def resource_list(self, context, filters=None, fields=None): ret_list = [] # collect phase all_sgs = [] if filters and 'tenant_id' in filters: project_ids = self._validate_project_ids(context, filters['tenant_id']) for p_id in project_ids: project_sgs = sg_handler.SecurityGroupHandler( self._vnc_lib).resource_list_by_project(p_id) all_sgs.append(project_sgs) else: # no filters p_id = None if context and not context['is_admin']: p_id = self._project_id_neutron_to_vnc(context['tenant']) project_sgs = sg_handler.SecurityGroupHandler( self._vnc_lib).resource_list_by_project(p_id) all_sgs.append(project_sgs) # prune phase for project_sgs in all_sgs: for sg_obj in project_sgs: # TODO() implement same for name specified in filter sgr_info = self.security_group_rules_read(sg_obj, fields=fields, filters=filters) if sgr_info: ret_list.extend(sgr_info) return ret_list
def _security_group_rule_delete(self, sg_obj, sg_rule): rules = sg_obj.get_security_group_entries() rules.get_policy_rule().remove(sg_rule) sg_obj.set_security_group_entries(rules) sg_handler.SecurityGroupHandler( self._vnc_lib).resource_update_obj(sg_obj) return
def _create_vmi_obj(self, port_q, vn_obj): project_id = self._project_id_neutron_to_vnc(port_q['tenant_id']) try: proj_obj = self._project_read(proj_id=project_id) except vnc_exc.NoIdError: self._raise_contrail_exception( 'ProjectNotFound', projec_id=project_id, resource='port') id_perms = vnc_api.IdPermsType(enable=True) vmi_uuid = str(uuid.uuid4()) if port_q.get('name'): vmi_name = port_q['name'] else: vmi_name = vmi_uuid vmi_obj = vnc_api.VirtualMachineInterface(vmi_name, proj_obj, id_perms=id_perms) vmi_obj.uuid = vmi_uuid vmi_obj.set_virtual_network(vn_obj) vmi_obj.set_security_group_list([]) if ('security_groups' not in port_q or port_q['security_groups'].__class__ is object): sg_obj = vnc_api.SecurityGroup("default", proj_obj) uid = sg_handler.SecurityGroupHandler( self._vnc_lib)._ensure_default_security_group_exists( proj_obj.uuid) sg_obj.uuid = uid vmi_obj.add_security_group(sg_obj) return vmi_obj
def _security_group_rule_neutron_to_vnc(self, sgr_q): port_min = 0 port_max = 65535 if sgr_q['port_range_min'] is not None: port_min = sgr_q['port_range_min'] if sgr_q['port_range_max'] is not None: port_max = sgr_q['port_range_max'] endpt = [vnc_api.AddressType(security_group='any')] if sgr_q['remote_ip_prefix']: cidr = sgr_q['remote_ip_prefix'].split('/') pfx = cidr[0] pfx_len = int(cidr[1]) endpt = [vnc_api.AddressType( subnet=vnc_api.SubnetType(pfx, pfx_len))] elif sgr_q['remote_group_id']: try: sg_obj = sg_handler.SecurityGroupHandler( self._vnc_lib).get_sg_obj(id=sgr_q['remote_group_id']) except vnc_exc.NoIdError: self._raise_contrail_exception('SecurityGroupNotFound', id=sgr_q['remote_group_id'], resource='security_group_rule') if sgr_q.get('tenant_id') and ( sg_obj.parent_uuid != sgr_q['tenant_id']): self._raise_contrail_exception("NotFound") endpt = [vnc_api.AddressType( security_group=sg_obj.get_fq_name_str())] if sgr_q['direction'] == 'ingress': dir = '>' local = endpt remote = [vnc_api.AddressType(security_group='local')] else: dir = '>' remote = endpt local = [vnc_api.AddressType(security_group='local')] if not sgr_q['protocol']: sgr_q['protocol'] = 'any' if not sgr_q['remote_ip_prefix'] and not sgr_q['remote_group_id']: if not sgr_q['ethertype']: sgr_q['ethertype'] = 'IPv4' sgr_uuid = str(uuid.uuid4()) if 'id' not in sgr_q else sgr_q['id'] rule = vnc_api.PolicyRuleType( rule_uuid=sgr_uuid, direction=dir, protocol=sgr_q['protocol'], src_addresses=local, src_ports=[vnc_api.PortType(0, 65535)], dst_addresses=remote, dst_ports=[vnc_api.PortType(port_min, port_max)], ethertype=sgr_q['ethertype']) return rule
def _security_group_rule_find(self, sgr_id, project_uuid=None): dom_projects = [] if not project_uuid: dom_projects = self._project_list_domain(None) else: dom_projects = [{'uuid': project_uuid}] for project in dom_projects: proj_id = project['uuid'] project_sgs = sg_handler.SecurityGroupHandler( self._vnc_lib).resource_list_by_project(proj_id) for sg_obj in project_sgs: sgr_entries = sg_obj.get_security_group_entries() if sgr_entries is None: continue for sg_rule in sgr_entries.get_policy_rule(): if sg_rule.get_rule_uuid() == sgr_id: return sg_obj, sg_rule return None, None
