def setUp(self):
super(SecurityGroupRBACDbObjectTestCase, self).setUp()
for obj in self.db_objs:
sg_obj = securitygroup.SecurityGroup(self.context,
id=obj['object_id'],
project_id=obj['project_id'])
sg_obj.create()
def setUp(self):
super(SecurityGroupRuleDbObjTestCase, self).setUp()
sg_fields = self.get_random_object_fields(securitygroup.SecurityGroup)
self.sg_obj = securitygroup.SecurityGroup(self.context, **sg_fields)
self.sg_obj.create()
self.update_obj_fields({'security_group_id': self.sg_obj['id'],
'remote_group_id': self.sg_obj['id']})
def setUp(self):
super(DefaultSecurityGroupDbObjTestCase, self).setUp()
sg_db_obj = self.get_random_fields(securitygroup.SecurityGroup)
sg_fields = securitygroup.SecurityGroup.modify_fields_from_db(
sg_db_obj)
self.sg_obj = securitygroup.SecurityGroup(self.context, **sg_fields)
self.sg_obj.create()
self.update_obj_fields({'security_group_id': self.sg_obj['id']})
def setUp(self):
super(DefaultSecurityGroupDbObjTestCase, self).setUp()
sg_db_obj = self.get_random_fields(securitygroup.SecurityGroup)
sg_fields = securitygroup.SecurityGroup.modify_fields_from_db(
sg_db_obj)
self.sg_obj = securitygroup.SecurityGroup(self.context, **sg_fields)
self.sg_obj.create()
for obj in itertools.chain(self.db_objs, self.obj_fields, self.objs):
obj['security_group_id'] = self.sg_obj['id']
def setUp(self):
super(SecurityGroupRuleDbObjTestCase, self).setUp()
sg_db_obj = self.get_random_fields(securitygroup.SecurityGroup)
sg_fields = securitygroup.SecurityGroup.modify_fields_from_db(
sg_db_obj)
self.sg_obj = securitygroup.SecurityGroup(
self.context, **test_base.remove_timestamps_from_fields(sg_fields))
self.sg_obj.create()
for obj in itertools.chain(self.db_objs, self.obj_fields, self.objs):
obj['security_group_id'] = self.sg_obj['id']
obj['remote_group_id'] = self.sg_obj['id']
def _make_security_group_ovo(self, **kwargs):
attrs = {'id': uuidutils.generate_uuid(), 'revision_number': 1}
sg_rule = securitygroup.SecurityGroupRule(
id=uuidutils.generate_uuid(),
security_group_id=attrs['id'],
direction='ingress',
ethertype='IPv4', protocol='tcp',
port_range_min=400,
remote_group_id=attrs['id'],
revision_number=1,
)
attrs['rules'] = [sg_rule]
attrs.update(**kwargs)
sg = securitygroup.SecurityGroup(self.ctx, **attrs)
self.rcache.record_resource_update(self.ctx, 'SecurityGroup', sg)
return sg
def create_security_group_without_rules(self, context, security_group,
default_sg, is_provider):
"""Create a neutron security group, without any default rules.
This method creates a security group that does not by default
enable egress traffic which normal neutron security groups do.
"""
s = security_group['security_group']
kwargs = {
'context': context,
'security_group': s,
'is_default': default_sg,
}
self._registry_notify(resources.SECURITY_GROUP,
events.BEFORE_CREATE,
exc_cls=ext_sg.SecurityGroupConflict,
**kwargs)
tenant_id = s['tenant_id']
if not default_sg:
self._ensure_default_security_group(context, tenant_id)
with db_api.context_manager.writer.using(context):
sg = sg_obj.SecurityGroup(context,
id=s.get('id')
or uuidutils.generate_uuid(),
description=s.get('description', ''),
project_id=tenant_id,
name=s.get('name', ''),
is_default=default_sg)
sg.create()
secgroup_dict = self._make_security_group_dict(sg)
secgroup_dict[sg_policy.POLICY] = s.get(sg_policy.POLICY)
secgroup_dict[provider_sg.PROVIDER] = is_provider
kwargs['security_group'] = secgroup_dict
registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self,
**kwargs)
return secgroup_dict
def create_security_group(self, context, security_group, default_sg=False):
"""Create security group.
