the same name.
  124. id = neutronv20.find_resourceid_by_name_or_id(
  125. neutron, 'security_group', name, context.project_id)
  126. group = neutron.show_security_group(id).get('security_group')
  127. return self._convert_to_nova_security_group_format(group)
  128. except n_exc.NeutronClientNoUniqueMatch as e:
  129. raise exception.NoUniqueMatch(six.text_type(e))
  130. except n_exc.NeutronClientException as e:
  131. exc_info = sys.exc_info()
  132. if e.status_code == 404:
  133. LOG.debug("Neutron security group %s not found", name)
  134. raise exception.SecurityGroupNotFound(six.text_type(e))
  135. else:
  136. LOG.error("Neutron Error: %s", e)
  137. six.reraise(*exc_info)
  138. except TypeError as e:
  139. LOG.error("Neutron Error: %s", e)
  140. msg = _("Invalid security group name: %(name)s.") % {"name": name}
  141. raise exception.SecurityGroupNotFound(six.text_type(msg))
  142. def list(self, context, names=None, ids=None, project=None,
  143. search_opts=None):
  144. """Returns list of security group rules owned by tenant."""
  145. neutron = neutronapi.get_client(context)
  146. params = {}
  147. search_opts = search_opts if search_opts else {}
  148. if names:
  149. params['name'] = names
  150. if ids:
  151. params['id'] = ids
  152. # NOTE(jeffrey4l): list all the security groups when following
  153. # conditions are met
  154. # * names and ids don't exist.
  155. # * it is admin context and all_tenants exist in search_opts.
  156. # * project is not specified.
  157. list_all_tenants = (context.is_admin
  158. and 'all_tenants' in search_opts
  159. and not any([names, ids]))
  160. # NOTE(jeffrey4l): The neutron doesn't have `all-tenants` concept.
  161. # All the security group will be returned if the project/tenant
  162. # id is not passed.
  163. if project and not list_all_tenants:
  164. params['tenant_id'] = project
  165. try:
  166. security_groups = neutron.list_security_groups(**params).get(
  167. 'security_groups')
  168. except n_exc.NeutronClientException:
  169. with excutils.save_and_reraise_exception():
  170. LOG.exception("Neutron Error getting security groups")
  171. converted_rules = []
  172. for security_group in security_groups:
  173. converted_rules.append(
  174. self._convert_to_nova_security_group_format(security_group))
  175. return converted_rules
  176. def validate_id(self, id):
  177. if not uuidutils.is_uuid_like(id):
  178. msg = _("Security group id should be uuid")
  179. self.raise_invalid_property(msg)
  180. return id
  181. def destroy(self, context, security_group):
  182. """This function deletes a security group."""
  183. neutron = neutronapi.get_client(context)
  184. try:
  185. neutron.delete_security_group(security_group['id'])
  186. except n_exc.NeutronClientException as e:
  187. exc_info = sys.exc_info()
  188. if e.status_code == 404:
  189. self.raise_not_found(six.text_type(e))
  190. elif e.status_code == 409:
  191. self.raise_invalid_property(six.text_type(e))
  192. else:
  193. LOG.error("Neutron Error: %s", e)
  194. six.reraise(*exc_info)
  195. def add_rules(self, context, id, name, vals):
  196. """Add security group rule(s) to security group.
  197. Note: the Nova security group API doesn't support adding multiple
  198. security group rules at once but the EC2 one does. Therefore,
  199. this function is written to support both. Multiple rules are
  200. installed to a security group in neutron using bulk support.
  201. """
  202. neutron = neutronapi.get_client(context)
  203. body = self._make_neutron_security_group_rules_list(vals)
  204. try:
  205. rules = neutron.create_security_group_rule(
  206. body).get('security_group_rules')
  207. except n_exc.NeutronClientException as e:
  208. exc_info = sys.exc_info()
  209. if e.status_code == 404:
  210. LOG.exception("Neutron Error getting security group %s", name)
  211. self.raise_not_found(six.text_type(e))
  212. elif e.status_code == 409:
  213. LOG.exception("Neutron Error adding rules to security "
  214. "group %s", name)
  215. self.raise_over_quota(six.text_type(e))
  216. elif e.status_code == 400:
  217. LOG.exception("Neutron Error: %s", e)
  218. self.raise_invalid_property(six.text_type(e))
  219. else:
  220. six.reraise(*exc_info)
  221. converted_rules = []
  222. for rule in rules:
  223. converted_rules.append(
  224. self._convert_to_nova_security_group_rule_format(rule))
  225. return converted_rules
  226. def _make_neutron_security_group_dict(self, name, description):
  227. return {'security_group': {'name': name,
  228. 'description': description}}
  229. def _make_neutron_security_group_rules_list(self, rules):
  230. new_rules = []
  231. for rule in rules:
  232. new_rule = {}
  233. # nova only supports ingress rules so all rules are ingress.
