Merge "address group with security group rule"
commit
40514ac534
@ -2819,10 +2819,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||||||
context, port, removed_sgs, is_delete=True)
|
context, port, removed_sgs, is_delete=True)
|
||||||
self._really_update_sg_rule_with_remote_group_set(
|
self._really_update_sg_rule_with_remote_group_set(
|
||||||
context, port, added_sgs, is_delete=False)
|
context, port, added_sgs, is_delete=False)
|
||||||
self._really_update_sg_rule_with_remote_address_group_set(
|
|
||||||
context, port, removed_sgs, is_delete=True)
|
|
||||||
self._really_update_sg_rule_with_remote_address_group_set(
|
|
||||||
context, port, added_sgs, is_delete=False)
|
|
||||||
|
|
||||||
def _really_update_sg_rule_with_remote_group_set(
|
def _really_update_sg_rule_with_remote_group_set(
|
||||||
self, context, port, security_groups, is_delete):
|
self, context, port, security_groups, is_delete):
|
||||||
@ -2872,51 +2868,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||||||
self.aim.update(aim_ctx, sg_rule_aim,
|
self.aim.update(aim_ctx, sg_rule_aim,
|
||||||
remote_ips=aim_sg_rule.remote_ips)
|
remote_ips=aim_sg_rule.remote_ips)
|
||||||
|
|
||||||
def _really_update_sg_rule_with_remote_address_group_set(
|
|
||||||
self, context, port, security_groups, is_delete):
|
|
||||||
if not security_groups:
|
|
||||||
return
|
|
||||||
session = context._plugin_context.session
|
|
||||||
aim_ctx = aim_context.AimContext(session)
|
|
||||||
|
|
||||||
query = BAKERY(lambda s: s.query(
|
|
||||||
sg_models.SecurityGroupRule,
|
|
||||||
ag_db.AddressGroup))
|
|
||||||
query += lambda q: q.filter(
|
|
||||||
sg_models.SecurityGroupRule.remote_address_group_id ==
|
|
||||||
ag_db.AddressGroup.id)
|
|
||||||
res = query(session).params(
|
|
||||||
security_groups=list(security_groups)).all()
|
|
||||||
sg_to_tenant = {}
|
|
||||||
for sg in res:
|
|
||||||
sg_rule = sg[0]
|
|
||||||
address_group = sg[1]
|
|
||||||
sg_id = sg_rule['security_group_id']
|
|
||||||
if sg_id in sg_to_tenant:
|
|
||||||
tenant_id = sg_to_tenant[sg_id]
|
|
||||||
else:
|
|
||||||
tenant_id = self._get_sg_rule_tenant_id(session, sg_rule)
|
|
||||||
sg_to_tenant[sg_id] = tenant_id
|
|
||||||
tenant_aname = self.name_mapper.project(session, tenant_id)
|
|
||||||
sg_rule_aim = aim_resource.SecurityGroupRule(
|
|
||||||
tenant_name=tenant_aname,
|
|
||||||
security_group_name=sg_rule['security_group_id'],
|
|
||||||
security_group_subject_name='default',
|
|
||||||
name=sg_rule['id'])
|
|
||||||
aim_sg_rule = self.aim.get(aim_ctx, sg_rule_aim)
|
|
||||||
if not aim_sg_rule:
|
|
||||||
continue
|
|
||||||
for ag_address in address_group['addresses']:
|
|
||||||
address = str(ag_address.address)
|
|
||||||
if is_delete:
|
|
||||||
if address in aim_sg_rule.remote_ips:
|
|
||||||
aim_sg_rule.remote_ips.remove(address)
|
|
||||||
else:
|
|
||||||
if address not in aim_sg_rule.remote_ips:
|
|
||||||
aim_sg_rule.remote_ips.append(address)
|
|
||||||
self.aim.update(aim_ctx, sg_rule_aim,
|
|
||||||
remote_ips=aim_sg_rule.remote_ips)
|
|
||||||
|
|
||||||
def _check_active_active_aap(self, context, port):
|
def _check_active_active_aap(self, context, port):
|
||||||
aap_current = port.get('allowed_address_pairs', [])
|
aap_current = port.get('allowed_address_pairs', [])
|
||||||
aap_original = []
|
aap_original = []
|
||||||
@ -3164,8 +3115,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||||||
self._check_valid_erspan_config(port)
|
self._check_valid_erspan_config(port)
|
||||||
self._really_update_sg_rule_with_remote_group_set(
|
self._really_update_sg_rule_with_remote_group_set(
|
||||||
context, port, port['security_groups'], is_delete=False)
|
context, port, port['security_groups'], is_delete=False)
|
||||||
self._really_update_sg_rule_with_remote_address_group_set(
|
|
||||||
context, port, port['security_groups'], is_delete=False)
|
|
||||||
self._insert_provisioning_block(context)
|
self._insert_provisioning_block(context)
|
||||||
|
|
||||||
# Handle router gateway port creation.
|
# Handle router gateway port creation.
|
||||||
@ -3456,8 +3405,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||||||
self._delete_erspan_aim_config(context, port)
|
self._delete_erspan_aim_config(context, port)
|
||||||
self._really_update_sg_rule_with_remote_group_set(
|
self._really_update_sg_rule_with_remote_group_set(
|
||||||
context, port, port['security_groups'], is_delete=True)
|
context, port, port['security_groups'], is_delete=True)
|
||||||
self._really_update_sg_rule_with_remote_address_group_set(
|
|
||||||
context, port, port['security_groups'], is_delete=True)
|
|
||||||
|
|
||||||
# Set status of floating ip DOWN.
|
# Set status of floating ip DOWN.
|
||||||
self._update_floatingip_status(
|
self._update_floatingip_status(
|
||||||
@ -3661,6 +3608,32 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||||||
remote_ips.append(fixed_ip['ip_address'])
|
remote_ips.append(fixed_ip['ip_address'])
|
||||||
|
|
||||||
remote_group_id = sg_rule['remote_group_id']
|
remote_group_id = sg_rule['remote_group_id']
|
||||||
|
|
||||||
|
elif sg_rule.get('remote_address_group_id'):
|
||||||
|
remote_ips = []
|
||||||
|
|
||||||
|
query = BAKERY(lambda s: s.query(
|
||||||
|
ag_db.AddressAssociation))
|
||||||
|
query += lambda q: q.filter(
|
||||||
|
sg_models.SecurityGroupRule.remote_address_group_id ==
|
||||||
|
ag_db.AddressGroup.id)
|
||||||
|
|
||||||
|
addresses = query(session).params(
|
||||||
|
ag_id=sg_rule['remote_address_group_id']).all()
|
||||||
|
|
||||||
|
ip_version = 0
|
||||||
|
if sg_rule['ethertype'] == 'IPv4':
|
||||||
|
ip_version = 4
|
||||||
|
elif sg_rule['ethertype'] == 'IPv6':
|
||||||
|
ip_version = 6
|
||||||
|
|
||||||
|
for addr in addresses:
|
||||||
|
if ip_version == netaddr.IPAddress(
|
||||||
|
addr['address'].split('/')[0]).version:
|
||||||
|
remote_ips.append(addr['address'])
|
||||||
|
|
||||||
|
remote_group_id = ''
|
||||||
|
|
||||||
else:
|
else:
|
||||||
remote_ips = ([sg_rule['remote_ip_prefix']]
|
remote_ips = ([sg_rule['remote_ip_prefix']]
|
||||||
if sg_rule['remote_ip_prefix'] else '')
|
if sg_rule['remote_ip_prefix'] else '')
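Review bot: The baked query in the new `elif sg_rule.get('remote_address_group_id'):` branch never restricts the result to the rule's own address group: it selects `ag_db.AddressAssociation`, but the only filter compares `sg_models.SecurityGroupRule.remote_address_group_id` with `ag_db.AddressGroup.id`, and the `ag_id` value supplied through `.params(ag_id=...)` is not bound anywhere in that filter. As written this is a cross join that returns every address association in the table, so `remote_ips` can absorb addresses from unrelated address groups (potentially other tenants'), which makes the resulting AIM rule over-permissive. The filter should bind the parameter against the association table, e.g. `query += lambda q: q.filter(ag_db.AddressAssociation.address_group_id == sa.bindparam('ag_id'))` (with whatever sqlalchemy bindparam alias this module already imports), which also makes the unused `sg_models`/`ag_db.AddressGroup` comparison unnecessary. Because the earlier hunks remove the per-port `_really_update_sg_rule_with_remote_address_group_set` sync, it is worth confirming that later membership changes to an address group still reach the AIM rule, as nothing in this hunk re-evaluates it; the enclosing function begins before and continues after this hunk.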
|
||||||
|
@ -11718,22 +11718,15 @@ class TestPortOnPhysicalNode(TestPortVlanNetwork):
|
|||||||
sg_rule1['id'], 'default', default_sg_id, tenant_aname)
|
sg_rule1['id'], 'default', default_sg_id, tenant_aname)
|
||||||
self.assertEqual(aim_sg_rule.remote_ips, [])
|
self.assertEqual(aim_sg_rule.remote_ips, [])
|
||||||
|
|
||||||
def test_update_sg_rule_with_remote_address_group_set(self):
|
def test_sg_rule_with_remote_address_group(self):
|
||||||
# Create network.
|
|
||||||
net_resp = self._make_network(self.fmt, 'net1', True)
|
net_resp = self._make_network(self.fmt, 'net1', True)
|
||||||
net = net_resp['network']
|
self._make_subnet(self.fmt, net_resp, '10.0.1.1',
|
||||||
|
'10.0.1.0/24')['subnet']
|
||||||
# Create subnet
|
|
||||||
subnet = self._make_subnet(self.fmt, net_resp, '10.0.1.1',
|
|
||||||
'10.0.1.0/24')['subnet']
|
|
||||||
subnet_id = subnet['id']
|
|
||||||
fixed_ips = [{'subnet_id': subnet_id, 'ip_address': '10.0.1.100'}]
|
|
||||||
|
|
||||||
# create port with security group having rule
|
|
||||||
# with remote_address_group_id set
|
|
||||||
sg = self._make_security_group(self.fmt, 'test',
|
sg = self._make_security_group(self.fmt, 'test',
|
||||||
'test remote address group')
|
'test remote address group')
|
||||||
sg_id = sg['security_group']['id']
|
sg_id = sg['security_group']['id']
|
||||||
|
|
||||||
|
# Create Address group
|
||||||
ag = self._test_create_address_group(name='foo',
|
ag = self._test_create_address_group(name='foo',
|
||||||
addresses=['10.0.1.0/24',
|
addresses=['10.0.1.0/24',
|
||||||
'192.168.0.1/32'])
|
'192.168.0.1/32'])
|
||||||
@ -11741,38 +11734,24 @@ class TestPortOnPhysicalNode(TestPortVlanNetwork):
|
|||||||
rule = self._build_security_group_rule(
|
rule = self._build_security_group_rule(
|
||||||
sg_id, 'ingress', n_constants.PROTO_NAME_ICMP, '33', '2',
|
sg_id, 'ingress', n_constants.PROTO_NAME_ICMP, '33', '2',
|
||||||
remote_address_group_id=ag_id, ethertype=n_constants.IPv4)
|
remote_address_group_id=ag_id, ethertype=n_constants.IPv4)
|
||||||
|
|
||||||
|
# Create security group rule with address group rule
|
||||||
rules = {'security_group_rules': [rule['security_group_rule']]}
|
rules = {'security_group_rules': [rule['security_group_rule']]}
|
||||||
sg_rule = self._make_security_group_rule(
|
sg_rule = self._make_security_group_rule(
|
||||||
self.fmt, rules)['security_group_rules'][0]
|
self.fmt, rules)['security_group_rules'][0]
|
||||||
port = self._make_port(self.fmt, net['id'], fixed_ips=fixed_ips,
|
|
||||||
security_groups=[sg_id])['port']
|
|
||||||
tenant_aname = self.name_mapper.project(None,
|
tenant_aname = self.name_mapper.project(None,
|
||||||
sg['security_group']['tenant_id'])
|
sg['security_group']['tenant_id'])
|
||||||
aim_sg_rule = self._get_sg_rule(
|
aim_sg_rule = self._get_sg_rule(
|
||||||
sg_rule['id'], 'default', sg_id, tenant_aname)
|
sg_rule['id'], 'default', sg_id, tenant_aname)
|
||||||
|
|
||||||
self.assertEqual(aim_sg_rule.remote_ips,
|
self.assertEqual(aim_sg_rule.remote_ips,
|
||||||
['10.0.1.0/24', '192.168.0.1/32'])
|
['10.0.1.0/24', '192.168.0.1/32'])
|
||||||
|
|
||||||
# delete SG group
|
# Delete security group rule referenced with address group
|
||||||
data = {'port': {'security_groups': []}}
|
self._delete('security-group-rules', sg_rule['id'])
|
||||||
port = self._update('ports', port['id'], data)['port']
|
# Delete Address group
|
||||||
aim_sg_rule = self._get_sg_rule(
|
self._delete('address-groups', ag['address_group']['id'])
|
||||||
sg_rule['id'], 'default', sg_id, tenant_aname)
|
|
||||||
self.assertEqual(aim_sg_rule.remote_ips, [])
|
|
||||||
|
|
||||||
# add security group
|
|
||||||
data = {'port': {'security_groups': [sg_id]}}
|
|
||||||
port = self._update('ports', port['id'], data)['port']
|
|
||||||
aim_sg_rule = self._get_sg_rule(
|
|
||||||
sg_rule['id'], 'default', sg_id, tenant_aname)
|
|
||||||
self.assertEqual(aim_sg_rule.remote_ips,
|
|
||||||
['10.0.1.0/24', '192.168.0.1/32'])
|
|
||||||
|
|
||||||
# Delete port
|
|
||||||
self._delete('ports', port['id'])
|
|
||||||
aim_sg_rule = self._get_sg_rule(
|
|
||||||
sg_rule['id'], 'default', sg_id, tenant_aname)
|
|
||||||
self.assertEqual(aim_sg_rule.remote_ips, [])
|
|
||||||
|
|
||||||
def test_create_sg_rule_with_remote_group_set_different_tenant(self):
|
def test_create_sg_rule_with_remote_group_set_different_tenant(self):
|
||||||
# Create network.
|
# Create network.
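Review bot: The rewritten test deletes the security-group rule and then the address group but asserts nothing afterwards, so the AIM rule's `remote_ips` content is only checked once, at creation time; add a check after `self._delete('security-group-rules', sg_rule['id'])` that `self._get_sg_rule(sg_rule['id'], 'default', sg_id, tenant_aname)` reflects the deletion, whatever the driver's expected post-delete state is. In the earlier hunk of this test, `self._make_subnet(self.fmt, net_resp, '10.0.1.1', '10.0.1.0/24')['subnet']` subscripts a result that is then discarded; drop the `['subnet']` or bind the result if the subnet is needed later. Since the test no longer creates a port, the address-group-to-remote_ips path is exercised only through rule creation, which matches the driver change but leaves address-group membership updates uncovered.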
|
||||||
|