def _get_security_groups_on_port(self, context, port): """Check that all security groups on port belong to tenant. :returns: all security groups IDs on port belonging to tenant. """ p = port['port'] if not attr.is_attr_set(p.get(ext_sg.SECURITYGROUPS)): return if p.get('device_owner') and p['device_owner'].startswith('network:'): return port_sg = p.get(ext_sg.SECURITYGROUPS, []) filters = {'id': port_sg} tenant_id = p.get('tenant_id') if tenant_id: filters['tenant_id'] = [tenant_id] valid_groups = set(g['id'] for g in self.get_security_groups( context, fields=['id'], filters=filters)) requested_groups = set(port_sg) port_sg_missing = requested_groups - valid_groups if port_sg_missing: raise ext_sg.SecurityGroupNotFound(id=str(port_sg_missing[0])) return requested_groups
def update_security_group_rule(context, id, security_group_rule): '''Updates a rule and updates the ports''' LOG.info("update_security_group_rule for tenant %s" % (context.tenant_id)) new_rule = security_group_rule["security_group_rule"] # Only allow updatable fields new_rule = _filter_update_security_group_rule(new_rule) with context.session.begin(): rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(id=id) db_rule = db_api.security_group_rule_update(context, rule, **new_rule) group_id = db_rule.group_id group = db_api.security_group_find(context, id=group_id, scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=group_id) if group: _perform_async_update_rule(context, group_id, group, rule.id, RULE_UPDATE) return v._make_security_group_rule_dict(db_rule)
def delete_security_group(self, context, sg_id): """Delete a security group Delete security group from Neutron and PLUMgrid Platform :param sg_id: security group ID of the rule to be removed """ with context.session.begin(subtransactions=True): sg = super(NeutronPluginPLUMgridV2, self).get_security_group(context, sg_id) if not sg: raise sec_grp.SecurityGroupNotFound(id=sg_id) if sg['name'] == 'default' and not context.is_admin: raise sec_grp.SecurityGroupCannotRemoveDefault() sec_grp_ip = sg['id'] filters = {'security_group_id': [sec_grp_ip]} if super(NeutronPluginPLUMgridV2, self)._get_port_security_group_bindings(context, filters): raise sec_grp.SecurityGroupInUse(id=sec_grp_ip) sec_db = super(NeutronPluginPLUMgridV2, self).delete_security_group(context, sg_id) try: LOG.debug("PLUMgrid Library: delete_security_group()" " called") self._plumlib.delete_security_group(sg) except Exception as err_message: raise plum_excep.PLUMgridException(err_msg=err_message) return sec_db
def _get_security_groups_on_port(self, context, port): """Check that all security groups on port belong to tenant. :returns: all security groups IDs on port belonging to tenant. """ port = port['port'] if not attributes.is_attr_set(port.get(ext_sg.SECURITYGROUPS)): return if port.get('device_owner') and utils.is_port_trusted(port): return port_sg = port.get(ext_sg.SECURITYGROUPS, []) filters = {'id': port_sg} tenant_id = port.get('tenant_id') if tenant_id: filters['tenant_id'] = [tenant_id] valid_groups = set(g['id'] for g in self.get_security_groups( context, fields=['id'], filters=filters)) requested_groups = set(port_sg) port_sg_missing = requested_groups - valid_groups if port_sg_missing: raise ext_sg.SecurityGroupNotFound(id=', '.join(port_sg_missing)) return requested_groups
def create_security_group_rule(context, security_group_rule): """Creates a rule and updates the ports (async) if enabled.""" LOG.info("create_security_group for tenant %s" % (context.tenant_id)) with context.session.begin(): rule = _validate_security_group_rule( context, security_group_rule["security_group_rule"]) rule["id"] = uuidutils.generate_uuid() group_id = rule["security_group_id"] group = db_api.security_group_find(context, id=group_id, scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=group_id) quota.QUOTAS.limit_check( context, context.tenant_id, security_rules_per_group=len(group.get("rules", [])) + 1) new_rule = db_api.security_group_rule_create(context, **rule) if group: _perform_async_update_rule(context, group_id, group, new_rule.id, RULE_CREATE) return v._make_security_group_rule_dict(new_rule)
def delete_security_group(self, context, id): """Delete chains for Neutron security group.""" LOG.debug(_("MidonetPluginV2.delete_security_group called: id=%s"), id) with context.session.begin(subtransactions=True): sg = super(MidonetPluginV2, self).get_security_group(context, id) if not sg: raise ext_sg.SecurityGroupNotFound(id=id) if sg["name"] == 'default' and not context.is_admin: raise ext_sg.SecurityGroupCannotRemoveDefault() sg_id = sg['id'] filters = {'security_group_id': [sg_id]} if super(MidonetPluginV2, self)._get_port_security_group_bindings( context, filters): raise ext_sg.SecurityGroupInUse(id=sg_id) # Delete MidoNet Chains and portgroup for the SG tenant_id = sg['tenant_id'] self.client.delete_chains_by_names( tenant_id, _sg_chain_names(sg["id"]).values()) self.client.delete_port_group_by_name( tenant_id, _sg_port_group_name(sg["id"])) super(MidonetPluginV2, self).delete_security_group(context, id)