  234. new_rule['direction'] = "ingress"
  235. new_rule['protocol'] = rule.get('protocol')
  236. # FIXME(arosen) Nova does not expose ethertype on security group
  237. # rules. Therefore, in the case of self referential rules we
  238. # should probably assume they want to allow both IPv4 and IPv6.
  239. # Unfortunately, this would require adding two rules in neutron.
  240. # The reason we do not do this is because when the user using the
  241. # nova api wants to remove the rule we'd have to have some way to
  242. # know that we should delete both of these rules in neutron.
  243. # For now, self referential rules only support IPv4.
  244. if not rule.get('cidr'):
  245. new_rule['ethertype'] = 'IPv4'
  246. else:
  247. version = netaddr.IPNetwork(rule.get('cidr')).version
  248. new_rule['ethertype'] = 'IPv6' if version == 6 else 'IPv4'
  249. new_rule['remote_ip_prefix'] = rule.get('cidr')
  250. new_rule['security_group_id'] = rule.get('parent_group_id')
  251. new_rule['remote_group_id'] = rule.get('group_id')
  252. if 'from_port' in rule and rule['from_port'] != -1:
  253. new_rule['port_range_min'] = rule['from_port']
  254. if 'to_port' in rule and rule['to_port'] != -1:
  255. new_rule['port_range_max'] = rule['to_port']
  256. new_rules.append(new_rule)
  257. return {'security_group_rules': new_rules}
  258. def remove_rules(self, context, security_group, rule_ids):
  259. neutron = neutronapi.get_client(context)
  260. rule_ids = set(rule_ids)
  261. try:
  262. # The ec2 api allows one to delete multiple security group rules
  263. # at once. Since there is no bulk delete for neutron the best
  264. # thing we can do is delete the rules one by one and hope this
  265. # works.... :/
  266. for rule_id in range(0, len(rule_ids)):
  267. neutron.delete_security_group_rule(rule_ids.pop())
  268. except n_exc.NeutronClientException:
  269. with excutils.save_and_reraise_exception():
  270. LOG.exception("Neutron Error unable to delete %s", rule_ids)
  271. def get_rule(self, context, id):
  272. neutron = neutronapi.get_client(context)
  273. try:
  274. rule = neutron.show_security_group_rule(
  275. id).get('security_group_rule')
  276. except n_exc.NeutronClientException as e:
  277. exc_info = sys.exc_info()
  278. if e.status_code == 404:
  279. LOG.debug("Neutron security group rule %s not found", id)
  280. self.raise_not_found(six.text_type(e))
  281. else:
  282. LOG.error("Neutron Error: %s", e)
  283. six.reraise(*exc_info)
  284. return self._convert_to_nova_security_group_rule_format(rule)
  285. def _get_ports_from_server_list(self, servers, neutron):
  286. """Returns a list of ports used by the servers."""
  287. def _chunk_by_ids(servers, limit):
  288. ids = []
  289. for server in servers:
  290. ids.append(server['id'])
  291. if len(ids) >= limit:
  292. yield ids
  293. ids = []
  294. if ids:
  295. yield ids
  296. # Note: Have to split the query up as the search criteria
  297. # form part of the URL, which has a fixed max size
  298. ports = []
  299. for ids in _chunk_by_ids(servers, MAX_SEARCH_IDS):
  300. search_opts = {'device_id': ids}
  301. try:
  302. ports.extend(neutron.list_ports(**search_opts).get('ports'))
  303. except n_exc.PortNotFoundClient:
  304. # There could be a race between deleting an instance and
  305. # retrieving its port groups from Neutron. In this case
  306. # PortNotFoundClient is raised and it can be safely ignored
  307. LOG.debug("Port not found for device with id %s", ids)
  308. return ports
  309. def _get_secgroups_from_port_list(self, ports, neutron, fields=None):
  310. """Returns a dict of security groups keyed by their ids."""
