Commit Graph

113 Commits (1ac9c11b0324bbc9458b4d6d91e1e51fdd05fb6f)

Author SHA1 Message Date
Anna Khmelnitsky 1ac9c11b03 Support multiple client certificate per identity
When openstack runs in HA mode, an admin might choose to assign two
separate client certificates for each openstack host. This is
possible with storage_type=none. This change allows deleting a cert
and identity based not only on identity name, but on cert pem.
In addition, allow faster cluster recovery in case of certificate
change.

Change-Id: Ia4eea874cfa2bf4befc724b719e53e936292e11f
2017-03-08 02:52:21 -08:00
Jenkins 627964757b Merge "Pass node ID and user permissions when creating NSX identity" 2017-03-05 16:18:12 +00:00
Salvatore Orlando ff8a2044e0 Pass node ID and user permissions when creating NSX identity
This patch simply adds 3 attributes to the request body sent to NSX
when creating principal identities for certificates, adjusts the
code in vmware_nsxlib.v3.client_cert accordingly, and removes
code that was based on the "single cert per identity" assumption.

Change-Id: Ib4e1f44e98843d7cb308c57434e3ecc68f7b8dc2
2017-03-03 17:34:29 -08:00
OpenStack Proposal Bot 677ffea3b3 Updated from global requirements
Change-Id: Id9dc4e35bb403b7c490de86054be8ee106790de4
2017-03-03 23:01:33 +00:00
OpenStack Proposal Bot aeff71c05f Updated from global requirements
Change-Id: I1357e744661b309d7755c8df9ea4c91c18564f6f
2017-02-28 05:50:11 +00:00
Anna Khmelnitsky 4b654b13af Fix FW rule dictionary
Change-Id: Ia484d0429e104cd4c366df25ebe63b111920d4b4
2017-02-27 13:42:58 -08:00
Jenkins eebd6bcb13 Merge "Replace client cert file with cert provider" 2017-02-27 19:48:59 +00:00
Anna Khmelnitsky 1270fc1a93 Replace client cert file with cert provider
In nsxlib configuration, replace client certificate file with a
broader concept of provider: apart from certificate file name, the
provider can implement __enter__ and __exit__ routines to handle
file creation and disposal

Change-Id: I0c11107324786cf0852b054f32940422dffef5bb
2017-02-27 10:03:37 -08:00
Jenkins 40437e1721 Merge "Add get_code to LogicalDhcpServer" 2017-02-21 00:26:38 +00:00
Gary Kotton 1e427ba318 Add get_code to LogicalDhcpServer
This will enable the plugin to validate the supported
DHCP extra options.

This is done via the method get_dhcp_opt_code. If a name is
not supported then None is returned.

Change-Id: Ia28c2da080d79e7e1e87db0f137963a4560862bb
2017-02-20 07:18:30 +02:00
Jenkins 05fdc812d5 Merge "Add support to search resources based on tags or resource type" 2017-02-16 19:33:05 +00:00
Gary Kotton fe8a4d4d25 Fix parameter args
TrivialFix

Change-Id: I767ad5e09ce08c0f956b73f8e79619ea5b62615f
2017-02-13 22:15:13 -08:00
Jenkins 78243338ab Merge "Update interface about NSX IPAM and CIF API change" 2017-02-13 03:47:14 +00:00
Jenkins 5a472a83d8 Merge "IpPools: pass tags on create/update operations" 2017-02-12 06:48:58 +00:00
Jenkins 5d16f53c3b Merge "Fix logical switch name update" 2017-02-12 06:48:52 +00:00
Salvatore Orlando dc12c1af6b IpPools: pass tags on create/update operations
Change-Id: I65b77dce0a8acc99b9adcca8a0edf0cde83985c1
2017-02-11 00:29:37 +01:00
dantingl f601978eda Update interface about NSX IPAM and CIF API change
Change-Id: I224b8778cbb519ec9bc4ebebf9f1b3fbf4326b4d
2017-02-10 02:15:58 -08:00
OpenStack Proposal Bot 31b962f814 Updated from global requirements
Change-Id: I7ad08ea86a0d2f759344b6385d2d9eb578c5e6ca
2017-02-10 06:02:15 +00:00
Jenkins 96aa73b17c Merge "Add validation for client certificate subject" 2017-02-08 09:56:29 +00:00
Danting Liu 26b6466f03 Get list of IP block and IP block subnet
Change-Id: I90a1f5c7d255e29e896c375c0319cf87c273b22d
2017-02-07 20:39:26 -08:00
Anna Khmelnitsky 607cd7c1da Add validation for client certificate subject
Change-Id: Ib79e2d6ba630266181a3f81fd78819e9fcaa6636
2017-02-07 15:13:43 -08:00
Jenkins c85f1505dd Merge "Prevent downtime when client cert is regenerated" 2017-02-05 07:50:43 +00:00
Salvatore Orlando a7356bc304 Mute log for endpoint connection validation
The endpoint validation process queries transport zones.
Requests/responses for transport zones can clutter logs quite a bit and
make troubleshooting and support more complex.

