From 368dbbe96dfecec6796c79cee76d91bd78a57573 Mon Sep 17 00:00:00 2001
From: Kobi Samoray <ksamoray@vmware.com>
Date: Tue, 6 Apr 2021 16:05:37 +0300
Subject: [PATCH] NSXV: handle missing SG mapping

When creating rules, the plugin fetches the SG mapping from Neutron DB.
If this mapping is missing, the plugin should issue a proper error and
fail.

Change-Id: Icd00116dc6e81949513db18f16eced8a2b125c7d
---
 vmware_nsx/plugins/nsx_v/plugin.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index b8d9c8f6ea..928336675d 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -4803,6 +4803,9 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
         with locking.LockManager.get_lock('rule-update-%s' % sg_id):
             # Querying DB for associated dfw section id
             section_uri = self._get_section_uri(context.session, sg_id)
+            if not section_uri:
+                error = "NSX mapping for security group %s not found" % sg_id
+                raise nsx_exc.NsxPluginException(err_msg=error)
             logged = self._is_security_group_logged(context, sg_id)
             provider = self._is_provider_security_group(context, sg_id)
             log_all_rules = cfg.CONF.nsxv.log_security_groups_allowed_traffic