NSX|V3: relocate some nsxlib apis
Change-Id: I85d6d79bb8b6494efc27136f12db02fc120afa32
This commit is contained in:
parent
b970d8cc58
commit
0d88f9b98b
|
@ -36,6 +36,8 @@ from vmware_nsxlib.v3 import policy
|
|||
LOG = logging.getLogger(__name__)
|
||||
|
||||
OS_NEUTRON_ID_SCOPE = 'os-neutron-id'
|
||||
PORT_SG_SCOPE = 'os-security-group'
|
||||
|
||||
NSX_NEUTRON_PLUGIN = 'NSX Neutron plugin'
|
||||
|
||||
|
||||
|
|
|
@ -100,7 +100,6 @@ from vmware_nsxlib.v3.policy import constants as policy_constants
|
|||
from vmware_nsxlib.v3.policy import core_defs as policy_defs
|
||||
from vmware_nsxlib.v3.policy import transaction as policy_trans
|
||||
from vmware_nsxlib.v3.policy import utils as p_utils
|
||||
from vmware_nsxlib.v3 import security
|
||||
from vmware_nsxlib.v3 import utils as nsxlib_utils
|
||||
|
||||
LOG = log.getLogger(__name__)
|
||||
|
@ -1619,7 +1618,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||
project_name=context.tenant_name))
|
||||
|
||||
if self._is_excluded_port(device_owner, is_psec_on):
|
||||
tags.append({'scope': security.PORT_SG_SCOPE,
|
||||
tags.append({'scope': v3_utils.PORT_SG_SCOPE,
|
||||
'tag': NSX_P_EXCLUDE_LIST_TAG})
|
||||
|
||||
if self.support_external_port_tagging:
|
||||
|
@ -3423,7 +3422,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||
|
||||
# Create the group membership criteria to match excluded neutron
|
||||
# ports by scope and tag
|
||||
scope_and_tag = "%s|%s" % (security.PORT_SG_SCOPE,
|
||||
scope_and_tag = "%s|%s" % (v3_utils.PORT_SG_SCOPE,
|
||||
NSX_P_EXCLUDE_LIST_TAG)
|
||||
conditions = [self.nsxpolicy.group.build_condition(
|
||||
cond_val=scope_and_tag,
|
||||
|
|
|
@ -111,7 +111,6 @@ from vmware_nsxlib.v3 import core_resources as nsx_resources
|
|||
from vmware_nsxlib.v3 import exceptions as nsx_lib_exc
|
||||
from vmware_nsxlib.v3 import nsx_constants as nsxlib_consts
|
||||
from vmware_nsxlib.v3 import router as nsxlib_router
|
||||
from vmware_nsxlib.v3 import security
|
||||
from vmware_nsxlib.v3 import utils as nsxlib_utils
|
||||
|
||||
|
||||
|
@ -553,7 +552,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
# Create a new NSGroup for default section
|
||||
membership_criteria = (
|
||||
self.nsxlib.ns_group.get_port_tag_expression(
|
||||
security.PORT_SG_SCOPE, NSX_V3_DEFAULT_SECTION))
|
||||
common_utils.PORT_SG_SCOPE, NSX_V3_DEFAULT_SECTION))
