NSX|V3: prevent user from changing the NSX internal SG
Change-Id: I57f122741807c19f131c9a22312c073f1676f716
parent
6ed2614e9f
commit
c2bf0a65a0
|
@ -3220,10 +3220,17 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
|
||||
return secgroup_db
|
||||
|
||||
def _prevent_nsx_internal_sg_modification(self, sg_id):
|
||||
if sg_id == NSX_V3_OS_DFW_UUID:
|
||||
msg = _("Cannot modify NSX internal security group")
|
||||
raise n_exc.InvalidInput(error_message=msg)
|
||||
|
||||
def update_security_group(self, context, id, security_group):
|
||||
orig_secgroup = self.get_security_group(
|
||||
context, id, fields=['id', 'name', 'description'])
|
||||
self._prevent_non_admin_edit_provider_sg(context, id)
|
||||
self._prevent_nsx_internal_sg_modification(id)
|
||||
|
||||
with db_api.CONTEXT_WRITER.using(context):
|
||||
secgroup_res = (
|
||||
super(NsxV3Plugin, self).update_security_group(context, id,
|
||||
|
@ -3248,6 +3255,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
|
||||
def delete_security_group(self, context, id):
|
||||
self._prevent_non_admin_edit_provider_sg(context, id)
|
||||
self._prevent_nsx_internal_sg_modification(id)
|
||||
nsgroup_id, section_id = nsx_db.get_sg_mappings(
|
||||
context.session, id)
|
||||
super(NsxV3Plugin, self).delete_security_group(context, id)
|
||||
|
@ -3283,6 +3291,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
# group. We should be validating that this is the case though...
|
||||
sg_id = sg_rules[0]['security_group_rule']['security_group_id']
|
||||
self._prevent_non_admin_edit_provider_sg(context, sg_id)
|
||||
self._prevent_nsx_internal_sg_modification(sg_id)
|
||||
|
||||
security_group = self.get_security_group(
|
||||
context, sg_id)
|
||||
|
@ -3313,6 +3322,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
|
|||
rule_db = self._get_security_group_rule(context, id)
|
||||
sg_id = rule_db['security_group_id']
|
||||
self._prevent_non_admin_edit_provider_sg(context, sg_id)
|
||||
self._prevent_nsx_internal_sg_modification(sg_id)
|
||||
nsgroup_id, section_id = nsx_db.get_sg_mappings(context.session, sg_id)
|
||||
fw_rule_id = nsx_db.get_sg_rule_mapping(context.session, id)
|
||||
self.nsxlib.firewall_section.delete_rule(section_id, fw_rule_id)
|
||||
|
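Review bot: `_prevent_nsx_internal_sg_modification` in the first hunk has no docstring, so the reason the group is off-limits is only recoverable from the commit title; add `"""Raise InvalidInput when sg_id is the NSX internal security group (NSX_V3_OS_DFW_UUID); it must not be updated or deleted through the Neutron API."""`. The same guard is added at the top of the delete_security_group, bulk rule-create and delete_security_group_rule hunks, so a docstring on the helper documents all four call sites at once. In the bulk rule-create hunk the guard (like the existing provider-SG check) only sees the group id of `sg_rules[0]`, which the pre-existing comment already flags as unvalidated; that is not introduced here, but the new check inherits the gap and a follow-up that validates each rule's `security_group_id` would close it for both guards. The enclosing methods of the first and last hunks continue outside the shown lines.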
|