def __new__(cls, *args, **kwargs):
model_query.register_hook(models_v2.Network,
"external_net",
query_hook=None,
filter_hook=_network_filter_hook,
result_filters=_network_result_filter_hook)
return super(External_net_db_mixin, cls).__new__(cls, *args, **kwargs)
def __new__(cls, *args, **kwargs):
model_query.register_hook(models_v2.Port,
"portbindings_port",
query_hook=_port_model_hook,
filter_hook=None,
result_filters=_port_result_filter_hook)
return super(PortBindingMixin, cls).__new__(cls, *args, **kwargs)
def __new__(cls, *args, **kwargs):
model_query.register_hook(
BGPVPN,
"bgpvpn_filter_by_resource_association",
query_hook=None,
filter_hook=None,
result_filters=_list_bgpvpns_result_filter_hook)
return super(BGPVPNPluginDb, cls).__new__(cls, *args, **kwargs)
def __new__(cls, *args, **kwargs):
model_query.register_hook(
models_v2.Port,
"portbindings_port",
query_hook=_port_model_hook,
filter_hook=None,
result_filters=_port_result_filter_hook)
return super(PortBindingMixin, cls).__new__(cls, *args, **kwargs)
def __new__(cls, *args, **kwargs):
model_query.register_hook(
models_v2.Network,
"external_net",
query_hook=None,
filter_hook=_network_filter_hook,
result_filters=_network_result_filter_hook)
return super(External_net_db_mixin, cls).__new__(cls, *args, **kwargs)
def register_tag_hooks():
for model in resource_model_map.values():
method = functools.partial(_apply_tag_filters, model)
_filter_methods.append(method)
model_query.register_hook(model, "tag",
query_hook=None,
filter_hook=None,
result_filters=method)
def __new__(cls, *args, **kwargs):
model_query.register_hook(
models_v2.SubnetPool,
"implicit_subnetpool",
query_hook=_subnetpool_model_hook,
filter_hook=_subnetpool_filter_hook,
result_filters=_subnetpool_result_filter_hook)
return super(ImplicitSubnetpoolMixin,
cls).__new__(cls, *args, **kwargs)
def register_tag_hooks():
for model in resource_model_map.values():
method = functools.partial(_apply_tag_filters, model)
_filter_methods.append(method)
model_query.register_hook(model,
"tag",
query_hook=None,
filter_hook=None,
result_filters=method)
def __new__(cls, *args, **kwargs):
rs_model_maps = standard_attr.get_standard_attr_resource_model_map()
for model in rs_model_maps.values():
model_query.register_hook(
model,
"change_since_query",
query_hook=None,
filter_hook=None,
result_filters=_change_since_result_filter_hook)
return super(TimeStamp_db_mixin, cls).__new__(cls, *args, **kwargs)
def register_model_query_hook(model,
name,
query_hook,
filter_hook,
result_filters=None):
_model_query.register_hook(model,
name,
query_hook,
filter_hook,
result_filters=result_filters)
def __new__(cls, *args, **kwargs):
rs_model_maps = standard_attr.get_standard_attr_resource_model_map()
for model in rs_model_maps.values():
model_query.register_hook(
model,
"change_since_query",
query_hook=None,
filter_hook=None,
result_filters=_change_since_result_filter_hook)
return super(TimeStamp_db_mixin, cls).__new__(cls, *args, **kwargs)
def __new__(cls, *args, **kwargs):
inst = super(TagPlugin, cls).__new__(cls, *args, **kwargs)
inst._filter_methods = [] # prevent GC of our partial functions
for resource, model in resource_model_map.items():
resource_extend.register_funcs(
resource, [_extend_tags_dict])
method = functools.partial(tag_methods.apply_tag_filters, model)
inst._filter_methods.append(method)
model_query.register_hook(
model, "tag", None, None, method)
return inst
def __new__(cls, *args, **kwargs):
inst = super(TagPlugin, cls).__new__(cls, *args, **kwargs)
inst._filter_methods = [] # prevent GC of our partial functions
for model in resource_model_map.values():
method = functools.partial(tag_methods.apply_tag_filters, model)
inst._filter_methods.append(method)
model_query.register_hook(model, "tag",
query_hook=None,
filter_hook=None,
result_filters=method)
