
Merge "Prioritize policy validation" into stable/train

stable/train
Zuul 1 week ago
committed by Gerrit Code Review
parent
commit
68c0285f37
5 changed files with 63 additions and 57 deletions
  1. +8
    -8
      octavia/api/v2/controllers/health_monitor.py
  2. +15
    -13
      octavia/api/v2/controllers/l7policy.py
  3. +15
    -16
      octavia/api/v2/controllers/l7rule.py
  4. +7
    -7
      octavia/api/v2/controllers/member.py
  5. +18
    -13
      octavia/api/v2/controllers/pool.py

+ 8
- 8
octavia/api/v2/controllers/health_monitor.py

@@ -199,16 +199,19 @@ class HealthMonitorController(base.BaseController):
context = pecan.request.context.get('octavia_context')
health_monitor = health_monitor_.healthmonitor

if (not CONF.api_settings.allow_ping_health_monitors and
health_monitor.type == consts.HEALTH_MONITOR_PING):
raise exceptions.DisabledOption(
option='type', value=consts.HEALTH_MONITOR_PING)

pool = self._get_db_pool(context.session, health_monitor.pool_id)

health_monitor.project_id, provider = self._get_lb_project_id_provider(
context.session, pool.load_balancer_id)

self._auth_validate_action(context, health_monitor.project_id,
consts.RBAC_POST)

if (not CONF.api_settings.allow_ping_health_monitors and
health_monitor.type == consts.HEALTH_MONITOR_PING):
raise exceptions.DisabledOption(
option='type', value=consts.HEALTH_MONITOR_PING)

if pool.protocol == consts.PROTOCOL_UDP:
self._validate_healthmonitor_request_for_udp(health_monitor)
else:
@@ -218,9 +221,6 @@ class HealthMonitorController(base.BaseController):
"%(protocol)s.") % {'type': health_monitor.type,
'protocol': consts.PROTOCOL_UDP})

self._auth_validate_action(context, health_monitor.project_id,
consts.RBAC_POST)

# Load the driver early as it also provides validation
driver = driver_factory.get_driver(provider)
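Review bot: Nothing in the reordered create path records why `_auth_validate_action` now sits above the ping-monitor and UDP checks, so a later edit could move request validation back ahead of the policy check. I would add a comment directly above the call, e.g. `# Enforce RBAC before validating the request body so callers without access get the policy error, not validation feedback.` The pool lookup still has to run first because the project id is derived from the pool's load balancer, so a missing pool is presumably still reported before authorization; that is worth stating in the same comment. The same comment fits the moved calls in l7policy.py, l7rule.py, member.py and pool.py. The method starts and ends outside these hunks.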



+ 15
- 13
octavia/api/v2/controllers/l7policy.py

@@ -116,6 +116,7 @@ class L7PolicyController(base.BaseController):
"""Creates a l7policy on a listener."""
l7policy = l7policy_.l7policy
context = pecan.request.context.get('octavia_context')

# Verify the parent listener exists
listener_id = l7policy.listener_id
listener = self._get_db_listener(
@@ -123,15 +124,16 @@ class L7PolicyController(base.BaseController):
load_balancer_id = listener.load_balancer_id
l7policy.project_id, provider = self._get_lb_project_id_provider(
context.session, load_balancer_id)

self._auth_validate_action(context, l7policy.project_id,
constants.RBAC_POST)

# Make sure any pool specified by redirect_pool_id exists
if l7policy.redirect_pool_id:
db_pool = self._get_db_pool(
context.session, l7policy.redirect_pool_id)
self._validate_protocol(listener.protocol, db_pool.protocol)

self._auth_validate_action(context, l7policy.project_id,
constants.RBAC_POST)

# Load the driver early as it also provides validation
driver = driver_factory.get_driver(provider)

@@ -199,6 +201,16 @@ class L7PolicyController(base.BaseController):
def put(self, id, l7policy_):
"""Updates a l7policy."""
l7policy = l7policy_.l7policy
context = pecan.request.context.get('octavia_context')
db_l7policy = self._get_db_l7policy(context.session, id,
show_deleted=False)
load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id(
db_l7policy)
project_id, provider = self._get_lb_project_id_provider(
context.session, load_balancer_id)

self._auth_validate_action(context, project_id, constants.RBAC_PUT)

l7policy_dict = validate.sanitize_l7policy_api_args(
l7policy.to_dict(render_unsets=False))
# Reset renamed attributes
@@ -206,10 +218,6 @@ class L7PolicyController(base.BaseController):
if val in l7policy_dict:
l7policy_dict[attr] = l7policy_dict.pop(val)
sanitized_l7policy = l7policy_types.L7PolicyPUT(**l7policy_dict)
context = pecan.request.context.get('octavia_context')

db_l7policy = self._get_db_l7policy(context.session, id,
show_deleted=False)
listener = self._get_db_listener(
context.session, db_l7policy.listener_id)
# Make sure any specified redirect_pool_id exists
@@ -217,12 +225,6 @@ class L7PolicyController(base.BaseController):
db_pool = self._get_db_pool(
context.session, l7policy_dict['redirect_pool_id'])
self._validate_protocol(listener.protocol, db_pool.protocol)
load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id(
db_l7policy)
project_id, provider = self._get_lb_project_id_provider(
context.session, load_balancer_id)

self._auth_validate_action(context, project_id, constants.RBAC_PUT)

# Load the driver early as it also provides validation
driver = driver_factory.get_driver(provider)
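Review bot: The new ordering in post() and put() is not pinned by any test in this commit; the diffstat lists only the five controller files. A functional test per controller that submits an invalid body under a project the policy rejects, and expects the policy error rather than a validation error, would catch a later regression of the ordering. Such tests may already exist on the branch, which is not visible from this page. Both methods extend outside the hunks shown.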


+ 15
- 16
octavia/api/v2/controllers/l7rule.py

@@ -123,10 +123,6 @@ class L7RuleController(base.BaseController):
def post(self, rule_):
"""Creates a l7rule on an l7policy."""
l7rule = rule_.rule
try:
validate.l7rule_data(l7rule)
except Exception as e:
raise exceptions.L7RuleValidation(error=e)
context = pecan.request.context.get('octavia_context')

db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
@@ -135,12 +131,16 @@ class L7RuleController(base.BaseController):
db_l7policy)
l7rule.project_id, provider = self._get_lb_project_id_provider(
context.session, load_balancer_id)

self._check_l7policy_max_rules(context.session)

self._auth_validate_action(context, l7rule.project_id,
constants.RBAC_POST)

try:
validate.l7rule_data(l7rule)
except Exception as e:
raise exceptions.L7RuleValidation(error=e)

self._check_l7policy_max_rules(context.session)

# Load the driver early as it also provides validation
driver = driver_factory.get_driver(provider)

@@ -192,15 +192,6 @@ class L7RuleController(base.BaseController):
context = pecan.request.context.get('octavia_context')
db_l7rule = self._get_db_l7rule(context.session, id,
show_deleted=False)

# Handle the invert unset
if l7rule.invert is None:
l7rule.invert = False

new_l7rule = db_l7rule.to_dict()
new_l7rule.update(l7rule.to_dict())
new_l7rule = data_models.L7Rule.from_dict(new_l7rule)

db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
show_deleted=False)
load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id(
@@ -210,6 +201,14 @@ class L7RuleController(base.BaseController):

self._auth_validate_action(context, project_id, constants.RBAC_PUT)

# Handle the invert unset
if l7rule.invert is None:
l7rule.invert = False

new_l7rule = db_l7rule.to_dict()
new_l7rule.update(l7rule.to_dict())
new_l7rule = data_models.L7Rule.from_dict(new_l7rule)

try:
validate.l7rule_data(new_l7rule)
except Exception as e:
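Review bot: The relocated `try` around `validate.l7rule_data(l7rule)` in post() still catches bare `Exception` and hands the exception object to `exceptions.L7RuleValidation(error=e)`. An unexpected internal failure would therefore be reported to the client as a validation error, possibly with internal detail in the message. Catching only the exception types the validator is meant to raise would let real faults surface as server errors and reach the logs; the validator is not visible here, so the exact types need confirming. The put() hunk ends on `except Exception as e:` with the handler body outside the hunk, so the same pattern presumably applies there.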


+ 7
- 7
octavia/api/v2/controllers/member.py

@@ -146,12 +146,6 @@ class MemberController(base.BaseController):
member = member_.member
context = pecan.request.context.get('octavia_context')

validate.ip_not_reserved(member.address)

# Validate member subnet
if (member.subnet_id and
not validate.subnet_exists(member.subnet_id, context=context)):
raise exceptions.NotFound(resource='Subnet', id=member.subnet_id)
pool = self.repositories.pool.get(context.session, id=self.pool_id)
member.project_id, provider = self._get_lb_project_id_provider(
context.session, pool.load_balancer_id)
@@ -159,6 +153,13 @@ class MemberController(base.BaseController):
self._auth_validate_action(context, member.project_id,
constants.RBAC_POST)

validate.ip_not_reserved(member.address)

# Validate member subnet
if (member.subnet_id and
not validate.subnet_exists(member.subnet_id, context=context)):
raise exceptions.NotFound(resource='Subnet', id=member.subnet_id)

# Load the driver early as it also provides validation
driver = driver_factory.get_driver(provider)

@@ -232,7 +233,6 @@ class MemberController(base.BaseController):
context = pecan.request.context.get('octavia_context')
db_member = self._get_db_member(context.session, id,
show_deleted=False)

pool = self.repositories.pool.get(context.session,
id=db_member.pool_id)
project_id, provider = self._get_lb_project_id_provider(
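Review bot: In post() the pool is loaded with `self.repositories.pool.get(context.session, id=self.pool_id)` and `pool.load_balancer_id` is read on the next line with no check, whereas health_monitor.py goes through `self._get_db_pool(...)`. If the repository getter returns `None` for an unknown pool id (not visible here), the request would fail with an attribute error before the RBAC check instead of a clean not-found response. Assuming `_get_db_pool` is the shared BaseController helper, `pool = self._get_db_pool(context.session, self.pool_id)` would make the controllers consistent. The update hunk below uses the same getter with `db_member.pool_id`; both methods extend outside their hunks.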


+ 18
- 13
octavia/api/v2/controllers/pool.py

@@ -189,22 +189,13 @@ class PoolsController(base.BaseController):
# pool_dict:
pool = pool_.pool
context = pecan.request.context.get('octavia_context')
if pool.protocol == constants.PROTOCOL_UDP:
self._validate_pool_request_for_udp(pool)
else:
if (pool.session_persistence and (
pool.session_persistence.persistence_timeout or
pool.session_persistence.persistence_granularity)):
raise exceptions.ValidationException(detail=_(
"persistence_timeout and persistence_granularity "
"is only for UDP protocol pools."))
listener = None
if pool.loadbalancer_id:
pool.project_id, provider = self._get_lb_project_id_provider(
context.session, pool.loadbalancer_id)
elif pool.listener_id:
listener = self.repositories.listener.get(
context.session, id=pool.listener_id)
self._validate_protocol(listener.protocol, pool.protocol)
pool.loadbalancer_id = listener.load_balancer_id
pool.project_id, provider = self._get_lb_project_id_provider(
context.session, pool.loadbalancer_id)
@@ -216,6 +207,19 @@ class PoolsController(base.BaseController):
self._auth_validate_action(context, pool.project_id,
constants.RBAC_POST)

if pool.listener_id and listener:
self._validate_protocol(listener.protocol, pool.protocol)

if pool.protocol == constants.PROTOCOL_UDP:
self._validate_pool_request_for_udp(pool)
else:
if (pool.session_persistence and (
pool.session_persistence.persistence_timeout or
pool.session_persistence.persistence_granularity)):
raise exceptions.ValidationException(detail=_(
"persistence_timeout and persistence_granularity "
"is only for UDP protocol pools."))

if pool.session_persistence:
sp_dict = pool.session_persistence.to_dict(render_unsets=False)
validate.check_session_persistence(sp_dict)
@@ -431,15 +435,16 @@ class PoolsController(base.BaseController):
"""Deletes a pool from a load balancer."""
context = pecan.request.context.get('octavia_context')
db_pool = self._get_db_pool(context.session, id, show_deleted=False)
if db_pool.l7policies:
raise exceptions.PoolInUseByL7Policy(
id=db_pool.id, l7policy_id=db_pool.l7policies[0].id)

project_id, provider = self._get_lb_project_id_provider(
context.session, db_pool.load_balancer_id)

self._auth_validate_action(context, project_id, constants.RBAC_DELETE)

if db_pool.l7policies:
raise exceptions.PoolInUseByL7Policy(
id=db_pool.id, l7policy_id=db_pool.l7policies[0].id)

# Load the driver early as it also provides validation
driver = driver_factory.get_driver(provider)
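Review bot: In post(), `listener` is assigned only in the `elif pool.listener_id:` branch, so a request that carries both `loadbalancer_id` and `listener_id` takes the first branch and the new `if pool.listener_id and listener:` guard skips `_validate_protocol`. Unless the listener is loaded and checked later outside the hunk, the listener/pool protocol match goes unverified for that input; the removed code had the same gap, so this is not a regression. Loading the listener after the RBAC check whenever `pool.listener_id` is set, and validating against it, would cover both input shapes. Separately, `listener.load_balancer_id` in the elif branch is read without a None check, although the later guard treats a missing listener as possible.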


