x/vmware-nsx
Code Issues Proposed changes

Tempest: admin-policy scenario basic operation test

Browse Source 
The admin-policy scenario test configures test topology
that allows VMs at 2 tenants to talk to each other or rejected
based on the NSX policy being applied to their security-group.

Traffic forwarding is validated using different policy-ID assigned
to tenant VMs' security-group.

Ping-test uses CONF.scenario.waitfor_connectivity for how long it
should wait for ping test to PASS or FAIL. If ping not in
expected condition, additinoal ping-test will be conducted.

All three router types are tested.

policy-AA and policy-BB blueprint to be imported to NSX.

Change-Id: I6960a1bbccdb6c4664a36a22ec4ccc28b368f2c0
This commit is contained in:
Alex Kang
2016-12-08 14:50:56 -08:00
committed by Adit Sarfaty
parent 1fbbadb65a
commit f3669228d9
5 changed files with 1359 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
vmware_nsx_tempest/doc/README-AdminPolicy.rst Normal file
View File

@@ -0,0 +1,90 @@
Admin Policy
============
Admin policy, neutron extension secuirty-group-policy provides organization
to enforce traffic forwarding utilizing NSX security policy.
The "Admin Policy" feature is admin priviledge, normal project/tenant is not
able to create security-group-policy.
This feature can be enabled from devstack or manually.
Enable security-group-policy extention at bring up devstack
===========================================================
You can enable security-group-policy when starting up devstack.
However, if the policy-id does not exist, starting will fail.
To enable it, add the following tokens to local.conf:
NSXV_USE_NSX_POLICIES=True
NSXV_DEFAULT_POLICY_ID=policy-11
NSXV_ALLOW_TENANT_RULES_WITH_POLICY=True
Change values according to your needs though.
Enable security-group-policy extention manually
===============================================
Instruction is from the view of devstack
#. Add following items to /etc/neutron/policy.json::
"create_security_group:logging": "rule:admin_only",
"update_security_group:logging": "rule:admin_only",
"get_security_group:logging": "rule:admin_only",
"create_security_group:provider": "rule:admin_only",
"create_port:provider_security_groups": "rule:admin_only",
"create_security_group:policy": "rule:admin_only",
"update_security_group:policy": "rule:admin_only",
#. Add following key=value pair to session [nsxv] of /etc/neutron/plugin/vmware/nsx.ini::
use_nsx_policies = True
default_policy_id = policy-11
allow_tenant_rules_with_policy = False
# NOTE: For automation, set allow_tenant_rules_with_policy to True
tempest.conf
============
At session [nsxv] add the following 3 key=value pair:
default_policy_id = policy-11
alt_policy_id = policy-22
allow_tenant_rules_with_policy = False
# NOTE: default_policy_id and allow_tenant_rules_with_policy need to match nsx.ini
default_policy_id and alt_policy_id:
For API tests, both must exist at NSX.
For scenario tests, please refer to nsxv/scenario/test_admin_policy_basic_ops.py
In short::
policy-11 (policy-AA at script & test-plan) firewall rules::
action-1: dhcp-in/any/policy-security-groups/dhcp/Allow
action-2: dhcp-out/policy-security-groups/dhcp/Allow
action-3: ping-in/any/policy-security-groups/ICMP/Allow
action-4: ping-out/policy-security-groups/any/ICMP/Allow/
action-5: ssh-in/any/policy-security-groups/SSH/Allow/
action-6: ssh-in/any/policy-security-groups/SSH/Allow/
action-7: http-ok/any/policy-security-groups/HTTP,HTTPS/Allow/
action-8: sorry-nothing-allowed/any/policy-security-groups/Any/Reject
You can import policy-AA to NSX using the admin-policy-AA.blueprint
policy-22 (policy-BB at script & test-plan) firewall rules::
action-1: dhcp-in/any/policy-security-groups/dhcp/Allow
action-2: dhcp-out/policy-security-groups/dhcp/Allow
action-3: group-ping/policy-security-groups/policy-security-groups/ICMP/Allow/
action-4: ssh-in/any/policy-security-groups/SSH/Allow/
action-5: ssh-in/any/policy-security-groups/SSH/Allow/
action-6: http-ok/any/policy-security-groups/HTTP,HTTPS/Allow/
pction-7: sorry-nothing-allowed/any/policy-security-groups/Any/Reject
NOTE on ping: same as policy-11 but only allowed from policy-security-groups
You can import policy-BB to NSX using the admin-policy-BB.blueprint