return inst
def __new__(cls, *args, **kwargs):
inst = super(TagPlugin, cls).__new__(cls, *args, **kwargs)
inst._filter_methods = [] # prevent GC of our partial functions
for model in resource_model_map.values():
method = functools.partial(tag_methods.apply_tag_filters, model)
inst._filter_methods.append(method)
model_query.register_hook(model, "tag",
query_hook=None,
filter_hook=None,
result_filters=method)
return inst
def __init__(self):
super(TimeStampPlugin, self).__init__()
self.register_db_events()
rs_model_maps = standard_attr.get_standard_attr_resource_model_map()
for rsmap, model in rs_model_maps.items():
resource_extend.register_funcs(
rsmap, [self.extend_resource_dict_timestamp])
model_query.register_hook(model, "change_since_query", None, None,
self._change_since_result_filter_hook)
# TODO(jlibosva): Move this to register_model_query_hook
base_obj.register_filter_hook_on_model(models_v2.SubnetPool,
ts_db.CHANGED_SINCE)
def __new__(cls, *args, **kwargs):
model_query.register_hook(
FirewallGroup,
"firewall_group_v2_filter_by_port_association",
query_hook=None,
filter_hook=None,
result_filters=_list_firewall_groups_result_filter_hook)
model_query.register_hook(
FirewallPolicy,
"firewall_policy_v2_filter_by_firewall_rule_association",
query_hook=None,
filter_hook=None,
result_filters=_list_firewall_policies_result_filter_hook)
return super(FirewallPluginDb, cls).__new__(cls, *args, **kwargs)
class External_net_db_mixin(object):
"""Mixin class to add external network methods to db_base_plugin_v2."""
@staticmethod
def _network_filter_hook(context, original_model, conditions):
if conditions is not None and not hasattr(conditions, '__iter__'):
conditions = (conditions, )
# Apply the external network filter only in non-admin and non-advsvc
# context
if db_utils.model_query_scope_is_project(context, original_model):
# the table will already be joined to the rbac entries for the
# shared check so we don't need to worry about ensuring that
rbac_model = original_model.rbac_entries.property.mapper.class_
tenant_allowed = ((rbac_model.action == 'access_as_external') &
(rbac_model.target_tenant == context.tenant_id) |
(rbac_model.target_tenant == '*'))
conditions = expr.or_(tenant_allowed, *conditions)
return conditions
def _network_result_filter_hook(self, query, filters):
vals = filters and filters.get(external_net.EXTERNAL, [])
if not vals:
return query
if vals[0]:
return query.filter(models_v2.Network.external.has())
return query.filter(~models_v2.Network.external.has())
model_query.register_hook(models_v2.Network, "external_net", None,
'_network_filter_hook',
'_network_result_filter_hook')
def _network_is_external(self, context, net_id):
return net_obj.ExternalNetwork.objects_exist(context,
network_id=net_id)
def _extend_network_dict_l3(self, network_res, network_db):
# Comparing with None for converting uuid into bool
network_res[external_net.EXTERNAL] = network_db.external is not None
return network_res
resource_extend.register_funcs(attributes.NETWORKS,
['_extend_network_dict_l3'])
def _process_l3_create(self, context, net_data, req_data):
external = req_data.get(external_net.EXTERNAL)
external_set = validators.is_attr_set(external)
if not external_set:
return
if external:
net_obj.ExternalNetwork(context,
network_id=net_data['id']).create()
context.session.add(
rbac_db.NetworkRBAC(object_id=net_data['id'],
action='access_as_external',
target_tenant='*',
tenant_id=net_data['tenant_id']))
try:
registry.notify(resources.EXTERNAL_NETWORK,
events.PRECOMMIT_CREATE,
self,
context=context,
request=req_data,
network=net_data)
except c_exc.CallbackFailure as e:
# raise the underlying exception
raise e.errors[0].error
net_data[external_net.EXTERNAL] = external
def _process_l3_update(self, context, net_data, req_data, allow_all=True):
try:
