Commit Graph

122 Commits (e4ef4dd59b58c7d205011071555408fcd55ecf3d)

Author SHA1 Message Date
Adit Sarfaty e4ef4dd59b Fix for hacking N536
Splitting assertEqual on a tuple with None into multiple
asserts, using assertIsNone for expected None values.

Also fix the order of expected/observed in assertEqual calls.

Change-Id: I1c60c7d05ed8841178b6c9aabb7e1fb19d34818d
2017-03-19 11:54:35 +02:00
Gary Kotton 0c2c8c8dab Name and ID validation may be paginated
So we need to do a list instead of a get.

Change-Id: Ic18caa4bfb675a7db908b20acf86434ed47f2c49
2017-03-15 00:31:59 -07:00
Tong Liu 4fa7c0da15 Fix FIP DNAT rule match_ports bug
When we create FIP in Neutron, default DNAT is created without
passing match_ports to add_fip_nat_rules. However, when adding
nat rules, [] is not None, and it goes ahead to create default
DNAT rule only allowing TCP protocol which is wrong. We should
ANY protocol for FIP DNAT.

Closes-Bug: #1672939

Change-Id: Ib3743018646c521923bb8bbc5fad1409eb4fbe16
2017-03-14 21:59:34 +00:00
Abhishek Raut e32c31e3cc Add util method to retrieve complex expressions for NSGroup
This patch adds a utility method to create complex expressions
for NSGroups in order to create a dynamic membership criteria
to match multiple tags.

Change-Id: I8a15db52e8df889af7fb4b73579873bc86bfa30d
2017-01-18 20:56:12 -08:00
Jenkins 7c4f3e6867 Merge "Support multiple client certificate per identity" 2017-03-09 17:20:20 +00:00
Jenkins 7072ffeb53 Merge "Deprecate unused dhcp_profile_uuid from config" 2017-03-09 04:34:59 +00:00
Anna Khmelnitsky 1ac9c11b03 Support multiple client certificate per identity
When openstack runs in HA mode, admin might choose to assign two
separate client certificates for each openstack host. This is
possible with storage_type=none. This change allows deleting cert
and identity based not only on identity name, but on cert pem.
In addition, allow faster cluster recovery in case of certificate

Change-Id: Ia4eea874cfa2bf4befc724b719e53e936292e11f
2017-03-08 02:52:21 -08:00
Adit Sarfaty c6f7c2c082 Adding Optional default dns values for native dhcp
When building the native dhcp server config we use the dns domain/nameservers
from the network/subnet objects.
If not defined, we use the global values in the nsxlib config.
Now adding optional default parameters to be used instead of global ones.
This will enable using different configuration per network availability zone.

Change-Id: I38b458e2c530f29a0e5518257ed3041d0610df25
2017-03-08 12:01:12 +02:00
Adit Sarfaty 9e927a5b23 Deprecate unused dhcp_profile_uuid from config
The dhcp_profile_uuid is a part of the nsxlib configuration but it is
never used.
Adding a deprecation warning for it, and stop adding it to the config class.

Change-Id: Ib36ba0c473d66d81a99d79c691548642da34982c
2017-03-06 09:16:19 +02:00
Jenkins 627964757b Merge "Pass node ID and user permissions when creating NSX identity" 2017-03-05 16:18:12 +00:00
Salvatore Orlando ff8a2044e0 Pass node ID and user permissions when creating NSX identity
This patch simply adds 3 attributes to the request body sent to NSX
when creating principal identities for certificates, adjusts the
code in vmware_nsxlib.v3.client_cert accordingly, and removes
code that was based on "single cert per identity" assumption.

Change-Id: Ib4e1f44e98843d7cb308c57434e3ecc68f7b8dc2
2017-03-03 17:34:29 -08:00
OpenStack Proposal Bot 677ffea3b3 Updated from global requirements
Change-Id: Id9dc4e35bb403b7c490de86054be8ee106790de4
2017-03-03 23:01:33 +00:00
OpenStack Proposal Bot aeff71c05f Updated from global requirements
Change-Id: I1357e744661b309d7755c8df9ea4c91c18564f6f
2017-02-28 05:50:11 +00:00
Anna Khmelnitsky 4b654b13af Fix FW rule dictionary
Change-Id: Ia484d0429e104cd4c366df25ebe63b111920d4b4
2017-02-27 13:42:58 -08:00
Jenkins eebd6bcb13 Merge "Replace client cert file with cert provider" 2017-02-27 19:48:59 +00:00
Anna Khmelnitsky 1270fc1a93 Replace client cert file with cert provider
In nsxlib configuration, replace client certificate file with a
broader concept of provider: apart from certificate file name, the
provider can implement __enter__ and __exit__ routines to handle
file creation and disposal

Change-Id: I0c11107324786cf0852b054f32940422dffef5bb
2017-02-27 10:03:37 -08:00
Jenkins 40437e1721 Merge "Add get_code to LogicalDhcpServer" 2017-02-21 00:26:38 +00:00
Gary Kotton 1e427ba318 Add get_code to LogicalDhcpServer
This will enable the plugin to validate the supported
DHCP extra options.

