Allow creating security rules without protocol
In order to create a rule for any protocol, the client must not specify the protocol in the API call. This is currently impossible because protocol defaults to TCP. In order not to change the default behavior, a "new" protocol name is added: "any", which makes this CLI skip sending the protocol field altogether. Change-Id: I58853d3745f3631007e5e9780c0c5c2526b730a3 Closes-Bug: 1712242
This commit is contained in:
parent
09faba2713
commit
82f45d9bd2
@ -159,8 +159,8 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
|
|||||||
help=_("IP protocol (ah, dccp, egp, esp, gre, icmp, igmp, "
|
help=_("IP protocol (ah, dccp, egp, esp, gre, icmp, igmp, "
|
||||||
"ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, "
|
"ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, "
|
||||||
"ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, "
|
"ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, "
|
||||||
"udp, udplite, vrrp and integer representations [0-255]; "
|
"udp, udplite, vrrp and integer representations [0-255] "
|
||||||
"default: tcp)")
|
"or any; default: tcp)")
|
||||||
)
|
)
|
||||||
protocol_group.add_argument(
|
protocol_group.add_argument(
|
||||||
'--proto',
|
'--proto',
|
||||||
@ -230,6 +230,8 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
|
|||||||
protocol = parsed_args.protocol
|
protocol = parsed_args.protocol
|
||||||
if parsed_args.proto is not None:
|
if parsed_args.proto is not None:
|
||||||
protocol = parsed_args.proto
|
protocol = parsed_args.proto
|
||||||
|
if protocol == 'any':
|
||||||
|
protocol = None
|
||||||
return protocol
|
return protocol
|
||||||
|
|
||||||
def _is_ipv6_protocol(self, protocol):
|
def _is_ipv6_protocol(self, protocol):
|
||||||
@ -237,7 +239,7 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
|
|||||||
# However, while the OSC CLI doesn't document the protocol,
|
# However, while the OSC CLI doesn't document the protocol,
|
||||||
# the code must still handle it. In addition, handle both
|
# the code must still handle it. In addition, handle both
|
||||||
# protocol names and numbers.
|
# protocol names and numbers.
|
||||||
if (protocol.startswith('ipv6-') or
|
if (protocol is not None and protocol.startswith('ipv6-') or
|
||||||
protocol in ['icmpv6', '41', '43', '44', '58', '59', '60']):
|
protocol in ['icmpv6', '41', '43', '44', '58', '59', '60']):
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
|
@ -211,6 +211,36 @@ class TestCreateSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
|
|||||||
self.assertEqual(self.expected_columns, columns)
|
self.assertEqual(self.expected_columns, columns)
|
||||||
self.assertEqual(self.expected_data, data)
|
self.assertEqual(self.expected_data, data)
|
||||||
|
|
||||||
|
def test_create_protocol_any(self):
|
||||||
|
self._setup_security_group_rule({
|
||||||
|
'protocol': None,
|
||||||
|
'remote_ip_prefix': '10.0.2.0/24',
|
||||||
|
})
|
||||||
|
arglist = [
|
||||||
|
'--proto', 'any',
|
||||||
|
'--src-ip', self._security_group_rule.remote_ip_prefix,
|
||||||
|
self._security_group.id,
|
||||||
|
]
|
||||||
|
verifylist = [
|
||||||
|
('proto', 'any'),
|
||||||
|
('protocol', None),
|
||||||
|
('src_ip', self._security_group_rule.remote_ip_prefix),
|
||||||
|
('group', self._security_group.id),
|
||||||
|
]
|
||||||
|
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
|
||||||
|
|
||||||
|
columns, data = self.cmd.take_action(parsed_args)
|
||||||
|
|
||||||
|
self.network.create_security_group_rule.assert_called_once_with(**{
|
||||||
|
'direction': self._security_group_rule.direction,
|
||||||
|
'ethertype': self._security_group_rule.ether_type,
|
||||||
|
'protocol': self._security_group_rule.protocol,
|
||||||
|
'remote_ip_prefix': self._security_group_rule.remote_ip_prefix,
|
||||||
|
'security_group_id': self._security_group.id,
|
||||||
|
})
|
||||||
|
self.assertEqual(self.expected_columns, columns)
|
||||||
|
self.assertEqual(self.expected_data, data)
|
||||||
|
|
||||||
def test_create_remote_group(self):
|
def test_create_remote_group(self):
|
||||||
self._setup_security_group_rule({
|
self._setup_security_group_rule({
|
||||||
'port_range_max': 22,
|
'port_range_max': 22,
|
||||||
|
12
releasenotes/notes/bug-1712242-934bbe2f2378f5bd.yaml
Normal file
12
releasenotes/notes/bug-1712242-934bbe2f2378f5bd.yaml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Add ``any`` as a ``--protocol`` option to ``security group rule create``
|
||||||
|
command.
|
||||||
|
[Bug `1517134 <https://bugs.launchpad.net/bugs/1712242>`_]
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
It is now possible to create a security rule without specifying protocol
|
||||||
|
(using ``--protocol any``), which skips sending the protocol to the API
|
||||||
|
server entirely. Previously TCP was forced as default protocol when none
|
||||||
|
was specified.
|
Loading…
x
Reference in New Issue
Block a user