341
vmware_nsx_tempest/doc/admin-policy-AA.blueprint Normal file
View File

@@ -0,0 +1,341 @@
<securityPolicyHierarchy>
<name>admin-policy-AA</name>
<description>8 firewall rules - ping, ssh from anywhere are OK</description>
<securityPolicy>
<revision>0</revision>
<name>security-policy-AA</name>
<description>Security Policy AA</description>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>false</inheritanceAllowed>
<precedence>5500</precedence>
<actionsByCategory>
<category>firewall</category>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>dhcp-in</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>1</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>DHCP-Client</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>UDP</applicationProtocol>
<value>68</value>
</element>
</application>
<application>
<revision>0</revision>
<name>DHCP-Server</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>UDP</applicationProtocol>
<value>67</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>inbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>dhcp-out</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>2</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>DHCP-Client</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>UDP</applicationProtocol>
<value>68</value>
</element>
</application>
<application>
<revision>0</revision>
<name>DHCP-Server</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>UDP</applicationProtocol>
<value>67</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>outbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>ping-in</name>
<description>Everyone can ping me</description>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>3</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>ICMP Echo</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>ICMP</applicationProtocol>
<value>echo-request</value>
</element>
</application>
<application>
<revision>0</revision>
<name>ICMP Redirect</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>ICMP</applicationProtocol>
<value>redirect</value>
</element>
</application>
<application>
<revision>0</revision>
<name>ICMP Echo Reply</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>ICMP</applicationProtocol>
<value>echo-reply</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>inbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>ping-out</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>4</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>ICMP Echo</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>ICMP</applicationProtocol>
<value>echo-request</value>
</element>
</application>
<application>
<revision>0</revision>
<name>ICMP Redirect</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>ICMP</applicationProtocol>
<value>redirect</value>
</element>
</application>
<application>
<revision>0</revision>
<name>ICMP Echo Reply</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>ICMP</applicationProtocol>
<value>echo-reply</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>outbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>ssh-in-ok</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>5</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>SSH</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>TCP</applicationProtocol>
<value>22</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>inbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>ssh-out-ok</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>6</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>SSH</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>TCP</applicationProtocol>
<value>22</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>outbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>HTTP-ok</name>
<description>All can http(s) me</description>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>7</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>HTTP</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>TCP</applicationProtocol>
<value>80</value>
</element>
</application>
<application>
<revision>0</revision>
<name>HTTPS</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>TCP</applicationProtocol>
<value>443</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>inbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>sorry-nothing-allowed</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>8</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>reject</action>
<direction>inbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
</actionsByCategory>
<statusesByCategory>
<category>firewall</category>
<status>in_sync</status>
</statusesByCategory>
</securityPolicy>
</securityPolicyHierarchy>

285
vmware_nsx_tempest/doc/admin-policy-BB.blueprint Normal file
View File

@@ -0,0 +1,285 @@
<securityPolicyHierarchy>
<name>admin-policy-BB</name>
<description>policy-BB, ssh from anywhere are OK, but ping limited to same security-group</description>
<securityPolicy>
<revision>0</revision>
<name>security-policy-BB</name>
<description>Security Policy BB</description>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>false</inheritanceAllowed>
<precedence>5600</precedence>
<actionsByCategory>
<category>firewall</category>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>dhcp-in</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>1</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>DHCP-Client</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>UDP</applicationProtocol>
<value>68</value>
</element>
</application>
<application>
<revision>0</revision>
<name>DHCP-Server</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>UDP</applicationProtocol>
<value>67</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>inbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>dhcp-out</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>2</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>DHCP-Client</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>UDP</applicationProtocol>
<value>68</value>
</element>
</application>
<application>
<revision>0</revision>
<name>DHCP-Server</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>UDP</applicationProtocol>
<value>67</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>outbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>group-ping-ok</name>
<description>icmp only allowed from VM with same security-policy</description>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>3</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>ICMP Echo</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>ICMP</applicationProtocol>
<value>echo-request</value>
</element>
</application>
<application>
<revision>0</revision>
<name>ICMP Redirect</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>ICMP</applicationProtocol>
<value>redirect</value>
</element>
</application>
<application>
<revision>0</revision>
<name>ICMP Echo Reply</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>ICMP</applicationProtocol>
<value>echo-reply</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>intra</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>ssh-in-ok</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>4</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>SSH</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>TCP</applicationProtocol>
<value>22</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>inbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>ssh-out-ok</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>5</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>SSH</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>TCP</applicationProtocol>
<value>22</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>outbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>group-HTTP</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>6</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<applications>
<application>
<revision>0</revision>
<name>HTTP</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>TCP</applicationProtocol>
<value>80</value>
</element>
</application>
<application>
<revision>0</revision>
<name>HTTPS</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<inheritanceAllowed>true</inheritanceAllowed>
<element>
<applicationProtocol>TCP</applicationProtocol>
<value>443</value>
</element>
</application>
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>allow</action>
<direction>intra</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
<action class="firewallSecurityAction">
<revision>0</revision>
<name>sorry-nothing-allowed</name>
<clientHandle></clientHandle>
<isUniversal>false</isUniversal>
<universalRevision>0</universalRevision>
<category>firewall</category>
<executionOrder>7</executionOrder>
<isEnabled>true</isEnabled>
<isActionEnforced>false</isActionEnforced>
<invalidSecondaryContainers>false</invalidSecondaryContainers>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>reject</action>
<direction>inbound</direction>
<outsideSecondaryContainer>false</outsideSecondaryContainer>
</action>
</actionsByCategory>
<statusesByCategory>
<category>firewall</category>
<status>in_sync</status>
</statusesByCategory>
</securityPolicy>
</securityPolicyHierarchy>