If default_sg is true that means we are a default security group for
a given tenant if it does not exist.
"""
s = security_group['security_group']
kwargs = {
'context': context,
'security_group': s,
'is_default': default_sg,
}
self._registry_notify(resources.SECURITY_GROUP,
events.BEFORE_CREATE,
exc_cls=ext_sg.SecurityGroupConflict,
payload=events.DBEventPayload(
context,
metadata={'is_default': default_sg},
request_body=security_group,
desired_state=s))
tenant_id = s['tenant_id']
stateful = s.get('stateful', True)
if not default_sg:
self._ensure_default_security_group(context, tenant_id)
else:
existing_def_sg_id = self._get_default_sg_id(context, tenant_id)
if existing_def_sg_id is not None:
# default already exists, return it
return self.get_security_group(context, existing_def_sg_id)
with db_api.CONTEXT_WRITER.using(context):
delta = len(ext_sg.sg_supported_ethertypes)
delta = delta * 2 if default_sg else delta
reservation = quota.QUOTAS.make_reservation(
context, tenant_id, {'security_group_rule': delta}, self)
sg = sg_obj.SecurityGroup(context,
id=s.get('id')
or uuidutils.generate_uuid(),
description=s['description'],
project_id=tenant_id,
name=s['name'],
is_default=default_sg,
stateful=stateful)
sg.create()
for ethertype in ext_sg.sg_supported_ethertypes:
if default_sg:
# Allow intercommunication
ingress_rule = sg_obj.SecurityGroupRule(
context,
id=uuidutils.generate_uuid(),
project_id=tenant_id,
security_group_id=sg.id,
direction='ingress',
ethertype=ethertype,
remote_group_id=sg.id)
ingress_rule.create()
sg.rules.append(ingress_rule)
egress_rule = sg_obj.SecurityGroupRule(
context,
id=uuidutils.generate_uuid(),
project_id=tenant_id,
security_group_id=sg.id,
direction='egress',
ethertype=ethertype)
egress_rule.create()
sg.rules.append(egress_rule)
sg.obj_reset_changes(['rules'])
quota.QUOTAS.commit_reservation(context,
reservation.reservation_id)
# fetch sg from db to load the sg rules with sg model.
sg = sg_obj.SecurityGroup.get_object(context, id=sg.id)
secgroup_dict = self._make_security_group_dict(sg)
kwargs['security_group'] = secgroup_dict
self._registry_notify(resources.SECURITY_GROUP,
events.PRECOMMIT_CREATE,
exc_cls=ext_sg.SecurityGroupConflict,
**kwargs)
registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self,
**kwargs)
return secgroup_dict
def create_security_group(self, context, security_group, default_sg=False):
"""Create security group.
If default_sg is true that means we are a default security group for
a given tenant if it does not exist.
"""
s = security_group['security_group']
kwargs = {
'context': context,
'security_group': s,
'is_default': default_sg,
}
self._registry_notify(resources.SECURITY_GROUP,
events.BEFORE_CREATE,
exc_cls=ext_sg.SecurityGroupConflict,
**kwargs)
tenant_id = s['tenant_id']
if not default_sg:
self._ensure_default_security_group(context, tenant_id)
else:
existing_def_sg_id = self._get_default_sg_id(context, tenant_id)
if existing_def_sg_id is not None:
# default already exists, return it
return self.get_security_group(context, existing_def_sg_id)
with db_api.context_manager.writer.using(context):
sg = sg_obj.SecurityGroup(context,
id=s.get('id')
or uuidutils.generate_uuid(),
description=s['description'],
project_id=tenant_id,
name=s['name'],
is_default=default_sg)
sg.create()
for ethertype in ext_sg.sg_supported_ethertypes:
if default_sg:
# Allow intercommunication
ingress_rule = sg_obj.SecurityGroupRule(
context,
id=uuidutils.generate_uuid(),
project_id=tenant_id,
security_group_id=sg.id,
direction='ingress',
ethertype=ethertype,
remote_group_id=sg.id)
ingress_rule.create()
sg.rules.append(ingress_rule)
egress_rule = sg_obj.SecurityGroupRule(
context,
id=uuidutils.generate_uuid(),
project_id=tenant_id,
security_group_id=sg.id,
direction='egress',
ethertype=ethertype)
egress_rule.create()
sg.rules.append(egress_rule)
sg.obj_reset_changes(['rules'])