  311. def _chunk_by_ids(sg_ids, limit):
  312. sg_id_list = []
  313. for sg_id in sg_ids:
  314. sg_id_list.append(sg_id)
  315. if len(sg_id_list) >= limit:
  316. yield sg_id_list
  317. sg_id_list = []
  318. if sg_id_list:
  319. yield sg_id_list
  320. # Find the set of unique SecGroup IDs to search for
  321. sg_ids = set()
  322. for port in ports:
  323. sg_ids.update(port.get('security_groups', []))
  324. # Note: Have to split the query up as the search criteria
  325. # form part of the URL, which has a fixed max size
  326. security_groups = {}
  327. for sg_id_list in _chunk_by_ids(sg_ids, MAX_SEARCH_IDS):
  328. sg_search_opts = {'id': sg_id_list}
  329. if fields:
  330. sg_search_opts['fields'] = fields
  331. search_results = neutron.list_security_groups(**sg_search_opts)
  332. for sg in search_results.get('security_groups'):
  333. security_groups[sg['id']] = sg
  334. return security_groups
  335. def get_instances_security_groups_bindings(self, context, servers,
  336. detailed=False):
  337. """Returns a dict(instance_id, [security_groups]) to allow obtaining
  338. all of the instances and their security groups in one shot.
  339. If detailed is False only the security group name is returned.
  340. """
  341. neutron = neutronapi.get_client(context)
  342. ports = self._get_ports_from_server_list(servers, neutron)
  343. # If detailed is True, we want all fields from the security groups
  344. # including the potentially slow-to-join security_group_rules field.
  345. # But if detailed is False, only get the id and name fields since
  346. # that's all we'll use below.
  347. fields = None if detailed else ['id', 'name']
  348. security_groups = self._get_secgroups_from_port_list(
  349. ports, neutron, fields=fields)
  350. instances_security_group_bindings = {}
  351. for port in ports:
  352. for port_sg_id in port.get('security_groups', []):
  353. # Note: have to check we found port_sg as its possible
  354. # the port has an SG that this user doesn't have access to
  355. port_sg = security_groups.get(port_sg_id)
  356. if port_sg:
  357. if detailed:
  358. sg_entry = self._convert_to_nova_security_group_format(
  359. port_sg)
  360. instances_security_group_bindings.setdefault(
  361. port['device_id'], []).append(sg_entry)
  362. else:
  363. # name is optional in neutron so if not specified
  364. # return id
  365. name = port_sg.get('name')
  366. if not name:
  367. name = port_sg.get('id')
  368. sg_entry = {'name': name}
  369. instances_security_group_bindings.setdefault(
  370. port['device_id'], []).append(sg_entry)
  371. return instances_security_group_bindings
  372. def get_instance_security_groups(self, context, instance, detailed=False):
  373. """Returns the security groups that are associated with an instance.
  374. If detailed is True then it also returns the full details of the
  375. security groups associated with an instance, otherwise just the
  376. security group name.
  377. """
  378. servers = [{'id': instance.uuid}]
  379. sg_bindings = self.get_instances_security_groups_bindings(
  380. context, servers, detailed)
  381. return sg_bindings.get(instance.uuid, [])
  382. def _has_security_group_requirements(self, port):
  383. port_security_enabled = port.get('port_security_enabled', True)
  384. has_ip = port.get('fixed_ips')
  385. deferred_ip = port.get('ip_allocation') == 'deferred'
  386. if has_ip or deferred_ip:
  387. return port_security_enabled
  388. return False
  389. def add_to_instance(self, context, instance, security_group_name):
  390. """Add security group to the instance."""