53
vmware_nsx_tempest/tests/nsxv/scenario/manager_topo_deployment.py
View File

@@ -399,15 +399,21 @@ class TopoDeployScenarioManager(manager.NetworkScenarioTest):
if port_id:
# attached to port, will not check ip assignement & reachability
return net_floatingip
serv_fip = net_floatingip['floating_ip_address']
# in some condiction, remove the serv_fip from your local known_hosts
# can solve the ssh "Connection refused" problem.
rm_sshkey(serv_fip)
if not and_check_assigned:
# caller will do the floatingip assigned to server and ping tests
return net_floatingip
self._waitfor_floatingip_assigned_to_server(client_mgr.servers_client,
server.get('id'))
server_pingable = self._waitfor_associated_floatingip(net_floatingip)
STEPINTO_DEBUG_IF_TRUE(not server_pingable)
self.assertTrue(
server_pingable,
msg="Expect server to be reachable after floatingip assigned.")
msg=("Expect server to be reachable after"
" floating-ip[%s] assigned." % serv_fip))
return net_floatingip
def _waitfor_floatingip_assigned_to_server(self, server_client, server_id,
@@ -526,7 +532,8 @@ class TopoDeployScenarioManager(manager.NetworkScenarioTest):
def _check_floatingip_connectivity(self, floating_ip, server,
should_connect=True,
msg=None, ping_timeout=30):
msg=None, ping_timeout=30,
floating_ips_client=None):
ip_address = floating_ip['floating_ip_address']
floatingip_status = 'ACTIVE' if should_connect else 'DOWN'
is_pingable = self.ping_ip_address(ip_address,
@@ -537,7 +544,37 @@ class TopoDeployScenarioManager(manager.NetworkScenarioTest):
self.assertTrue(is_pingable, msg=msg)
else:
self.assertFalse(is_pingable, msg=msg)
self.check_floating_ip_status(floating_ip, floatingip_status)
self.check_floating_ip_status(floating_ip, floatingip_status,
floating_ips_client)
def check_floating_ip_status(self, floating_ip, status,
floating_ips_client=None):
"""Verifies floatingip reaches the given status
:param dict floating_ip: floating IP dict to check status
:param status: target status
:raises: AssertionError if status doesn't match
"""
floating_ips_client = floating_ips_client or self.floating_ips_client
floatingip_id = floating_ip['id']
def refresh():
result = (floating_ips_client.
show_floatingip(floatingip_id)['floatingip'])
return status == result['status']
test_utils.call_until_true(refresh,
CONF.network.build_timeout,
CONF.network.build_interval)
floating_ip = floating_ips_client.show_floatingip(
floatingip_id)['floatingip']
self.assertEqual(status, floating_ip['status'],
message="FloatingIP: {fp} is at status: {cst}. "
"failed to reach status: {st}"
.format(fp=floating_ip, cst=floating_ip['status'],
st=status))
LOG.info("FloatingIP: {fp} is at status: {st}"
.format(fp=floating_ip, st=status))
def get_image_userpass(self):
return (CONF.validation.image_ssh_user,
@@ -769,3 +806,13 @@ def copy_file_to_host(file_from, dest, host, username, pkey):
stdout,
stderr)
return stdout
def STEPINTO_DEBUG_IF_TRUE(want2debug=False):
"""Betting you are not set OS_TEST_TIMEOUT=24-hours running tempest"""
t_timeout = int(os.environ.get('OS_TEST_TIMEOUT', 0))
if want2debug and t_timeout > 86400:
# uncomment following statements to turn on debuggging
# import pdb
# pdb.set_trace()
pass

593
vmware_nsx_tempest/tests/nsxv/scenario/test_admin_policy_basic_ops.py Normal file
View File

