Merge "address group with security group rule"

This commit is contained in:
Zuul 2023-10-16 13:30:56 +00:00 committed by Gerrit Code Review
commit 40514ac534
2 changed files with 39 additions and 87 deletions


@ -2819,10 +2819,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
context, port, removed_sgs, is_delete=True) context, port, removed_sgs, is_delete=True)
self._really_update_sg_rule_with_remote_group_set( self._really_update_sg_rule_with_remote_group_set(
context, port, added_sgs, is_delete=False) context, port, added_sgs, is_delete=False)
self._really_update_sg_rule_with_remote_address_group_set(
context, port, removed_sgs, is_delete=True)
self._really_update_sg_rule_with_remote_address_group_set(
context, port, added_sgs, is_delete=False)
def _really_update_sg_rule_with_remote_group_set( def _really_update_sg_rule_with_remote_group_set(
self, context, port, security_groups, is_delete): self, context, port, security_groups, is_delete):
@ -2872,51 +2868,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
self.aim.update(aim_ctx, sg_rule_aim, self.aim.update(aim_ctx, sg_rule_aim,
remote_ips=aim_sg_rule.remote_ips) remote_ips=aim_sg_rule.remote_ips)
def _really_update_sg_rule_with_remote_address_group_set(
self, context, port, security_groups, is_delete):
if not security_groups:
return
session = context._plugin_context.session
aim_ctx = aim_context.AimContext(session)
query = BAKERY(lambda s: s.query(
sg_models.SecurityGroupRule,
ag_db.AddressGroup))
query += lambda q: q.filter(
sg_models.SecurityGroupRule.remote_address_group_id ==
ag_db.AddressGroup.id)
res = query(session).params(
security_groups=list(security_groups)).all()
sg_to_tenant = {}
for sg in res:
sg_rule = sg[0]
address_group = sg[1]
sg_id = sg_rule['security_group_id']
if sg_id in sg_to_tenant:
tenant_id = sg_to_tenant[sg_id]
else:
tenant_id = self._get_sg_rule_tenant_id(session, sg_rule)
sg_to_tenant[sg_id] = tenant_id
tenant_aname = self.name_mapper.project(session, tenant_id)
sg_rule_aim = aim_resource.SecurityGroupRule(
tenant_name=tenant_aname,
security_group_name=sg_rule['security_group_id'],
security_group_subject_name='default',
name=sg_rule['id'])
aim_sg_rule = self.aim.get(aim_ctx, sg_rule_aim)
if not aim_sg_rule:
continue
for ag_address in address_group['addresses']:
address = str(ag_address.address)
if is_delete:
if address in aim_sg_rule.remote_ips:
aim_sg_rule.remote_ips.remove(address)
else:
if address not in aim_sg_rule.remote_ips:
aim_sg_rule.remote_ips.append(address)
self.aim.update(aim_ctx, sg_rule_aim,
remote_ips=aim_sg_rule.remote_ips)
def _check_active_active_aap(self, context, port): def _check_active_active_aap(self, context, port):
aap_current = port.get('allowed_address_pairs', []) aap_current = port.get('allowed_address_pairs', [])
aap_original = [] aap_original = []
@ -3164,8 +3115,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
self._check_valid_erspan_config(port) self._check_valid_erspan_config(port)
self._really_update_sg_rule_with_remote_group_set( self._really_update_sg_rule_with_remote_group_set(
context, port, port['security_groups'], is_delete=False) context, port, port['security_groups'], is_delete=False)
self._really_update_sg_rule_with_remote_address_group_set(
context, port, port['security_groups'], is_delete=False)
self._insert_provisioning_block(context) self._insert_provisioning_block(context)
# Handle router gateway port creation. # Handle router gateway port creation.
@ -3456,8 +3405,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
self._delete_erspan_aim_config(context, port) self._delete_erspan_aim_config(context, port)
self._really_update_sg_rule_with_remote_group_set( self._really_update_sg_rule_with_remote_group_set(
context, port, port['security_groups'], is_delete=True) context, port, port['security_groups'], is_delete=True)
self._really_update_sg_rule_with_remote_address_group_set(
context, port, port['security_groups'], is_delete=True)
# Set status of floating ip DOWN. # Set status of floating ip DOWN.
self._update_floatingip_status( self._update_floatingip_status(
@ -3661,6 +3608,32 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
remote_ips.append(fixed_ip['ip_address']) remote_ips.append(fixed_ip['ip_address'])
remote_group_id = sg_rule['remote_group_id'] remote_group_id = sg_rule['remote_group_id']
elif sg_rule.get('remote_address_group_id'):
remote_ips = []
query = BAKERY(lambda s: s.query(
ag_db.AddressAssociation))
query += lambda q: q.filter(
sg_models.SecurityGroupRule.remote_address_group_id ==
ag_db.AddressGroup.id)
addresses = query(session).params(
ag_id=sg_rule['remote_address_group_id']).all()
ip_version = 0
if sg_rule['ethertype'] == 'IPv4':
ip_version = 4
elif sg_rule['ethertype'] == 'IPv6':
ip_version = 6
for addr in addresses:
if ip_version == netaddr.IPAddress(
addr['address'].split('/')[0]).version:
remote_ips.append(addr['address'])
remote_group_id = ''
else: else:
remote_ips = ([sg_rule['remote_ip_prefix']] remote_ips = ([sg_rule['remote_ip_prefix']]
if sg_rule['remote_ip_prefix'] else '') if sg_rule['remote_ip_prefix'] else '')
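Review bot: The new `remote_address_group_id` branch in the hunk at -3661 queries `ag_db.AddressAssociation` but filters on `sg_models.SecurityGroupRule.remote_address_group_id == ag_db.AddressGroup.id`, a condition that references neither the queried table nor the `ag_id` value handed to `.params()`, so nothing in the statement restricts the rows to the rule's own address group and the rule's `remote_ips` can be populated from other address groups, which makes the resulting ACL broader than the rule specifies. The filter should use the parameter it is given, e.g. `query += lambda q: q.filter(ag_db.AddressAssociation.address_group_id == sqlalchemy.bindparam('ag_id'))`, spelled with whatever alias the file already imports sqlalchemy under. Because the per-port `_really_update_sg_rule_with_remote_address_group_set` path is removed in the hunk at -2872, it is also worth confirming outside this diff that later changes to an address group's membership still reach the AIM rule, since only the rule-creation path is visible here. The enclosing function starts and ends outside the hunk.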


@ -11718,22 +11718,15 @@ class TestPortOnPhysicalNode(TestPortVlanNetwork):
sg_rule1['id'], 'default', default_sg_id, tenant_aname) sg_rule1['id'], 'default', default_sg_id, tenant_aname)
self.assertEqual(aim_sg_rule.remote_ips, []) self.assertEqual(aim_sg_rule.remote_ips, [])
def test_update_sg_rule_with_remote_address_group_set(self): def test_sg_rule_with_remote_address_group(self):
# Create network.
net_resp = self._make_network(self.fmt, 'net1', True) net_resp = self._make_network(self.fmt, 'net1', True)
net = net_resp['network'] self._make_subnet(self.fmt, net_resp, '10.0.1.1',
'10.0.1.0/24')['subnet']
# Create subnet
subnet = self._make_subnet(self.fmt, net_resp, '10.0.1.1',
'10.0.1.0/24')['subnet']
subnet_id = subnet['id']
fixed_ips = [{'subnet_id': subnet_id, 'ip_address': '10.0.1.100'}]
# create port with security group having rule
# with remote_address_group_id set
sg = self._make_security_group(self.fmt, 'test', sg = self._make_security_group(self.fmt, 'test',
'test remote address group') 'test remote address group')
sg_id = sg['security_group']['id'] sg_id = sg['security_group']['id']
# Create Address group
ag = self._test_create_address_group(name='foo', ag = self._test_create_address_group(name='foo',
addresses=['10.0.1.0/24', addresses=['10.0.1.0/24',
'192.168.0.1/32']) '192.168.0.1/32'])
@ -11741,38 +11734,24 @@ class TestPortOnPhysicalNode(TestPortVlanNetwork):
rule = self._build_security_group_rule( rule = self._build_security_group_rule(
sg_id, 'ingress', n_constants.PROTO_NAME_ICMP, '33', '2', sg_id, 'ingress', n_constants.PROTO_NAME_ICMP, '33', '2',
remote_address_group_id=ag_id, ethertype=n_constants.IPv4) remote_address_group_id=ag_id, ethertype=n_constants.IPv4)
# Create security group rule with address group rule
rules = {'security_group_rules': [rule['security_group_rule']]} rules = {'security_group_rules': [rule['security_group_rule']]}
sg_rule = self._make_security_group_rule( sg_rule = self._make_security_group_rule(
self.fmt, rules)['security_group_rules'][0] self.fmt, rules)['security_group_rules'][0]
port = self._make_port(self.fmt, net['id'], fixed_ips=fixed_ips,
security_groups=[sg_id])['port']
tenant_aname = self.name_mapper.project(None, tenant_aname = self.name_mapper.project(None,
sg['security_group']['tenant_id']) sg['security_group']['tenant_id'])
aim_sg_rule = self._get_sg_rule( aim_sg_rule = self._get_sg_rule(
sg_rule['id'], 'default', sg_id, tenant_aname) sg_rule['id'], 'default', sg_id, tenant_aname)
self.assertEqual(aim_sg_rule.remote_ips, self.assertEqual(aim_sg_rule.remote_ips,
['10.0.1.0/24', '192.168.0.1/32']) ['10.0.1.0/24', '192.168.0.1/32'])
# delete SG group # Delete security group rule referenced with address group
data = {'port': {'security_groups': []}} self._delete('security-group-rules', sg_rule['id'])
port = self._update('ports', port['id'], data)['port'] # Delete Address group
aim_sg_rule = self._get_sg_rule( self._delete('address-groups', ag['address_group']['id'])
sg_rule['id'], 'default', sg_id, tenant_aname)
self.assertEqual(aim_sg_rule.remote_ips, [])
# add security group
data = {'port': {'security_groups': [sg_id]}}
port = self._update('ports', port['id'], data)['port']
aim_sg_rule = self._get_sg_rule(
sg_rule['id'], 'default', sg_id, tenant_aname)
self.assertEqual(aim_sg_rule.remote_ips,
['10.0.1.0/24', '192.168.0.1/32'])
# Delete port
self._delete('ports', port['id'])
aim_sg_rule = self._get_sg_rule(
sg_rule['id'], 'default', sg_id, tenant_aname)
self.assertEqual(aim_sg_rule.remote_ips, [])
def test_create_sg_rule_with_remote_group_set_different_tenant(self): def test_create_sg_rule_with_remote_group_set_different_tenant(self):
# Create network. # Create network.