|
||||
nsgroup = self.nsxlib.ns_group.create(
|
||||
NSX_V3_FW_DEFAULT_NS_GROUP,
|
||||
'OS Default Section Port NSGroup',
|
||||
|
@ -577,7 +576,8 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
# Create a new NSGroup for excluded ports.
|
||||
membership_criteria = (
|
||||
self.nsxlib.ns_group.get_port_tag_expression(
|
||||
security.PORT_SG_SCOPE, nsxlib_consts.EXCLUDE_PORT))
|
||||
common_utils.PORT_SG_SCOPE,
|
||||
nsxlib_consts.EXCLUDE_PORT))
|
||||
nsgroup = self.nsxlib.ns_group.create(
|
||||
NSX_V3_EXCLUDED_PORT_NSGROUP_NAME,
|
||||
'Neutron Excluded Port NSGroup',
|
||||
|
@ -1210,6 +1210,19 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
LOG.error(err_msg)
|
||||
raise n_exc.InvalidInput(error_message=err_msg)
|
||||
|
||||
def get_lport_tags(self, secgroups):
|
||||
if len(secgroups) > nsxlib_utils.MAX_NSGROUPS_CRITERIA_TAGS:
|
||||
raise nsx_exc.NumberOfNsgroupCriteriaTagsReached(
|
||||
max_num=nsxlib_utils.MAX_NSGROUPS_CRITERIA_TAGS)
|
||||
tags = []
|
||||
for sg in secgroups:
|
||||
tags = nsxlib_utils.add_v3_tag(
|
||||
tags, common_utils.PORT_SG_SCOPE, sg)
|
||||
if not tags:
|
||||
# This port shouldn't be associated with any security-group
|
||||
tags = [{'scope': common_utils.PORT_SG_SCOPE, 'tag': None}]
|
||||
return tags
|
||||
|
||||
def _create_port_at_the_backend(self, context, port_data,
|
||||
l2gw_port_check, psec_is_on,
|
||||
is_ens_tz_port):
|
||||
|
@ -1230,19 +1243,19 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
tags = nsxlib_utils.add_v3_tag(tags, resource_type, device_id)
|
||||
|
||||
if self._is_excluded_port(device_owner, psec_is_on):
|
||||
tags.append({'scope': security.PORT_SG_SCOPE,
|
||||
tags.append({'scope': common_utils.PORT_SG_SCOPE,
|
||||
'tag': nsxlib_consts.EXCLUDE_PORT})
|
||||
else:
|
||||
# If port has no security-groups then we don't need to add any
|
||||
# security criteria tag.
|
||||
if port_data[ext_sg.SECURITYGROUPS]:
|
||||
tags += self.nsxlib.ns_group.get_lport_tags(
|
||||
tags += self.get_lport_tags(
|
||||
port_data[ext_sg.SECURITYGROUPS] +
|
||||
port_data[provider_sg.PROVIDER_SECURITYGROUPS])
|
||||
# Add port to the default list
|
||||
if (device_owner != l3_db.DEVICE_OWNER_ROUTER_INTF and
|
||||
device_owner != const.DEVICE_OWNER_DHCP):
|
||||
tags.append({'scope': security.PORT_SG_SCOPE,
|
||||
tags.append({'scope': common_utils.PORT_SG_SCOPE,
|
||||
'tag': NSX_V3_DEFAULT_SECTION})
|
||||
|
||||
address_bindings = (self._build_address_bindings(port_data)
|
||||
|
@ -1646,22 +1659,22 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
original_ps)
|
||||
if updated_excluded != original_excluded:
|
||||
if updated_excluded:
|
||||
tags_update.append({'scope': security.PORT_SG_SCOPE,
|
||||
tags_update.append({'scope': common_utils.PORT_SG_SCOPE,
|
||||
'tag': nsxlib_consts.EXCLUDE_PORT})
|
||||
else:
|
||||
tags_update.append({'scope': security.PORT_SG_SCOPE,
|
||||
tags_update.append({'scope': common_utils.PORT_SG_SCOPE,
|
||||
'tag': None})
|
||||
|
||||
tags_update += self.nsxlib.ns_group.get_lport_tags(
|
||||
tags_update += self.get_lport_tags(
|
||||
updated_port.get(ext_sg.SECURITYGROUPS, []) +
|
||||
updated_port.get(provider_sg.PROVIDER_SECURITYGROUPS, []))
|
||||
# Only set the default section tag if there is no port security
|
||||
if not updated_excluded:
|
||||
tags_update.append({'scope': security.PORT_SG_SCOPE,
|
||||
tags_update.append({'scope': common_utils.PORT_SG_SCOPE,
|
||||
'tag': NSX_V3_DEFAULT_SECTION})
|
||||
else:
|
||||
# Ensure that the 'exclude' tag is set
|
||||
tags_update.append({'scope': security.PORT_SG_SCOPE,
|
||||
tags_update.append({'scope': common_utils.PORT_SG_SCOPE,
|
||||
'tag': nsxlib_consts.EXCLUDE_PORT})
|
||||
|
||||
# Add availability zone profiles first (so that specific profiles will
|
||||
|
@ -2913,11 +2926,11 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
tags = self.nsxlib.build_v3_tags_payload(
|
||||
secgroup, resource_type='os-neutron-secgr-id',
|
||||
project_name=secgroup['tenant_id'])
|
||||
name = self.nsxlib.ns_group.get_name(secgroup)
|
||||
name = self.get_nsgroup_name(secgroup)
|
||||
|
||||
tag_expression = (
|
||||
self.nsxlib.ns_group.get_port_tag_expression(
|
||||
security.PORT_SG_SCOPE, secgroup['id']))
|
||||
common_utils.PORT_SG_SCOPE, secgroup['id']))
|
||||
|
||||
ns_group = self.nsxlib.ns_group.create(
|
||||
name, secgroup['description'], tags, tag_expression)
|
||||
|
@ -3049,6 +3062,11 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
msg = _("Cannot modify NSX internal security group")
|
||||
raise n_exc.InvalidInput(error_message=msg)
|
||||
|
||||
def get_nsgroup_name(self, security_group):