@@ -0,0 +1,593 @@
# Copyright 2016 VMware Inc
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import six
import time
from tempest.common import waiters
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest import test
from vmware_nsx_tempest.tests.nsxv.scenario import (
manager_topo_deployment as dmgr)
from vmware_nsx_tempest.tests.nsxv.scenario import (
network_addon_methods as HELO)
CONF = config.CONF
LOG = dmgr.manager.log.getLogger(__name__)
class TestAdminPolicyBasicOps(dmgr.TopoDeployScenarioManager):
"""Test VMs with security-group-policy traffic is managed by NSX
Test topology:
TOPO:
logical-router nasa-router] -- [ public GW]
|
+--- [Tenant jpl interface/subnet x.y.34.0/24]
| | |
| + [vm-nasa-jpl-3] + [vm-nasa-jpl-4]
|
+--- [Tenant ames interface/subnet x.y.12.0/24]
| | |
| + [vm-nasa-ames-1] + [vm-nasa-ames-2]
Test topology setup and traffic forwarding validation:
1. 2 tenants (ames, jpl) each tenant has 2 VMs, and boot with
security-group with policy==policy_AA which must allow
ping and ssh services as automation relys on this to make
sure test environment network connectivity is an OK.
NOTE:
primary user: ames -- NASA Ames Research Center
alt user: jpl -- NASA Jet Propulsion Laboratory
2. Admin create router (nasa-router) with both tenants' network
so tenant:ames and tenant:jpl can talk to each other
according to policy_AA.
3. under policy_AA, all servers can be ping and ssh from anywhere
4. Admin change tenant:jpl's policy to policy_BB
5. Tenant jpl's VMs are not pingable, ssh still OK
Tenant ames's MVs, both ping and ssh are OK
6. Admin change tenant:ames's policy to policy_BB
VMs from ames and jpl are not pingalbe; ssh is OK
ATTENTION:
config nsxv.default_policy_id is policy_AA
config nsxv.alt_policy_is is policy_BB
The testbed needs to have policy_AA and policy_BB created
and matched with the default_policy_id & alt_plicy_id under
session nsxv of tempest.conf or devstack local.conf.
Test Configuration setup:
please refer to vmware_nsx_tempest/doc/README-AdminPolicy.rst
"""
@classmethod
def skip_checks(cls):
super(TestAdminPolicyBasicOps, cls).skip_checks()
if not test.is_extension_enabled('security-group-policy', 'network'):
msg = "Extension security-group-policy is not enabled."
raise cls.skipException(msg)
if not (CONF.nsxv.alt_policy_id.startswith('policy-') and
CONF.nsxv.default_policy_id.startswith('policy-')):
msg = "default and alt policy ids not set correctly."
raise cls.skipException(msg)
@classmethod
def setup_clients(cls):
super(TestAdminPolicyBasicOps, cls).setup_clients()
cls.cmgr_adm = cls.get_client_manager('admin')
cls.cmgr_ames = cls.get_client_manager('primary')
cls.cmgr_jpl = cls.get_client_manager('alt')
@classmethod
def resource_setup(cls):
super(TestAdminPolicyBasicOps, cls).resource_setup()
cls.policy_AA = CONF.nsxv.default_policy_id
cls.policy_BB = CONF.nsxv.alt_policy_id
cls.conn_timeout = CONF.scenario.waitfor_connectivity
@classmethod
def resource_cleanup(cls):
super(TestAdminPolicyBasicOps, cls).resource_cleanup()
def setUp(self):
super(TestAdminPolicyBasicOps, self).setUp()
self.server_id_list = []
self.exc_step = 0
self.exc_msg = ("Admin-Policy-Traffic-Forwarding"
" Validation Steps:\n")
def tearDown(self):
# delete all servers and make sure they are terminated
servers_client = self.cmgr_adm.servers_client
server_id_list = getattr(self, 'server_id_list', [])
for server_id in server_id_list:
servers_client.delete_server(server_id)
for server_id in server_id_list:
waiters.wait_for_server_termination(servers_client, server_id)
# delete all floating-ips
if hasattr(self, 'fip_nasa_ames_1'):
self.delete_floatingip(self.cmgr_ames, self.fip_nasa_ames_1)
if hasattr(self, 'fip_nasa_jpl_3'):
self.delete_floatingip(self.cmgr_jpl, self.fip_nasa_jpl_3)
super(TestAdminPolicyBasicOps, self).tearDown()
def log_exc_msg(self, msg):
self.exc_step += 1
self.exc_msg += ("#%02d %s %s\n" %
(self.exc_step, time.strftime("%H:%M:%S"), msg))
def delete_floatingip(self, cmgr, net_floatingip):
test_utils.call_and_ignore_notfound_exc(
cmgr.floating_ips_client.delete_floatingip,
net_floatingip.get('id'))
def delete_security_group(self, sg_client, sg_id):
