From 4cbd19255d44d22f6959cbd93b6997a2af08de18 Mon Sep 17 00:00:00 2001
From: Anna Khmelnitsky
Date: Wed, 29 Mar 2017 14:57:41 -0700
Subject: [PATCH] NSXv3: Fix init of default firewall section

Default firewall section for neutron is created once and serves all openstack deployments on same backend. Rules for this section are updated on each neutron init. This section is not deleted with devstack unstack. If the section was created with client auth (=in protected mode), next stack with same backend may fail due to identity conflict. This change forces the update, assuming current user is a superuser.

Change-Id: I0ad20fb15d760d56a792e9fd94fcc0efcc38449a
---
 vmware_nsxlib/v3/security.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/vmware_nsxlib/v3/security.py b/vmware_nsxlib/v3/security.py
index 51d0734a..cb51889c 100644
--- a/vmware_nsxlib/v3/security.py
+++ b/vmware_nsxlib/v3/security.py
@@ -339,7 +339,7 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
         return self.client.create(resource, body)
 
     def update(self, section_id, display_name=None, description=None,
-               applied_tos=None, rules=None, tags_update=None):
+               applied_tos=None, rules=None, tags_update=None, force=False):
         # Using internal method so we can access max_attempts in the decorator
         @utils.retry_upon_exception(
             exceptions.StaleRevision,
@@ -361,11 +361,20 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
             if tags_update is not None:
                 section['tags'] = utils.update_v3_tags(section.get('tags', []),
                                                        tags_update)
+            headers = None
+            if force:
+                # shared sections (like default section) can serve multiple
+                # openstack deployments. If some operate under protected
+                # identities, force-owerwrite is needed.
+                # REVISIT(annak): find better solution for shared sections
+                headers = {'X-Allow-Overwrite': 'true'}
+
             if rules is not None:
-                return self.client.create(resource, section)
+                return self.client.create(resource, section, headers=headers)
+
             elif any(p is not None for p in (display_name, description, applied_tos)):
-                return self.client.update(resource, section)
+                return self.client.update(resource, section, headers=headers)
 
         return _do_update()
@@ -554,7 +563,8 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
                               applied_tos=nested_groups,
                               rules=[dhcp_client_rule_out,
                                      dhcp_client_rule_in,
-                                     block_rule])
+                                     block_rule],
+                              force=True)
         return section['id']
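Review bot: Setting `headers = {'X-Allow-Overwrite': 'true'}` whenever `force` is true makes this call silently override the protection NSX placed on a section owned by a different principal identity, and the next hunk passes `force=True` from the default-section initialisation, so every neutron start-up on a shared backend will overwrite that section without any record of it; if the module has a logger, emit an info line where the header is built (`LOG.info('Forcing overwrite of protected section %s', section_id)`) so the override is auditable, and consider gating the header on the section actually being protected rather than sending it unconditionally. The new `force` parameter should also be documented in `update`'s docstring as "send X-Allow-Overwrite; assumes the calling identity has override privileges on the section", and the inline comment misspells "owerwrite". `self.client.create(resource, section, headers=headers)` and the `update` call now pass `headers=None` on the non-forced path, which is only equivalent to the old call if the client treats `None` like an omitted keyword — worth confirming against the client's signature. The enclosing `update` method and its nested `_do_update` start outside this hunk.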