registry.notify(resources.EXTERNAL_NETWORK,
events.BEFORE_UPDATE,
self,
context=context,
request=req_data,
network=net_data)
except c_exc.CallbackFailure as e:
# raise the underlying exception
raise e.errors[0].error
new_value = req_data.get(external_net.EXTERNAL)
net_id = net_data['id']
if not validators.is_attr_set(new_value):
return
if net_data.get(external_net.EXTERNAL) == new_value:
return
if new_value:
net_obj.ExternalNetwork(context, network_id=net_id).create()
net_data[external_net.EXTERNAL] = True
if allow_all:
context.session.add(
rbac_db.NetworkRBAC(object_id=net_id,
action='access_as_external',
target_tenant='*',
tenant_id=net_data['tenant_id']))
else:
# must make sure we do not have any external gateway ports
# (and thus, possible floating IPs) on this network before
# allow it to be update to external=False
port = context.session.query(
models_v2.Port).filter_by(device_owner=DEVICE_OWNER_ROUTER_GW,
network_id=net_data['id']).first()
if port:
raise external_net.ExternalNetworkInUse(net_id=net_id)
net_obj.ExternalNetwork.delete_objects(context, network_id=net_id)
for rbdb in (context.session.query(rbac_db.NetworkRBAC).filter_by(
object_id=net_id, action='access_as_external')):
context.session.delete(rbdb)
net_data[external_net.EXTERNAL] = False
def _process_l3_delete(self, context, network_id):
l3plugin = directory.get_plugin(constants.L3)
if l3plugin:
l3plugin.delete_disassociated_floatingips(context, network_id)
def get_external_network_id(self, context):
nets = self.get_networks(context, {external_net.EXTERNAL: [True]})
if len(nets) > 1:
raise n_exc.TooManyExternalNetworks()
else:
return nets[0]['id'] if nets else None
@registry.receives('rbac-policy', [events.BEFORE_CREATE])
def _process_ext_policy_create(self, resource, event, trigger, context,
object_type, policy, **kwargs):
if (object_type != 'network'
or policy['action'] != 'access_as_external'):
return
net = self.get_network(context, policy['object_id'])
if not context.is_admin and net['tenant_id'] != context.tenant_id:
msg = _("Only admins can manipulate policies on networks they "
"do not own")
raise n_exc.InvalidInput(error_message=msg)
if not self._network_is_external(context, policy['object_id']):
# we automatically convert the network into an external network
self._process_l3_update(context,
net, {external_net.EXTERNAL: True},
allow_all=False)
@registry.receives('rbac-policy',
(events.BEFORE_UPDATE, events.BEFORE_DELETE))
def _validate_ext_not_in_use_by_tenant(self, resource, event, trigger,
context, object_type, policy,
**kwargs):
if (object_type != 'network'
or policy['action'] != 'access_as_external'):
return
new_tenant = None
if event == events.BEFORE_UPDATE:
new_tenant = kwargs['policy_update']['target_tenant']
if new_tenant == policy['target_tenant']:
# nothing to validate if the tenant didn't change
return
ports = context.session.query(models_v2.Port.id).filter_by(
device_owner=DEVICE_OWNER_ROUTER_GW,
network_id=policy['object_id'])
router = context.session.query(l3_models.Router).filter(
l3_models.Router.gw_port_id.in_(ports))
rbac = rbac_db.NetworkRBAC
if policy['target_tenant'] != '*':
router = router.filter(
l3_models.Router.tenant_id == policy['target_tenant'])
# if there is a wildcard entry we can safely proceed without the
# router lookup because they will have access either way
if context.session.query(rbac_db.NetworkRBAC).filter(
rbac.object_id == policy['object_id'],
rbac.action == 'access_as_external',
rbac.target_tenant == '*').count():
return
else:
# deleting the wildcard is okay as long as the tenants with
# attached routers have their own entries and the network is
# not the default external network.
if net_obj.ExternalNetwork.objects_exist(
context, network_id=policy['object_id'], is_default=True):
msg = _("Default external networks must be shared to "
"everyone.")