sg_client.delete_security_group(sg_id)
def update_security_group_policy(self, sg_id, policy_id):
sg_client = self.cmgr_adm.security_groups_client
sg = sg_client.update_security_group(sg_id, policy=policy_id)
sg = sg.get('security_group', sg)
self.assertEqual(policy_id, sg.get('policy'))
return sg
def create_security_group_policy(self, policy_id, tenant_id,
name_prefix=None):
sg_name = data_utils.rand_name(name_prefix or 'admin-policy')
sg_client = self.cmgr_adm.security_groups_client
sg_dict = dict(name=sg_name, policy=policy_id)
if tenant_id:
sg_dict['tenant_id'] = tenant_id
sg = sg_client.create_security_group(**sg_dict)
sg = sg.get('security_group', sg)
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.delete_security_group,
sg_client, sg.get('id'))
return sg
def create_networks(self, cmgr,
name_prefix=None, cidr_offset=0):
net_name = data_utils.rand_name(name_prefix or 'admin-policy')
network = self.create_network(client=cmgr.networks_client,
name=net_name)
network = network.get('network', network)
subnet_kwargs = dict(name=net_name, cidr_offset=cidr_offset)
subnet = self.create_subnet(network,
client=cmgr.subnets_client,
**subnet_kwargs)
subnet = subnet.get('subnet', subnet)
return (network, subnet)
def create_router_by_type(self, router_type, client=None, **kwargs):
routers_client = client or self.cmgr_adm.routers_client
create_kwargs = dict(namestart='nasa-router', external_gateway_info={
"network_id": CONF.network.public_network_id})
if router_type in ('shared', 'exclusive'):
create_kwargs['router_type'] = router_type
elif router_type in ('distributed'):
create_kwargs['distributed'] = True
create_kwargs.update(**kwargs)
router = HELO.router_create(self, client=routers_client,
**create_kwargs)
return router
def create_router_and_add_interfaces(self, router_type, subnet_list):
routers_client = self.cmgr_adm.routers_client
router = self.create_router_by_type(router_type)
for subnet in subnet_list:
HELO.router_interface_add(self, router['id'], subnet['id'],
client=routers_client)
# check interfaces/subnets are added to router
router_port_list = self.get_router_port_list(self.cmgr_adm,
router['id'])
for subnet in subnet_list:
added = self.rports_have_subnet_id(router_port_list, subnet['id'])
self.assertTrue(
added,
"subnet_id:%s is not added to router" % subnet['id'])
return router
def rports_have_subnet_id(self, router_port_list, subnet_id):
for rport in router_port_list:
for fips in rport.get('fixed_ips', []):
if subnet_id == fips['subnet_id']:
return True
return False
def get_router_port_list(self, cmgr, router_id):
device_owner = u'network:router_interface'
ports_client = cmgr.ports_client
port_list = ports_client.list_ports(device_id=router_id,
device_owner=device_owner)
port_list = port_list.get('ports', port_list)
return port_list
def create_servers_on_networks(self, cmgr, sv_name, networks_info):
network = networks_info.get('network')
security_group = networks_info.get('security_group')
security_groups = [{'name': security_group['id']}]
svr = self.create_server_on_network(
network, security_groups, name=sv_name,
wait_on_boot=False,
servers_client=cmgr.servers_client)
self.server_id_list.append(svr.get('id'))
return svr
def get_server_info(self, cmgr, server_id):
"""Get server's ip addresses"""
svr = cmgr.servers_client.show_server(server_id)
svr = svr.get('server', svr)
sinfo = dict(id=svr['id'], name=svr['name'],
security_gropus=svr['security_groups'],
fixed_ip_address=None, floating_ip_address=None)
addresses = svr.get('addresses')
for n_addresses in six.itervalues(addresses):
for n_addr in n_addresses:
if n_addr['OS-EXT-IPS:type'] == 'fixed':
if not sinfo['fixed_ip_address']:
sinfo['fixed_ip_address'] = n_addr['addr']
elif n_addr['OS-EXT-IPS:type'] == 'floating':
if not sinfo['floating_ip_address']:
sinfo['floating_ip_address'] = n_addr['addr']
return sinfo
def create_floatingip_for_server(self, cmgr, server):
username, password = self.get_image_userpass()
try:
floatingip = super(
TestAdminPolicyBasicOps,
self).create_floatingip_for_server(
server, client_mgr=cmgr, and_check_assigned=True)
except Exception as ex:
floatingip = None
msg = (self.exc_msg +
