Tenant network sg toggle

JIRA:NCP-1734

Conflicts:

	quark/plugin_modules/ports.py

quark/environment.py

@@ -22,6 +22,7 @@ CONF = cfg.CONF
 class Capabilities(object):
     SECURITY_GROUPS = "security_groups"
     EGRESS = "egress"
+    TENANT_NETWORK_SG = "tenant_network_sg"
 
 
 quark_opts = [

quark/exceptions.py

@@ -121,6 +121,11 @@ class SecurityGroupsNotImplemented(exceptions.InvalidInput):
                 "create")
 
 
+class TenantNetworkSecurityGroupRulesNotEnabled(exceptions.InvalidInput):
+    message = _("Tenant network security group rules are not currently "
+                "allowed by environment_capabilities configuration.")
+
+
 class EgressSecurityGroupRulesNotEnabled(exceptions.InvalidInput):
     message = _("Egress security group rules are not currently allowed "
                 "by environment_capabilities configuration.")

quark/plugin_modules/ports.py

@@ -297,10 +297,11 @@ def update_port(context, id, port):
                                  fixed_ips_per_port=len(fixed_ips))
 
     new_security_groups = utils.pop_param(port_dict, "security_groups")
-    if Capabilities.SECURITY_GROUPS not in CONF.QUARK.environment_capabilities:
     if new_security_groups is not None:
+        if (Capabilities.TENANT_NETWORK_SG not in
+                CONF.QUARK.environment_capabilities):
             if not STRATEGY.is_provider_network(port_db["network_id"]):
-                raise q_exc.TenantNetworkSecurityGroupsNotImplemented()
+                raise q_exc.TenantNetworkSecurityGroupRulesNotEnabled()
 
     if new_security_groups is not None and not port_db["device_id"]:
         raise q_exc.SecurityGroupsRequireDevice()