  391. neutron = neutronapi.get_client(context)
  392. try:
  393. security_group_id = neutronv20.find_resourceid_by_name_or_id(
  394. neutron, 'security_group',
  395. security_group_name,
  396. context.project_id)
  397. except n_exc.NeutronClientNoUniqueMatch as e:
  398. raise exception.NoUniqueMatch(six.text_type(e))
  399. except n_exc.NeutronClientException as e:
  400. exc_info = sys.exc_info()
  401. if e.status_code == 404:
  402. msg = (_("Security group %(name)s is not found for "
  403. "project %(project)s") %
  404. {'name': security_group_name,
  405. 'project': context.project_id})
  406. self.raise_not_found(msg)
  407. else:
  408. six.reraise(*exc_info)
  409. params = {'device_id': instance.uuid}
  410. try:
  411. ports = neutron.list_ports(**params).get('ports')
  412. except n_exc.NeutronClientException:
  413. with excutils.save_and_reraise_exception():
  414. LOG.exception("Neutron Error:")
  415. if not ports:
  416. msg = (_("instance_id %s could not be found as device id on"
  417. " any ports") % instance.uuid)
  418. self.raise_not_found(msg)
  419. for port in ports:
  420. if not self._has_security_group_requirements(port):
  421. LOG.warning("Cannot add security group %(name)s to "
  422. "%(instance)s since the port %(port_id)s "
  423. "does not meet security requirements",
  424. {'name': security_group_name,
  425. 'instance': instance.uuid,
  426. 'port_id': port['id']})
  427. raise exception.SecurityGroupCannotBeApplied()
  428. if 'security_groups' not in port:
  429. port['security_groups'] = []
  430. port['security_groups'].append(security_group_id)
  431. updated_port = {'security_groups': port['security_groups']}
  432. try:
  433. LOG.info("Adding security group %(security_group_id)s to "
  434. "port %(port_id)s",
  435. {'security_group_id': security_group_id,
  436. 'port_id': port['id']})
  437. neutron.update_port(port['id'], {'port': updated_port})
  438. except n_exc.NeutronClientException as e:
  439. exc_info = sys.exc_info()
  440. if e.status_code == 400:
  441. raise exception.SecurityGroupCannotBeApplied(
  442. six.text_type(e))
  443. else:
  444. six.reraise(*exc_info)
  445. except Exception:
  446. with excutils.save_and_reraise_exception():
  447. LOG.exception("Neutron Error:")
  448. def remove_from_instance(self, context, instance, security_group_name):
  449. """Remove the security group associated with the instance."""
  450. neutron = neutronapi.get_client(context)
  451. try:
  452. security_group_id = neutronv20.find_resourceid_by_name_or_id(
  453. neutron, 'security_group',
  454. security_group_name,
  455. context.project_id)
  456. except n_exc.NeutronClientException as e:
  457. exc_info = sys.exc_info()
  458. if e.status_code == 404:
  459. msg = (_("Security group %(name)s is not found for "
  460. "project %(project)s") %
  461. {'name': security_group_name,
  462. 'project': context.project_id})
  463. self.raise_not_found(msg)
  464. else:
  465. six.reraise(*exc_info)
  466. params = {'device_id': instance.uuid}
  467. try:
  468. ports = neutron.list_ports(**params).get('ports')
  469. except n_exc.NeutronClientException:
  470. with excutils.save_and_reraise_exception():
  471. LOG.exception("Neutron Error:")
  472. if not ports:
  473. msg = (_("instance_id %s could not be found as device id on"
  474. " any ports") % instance.uuid)
  475. self.raise_not_found(msg)
  476. found_security_group = False
  477. for port in ports:
  478. try:
  479. port.get('security_groups', []).remove(security_group_id)
  480. except ValueError:
  481. # When removing a security group from an instance the security
  482. # group should be on both ports since it was added this way if
  483. # done through the nova api. In case it is not a 404 is only
  484. # raised if the security group is not found on any of the
  485. # ports on the instance.
  486. continue
  487. updated_port = {'security_groups': port['security_groups']}
  488. try:
  489. LOG.info("Removing security group %(security_group_id)s from "
  490. "port %(port_id)s",
  491. {'security_group_id': security_group_id,
  492. 'port_id': port['id']})
  493. neutron.update_port(port['id'], {'port': updated_port})
  494. found_security_group = True
  495. except Exception:
  496. with excutils.save_and_reraise_exception():
  497. LOG.exception("Neutron Error:")
  498. if not found_security_group:
  499. msg = (_("Security group %(security_group_name)s not associated "
  500. "with the instance %(instance)s") %
  501. {'security_group_name': security_group_name,
  502. 'instance': instance.uuid})
  503. self.raise_not_found(msg)
  504. def get_default_rule(self, context, id):
  505. msg = _("Network driver does not support this function.")
  506. raise exc.HTTPNotImplemented(explanation=msg)
  507. def get_all_default_rules(self, context):
  508. msg = _("Network driver does not support this function.")
  509. raise exc.HTTPNotImplemented(explanation=msg)
  510. def add_default_rules(self, context, vals):
  511. msg = _("Network driver does not support this function.")
  512. raise exc.HTTPNotImplemented(explanation=msg)
  513. def remove_default_rules(self, context, rule_ids):
  514. msg = _("Network driver does not support this function.")
  515. raise exc.HTTPNotImplemented(explanation=msg)
  516. def default_rule_exists(self, context, values):
  517. msg = _("Network driver does not support this function.")
  518. raise exc.HTTPNotImplemented(explanation=msg)