("\n**FAIL to associate floatingip to server[%s]\n%s"
% (server['name'], str(ex))))
self.assertTrue(floatingip, msg)
fix_ip = floatingip['fixed_ip_address']
float_ip = floatingip['floating_ip_address']
self.log_exc_msg((" floatingip[%s] created for server[%s,%s]"
" and is pingable." %
(float_ip, server.get('name'), fix_ip)))
return floatingip
def wait_for_servers_become_active(self):
servers_client = self.cmgr_adm.servers_client
for server_id in self.server_id_list:
waiters.wait_for_server_status(
servers_client, server_id, 'ACTIVE')
def find_servers_ips(self):
self.server_ips = {}
self.jpl_ips = {}
self.server_ips['1'] = self.get_server_info(
self.cmgr_ames, self.vm_nasa_ames_1['id'])
self.server_ips['2'] = self.get_server_info(
self.cmgr_ames, self.vm_nasa_ames_2['id'])
self.server_ips['3'] = self.get_server_info(
self.cmgr_jpl, self.vm_nasa_jpl_3['id'])
self.server_ips['4'] = self.get_server_info(
self.cmgr_jpl, self.vm_nasa_jpl_4['id'])
def create_nasa_ames_network_and_servers(self, security_group=None):
sg = security_group or self.sg_ames
net, subnet = self.create_networks(self.cmgr_ames, 'nasa-ames', 1)
self.netinfo_ames = dict(network=net, subnet=subnet,
security_group=sg)
self.vm_nasa_ames_1 = self.create_servers_on_networks(
self.cmgr_ames, 'vm-nasa-ames-1', self.netinfo_ames)
self.vm_nasa_ames_2 = self.create_servers_on_networks(
self.cmgr_ames, 'vm-nasa-ames-2', self.netinfo_ames)
def create_nasa_jpl_network_and_servers(self, security_group=None):
sg = security_group or self.sg_jpl
# jpl and ames attached to the same router, CIDR cannot overlap
net, subnet = self.create_networks(self.cmgr_jpl, 'nasa-jpl', 3)
self.netinfo_jpl = dict(network=net, subnet=subnet,
security_group=sg)
self.vm_nasa_jpl_3 = self.create_servers_on_networks(
self.cmgr_jpl, 'vm-nasa-jpl-3', self.netinfo_jpl)
self.vm_nasa_jpl_4 = self.create_servers_on_networks(
self.cmgr_jpl, 'vm-nasa-jpl-4', self.netinfo_jpl)
def create_nasa_topo(self, router_type=None):
router_type = router_type or 'shared'
self.sg_ames = self.create_security_group_policy(
self.policy_AA,
self.cmgr_ames.networks_client.tenant_id,
name_prefix='nasa-ames')
self.sg_jpl = self.create_security_group_policy(
self.policy_AA,
self.cmgr_jpl.networks_client.tenant_id,
name_prefix='nasa-jpl')
self.create_nasa_ames_network_and_servers(self.sg_ames)
self.create_nasa_jpl_network_and_servers(self.sg_jpl)
subnet_list = [self.netinfo_ames.get('subnet'),
self.netinfo_jpl.get('subnet')]
self.nasa_router = self.create_router_and_add_interfaces(
router_type, subnet_list)
self.wait_for_servers_become_active()
# associate floating-ip to servers and pingable
self.fip_nasa_ames_1 = self.create_floatingip_for_server(
self.cmgr_ames, self.vm_nasa_ames_1)
self.fip_nasa_jpl_3 = self.create_floatingip_for_server(
self.cmgr_jpl, self.vm_nasa_jpl_3)
self.find_servers_ips()
def host_ssh_reachable(self, host_id, host_ip):
username, password = self.get_image_userpass()
try:
ssh_client = dmgr.get_remote_client_by_password(
host_ip, username, password)
except Exception as ex:
ssh_client = None
msg = (self.exc_msg +
("\n**FAIL to ssh to host[%s=%s]\n%s" %
(host_id, str(ex))))
self.assertTrue(ssh_client, msg)
self.log_exc_msg(
(" SSH host[%s] floatingip[%s] OK" % (host_id, host_ip)))
return ssh_client
def host_can_reach_ips(self, host_id, host_ssh, ip_type, ip_list):
for dest_ip in ip_list:
reachable = dmgr.is_reachable(host_ssh, dest_ip,
time_out=self.conn_timeout)
msg = (self.exc_msg +
("\n *FAILURE* VM[%s] cannot PING %s[%s]" %
(host_id, ip_type, dest_ip)))
if not reachable:
reachable = dmgr.is_reachable(host_ssh, dest_ip,
time_out=self.conn_timeout)
dmgr.STEPINTO_DEBUG_IF_TRUE(not reachable)
self.assertTrue(reachable, msg)
self.log_exc_msg(
(" VM[%s] can PING %s[%s]" % (host_id, ip_type, dest_ip)))
def host_cannot_reach_ips(self, host_id, host_ssh, ip_type, ip_list):
for dest_ip in ip_list:
not_reachable = dmgr.isnot_reachable(host_ssh, dest_ip,
time_out=self.conn_timeout,
ping_timeout=5.0)
msg = (self.exc_msg +
("\n *FAILURE* VM[%s] shouldn't able to PING %s[%s]" %
(host_id, ip_type, dest_ip)))
if not not_reachable:
not_reachable = dmgr.isnot_reachable(
host_ssh, dest_ip, time_out=self.conn_timeout,
