NSXv3: Fix init of default firewall section

Default firewall section for neutron is created once and serves all openstack deployments on same backend. Rules for this section are updated on each neutron init. This section is not deleted with devstack unstack. If the section was created with client auth (=in protected mode), next stack with same backend may fail due to identity conflict. This change forces the update, assuming current user is a superuser. Change-Id: I0ad20fb15d760d56a792e9fd94fcc0efcc38449a
2017-03-29 14:57:41 -07:00 · 2017-03-29 14:57:41 -07:00 · 4cbd19255d
parent 946a2c4881
commit 4cbd19255d
1 changed files with 14 additions and 4 deletions
--- a/vmware_nsxlib/v3/security.py
+++ b/vmware_nsxlib/v3/security.py
@ -339,7 +339,7 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
        return self.client.create(resource, body)

    def update(self, section_id, display_name=None, description=None,
-               applied_tos=None, rules=None, tags_update=None):
+               applied_tos=None, rules=None, tags_update=None, force=False):
        # Using internal method so we can access max_attempts in the decorator
        @utils.retry_upon_exception(
            exceptions.StaleRevision,
@ -361,11 +361,20 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
            if tags_update is not None:
                section['tags'] = utils.update_v3_tags(section.get('tags', []),
                                                       tags_update)
+            headers = None
+            if force:
+                # shared sections (like default section) can serve multiple
+                # openstack deployments. If some operate under protected
+                # identities, force-owerwrite is needed.
+                # REVISIT(annak): find better solution for shared sections
+                headers = {'X-Allow-Overwrite': 'true'}
+
            if rules is not None:
-                return self.client.create(resource, section)
+                return self.client.create(resource, section, headers=headers)
+
            elif any(p is not None for p in (display_name, description,
                                             applied_tos)):
-                return self.client.update(resource, section)
+                return self.client.update(resource, section, headers=headers)

        return _do_update()

@ -554,7 +563,8 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
                    applied_tos=nested_groups,
                    rules=[dhcp_client_rule_out,
                           dhcp_client_rule_in,
-                           block_rule])
+                           block_rule],
+                    force=True)
        return section['id']