[AWS] Fixed Security Group Creation Issues
Issues: 1. A security group created through the OpenStack API has 2 outbound rules (1 for IPv4 and 1 for IPv6) and no inbound rules, so the rule_dict built for each outbound rule contained the same data. Authorizing the egress direction therefore failed with "ClientError: The same permission must not appear multiple times". 2. Since the security group has no inbound rules, an empty list was passed to the AuthorizeSecurityGroupIngress operation, which raised "ClientError: Missing source specification: include source security group or CIDR information". 3. Updating a security group that was created through the API failed with the same error, "ClientError: Missing source specification: include source security group or CIDR information", because there were no inbound rules. Fixes: 1. Added a check for the IPv4 ethertype in "_convert_openstack_rules_to_vpc()". 2. Moved the ingress authorization inside the if block. 3. Added checks in "_update_sec_group()". Closes-Bug: #1709545 Change-Id: I4e4acad4da3b095e7a8951abbfb94f1b0d9c7e41
This commit is contained in:
parent
8241e8da95
commit
d444a9511b
@ -47,8 +47,7 @@ def _process_exception(e, dry_run):
|
|||||||
if dry_run:
|
if dry_run:
|
||||||
error_code = e.response['Code']
|
error_code = e.response['Code']
|
||||||
if not error_code == 'DryRunOperation':
|
if not error_code == 'DryRunOperation':
|
||||||
raise AwsException(
|
raise AwsException(error_code='AuthFailure',
|
||||||
error_code='AuthFailure',
|
|
||||||
message='Check your AWS authorization')
|
message='Check your AWS authorization')
|
||||||
else:
|
else:
|
||||||
if isinstance(e, botocore.exceptions.ClientError):
|
if isinstance(e, botocore.exceptions.ClientError):
|
||||||
@ -433,6 +432,7 @@ class AwsUtils(object):
|
|||||||
rule_dict['ToPort'] = 65535
|
rule_dict['ToPort'] = 65535
|
||||||
else:
|
else:
|
||||||
rule_dict['ToPort'] = rule['port_range_max']
|
rule_dict['ToPort'] = rule['port_range_max']
|
||||||
|
if rule['ethertype'] == "IPv4":
|
||||||
rule_dict['IpRanges'] = []
|
rule_dict['IpRanges'] = []
|
||||||
if rule['remote_group_id'] is not None:
|
if rule['remote_group_id'] is not None:
|
||||||
rule_dict['IpRanges'].append({
|
rule_dict['IpRanges'].append({
|
||||||
@ -449,6 +449,8 @@ class AwsUtils(object):
|
|||||||
rule_dict['IpRanges'].append({
|
rule_dict['IpRanges'].append({
|
||||||
'CidrIp': '0.0.0.0/0'
|
'CidrIp': '0.0.0.0/0'
|
||||||
})
|
})
|
||||||
|
elif rule['ethertype'] == "IPv6":
|
||||||
|
LOG.warning("Ethertype IPv6 is supported only for EC2-VPC")
|
||||||
if rule['direction'] == 'egress':
|
if rule['direction'] == 'egress':
|
||||||
egress_rules.append(rule_dict)
|
egress_rules.append(rule_dict)
|
||||||
else:
|
else:
|
||||||
@ -462,7 +464,9 @@ class AwsUtils(object):
|
|||||||
secgrp.revoke_ingress(IpPermissions=old_ingress)
|
secgrp.revoke_ingress(IpPermissions=old_ingress)
|
||||||
if old_egress:
|
if old_egress:
|
||||||
secgrp.revoke_egress(IpPermissions=old_egress)
|
secgrp.revoke_egress(IpPermissions=old_egress)
|
||||||
|
if ingress:
|
||||||
secgrp.authorize_ingress(IpPermissions=ingress)
|
secgrp.authorize_ingress(IpPermissions=ingress)
|
||||||
|
if egress:
|
||||||
secgrp.authorize_egress(IpPermissions=egress)
|
secgrp.authorize_egress(IpPermissions=egress)
|
||||||
|
|
||||||
def _create_sec_grp_rules(self, secgrp, rules):
|
def _create_sec_grp_rules(self, secgrp, rules):
|
||||||
@ -496,7 +500,7 @@ class AwsUtils(object):
|
|||||||
secgrp = self._get_ec2_resource().create_security_group(
|
secgrp = self._get_ec2_resource().create_security_group(
|
||||||
GroupName=name, Description=description, VpcId=vpc_id)
|
GroupName=name, Description=description, VpcId=vpc_id)
|
||||||
if self._create_sec_grp_tags(secgrp, tags) is False:
|
if self._create_sec_grp_tags(secgrp, tags) is False:
|
||||||
delete_sec_grp(secgrp.id) # noqa
|
self.delete_security_group_by_id(secgrp.id)
|
||||||
raise AwsException(
|
raise AwsException(
|
||||||
message='Timed out creating tags on security group',
|
message='Timed out creating tags on security group',
|
||||||
error_code='Time Out')
|
error_code='Time Out')
|
||||||
@ -531,13 +535,18 @@ class AwsUtils(object):
|
|||||||
def _update_sec_group(self, ec2_id, old_ingress, old_egress, new_ingress,
|
def _update_sec_group(self, ec2_id, old_ingress, old_egress, new_ingress,
|
||||||
new_egress):
|
new_egress):
|
||||||
sg = self._get_ec2_resource().SecurityGroup(ec2_id)
|
sg = self._get_ec2_resource().SecurityGroup(ec2_id)
|
||||||
|
if old_ingress:
|
||||||
sg.revoke_ingress(IpPermissions=old_ingress)
|
sg.revoke_ingress(IpPermissions=old_ingress)
|
||||||
time.sleep(1)
|
time.sleep(1)
|
||||||
|
if old_egress:
|
||||||
sg.revoke_egress(IpPermissions=old_egress)
|
sg.revoke_egress(IpPermissions=old_egress)
|
||||||
time.sleep(1)
|
time.sleep(1)
|
||||||
|
if new_ingress:
|
||||||
sg.authorize_ingress(IpPermissions=new_ingress)
|
sg.authorize_ingress(IpPermissions=new_ingress)
|
||||||
time.sleep(1)
|
time.sleep(1)
|
||||||
|
if new_egress:
|
||||||
sg.authorize_egress(IpPermissions=new_egress)
|
sg.authorize_egress(IpPermissions=new_egress)
|
||||||
|
time.sleep(1)
|
||||||
|
|
||||||
@aws_exception
|
@aws_exception
|
||||||
def update_sec_group(self, openstack_id, rules):
|
def update_sec_group(self, openstack_id, rules):
|
||||||
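Review bot: In the `@ -449,6 +449,8 @@` hunk the new `elif rule['ethertype'] == "IPv6":` branch only logs a warning, and the unchanged `if rule['direction'] == 'egress':` that follows it (which appears to sit at loop level, outside the elif) still appends `rule_dict` to the egress or ingress list, so an IPv6 rule is handed to EC2 with `IpProtocol`/`FromPort`/`ToPort` but no `IpRanges` (that key is only set in the IPv4 branch) — a permission with no source or destination, which presumably triggers the same "Missing source specification" rejection this change is meant to remove. The rule should be dropped after the warning, i.e. `LOG.warning("Ethertype IPv6 is supported only for EC2-VPC")` followed by `continue`, assuming this code sits in the per-rule loop of `_convert_openstack_rules_to_vpc()` as the hunk header and the commit message suggest. Note that `create_security_group` on this page passes `VpcId`, so these are EC2-VPC groups where IPv6 rules are expressible via `Ipv6Ranges`/`CidrIpv6`; translating the rule rather than silently dropping it would keep the AWS group in step with the OpenStack policy, and the warning text as written is misleading either way. The enclosing function begins before the `@ -433,6 +432,7 @@` hunk, so the loop structure is inferred rather than visible here.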
|