This patch introduces the possibility of muting logging in _rest_call,
by passing a "silent" parameter to it, defaulting to False. The
_validate_connection routine will instead set this parameter to True,
thus preventing the request and response for the transport zone resource
from being dumped to the log.

Change-Id: I1f4ef84d11db9ead3e23666a7c8e8b76ca30b1ec
2017-02-02 15:00:15 +01:00
Anna Khmelnitsky 2b36887f5c Prevent downtime when client cert is regenerated
When the client certificate is regenerated, the keepalive connection
to the NSX endpoint will be broken. This patch will detect this and
invoke a callback to give the nsxlib user a chance to reload the cert;
then regenerate the connection pool to restore connectivity.

Change-Id: I0a334df4dd05feb784b9ff8bdc988ac41878863c
2017-02-02 12:50:27 +00:00
Jenkins 2ac012456d Merge "Support client certificate import" 2017-01-31 06:23:24 +00:00
Anna Khmelnitsky 763f024ab8 Support client certificate import
In addition, add getters for certificate fields,
and ensure the certificate object has a short lifespan, since
it might change in storage

Change-Id: I2abbec0e48d82d432c9cc18afaca62bae7558d7c
2017-01-30 10:58:45 -08:00
Abhishek Raut b980fdb3a2 Add support for IPSet CRUD operations
This patch adds IPSet CRUD operations under the security module.
This patch also adds a util method for IPSets to return reference
dict for IPSet objects.

Change-Id: Ie5157055e80ec1976159cabc172d8285314570c4
2017-01-17 00:37:36 -08:00
Jenkins a75193fc14 Merge "Updated from global requirements" 2017-03-02 09:43:07 +00:00
Jenkins 0e9c81922e Merge "Add in tox -s cover support" 2017-03-02 09:42:28 +00:00
OpenStack Proposal Bot f604df5f81 Updated from global requirements
Change-Id: I50748f60703226d65019db8d0a46e5008204b7aa
2017-03-02 05:09:24 +00:00
Gary Kotton 34a36b9426 Add in tox -s cover support
Enable us to do code coverage tests

Change-Id: I586c0a64d2a351b38475afbae2c49d08cb5b5d55
2017-03-01 02:28:49 -08:00
Danting Liu 576bac2ae0 Add methods for firewall section and rule
1. get logical port applyto reference
2. get rule address
3. get l4 portset nsservice
4. create section with rules

Change-Id: I02003b64f6937f1200572cb07accd8b59be19544
2017-03-01 02:06:18 -08:00
OpenStack Proposal Bot 3e5f2e324a Updated from global requirements
Change-Id: Ibdcb4388f8928649e78c8f0facbb047f452b1ecd
2017-03-01 04:18:35 +00:00
Adit Sarfaty 76b47c2bb7 Use project-id instead of tenant-id in nsxlib
Change-Id: If4782a11b74d72bcfda520fc1bd8eaddf464f5ec
2017-01-16 09:09:56 +02:00
Abhishek Raut 1cbc5d7942 Add 'applied_tos' arg while creating FirewallRule
Allow creating a firewall rule with applied_tos parameter to
specify the target for rule.