|
||||
# Adding the security-group id to the NSGroup name,
|
||||
# for usability purposes.
|
||||
return '%(name)s - %(id)s' % security_group
|
||||
|
||||
def update_security_group(self, context, id, security_group):
|
||||
orig_secgroup = self.get_security_group(
|
||||
context, id, fields=['id', 'name', 'description'])
|
||||
|
@ -3064,8 +3082,12 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
try:
|
||||
nsgroup_id, section_id = nsx_db.get_sg_mappings(
|
||||
context.session, id)
|
||||
nsgroup_name = self.get_nsgroup_name(secgroup_res)
|
||||
self.nsxlib.ns_group.update_nsgroup_and_section(
|
||||
secgroup_res, nsgroup_id, section_id,
|
||||
nsgroup_name,
|
||||
secgroup_res['description'],
|
||||
secgroup_res.get(sg_logging.LOGGING, False),
|
||||
nsgroup_id, section_id,
|
||||
cfg.CONF.nsx_v3.log_security_groups_allowed_traffic)
|
||||
except nsx_lib_exc.ManagerError:
|
||||
with excutils.save_and_reraise_exception():
|
||||
|
|
|
@ -14,9 +14,20 @@
|
|||
|
||||
from oslo_log import log as logging
|
||||
|
||||
from neutron.db import allowedaddresspairs_db as addr_pair_db
|
||||
from neutron.db import db_base_plugin_v2
|
||||
from neutron.db import l3_db
|
||||
from neutron.db import portsecurity_db
|
||||
from neutron_lib.callbacks import registry
|
||||
from neutron_lib import constants as const
|
||||
from neutron_lib import context as neutron_context
|
||||
from neutron_lib.plugins import constants as plugin_constants
|
||||
from neutron_lib.plugins import directory
|
||||
|
||||
from vmware_nsx.common import utils as nsx_utils
|
||||
from vmware_nsx.db import db as nsx_db
|
||||
from vmware_nsx.dvs import dvs
|
||||
from vmware_nsx.plugins.common_v3 import utils as common_utils
|
||||
from vmware_nsx.plugins.nsx_v3 import plugin
|
||||
from vmware_nsx.plugins.nsx_v3 import utils as plugin_utils
|
||||
from vmware_nsx.shell.admin.plugins.common import constants
|
||||
|
@ -27,17 +38,6 @@ from vmware_nsx.shell import resources as shell
|
|||
from vmware_nsxlib.v3 import exceptions as nsx_exc
|
||||
from vmware_nsxlib.v3 import nsx_constants as nsxlib_consts
|
||||
from vmware_nsxlib.v3 import resources
|
||||
from vmware_nsxlib.v3 import security
|
||||
|
||||
from neutron.db import allowedaddresspairs_db as addr_pair_db
|
||||
from neutron.db import db_base_plugin_v2
|
||||
from neutron.db import l3_db
|
||||
from neutron.db import portsecurity_db
|
||||
from neutron_lib.callbacks import registry
|
||||
from neutron_lib import constants as const
|
||||
from neutron_lib import context as neutron_context
|
||||
from neutron_lib.plugins import constants as plugin_constants
|
||||
from neutron_lib.plugins import directory
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
@ -232,7 +232,7 @@ def migrate_exclude_ports(resource, event, trigger, **kwargs):
|
|||
LOG.info("Port %s is not defined in DB", neutron_port_id)
|
||||
continue
|
||||
# Update tag for the port
|
||||
tags_update = [{'scope': security.PORT_SG_SCOPE,
|
||||
tags_update = [{'scope': common_utils.PORT_SG_SCOPE,
|
||||
'tag': nsxlib_consts.EXCLUDE_PORT}]
|
||||
_port_client.update(port_id, None,
|
||||
tags_update=tags_update)
|
||||
|
@ -271,7 +271,7 @@ def tag_default_ports(resource, event, trigger, **kwargs):
|
|||
except nsx_exc.ResourceNotFound:
|
||||
continue
|
||||
tags_update = nsx_port['tags']
|
||||
tags_update += [{'scope': security.PORT_SG_SCOPE,
|
||||
tags_update += [{'scope': common_utils.PORT_SG_SCOPE,
|
||||
'tag': plugin.NSX_V3_DEFAULT_SECTION}]
|
||||
nsxlib.logical_port.update(nsx_id, None,
|
||||
tags_update=tags_update)
|
||||
|
|
Loading…
Reference in New Issue