NSXv3: Fix init of default firewall section
The default firewall section for neutron is created once and serves all openstack deployments on the same backend. Rules for this section are updated on each neutron init. This section is not deleted by devstack unstack. If the section was created with client auth (i.e. in protected mode), the next stack on the same backend may fail due to an identity conflict. This change forces the update, assuming the current user is a superuser. Change-Id: I0ad20fb15d760d56a792e9fd94fcc0efcc38449a
parent
946a2c4881
commit
4cbd19255d
|
@ -339,7 +339,7 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
|
||||||
return self.client.create(resource, body)
|
return self.client.create(resource, body)
|
||||||
|
|
||||||
def update(self, section_id, display_name=None, description=None,
|
def update(self, section_id, display_name=None, description=None,
|
||||||
applied_tos=None, rules=None, tags_update=None):
|
applied_tos=None, rules=None, tags_update=None, force=False):
|
||||||
# Using internal method so we can access max_attempts in the decorator
|
# Using internal method so we can access max_attempts in the decorator
|
||||||
@utils.retry_upon_exception(
|
@utils.retry_upon_exception(
|
||||||
exceptions.StaleRevision,
|
exceptions.StaleRevision,
|
||||||
|
@ -361,11 +361,20 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
|
||||||
if tags_update is not None:
|
if tags_update is not None:
|
||||||
section['tags'] = utils.update_v3_tags(section.get('tags', []),
|
section['tags'] = utils.update_v3_tags(section.get('tags', []),
|
||||||
tags_update)
|
tags_update)
|
||||||
|
headers = None
|
||||||
|
if force:
|
||||||
|
# shared sections (like default section) can serve multiple
|
||||||
|
# openstack deployments. If some operate under protected
|
||||||
|
# identities, force-owerwrite is needed.
|
||||||
|
# REVISIT(annak): find better solution for shared sections
|
||||||
|
headers = {'X-Allow-Overwrite': 'true'}
|
||||||
|
|
||||||
if rules is not None:
|
if rules is not None:
|
||||||
return self.client.create(resource, section)
|
return self.client.create(resource, section, headers=headers)
|
||||||
|
|
||||||
elif any(p is not None for p in (display_name, description,
|
elif any(p is not None for p in (display_name, description,
|
||||||
applied_tos)):
|
applied_tos)):
|
||||||
return self.client.update(resource, section)
|
return self.client.update(resource, section, headers=headers)
|
||||||
|
|
||||||
return _do_update()
|
return _do_update()
|
||||||
|
|
||||||
|
@ -554,7 +563,8 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
|
||||||
applied_tos=nested_groups,
|
applied_tos=nested_groups,
|
||||||
rules=[dhcp_client_rule_out,
|
rules=[dhcp_client_rule_out,
|
||||||
dhcp_client_rule_in,
|
dhcp_client_rule_in,
|
||||||
block_rule])
|
block_rule],
|
||||||
|
force=True)
|
||||||
return section['id']
|
return section['id']
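Review bot: The `force=True` added to the default-section update in the last hunk is unconditional, so every neutron init sends `X-Allow-Overwrite: true` and rewrites the shared section's rules even when the section was created under another deployment's protected identity. Judging by the commit message and the in-code comment, that header overrides the backend's protected-mode ownership check for the request, which is the control that keeps deployments sharing a backend from altering each other's rules. A narrower form would attempt the update without the header and repeat it with `force=True` only after the backend rejects it for the identity conflict, logging a warning whenever the override is used so it is visible in audit; which exception signals that conflict cannot be seen in these hunks. `update()` also gains `force` without documentation, so a comment such as `# force: send X-Allow-Overwrite so a superuser can modify a section created under a protected identity; bypasses the ownership check` would help, and the added comment spells the word `force-owerwrite`. Both enclosing functions start and end outside the hunks shown.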
|
||||||
|
|
||||||
|
|
||||||
|
|