This is done via the method get_dhcp_opt_code. If a name is
not supported then None is returned.

Change-Id: Ia28c2da080d79e7e1e87db0f137963a4560862bb
2017-02-20 07:18:30 +02:00
Jenkins 05fdc812d5 Merge "Add support to search resources based on tags or resource type" 2017-02-16 19:33:05 +00:00
Gary Kotton fe8a4d4d25 Fix parameter args

Change-Id: I767ad5e09ce08c0f956b73f8e79619ea5b62615f
2017-02-13 22:15:13 -08:00
Jenkins 78243338ab Merge "Update interface about NSX IPAM and CIF API change" 2017-02-13 03:47:14 +00:00
Jenkins 5a472a83d8 Merge "IpPools: pass tags on create/update operations" 2017-02-12 06:48:58 +00:00
Jenkins 5d16f53c3b Merge "Fix logical switch name update" 2017-02-12 06:48:52 +00:00
Salvatore Orlando dc12c1af6b IpPools: pass tags on create/update operations
Change-Id: I65b77dce0a8acc99b9adcca8a0edf0cde83985c1
2017-02-11 00:29:37 +01:00
dantingl f601978eda Update interface about NSX IPAM and CIF API change
Change-Id: I224b8778cbb519ec9bc4ebebf9f1b3fbf4326b4d
2017-02-10 02:15:58 -08:00
OpenStack Proposal Bot 31b962f814 Updated from global requirements
Change-Id: I7ad08ea86a0d2f759344b6385d2d9eb578c5e6ca
2017-02-10 06:02:15 +00:00
Jenkins 96aa73b17c Merge "Add validation for client certificate subject" 2017-02-08 09:56:29 +00:00
Danting Liu 26b6466f03 Get list of IP block and IP block subnet
Change-Id: I90a1f5c7d255e29e896c375c0319cf87c273b22d
2017-02-07 20:39:26 -08:00
Anna Khmelnitsky 607cd7c1da Add validation for client certificate subject
Change-Id: Ib79e2d6ba630266181a3f81fd78819e9fcaa6636
2017-02-07 15:13:43 -08:00
Jenkins c85f1505dd Merge "Prevent downtime when client cert is regenerated" 2017-02-05 07:50:43 +00:00
Salvatore Orlando a7356bc304 Mute log for endpoint connection validation
The endpoint validation process queries transport zones.
Requests/responses for transport zones can clutter logs quite a bit and
make troubleshooting and support more complex.

This patch introduces the possibility of muting logging in _rest_call,
by passing a "silent" parameter to it, defaulting to False. The
_validate_connection routine will instead set this parameter to True,
thus preventing request and response for the transport zone resource to
be dumped on the log.

Change-Id: I1f4ef84d11db9ead3e23666a7c8e8b76ca30b1ec
2017-02-02 15:00:15 +01:00
Anna Khmelnitsky 2b36887f5c Prevent downtime when client cert is regenerated
When client certificate is regenerated, keepalive connection
to NSX endpoint will be broken. This patch will detect this and
invoke a callback to give nsxlib user a chance to reload the cert;
then regenerate connection pool to restore connectivity.

Change-Id: I0a334df4dd05feb784b9ff8bdc988ac41878863c
2017-02-02 12:50:27 +00:00
Jenkins 2ac012456d Merge "Support client certificate import" 2017-01-31 06:23:24 +00:00
Anna Khmelnitsky 763f024ab8 Support client certificate import
In addition, add getters for certificate fields,
and ensure certificate object has short lifespan, since
it might change in storage

Change-Id: I2abbec0e48d82d432c9cc18afaca62bae7558d7c
2017-01-30 10:58:45 -08:00
Abhishek Raut f20ebba9ef [NSX Search]: Append resource_type while limiting scope for a resource
Currently the search API accepts resource_type as an optional param
which is used to limit the scope of the search to a given type of
resource. This in turn searches the backend for all fields of all
For example, a search for LogicalSwitch resource_type may return
NSGroups which contain a membership criteria for LogicalSwitch.
In this case NSGroups are returned since the target_type field for
the NSGroup is set to LogicalSwitch.
In order to correctly return only objects of type LogicalSwitch, the
query must have resource_type:LogicalSwitch instead of LogicalSwitch.