# fetch sg from db to load the sg rules with sg model.
sg = sg_obj.SecurityGroup.get_object(context, id=sg.id)
secgroup_dict = self._make_security_group_dict(sg)
kwargs['security_group'] = secgroup_dict
self._registry_notify(resources.SECURITY_GROUP,
events.PRECOMMIT_CREATE,
exc_cls=ext_sg.SecurityGroupConflict,
**kwargs)
registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self,
**kwargs)
return secgroup_dict
def create_security_group(self, context, security_group, default_sg=False):
"""Create security group.
If default_sg is true that means we are a default security group for
a given tenant if it does not exist.
"""
s = security_group['security_group']
self._registry_publish(resources.SECURITY_GROUP, events.BEFORE_CREATE,
exc_cls=ext_sg.SecurityGroupConflict,
payload=events.DBEventPayload(
context,
metadata={'is_default': default_sg},
request_body=security_group,
desired_state=s))
tenant_id = s['tenant_id']
stateful = s.get('stateful', True)
if not default_sg:
self._ensure_default_security_group(context, tenant_id)
else:
existing_def_sg_id = self._get_default_sg_id(context, tenant_id)
if existing_def_sg_id is not None:
# default already exists, return it
return self.get_security_group(context, existing_def_sg_id)
with db_api.CONTEXT_WRITER.using(context):
delta = len(ext_sg.sg_supported_ethertypes)
delta = delta * 2 if default_sg else delta
quota.QUOTAS.quota_limit_check(context, tenant_id,
security_group_rule=delta)
sg = sg_obj.SecurityGroup(
context, id=s.get('id') or uuidutils.generate_uuid(),
description=s['description'], project_id=tenant_id,
name=s['name'], is_default=default_sg, stateful=stateful)
sg.create()
for ethertype in ext_sg.sg_supported_ethertypes:
if default_sg:
# Allow intercommunication
ingress_rule = sg_obj.SecurityGroupRule(
context, id=uuidutils.generate_uuid(),
project_id=tenant_id, security_group_id=sg.id,
direction='ingress', ethertype=ethertype,
remote_group_id=sg.id)
ingress_rule.create()
sg.rules.append(ingress_rule)
egress_rule = sg_obj.SecurityGroupRule(
context, id=uuidutils.generate_uuid(),
project_id=tenant_id, security_group_id=sg.id,
direction='egress', ethertype=ethertype)
egress_rule.create()
sg.rules.append(egress_rule)
sg.obj_reset_changes(['rules'])
# fetch sg from db to load the sg rules with sg model.
# NOTE(slaweq): With new system/project scopes it may happen that
# project admin will try to list security groups for different
# project and during that call Neutron will ensure that default
# security group is created. In such case elevated context needs to
# be used here otherwise, SG will not be found and error 500 will
# be returned through the API
get_context = context.elevated() if default_sg else context
sg = sg_obj.SecurityGroup.get_object(get_context, id=sg.id)
secgroup_dict = self._make_security_group_dict(sg)
self._registry_publish(resources.SECURITY_GROUP,
events.PRECOMMIT_CREATE,
exc_cls=ext_sg.SecurityGroupConflict,
payload=events.DBEventPayload(
context,
resource_id=sg.id,
metadata={'is_default': default_sg},
states=(secgroup_dict,)))
registry.publish(resources.SECURITY_GROUP, events.AFTER_CREATE,
self, payload=events.DBEventPayload(
context,
resource_id=secgroup_dict['id'],
metadata={'is_default': default_sg},
states=(secgroup_dict,)))
return secgroup_dict
def _create_test_security_group(self):
sg_fields = self.get_random_object_fields(securitygroup.SecurityGroup)
sg_obj = securitygroup.SecurityGroup(self.context, **sg_fields)
return sg_obj
