x/vmware-nsx
Code Issues Proposed changes

Merge "[Admin-util] NSX|V admin util to use a policy in a security group"

Browse Source
This commit is contained in:
Jenkins 2016-11-16 14:07:32 +00:00 committed by Gerrit Code Review
commit b873bff2c4
4 changed files with 96 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/source/admin_util.rst
View File

@ -137,6 +137,10 @@ Security Groups, Firewall and Spoofguard
nsxadmin -r spoofguard-policy -o clean --property policy-id=spoofguardpolicy-10
nsxadmin -r spoofguard-policy -o list --property reverse (entries defined on NSXv and not in Neutron)
- Migrate a security group from using rules to using a policy
nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-10 --property security-group-id=733f0741-fa2c-4b32-811c-b78e4dc8ec39
Metadata
~~~~~~~~

6
vmware_nsx/db/nsxv_db.py
View File

@ -448,6 +448,12 @@ def get_nsx_section(session, neutron_id):
"stored in Neutron DB", neutron_id)
def delete_neutron_nsx_section_mapping(session, neutron_id):
with session.begin(subtransactions=True):
return (session.query(nsxv_models.NsxvSecurityGroupSectionMapping).
filter_by(neutron_id=neutron_id).delete())
def get_nsx_rule_id(session, neutron_id):
try:
mapping = (session.query(nsxv_models.NsxvRuleMapping).

83
vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py
View File

@ -16,18 +16,24 @@
import logging
import xml.etree.ElementTree as et
from neutron.callbacks import registry
from neutron import context
from neutron.db.models import securitygroup as sg_models
from neutron.db import models_v2
from neutron.db import securitygroups_db
from neutron.extensions import securitygroup as ext_sg
from vmware_nsx._i18n import _LE, _LI, _LW
from vmware_nsx.db import db as nsx_db
from vmware_nsx.db import nsx_models
from vmware_nsx.db import nsxv_db
from vmware_nsx.db import nsxv_models
from vmware_nsx.extensions import securitygrouppolicy as sg_policy
from vmware_nsx.shell.admin.plugins.common import constants
from vmware_nsx.shell.admin.plugins.common import formatters
from vmware_nsx.shell.admin.plugins.common import utils as admin_utils
from vmware_nsx.shell.admin.plugins.nsxv.resources import utils
from vmware_nsx.shell import resources as shell
LOG = logging.getLogger(__name__)
@ -242,3 +248,80 @@ def fix_security_groups(resource, event, trigger, **kwargs):
nsx_id = nsx_db.get_nsx_security_group_id(context_.session, sg_id)
for vnic_id in neutron_sg.get_vnics_in_security_group(sg_id):
plugin._add_member_to_security_group(nsx_id, vnic_id)
@admin_utils.output_header
def migrate_sg_to_policy(resource, event, trigger, **kwargs):
"""Change the mode of a security group from rules to NSX policy"""
if not kwargs.get('property'):
LOG.error(_LE("Need to specify security-group-id and policy-id "
"parameters"))
return
# input validation
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
sg_id = properties.get('security-group-id')
if not sg_id:
LOG.error(_LE("Need to specify security-group-id parameter"))
return
policy_id = properties.get('policy-id')
if not policy_id:
LOG.error(_LE("Need to specify policy-id parameter"))
return
# validate that the security group exist and contains rules and no policy
context_ = context.get_admin_context()
plugin = utils.NsxVPluginWrapper()
try:
secgroup = plugin.get_security_group(context_, sg_id)
except ext_sg.SecurityGroupNotFound:
LOG.error(_LE("Security group %s was not found"), sg_id)
return
if secgroup.get('policy'):
LOG.error(_LE("Security group %s already uses a policy"), sg_id)
return
# validate that the policy exists
if not plugin.nsx_v.vcns.validate_inventory(policy_id):
LOG.error(_LE("NSX policy %s was not found"), policy_id)
return
# Delete the rules from the security group
LOG.info(_LI("Deleting the rules of security group: %s"), sg_id)
for rule in secgroup.get('security_group_rules', []):
try:
plugin.delete_security_group_rule(context_, rule['id'])
except Exception as e:
LOG.warning(_LW("Failed to delete rule %(r)s from security group "
"%(sg)s: %(e)s"),
{'r': rule['id'], 'sg': sg_id, 'e': e})
# continue anyway
# Delete the security group FW section
LOG.info(_LI("Deleting the section of security group: %s"), sg_id)
try:
section_uri = plugin._get_section_uri(context_.session, sg_id)
plugin._delete_section(section_uri)
nsxv_db.delete_neutron_nsx_section_mapping(context_.session, sg_id)
except Exception as e:
LOG.warning(_LW("Failed to delete firewall section of security group "
"%(sg)s: %(e)s"),
{'sg': sg_id, 'e': e})
# continue anyway
# bind this security group to the policy in the backend and DB
nsx_sg_id = nsx_db.get_nsx_security_group_id(context_.session, sg_id)
LOG.info(_LI("Binding the NSX security group %(nsx)s to policy %(pol)s"),
{'nsx': nsx_sg_id, 'pol': policy_id})
plugin._update_nsx_security_group_policies(
policy_id, None, nsx_sg_id)
prop = plugin._get_security_group_properties(context_, sg_id)
with context_.session.begin(subtransactions=True):
prop.update({sg_policy.POLICY: policy_id})
LOG.info(_LI("Done."))
registry.subscribe(migrate_sg_to_policy,
constants.SECURITY_GROUPS,
shell.Operations.MIGRATE_TO_POLICY.value)

4
vmware_nsx/shell/resources.py
View File

@ -48,6 +48,7 @@ class Operations(enum.Enum):
NSX_RECREATE = 'nsx-recreate'
MIGRATE_TO_DYNAMIC_CRITERIA = 'migrate-to-dynamic-criteria'
NSX_MIGRATE_V_V3 = 'nsx-migrate-v-v3'
MIGRATE_TO_POLICY = 'migrate-to-policy'
STATUS = 'status'
ops = [op.value for op in Operations]
@ -124,7 +125,8 @@ nsxv_resources = {
Operations.NSX_CLEAN.value]),
constants.SECURITY_GROUPS: Resource(constants.SECURITY_GROUPS,
[Operations.LIST.value,
Operations.FIX_MISMATCH.value]),
Operations.FIX_MISMATCH.value,
Operations.MIGRATE_TO_POLICY.value]),
constants.FIREWALL_SECTIONS: Resource(constants.FIREWALL_SECTIONS,
[Operations.LIST.value,
Operations.LIST_MISMATCHES.value]),