Change-Id: I0c5f1989c97b99978a57972cac05258126c4cff3
2017-01-14 18:22:02 -08:00
Jenkins 7e88aca146 Merge "Allow passing args of type list for NSGroup and firewall rule methods" 2017-02-22 11:11:21 +00:00
Abhishek Raut 53b0dde52b Add support to update tags for FirewallSections
Allow tags to be updated on firewall sections.

Change-Id: I72085fde86288f0432e08356a41e4de721016e70
2017-01-14 09:05:57 -08:00
Abhishek Raut 0294780a4d Allow passing args of type list for NSGroup and firewall rule methods
The current NSGroup create method does not allow for passing a
list of membership criteria. Similarly, the source, destination
and service arguments of the Firewall rule method do not allow for
passing a list. This patch provides a fix for it and updates
all occurrences of get_rule_dict with appropriate values.

This patch also adds a new arg to get_rule_dict to allow creation
of firewall rules with the disabled=True or False. The default
value of this arg is False, which means rules are enabled.

Change-Id: I6b16d37bf3ca61f3c9f02688f9548ea4b3b6adb6
2017-01-14 06:47:00 -08:00
Abhishek Raut 9fd59f7880 Add support to search resources based on tags or resource type
This patch adds a new util method to the NsxLib class.
NsxLib will expose a search method to retrieve objects from
backend based on their tags and resource type. Tags argument
must be present in order to search.
Tags are supplied in the following form:
    [{'scope': <scope_val>, 'tag': <tag_value>}, ...]

Change-Id: I304e9c44e55657e652b2a8236e85602c295cf22b
2017-01-12 23:25:03 -08:00
Abhishek Raut 4e3f17b422 Fix logical switch name update
If user does not intend to update the name of the logical switch,
the name should remain the same on backend. The logical switch
update method will now first get the resource from the backend
and retain the display name previously configured if name is not
updated. This allows the caller to no longer send the name of the
LS even if it is not updated.

Change-Id: Iee42c59ff1edd1fb822184535a8c0943a94e334e
2017-01-12 03:10:12 -08:00
Abhishek Raut ec454a10a1 Add method to security module
This patch adds a method to security module to further expose
more options available from firewall APIs on the backend.

Specifically this patch adds the following:
    1. A method to build tag expression for LogicalSwitch targets
       to create dynamic NSGroups.

Change-Id: I9bbacfe14076d9ff92b0f45e9a85335876302f72
2017-01-12 00:37:04 -08:00
Abhishek Raut bc1b7744c6 Fix address bindings in logical port update
During port updates, if the user does not pass address bindings,
nsxlib should perform a LP GET on the backend and use the
existing address bindings.
The response body returns address bindings in a dict format
which breaks the update in _build_attrs method. This patch
adds a new method which will convert the address bindings
dict into PacketAddressClassifier namedtuple.

Change-Id: I660cc63264d1458d17d587555889974571960bd5
2017-01-09 01:57:15 -08:00
Jenkins f438d502c3 Merge "Disable uRPF check on lrp on container LS" 2017-01-27 22:38:59 +00:00
Jenkins 04ee1b3512 Merge "Add match_ports argument while adding NAT rule" 2017-01-27 22:34:50 +00:00
Jenkins fe1816d4c4 Merge "Add IP POOL ID during port create/update" 2017-01-27 16:54:59 +00:00
Jenkins 55f15b61b3 Merge "Add support to create/delete ip block subnet on backend" 2017-01-27 16:53:21 +00:00
Jenkins 7e92de7cf7 Merge "Allow setting QoS shaper values to 0" 2017-01-27 00:11:20 +00:00
Adit Sarfaty 1e760fe4f5 Allow setting QoS shaper values to 0
Change-Id: I751fcb61adf0a18a82c961a6fede4656b2643660
2017-01-19 12:22:29 +02:00
OpenStack Proposal Bot df9ff05e75 Updated from global requirements
Change-Id: I8170983c8051ac4240d524f394ac0e9f616c1fbf
2017-01-18 01:25:39 +00:00
Jenkins 4ce55c8608 Merge "Fix bugs in certificate management exceptions" 2017-01-17 21:43:44 +00:00