def delete_security_group(self, context, id): """Delete chains for Neutron security group.""" LOG.debug(_("Ml2Plugin.delete_security_group called: id=%s"), id) with context.session.begin(subtransactions=True): sg = super(plugin.Ml2Plugin, self).get_security_group(context, id) if not sg: raise ext_sg.SecurityGroupNotFound(id=id) if sg["name"] == 'default' and not context.is_admin: raise ext_sg.SecurityGroupCannotRemoveDefault() sg_id = sg['id'] filters = {'security_group_id': [sg_id]} if super(plugin.Ml2Plugin, self)._get_port_security_group_bindings(context, filters): raise ext_sg.SecurityGroupInUse(id=sg_id) super(plugin.Ml2Plugin, self).delete_security_group(context, id) mech_context = driver_context.SecurityGroupContext( self, context, sg) self.mechanism_manager.delete_security_group_precommit( mech_context) try: self.mechanism_manager.delete_security_group_postcommit( mech_context) except ml2_exc.MechanismDriverError: with excutils.save_and_reraise_exception(): LOG.error( _("mechanism_manager." "delete_security_group_postcommit " "failed, deleting security group '%s'"), sg)
def delete_security_group(self, context, id): """Delete chains for Neutron security group.""" LOG.debug(_("MidonetPluginV2.delete_security_group called: id=%s"), id) with context.session.begin(subtransactions=True): sg_db_entry = super(MidonetPluginV2, self).get_security_group( context, id) if not sg_db_entry: raise ext_sg.SecurityGroupNotFound(id=id) sg_name = sg_db_entry['name'] sg_id = sg_db_entry['id'] tenant_id = sg_db_entry['tenant_id'] if sg_name == 'default' and not context.is_admin: raise ext_sg.SecurityGroupCannotRemoveDefault() filters = {'security_group_id': [sg_id]} if super(MidonetPluginV2, self)._get_port_security_group_bindings( context, filters): raise ext_sg.SecurityGroupInUse(id=sg_id) # Delete MidoNet Chains and portgroup for the SG self.client.delete_for_sg(tenant_id, sg_id, sg_name) return super(MidonetPluginV2, self).delete_security_group( context, id)
def create_security_group_rule_bulk_native(self, context, security_group_rule): r = security_group_rule['security_group_rules'] scoped_session(context.session) security_group_id = self._validate_security_group_rules( context, security_group_rule) with context.session.begin(subtransactions=True): if not self.get_security_group(context, security_group_id): raise ext_sg.SecurityGroupNotFound(id=security_group_id) self._check_for_duplicate_rules(context, r) ret = [] for rule_dict in r: rule = rule_dict['security_group_rule'] tenant_id = self._get_tenant_id_for_create(context, rule) db = SecurityGroupRule( id=uuidutils.generate_uuid(), tenant_id=tenant_id, security_group_id=rule['security_group_id'], direction=rule['direction'], remote_group_id=rule.get('remote_group_id'), ethertype=rule['ethertype'], protocol=rule['protocol'], port_range_min=rule['port_range_min'], port_range_max=rule['port_range_max'], remote_ip_prefix=rule.get('remote_ip_prefix')) context.session.add(db) ret.append(self._make_security_group_rule_dict(db)) return ret
def _get_security_groups_on_port(self, context, port): """Check that all security groups on port belong to tenant. :returns: all security groups on port belonging to tenant) """ port = port['port'] if not validators.is_attr_set(port.get(ext_sg.SECURITYGROUPS)): return if port.get('device_owner') and net.is_port_trusted(port): return port_sg = port.get(ext_sg.SECURITYGROUPS, []) tenant_id = port.get('tenant_id') sg_objs = sg_obj.SecurityGroup.get_objects(context, id=port_sg) valid_groups = set( g.id for g in sg_objs if (context.is_admin or not tenant_id or g.tenant_id == tenant_id or sg_obj.SecurityGroup.is_shared_with_tenant( context, g.id, tenant_id))) requested_groups = set(port_sg) port_sg_missing = requested_groups - valid_groups if port_sg_missing: raise ext_sg.SecurityGroupNotFound(id=', '.join(port_sg_missing)) return sg_objs
def _get_security_group(self, context, id): try: query = self._model_query(context, SecurityGroup) sg = query.filter(SecurityGroup.id == id).one() except exc.NoResultFound: raise ext_sg.SecurityGroupNotFound(id=id) return sg
def _get_security_group_properties(self, context, security_group_id): with db_api.context_manager.reader.using(context): try: prop = context.session.query( NsxExtendedSecurityGroupProperties).filter_by( security_group_id=security_group_id).one() except exc.NoResultFound: raise ext_sg.SecurityGroupNotFound(id=security_group_id) return prop
def _get_security_group(self, context, id): try: query = model_query.query_with_hooks(context, sg_models.SecurityGroup) sg = query.filter(sg_models.SecurityGroup.id == id).one() except exc.NoResultFound: raise ext_sg.SecurityGroupNotFound(id=id) return sg
