Merge "address group with security group rule"
commit
40514ac534
@ -2819,10 +2819,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
||||
context, port, removed_sgs, is_delete=True)
|
||||
self._really_update_sg_rule_with_remote_group_set(
|
||||
context, port, added_sgs, is_delete=False)
|
||||
self._really_update_sg_rule_with_remote_address_group_set(
|
||||
context, port, removed_sgs, is_delete=True)
|
||||
self._really_update_sg_rule_with_remote_address_group_set(
|
||||
context, port, added_sgs, is_delete=False)
|
||||
|
||||
def _really_update_sg_rule_with_remote_group_set(
|
||||
self, context, port, security_groups, is_delete):
|
||||
@ -2872,51 +2868,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
||||
self.aim.update(aim_ctx, sg_rule_aim,
|
||||
remote_ips=aim_sg_rule.remote_ips)
|
||||
|
||||
def _really_update_sg_rule_with_remote_address_group_set(
|
||||
self, context, port, security_groups, is_delete):
|
||||
if not security_groups:
|
||||
return
|
||||
session = context._plugin_context.session
|
||||
aim_ctx = aim_context.AimContext(session)
|
||||
|
||||
query = BAKERY(lambda s: s.query(
|
||||
sg_models.SecurityGroupRule,
|
||||
ag_db.AddressGroup))
|
||||
query += lambda q: q.filter(
|
||||
sg_models.SecurityGroupRule.remote_address_group_id ==
|
||||
ag_db.AddressGroup.id)
|
||||
res = query(session).params(
|
||||
security_groups=list(security_groups)).all()
|
||||
sg_to_tenant = {}
|
||||
for sg in res:
|
||||
sg_rule = sg[0]
|
||||
address_group = sg[1]
|
||||
sg_id = sg_rule['security_group_id']
|
||||
if sg_id in sg_to_tenant:
|
||||
tenant_id = sg_to_tenant[sg_id]
|
||||
else:
|
||||
tenant_id = self._get_sg_rule_tenant_id(session, sg_rule)
|
||||
sg_to_tenant[sg_id] = tenant_id
|
||||
tenant_aname = self.name_mapper.project(session, tenant_id)
|
||||
sg_rule_aim = aim_resource.SecurityGroupRule(
|
||||
tenant_name=tenant_aname,
|
||||
security_group_name=sg_rule['security_group_id'],
|
||||
security_group_subject_name='default',
|
||||
name=sg_rule['id'])
|
||||
aim_sg_rule = self.aim.get(aim_ctx, sg_rule_aim)
|
||||
if not aim_sg_rule:
|
||||
continue
|
||||
for ag_address in address_group['addresses']:
|
||||
address = str(ag_address.address)
|
||||
if is_delete:
|
||||
if address in aim_sg_rule.remote_ips:
|
||||
aim_sg_rule.remote_ips.remove(address)
|
||||
else:
|
||||
if address not in aim_sg_rule.remote_ips:
|
||||
aim_sg_rule.remote_ips.append(address)
|
||||
self.aim.update(aim_ctx, sg_rule_aim,
|
||||
remote_ips=aim_sg_rule.remote_ips)
|
||||
|
||||
def _check_active_active_aap(self, context, port):
|
||||
aap_current = port.get('allowed_address_pairs', [])
|
||||
aap_original = []
|
||||
@ -3164,8 +3115,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
||||
self._check_valid_erspan_config(port)
|
||||
self._really_update_sg_rule_with_remote_group_set(
|
||||
context, port, port['security_groups'], is_delete=False)
|
||||
self._really_update_sg_rule_with_remote_address_group_set(
|
||||
context, port, port['security_groups'], is_delete=False)
|
||||
self._insert_provisioning_block(context)
|
||||
|
||||
# Handle router gateway port creation.
|
||||
@ -3456,8 +3405,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
||||
self._delete_erspan_aim_config(context, port)
|
||||
self._really_update_sg_rule_with_remote_group_set(
|
||||
context, port, port['security_groups'], is_delete=True)
|
||||
self._really_update_sg_rule_with_remote_address_group_set(
|
||||
context, port, port['security_groups'], is_delete=True)
|
||||
|
||||
# Set status of floating ip DOWN.
|
||||
self._update_floatingip_status(
|
||||
@ -3661,6 +3608,32 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
||||
remote_ips.append(fixed_ip['ip_address'])
|
||||
|
||||
remote_group_id = sg_rule['remote_group_id']
|
||||
|
||||
elif sg_rule.get('remote_address_group_id'):
|
||||
remote_ips = []
|
||||
|
||||
query = BAKERY(lambda s: s.query(
|
||||
ag_db.AddressAssociation))
|
||||
query += lambda q: q.filter(
|
||||
sg_models.SecurityGroupRule.remote_address_group_id ==
|
||||
ag_db.AddressGroup.id)
|
||||
|
||||
addresses = query(session).params(
|
||||
ag_id=sg_rule['remote_address_group_id']).all()
|
||||
|
||||
ip_version = 0
|
||||
if sg_rule['ethertype'] == 'IPv4':
|
||||
ip_version = 4
|
||||
elif sg_rule['ethertype'] == 'IPv6':
|
||||
ip_version = 6
|
||||
|
||||
for addr in addresses:
|
||||
if ip_version == netaddr.IPAddress(
|
||||
addr['address'].split('/')[0]).version:
|
||||
remote_ips.append(addr['address'])
|
||||
|
||||
remote_group_id = ''
|
||||
|
||||
else:
|
||||
remote_ips = ([sg_rule['remote_ip_prefix']]
|
||||
if sg_rule['remote_ip_prefix'] else '')
|
||||
|
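Review bot: The new `remote_address_group_id` branch queries `ag_db.AddressAssociation` but its only filter compares `sg_models.SecurityGroupRule.remote_address_group_id` with `ag_db.AddressGroup.id`, and the `ag_id` value supplied through `.params(ag_id=...)` is never bound anywhere in the query, so nothing restricts the rows to the rule's own address group. As written this appears to return the address associations of every address group any rule references (an unconstrained join), which would widen this rule's `remote_ips` to prefixes from other groups and potentially other tenants; the filter should be `ag_db.AddressAssociation.address_group_id == sa.bindparam('ag_id')` (assuming the module's usual `sa` alias for sqlalchemy, which a baked query with `.params()` needs). The ethertype comparison that follows only filters by IP version and does not mitigate this. The enclosing function starts and ends outside the hunk, and since the commit removes the per-port `_really_update_sg_rule_with_remote_address_group_set` helper, confirm that some other hook refreshes `remote_ips` when addresses are later added to or removed from the group.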
@ -11718,22 +11718,15 @@ class TestPortOnPhysicalNode(TestPortVlanNetwork):
|
||||
sg_rule1['id'], 'default', default_sg_id, tenant_aname)
|
||||
self.assertEqual(aim_sg_rule.remote_ips, [])
|
||||
|
||||
def test_update_sg_rule_with_remote_address_group_set(self):
|
||||
# Create network.
|
||||
def test_sg_rule_with_remote_address_group(self):
|
||||
net_resp = self._make_network(self.fmt, 'net1', True)
|
||||
net = net_resp['network']
|
||||
|
||||
# Create subnet
|
||||
subnet = self._make_subnet(self.fmt, net_resp, '10.0.1.1',
|
||||
'10.0.1.0/24')['subnet']
|
||||
subnet_id = subnet['id']
|
||||
fixed_ips = [{'subnet_id': subnet_id, 'ip_address': '10.0.1.100'}]
|
||||
|
||||
# create port with security group having rule
|
||||
# with remote_address_group_id set
|
||||
self._make_subnet(self.fmt, net_resp, '10.0.1.1',
|
||||
'10.0.1.0/24')['subnet']
|
||||
sg = self._make_security_group(self.fmt, 'test',
|
||||
'test remote address group')
|
||||
sg_id = sg['security_group']['id']
|
||||
|
||||
# Create Address group
|
||||
ag = self._test_create_address_group(name='foo',
|
||||
addresses=['10.0.1.0/24',
|
||||
'192.168.0.1/32'])
|
||||
@ -11741,38 +11734,24 @@ class TestPortOnPhysicalNode(TestPortVlanNetwork):
|
||||
rule = self._build_security_group_rule(
|
||||
sg_id, 'ingress', n_constants.PROTO_NAME_ICMP, '33', '2',
|
||||
remote_address_group_id=ag_id, ethertype=n_constants.IPv4)
|
||||
|
||||
# Create security group rule with address group rule
|
||||
rules = {'security_group_rules': [rule['security_group_rule']]}
|
||||
sg_rule = self._make_security_group_rule(
|
||||
self.fmt, rules)['security_group_rules'][0]
|
||||
port = self._make_port(self.fmt, net['id'], fixed_ips=fixed_ips,
|
||||
security_groups=[sg_id])['port']
|
||||
|
||||
tenant_aname = self.name_mapper.project(None,
|
||||
sg['security_group']['tenant_id'])
|
||||
aim_sg_rule = self._get_sg_rule(
|
||||
sg_rule['id'], 'default', sg_id, tenant_aname)
|
||||
|
||||
self.assertEqual(aim_sg_rule.remote_ips,
|
||||
['10.0.1.0/24', '192.168.0.1/32'])
|
||||
|
||||
# delete SG group
|
||||
data = {'port': {'security_groups': []}}
|
||||
port = self._update('ports', port['id'], data)['port']
|
||||
aim_sg_rule = self._get_sg_rule(
|
||||
sg_rule['id'], 'default', sg_id, tenant_aname)
|
||||
self.assertEqual(aim_sg_rule.remote_ips, [])
|
||||
|
||||
# add security group
|
||||
data = {'port': {'security_groups': [sg_id]}}
|
||||
port = self._update('ports', port['id'], data)['port']
|
||||
aim_sg_rule = self._get_sg_rule(
|
||||
sg_rule['id'], 'default', sg_id, tenant_aname)
|
||||
self.assertEqual(aim_sg_rule.remote_ips,
|
||||
['10.0.1.0/24', '192.168.0.1/32'])
|
||||
|
||||
# Delete port
|
||||
self._delete('ports', port['id'])
|
||||
aim_sg_rule = self._get_sg_rule(
|
||||
sg_rule['id'], 'default', sg_id, tenant_aname)
|
||||
self.assertEqual(aim_sg_rule.remote_ips, [])
|
||||
# Delete security group rule referenced with address group
|
||||
self._delete('security-group-rules', sg_rule['id'])
|
||||
# Delete Address group
|
||||
self._delete('address-groups', ag['address_group']['id'])
|
||||
|
||||
def test_create_sg_rule_with_remote_group_set_different_tenant(self):
|
||||
# Create network.
|
||||
|
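Review bot: The test creates a single address group, so `self.assertEqual(aim_sg_rule.remote_ips, ['10.0.1.0/24', '192.168.0.1/32'])` cannot distinguish a lookup scoped to the rule's `remote_address_group_id` from one that collects every address association in the database. Create a second, unreferenced address group with a distinct prefix before building the rule and add `self.assertNotIn('172.16.0.0/24', aim_sg_rule.remote_ips)` after the existing equality check; an IPv6 entry in the referenced group would likewise exercise the ethertype filter, which is otherwise untested here. The assertions after the port delete (`self._delete('ports', port['id'])`) still expect `remote_ips` to become `[]`, but nothing in the visible test shows that behaviour is still driven by the driver now that the per-port helper is gone, so confirm the port-delete step exercises a code path rather than passing vacuously.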