ping_timeout=5.0)
dmgr.STEPINTO_DEBUG_IF_TRUE(not not_reachable)
self.assertTrue(not_reachable, msg)
self.log_exc_msg(
(" VM[%s] is not able to PING %s[%s]" %
(host_id, ip_type, dest_ip)))
def ican_reach_ip(self, ip_addr, ping_timeout=5):
ip_type = 'floating-ip'
for x in range(int(self.conn_timeout / ping_timeout)):
reachable = self.ping_ip_address(ip_addr,
ping_timeout=ping_timeout)
if reachable:
break
time.sleep(2.0)
msg = (self.exc_msg +
("\n *FAILURE* Tempest cannot PING %s[%s]" %
(ip_type, ip_addr)))
if not reachable:
reachable = self.ping_ip_address(ip_addr,
ping_timeout=ping_timeout)
dmgr.STEPINTO_DEBUG_IF_TRUE(not reachable)
self.assertTrue(reachable, msg)
self.log_exc_msg(" Tempest can PING %s[%s]" % (ip_type, ip_addr))
def icannot_reach_ip(self, ip_addr, ping_timeout=5):
ip_type = 'floating-ip'
for x in range(int(self.conn_timeout / ping_timeout)):
reachable = self.ping_ip_address(ip_addr,
ping_timeout=ping_timeout)
if not reachable:
break
time.sleep(ping_timeout)
msg = (self.exc_msg +
("\n *FAILURE* Tempest should not PING %s[%s]" %
(ip_type, ip_addr)))
if reachable:
reachable = self.ping_ip_address(ip_addr,
ping_timeout=ping_timeout)
dmgr.STEPINTO_DEBUG_IF_TRUE(reachable)
self.assertFalse(reachable, msg)
self.log_exc_msg((" Tempest isnot able to PING %s[%s]" %
(ip_type, ip_addr)))
def run_admin_policy_op_scenario(self, router_type):
self.log_exc_msg(("Setup admin-policy test with router-type[%s]" %
router_type))
self.create_nasa_topo(router_type)
self.jpl_private_ips = [y['fixed_ip_address']
for x, y in six.iteritems(self.server_ips)
if x > '2']
self.ames_private_ips = [y['fixed_ip_address']
for x, y in six.iteritems(self.server_ips)
if x < '3']
self.run_policy_AA_on_ames_AA_on_jpl()
self.run_policy_AA_on_ames_BB_on_jpl()
self.run_policy_BB_on_ames_BB_on_jpl()
dmgr.LOG.debug(self.exc_msg)
def run_policy_AA_on_ames_AA_on_jpl(self):
self.log_exc_msg(("### tenant:jpl=policy_AA[%s]"
", tenant:ames=policy_AA[%s]" %
(self.policy_AA, self.policy_AA)))
# at the beginning, can ssh to VM with floating-ip
self.log_exc_msg(
"Tempest can ping & ssh vm-nasa-ames-1's floatingip")
self.ican_reach_ip(self.fip_nasa_ames_1['floating_ip_address'])
ames_1_ssh = self.host_ssh_reachable(
"nasa-ames-1",
self.fip_nasa_ames_1['floating_ip_address'])
# from vm-nasa-ames-1 can ping all other private-ips
self.log_exc_msg(("vm-nasa-ames-1[%s] can ping all private-ips"
% (self.server_ips['1']['fixed_ip_address'])))
self.host_can_reach_ips('nasa-ames-1', ames_1_ssh,
'ame-private-ip', self.ames_private_ips)
self.host_can_reach_ips('nasa-ames-1', ames_1_ssh,
'jp-private-ip', self.jpl_private_ips)
# from vm-nasa-jpl_3 can ping all other private-ips
self.log_exc_msg(
"Tempest can ping & ssh vm-nasa-jpl-3's floatingip")
self.ican_reach_ip(self.fip_nasa_jpl_3['floating_ip_address'])
jpl_3_ssh = self.host_ssh_reachable(
"nasa-jpl-3",
self.fip_nasa_jpl_3['floating_ip_address'])
self.log_exc_msg(("vm-nasa-jpl-3[%s] can ping all private-ips"
% (self.server_ips['3']['fixed_ip_address'])))
self.host_can_reach_ips('nasa-jpl-3', jpl_3_ssh,
'jp-private-ip', self.jpl_private_ips)
self.host_can_reach_ips('nasa-jpl-3', jpl_3_ssh,
'ames-private-ip', self.ames_private_ips)
# within VM can ping both tanants' floating-ips
self.log_exc_msg(
"vm-nasa-ames-1 can ping vm-nasa-jpl-1's floatingip")
self.host_can_reach_ips(
'nasa-ames-1', ames_1_ssh, 'jpl-floating-ip',
[self.fip_nasa_jpl_3['floating_ip_address']])
self.log_exc_msg(
"vm-nasa-jpl-3 can ping vm-nasa-ames-3's floatingip")
self.host_can_reach_ips(
'nasa-jpl-3', jpl_3_ssh, 'nasa-floating-ip',
[self.fip_nasa_ames_1['floating_ip_address']])
def run_policy_AA_on_ames_BB_on_jpl(self):
# from vm-nasa-ames-1 can ping all other private-ips
self.log_exc_msg(
("Update tenant:jpl to use policy_BB[%s] with group-ping"
% self.policy_BB))
# admin update jpl to policy_BB_GP
self.update_security_group_policy(self.sg_jpl['id'], self.policy_BB)
# cannot ping vm-nasa-jpl-3, can ssh to both tenants' floating-ips
self.log_exc_msg(("### tenant:jpl=policy_BB[%s]"
", tenant:ames=policy_AA[%s]" %
(self.policy_BB, self.policy_AA)))
self.log_exc_msg(
"Tempest can ping & ssh vm-nasa-ames-1's floatingip")