def _security_group_rule_create(self, sg_id, sg_rule, project_id): sghandler = sg_handler.SecurityGroupHandler(self._vnc_lib) try: sg_vnc = sghandler.get_sg_obj(id=sg_id) except vnc_exc.NoIdError: self._raise_contrail_exception('SecurityGroupNotFound', id=sg_id, resource='security_group') if project_id and sg_vnc.parent_uuid != self._project_id_neutron_to_vnc( project_id): self._raise_contrail_exception('NotFound') rules = sg_vnc.get_security_group_entries() if rules is None: rules = vnc_api.PolicyEntriesType([sg_rule]) else: rules.add_policy_rule(sg_rule) sg_vnc.set_security_group_entries(rules) try: sghandler.resource_update_obj(sg_vnc) except vnc_exc.PermissionDenied as e: self._raise_contrail_exception('BadRequest', resource='security_group_rule', msg=str(e)) except vnc_exc.BadRequest as e: self._raise_contrail_exception('BadRequest', resource='security_group_rule', msg=str(e.content)) except vnc_exc.RefsExistError as e: try: rule_uuid = str(e).split(':')[1].strip() except IndexError: rule_uuid = None self._raise_contrail_exception('SecurityGroupRuleExists', resource='security_group_rule', id=rule_uuid) return
def _security_group_rule_create(self, sg_id, sg_rule, project_id): sghandler = sg_handler.SecurityGroupHandler(self._vnc_lib) try: sg_vnc = sghandler.get_sg_obj(id=sg_id) except vnc_exc.NoIdError: self._raise_contrail_exception('SecurityGroupNotFound', id=sg_id, resource='security_group') if project_id and sg_vnc.parent_uuid != project_id: self._raise_contrail_exception('NotFound') rules = sg_vnc.get_security_group_entries() if rules is None: rules = vnc_api.PolicyEntriesType([sg_rule]) else: rules.add_policy_rule(sg_rule) sg_vnc.set_security_group_entries(rules) try: sghandler.resource_update_obj(sg_vnc) except vnc_exc.PermissionDenied as e: self._raise_contrail_exception( 'BadRequest', resource='security_group_rule', msg=str(e)) return
def _security_group_rule_vnc_to_neutron(self, sg_id, sg_rule, sg_obj=None, fields=None): sgr_q_dict = {} if sg_id is None: return sgr_q_dict if not sg_obj: try: sg_obj = sg_handler.SecurityGroupHandler( self._vnc_lib).get_sg_obj(id=sg_id) except vnc_exc.NoIdError: self._raise_contrail_exception( 'SecurityGroupNotFound', id=sg_id, resource='security_group_rule') remote_cidr = None remote_sg_uuid = None saddr = sg_rule.get_src_addresses()[0] daddr = sg_rule.get_dst_addresses()[0] if saddr.get_security_group() == 'local': direction = 'egress' addr = daddr elif daddr.get_security_group() == 'local': direction = 'ingress' addr = saddr else: self._raise_contrail_exception( 'SecurityGroupRuleNotFound', id=sg_rule.get_rule_uuid(), resource='security_group_rule') if addr.get_subnet(): remote_cidr = '%s/%s' % (addr.get_subnet().get_ip_prefix(), addr.get_subnet().get_ip_prefix_len()) elif addr.get_security_group(): if addr.get_security_group() != 'any' and ( addr.get_security_group() != 'local'): remote_sg = addr.get_security_group() if remote_sg != ':'.join(sg_obj.get_fq_name()): try: remote_sg_uuid = self._vnc_lib.fq_name_to_id( 'security-group', remote_sg.split(':')) except vnc_exc.NoIdError: # Filter rule out as the remote security group does not # exist anymore return sgr_q_dict else: remote_sg_uuid = sg_obj.uuid sgr_q_dict['id'] = sg_rule.get_rule_uuid() sgr_q_dict['tenant_id'] = self._project_id_vnc_to_neutron( sg_obj.parent_uuid) sgr_q_dict['security_group_id'] = sg_obj.uuid if hasattr(sg_rule, 'get_ethertype'): sgr_q_dict['ethertype'] = sg_rule.get_ethertype() else: sgr_q_dict['ethertype'] = 'IPv4' sgr_q_dict['direction'] = direction proto = sg_rule.get_protocol() sgr_q_dict['protocol'] = None if proto == 'any' else proto port_min = sg_rule.get_dst_ports()[0].get_start_port() if sgr_q_dict['protocol'] in (constants.PROTO_NAME_ICMP, str(constants.PROTO_NUM_ICMP)): sgr_q_dict['port_range_min'] = port_min else: sgr_q_dict['port_range_min'] = None if port_min == 0 else port_min port_max = (sg_rule.get_dst_ports()[0].get_end_port()) sgr_q_dict['port_range_max'] = None if port_max == 65535 else port_max sgr_q_dict['remote_ip_prefix'] = remote_cidr sgr_q_dict['remote_group_id'] = remote_sg_uuid if fields: sgr_q_dict = self._filter_res_dict(sgr_q_dict, fields) return sgr_q_dict