NSX|v3: Scaling security-groups by using multiple nested groups

For Neutron security-group integration we need to be able to configure some
default FW rules which will be enforced on all logical-ports (which are
associated with at least one SG). To achieve that, we place all security-group
objects in a nested NSGroup and apply the default rules on it.
The problem with this strategy is that the nested NSGroup has a
limited capacity and can't contain the expected number of security-groups which
exist simultaneously.
To address this issue, we create multiple nested NSGroups (instead of only one)
and evenly distribute security-groups between them; rules in
the default section are applied on these nested groups.

Closes-Bug: #1522021
Change-Id: I78c59a0b58bce14e04f7517e0d0db32cd105ff74
Roey Chen
2015-11-24 00:56:27 -08:00
parent dec9735426
commit 052baa8c34
6 changed files with 356 additions and 77 deletions


@@ -26,9 +26,12 @@ import six
from vmware_nsx._i18n import _, _LE
LOG = log.getLogger(__name__)
MAX_DISPLAY_NAME_LEN = 40
MAX_RESOURCE_TYPE_LEN = 20
NEUTRON_VERSION = version.version_info.release_string()
NSX_NEUTRON_PLUGIN = 'NSX Neutron plugin'
OS_NEUTRON_ID_SCOPE = 'os-neutron-id'
# Allowed network types for the NSX Plugin
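Review bot: `MAX_RESOURCE_TYPE_LEN = 20` is added with no comment saying which NSX field length it mirrors, while the neighbouring `MAX_DISPLAY_NAME_LEN` and the network-type block below do carry context; add a one-line comment so the next person who hits a truncation knows whether 20 is a backend limit or a plugin choice. Since `NEUTRON_VERSION` is introduced in this hunk, any remaining inline `version.version_info.release_string()` calls in this module should switch to it in the same change.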
@@ -90,13 +93,24 @@ def check_and_truncate(display_name):
return display_name or ''
def is_internal_resource(nsx_resource):
"""
Indicates whether the passed nsx-resource is owned by the plugin for
internal use.
"""
for tag in nsx_resource['tags']:
if tag['scope'] == OS_NEUTRON_ID_SCOPE:
return tag['tag'] == NSX_NEUTRON_PLUGIN
return False
def build_v3_api_version_tag():
"""
Some resources are created on the manager that do not have a corresponding
Neutron resource.
"""
return [{'scope': 'os-neutron-id',
'tag': 'NSX Neutron plugin'},
return [{'scope': OS_NEUTRON_ID_SCOPE,
'tag': NSX_NEUTRON_PLUGIN},
{'scope': "os-api-version",
'tag': version.version_info.release_string()}]
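Review bot: `is_internal_resource` indexes `nsx_resource['tags']` directly, so an NSX resource that carries no `tags` field raises `KeyError` instead of being reported as not plugin-owned; use `nsx_resource.get('tags', [])` so untagged resources fall through to `return False`. In `build_v3_api_version_tag`, the owner tag now uses `OS_NEUTRON_ID_SCOPE` and `NSX_NEUTRON_PLUGIN`, but the version tag still computes `version.version_info.release_string()` inline although `NEUTRON_VERSION` was just defined; use the constant, and give `"os-api-version"` the same treatment as the other scope string so the two readers of these tags cannot drift. The docstring describes a situation ("Some resources are created on the manager...") rather than what the function returns; state that it returns the tag list that marks a resource as owned by the plugin, which is what `is_internal_resource` checks against.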