self.ican_reach_ip(self.fip_nasa_ames_1['floating_ip_address'])
ames_1_ssh = self.host_ssh_reachable(
"nasa-ames-1",
self.fip_nasa_ames_1['floating_ip_address'])
self.log_exc_msg("Tempest can ssh vm-nasa-jpl-3's floatingip"
", but not ping")
self.icannot_reach_ip(self.fip_nasa_jpl_3['floating_ip_address'])
jpl_3_ssh = self.host_ssh_reachable(
"nasa-jpl-3",
self.fip_nasa_jpl_3['floating_ip_address'])
# vm-nasa-jpl_3 can ping its private-ips, not other tenants
self.log_exc_msg(("vm-nasa-jpl-3[%s] can reach all private-ips"
% (self.server_ips['3']['fixed_ip_address'])))
self.host_can_reach_ips('nasa-jpl-3', jpl_3_ssh,
'jpl-private-ip', self.jpl_private_ips)
self.host_can_reach_ips('nasa-jpl-3', jpl_3_ssh,
'ames-private-ip', self.ames_private_ips)
# nasa_ames_1 can not ping private-ips of tenant jpl
# as policy_BB:ping only allowed from the same security-group
self.log_exc_msg(("vm-nasa-ames-1[%s] can reach ames's rivate-ips"
", not jpl's private-ips"
% (self.server_ips['1']['fixed_ip_address'])))
self.host_can_reach_ips('nasa-ames-1', ames_1_ssh,
'ames-private-ip', self.ames_private_ips)
self.host_cannot_reach_ips('nasa-ames-1', ames_1_ssh,
'jpl-private-ip', self.jpl_private_ips)
self.log_exc_msg(
"vm-nasa-ames-1 cannot ping vm-nasa-jpl-1's floatingip")
self.host_cannot_reach_ips(
'nasa-ames-1', ames_1_ssh, 'jpl-floating-ip',
[self.fip_nasa_jpl_3['floating_ip_address']])
self.log_exc_msg(
"vm-nasa-jpl-3 cannot ping vm-nasa-ames-3's floatingip")
self.host_cannot_reach_ips(
'nasa-jpl-3', jpl_3_ssh, 'ames-floating-ip',
[self.fip_nasa_ames_1['floating_ip_address']])
def run_policy_BB_on_ames_BB_on_jpl(self):
### tenant jpl:policy_BB_GP, tenant ames:policy_BB_GP
self.log_exc_msg(
("Update tenant:ames to use policy_BB[%s] with group-ping"
% self.policy_BB))
# admin update ames to policy_BB
self.update_security_group_policy(self.sg_ames['id'], self.policy_BB)
# cannot ping all VMs, but can ssh to both tenants' floating-ips
self.log_exc_msg(("### tenant:jpl=policy_BB[%s]"
", tenant:ames=policy_BB[%s]" %
(self.policy_BB, self.policy_BB)))
self.log_exc_msg("Tempest can ssh vvm-nasa-ames-1's floatingip &"
" vm-nasa-jpl-3's floatingip, but not ping.")
self.icannot_reach_ip(self.fip_nasa_ames_1['floating_ip_address'])
self.icannot_reach_ip(self.fip_nasa_jpl_3['floating_ip_address'])
ames_1_ssh = self.host_ssh_reachable(
"nasa-ames-1",
self.fip_nasa_ames_1['floating_ip_address'])
jpl_3_ssh = self.host_ssh_reachable(
"nasa-jpl-3",
self.fip_nasa_jpl_3['floating_ip_address'])
self.log_exc_msg(("vm-nasa-jpl-3[%s] can reach jpl private-ips"
", not ames"
% (self.server_ips['3']['fixed_ip_address'])))
self.host_can_reach_ips('nasa-jpl-3', jpl_3_ssh,
'private-ip', self.jpl_private_ips)
self.host_cannot_reach_ips('nasa-jpl-3', jpl_3_ssh,
'private-ip', self.ames_private_ips)
self.log_exc_msg(("vm-nasa-ames-1[%s] can reach ames private-ips"
", not jpl"
% (self.server_ips['1']['fixed_ip_address'])))
self.host_can_reach_ips('nasa-ames-1', ames_1_ssh,
'private-ip', self.ames_private_ips)
self.host_cannot_reach_ips('nasa-ames-1', ames_1_ssh,
'private-ip', self.jpl_private_ips)
self.log_exc_msg(
"vm-nasa-ames-1 cannot ping vm-nasa-jpl-1's floatingip")
self.host_cannot_reach_ips(
'nasa-ames-1', ames_1_ssh, 'floating-ip',
[self.fip_nasa_jpl_3['floating_ip_address']])
self.log_exc_msg(
"vm-nasa-jpl-3 cannot ping vm-nasa-ames-3's floatingip")
self.host_cannot_reach_ips(
'nasa-jpl-3', jpl_3_ssh, 'floating-ip',
[self.fip_nasa_ames_1['floating_ip_address']])
class TestAdminPolicySharedRouter(TestAdminPolicyBasicOps):
@test.idempotent_id('78f45717-5f95-4ef5-b2a4-a1b4700ef688')
def test_admin_policy_ops_with_shared_router(self):
self.run_admin_policy_op_scenario('shared')
class TestAdminPolicyExclusiveRouter(TestAdminPolicyBasicOps):
@test.idempotent_id('68345852-da2e-4f46-816b-0afc59470a45')
def test_admin_policy_ops_with_exclusive_router(self):
self.run_admin_policy_op_scenario('exclusive')
class TestAdminPolicyDistributedRouter(TestAdminPolicyBasicOps):
@test.idempotent_id('76adbfbb-a2e5-40fa-8930-84e7ece87bd5')
def test_admin_policy_ops_with_distributed_router(self):
self.run_admin_policy_op_scenario('distributed')