raise rbac_ext.RbacPolicyInUse(object_id=policy['object_id'],
details=msg)
tenants_with_entries = (context.session.query(
rbac.target_tenant).filter(
rbac.object_id == policy['object_id'],
rbac.action == 'access_as_external',
rbac.target_tenant != '*'))
router = router.filter(
~l3_models.Router.tenant_id.in_(tenants_with_entries))
if new_tenant:
# if this is an update we also need to ignore any router
# interfaces that belong to the new target.
router = router.filter(
l3_models.Router.tenant_id != new_tenant)
if router.count():
msg = _("There are routers attached to this network that "
"depend on this policy for access.")
raise rbac_ext.RbacPolicyInUse(object_id=policy['object_id'],
details=msg)
@registry.receives(resources.NETWORK, [events.BEFORE_DELETE])
def _before_network_delete_handler(self, resource, event, trigger, context,
network_id, **kwargs):
self._process_l3_delete(context, network_id)
class PortBindingMixin(portbindings_base.PortBindingBaseMixin):
extra_binding_dict = None
def _port_model_hook(self, context, original_model, query):
query = query.outerjoin(
pmodels.PortBindingPort,
(original_model.id == pmodels.PortBindingPort.port_id))
return query
def _port_result_filter_hook(self, query, filters):
values = filters and filters.get(portbindings.HOST_ID, [])
if not values:
return query
query = query.filter(pmodels.PortBindingPort.host.in_(values))
return query
model_query.register_hook(
models_v2.Port,
"portbindings_port",
'_port_model_hook',
None,
'_port_result_filter_hook')
def _process_portbindings_create_and_update(self, context, port_data,
port):
binding_profile = port.get(portbindings.PROFILE)
binding_profile_set = validators.is_attr_set(binding_profile)
if not binding_profile_set and binding_profile is not None:
del port[portbindings.PROFILE]
binding_vnic = port.get(portbindings.VNIC_TYPE)
binding_vnic_set = validators.is_attr_set(binding_vnic)
if not binding_vnic_set and binding_vnic is not None:
del port[portbindings.VNIC_TYPE]
# REVISIT(irenab) Add support for vnic_type for plugins that
# can handle more than one type.
# Currently implemented for ML2 plugin that does not use
# PortBindingMixin.
host = port_data.get(portbindings.HOST_ID)
host_set = validators.is_attr_set(host)
with context.session.begin(subtransactions=True):
bind_port = context.session.query(
pmodels.PortBindingPort).filter_by(port_id=port['id']).first()
if host_set:
if not bind_port:
context.session.add(
pmodels.PortBindingPort(port_id=port['id'], host=host))
else:
bind_port.host = host
else:
host = bind_port.host if bind_port else None
self._extend_port_dict_binding_host(port, host)
def get_port_host(self, context, port_id):
with context.session.begin(subtransactions=True):
bind_port = (
context.session.query(pmodels.PortBindingPort).
filter_by(port_id=port_id).
first()
)
return bind_port.host if bind_port else None
def _extend_port_dict_binding_host(self, port_res, host):
super(PortBindingMixin, self).extend_port_dict_binding(
port_res, None)
port_res[portbindings.HOST_ID] = host
def extend_port_dict_binding(self, port_res, port_db):
host = port_db.portbinding.host if port_db.portbinding else None
self._extend_port_dict_binding_host(port_res, host)
def register_model_query_hook(model, name, query_hook, filter_hook,
result_filters=None):
_model_query.register_hook(
model, name, query_hook, filter_hook,
result_filters=result_filters)