Change-Id: I0418c0a758b28ec46b77a7adaf2dbc3addac6da3
2017-01-17 13:45:21 -08:00
Abhishek Raut b980fdb3a2 Add support for IPSet CRUD operations
This patch adds IPSet CRUD operations under the security module.
This patch also adds a util method for IPSets to return reference
dict for IPSet objects.

Change-Id: Ie5157055e80ec1976159cabc172d8285314570c4
2017-01-17 00:37:36 -08:00
Jenkins a75193fc14 Merge "Updated from global requirements" 2017-03-02 09:43:07 +00:00
Jenkins 0e9c81922e Merge "Add in tox -s cover support" 2017-03-02 09:42:28 +00:00
OpenStack Proposal Bot f604df5f81 Updated from global requirements
Change-Id: I50748f60703226d65019db8d0a46e5008204b7aa
2017-03-02 05:09:24 +00:00
Gary Kotton 34a36b9426 Add in tox -s cover support
Enable us to do code coverage tests

Change-Id: I586c0a64d2a351b38475afbae2c49d08cb5b5d55
2017-03-01 02:28:49 -08:00
Danting Liu 576bac2ae0 Add methods for firewall section and rule
1. get logical port applyto reference
2. get rule address
3. get l4 portset nsservice
4. create section with rules

Change-Id: I02003b64f6937f1200572cb07accd8b59be19544
2017-03-01 02:06:18 -08:00
OpenStack Proposal Bot 3e5f2e324a Updated from global requirements
Change-Id: Ibdcb4388f8928649e78c8f0facbb047f452b1ecd
2017-03-01 04:18:35 +00:00
Adit Sarfaty 76b47c2bb7 Use project-id instead of tenant-id in nsxlib
Change-Id: If4782a11b74d72bcfda520fc1bd8eaddf464f5ec
2017-01-16 09:09:56 +02:00
Abhishek Raut 1cbc5d7942 Add 'applied_tos' arg while creating FirewallRule
Allow creating a firewall rule with applied_tos parameter to
specify the target for rule.

Change-Id: I0c5f1989c97b99978a57972cac05258126c4cff3
2017-01-14 18:22:02 -08:00
Jenkins 7e88aca146 Merge "Allow passing args of type list for NSGroup and firewall rule methods" 2017-02-22 11:11:21 +00:00
Abhishek Raut 53b0dde52b Add support to update tags for FirewallSections
Allow tags to be updated on firewall sections.

Change-Id: I72085fde86288f0432e08356a41e4de721016e70
2017-01-14 09:05:57 -08:00
Abhishek Raut 0294780a4d Allow passing args of type list for NSGroup and firewall rule methods
The current NSGroup create method does not allow for passing a
list of membership criteria. Similarly the source, destination
and service arguments of Firewall rule method do not allow for
passing a list. This patch provides a fix for it and updates
all occurrences of get_rule_dict with appropriate values.

This patch also adds a new arg to get_rule_dict to allow creation
of firewall rules with the disabled=True or False. The default
value of this arg is False, which means rules are enabled.

Change-Id: I6b16d37bf3ca61f3c9f02688f9548ea4b3b6adb6
2017-01-14 06:47:00 -08:00
Abhishek Raut 9fd59f7880 Add support to search resources based on tags or resource type
This patch adds a new util method to the NsxLib class.
NsxLib will expose a search method to retrieve objects from
backend based on their tags and resource type. Tags argument
must be present in order to search.
Tags are supplied in the following form:
    [{'scope': <scope_val>, 'tag': <tag_value>}, ...]

Change-Id: I304e9c44e55657e652b2a8236e85602c295cf22b
2017-01-12 23:25:03 -08:00
Abhishek Raut 4e3f17b422 Fix logical switch name update
If user does not intend to update the name of the logical switch,
the name should remain the same on backend. The logical switch
update method will now first get the resource from the backend
and retain the display name previously configured if name is not
updated. This allows the caller to no longer send the name of the
LS even if it is not updated.

Change-Id: Iee42c59ff1edd1fb822184535a8c0943a94e334e
2017-01-12 03:10:12 -08:00
Abhishek Raut ec454a10a1 Add method to security module
This patch adds a method to security module to further expose
more options available from firewall APIs on the backend.

Specifically this patch adds the following:
    1. A method to build tag expression for LogicalSwitch targets
       to create dynamic NSGroups.

Change-Id: I9bbacfe14076d9ff92b0f45e9a85335876302f72
2017-01-12 00:37:04 -08:00