def _get_security_group(self, context, group_id): with self.get_connection() as connection: query = connection.securityprofile().query() query.tagscopes(['os_tid', 'neutron_group_id']) query.tags([context.tenant_id, group_id]) query = query.results() if query['result_count'] != 1: raise sg_ext.SecurityGroupNotFound(id=group_id) return query['results'][0]
def _get_security_group_properties(self, context, security_group_id): with context.session.begin(subtransactions=True): try: prop = context.session.query( NsxExtendedSecurityGroupProperties).filter_by( security_group_id=security_group_id).one() except exc.NoResultFound: raise ext_sg.SecurityGroupNotFound(id=security_group_id) return prop
def make_security_group_list(context, group_ids): if not group_ids or not utils.attr_specified(group_ids): return ([], []) group_ids = list(set(group_ids)) groups = [] for gid in group_ids: group = db_api.security_group_find(context, id=gid, scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=gid) groups.append(group) return (group_ids, groups)
def _check_security_group(self, context, id, tenant_id=None): if tenant_id: tmp_context_tenant_id = context.tenant_id context.tenant_id = tenant_id try: if not sg_obj.SecurityGroup.objects_exist(context, id=id): raise ext_sg.SecurityGroupNotFound(id=id) finally: if tenant_id: context.tenant_id = tmp_context_tenant_id
def get_security_group(self, context, _id, fields=None, tenant_id=None): try: return self.core_plugin.get_security_group(context, _id, fields, tenant_id) except q_exceptions.NotFound: t_ctx = t_context.get_context_from_neutron_context(context) t_sg = self.neutron_handle.handle_get(t_ctx, 'security_group', _id) if not t_sg: raise ext_sg.SecurityGroupNotFound(id=_id) self.core_plugin.create_security_group(context, {'security_group': t_sg}) return self.core_plugin.get_security_group(context, _id, fields, tenant_id)
def delete_security_group(context, id): LOG.info("delete_security_group %s for tenant %s" % (id, context.tenant_id)) with context.session.begin(): group = db_api.security_group_find(context, id=id, scope=db_api.ONE) # TODO(anyone): name and ports are lazy-loaded. Could be good op later if not group: raise sg_ext.SecurityGroupNotFound(group_id=id) if id == DEFAULT_SG_UUID or group.name == "default": raise sg_ext.SecurityGroupCannotRemoveDefault() if group.ports: raise sg_ext.SecurityGroupInUse(id=id) db_api.security_group_delete(context, group)
def delete_security_group(self, context, id): LOG.debug("MidonetPluginV2.delete_security_group called: id=%s", id) sg = super(MidonetPluginV2, self).get_security_group(context, id) if not sg: raise ext_sg.SecurityGroupNotFound(id=id) if sg["name"] == 'default' and not context.is_admin: raise ext_sg.SecurityGroupCannotRemoveDefault() with context.session.begin(subtransactions=True): super(MidonetPluginV2, self).delete_security_group(context, id) self.client.delete_security_group_precommit(context, id) self.client.delete_security_group_postcommit(id) LOG.debug("MidonetPluginV2.delete_security_group exiting: id=%r", id)
def create_security_group_rule_bulk_native(self, context, security_group_rules): rules = security_group_rules['security_group_rules'] scoped_session(context.session) security_group_id = self._validate_security_group_rules( context, security_group_rules) with context.session.begin(subtransactions=True): if not self.get_security_group(context, security_group_id): raise ext_sg.SecurityGroupNotFound(id=security_group_id) self._check_for_duplicate_rules(context, rules) ret = [] for rule_dict in rules: res_rule_dict = self._create_security_group_rule( context, rule_dict, validate=False) ret.append(res_rule_dict) return ret
def delete_security_group_rule(context, id): LOG.info("delete_security_group %s for tenant %s" % (id, context.tenant_id)) with context.session.begin(): rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(group_id=id) group = db_api.security_group_find(context, id=rule["group_id"], scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=id) rule["id"] = id db_api.security_group_rule_delete(context, rule)
def _get_security_groups_on_port(self, context, port): """Check that all security groups on port belong to tenant. :returns: all security groups IDs on port belonging to tenant. """ p = port['port'] if not attr.is_attr_set(p.get(ext_sg.SECURITYGROUPS)): return if p.get('device_owner') and p['device_owner'].startswith('network:'): return valid_groups = self.get_security_groups(context, fields=['id']) valid_group_map = dict((g['id'], g['id']) for g in valid_groups) try: return set([valid_group_map[sg_id] for sg_id in p.get(ext_sg.SECURITYGROUPS, [])]) except KeyError as e: raise ext_sg.SecurityGroupNotFound(id=str(e))
def delete_security_group_rule(context, id): LOG.info("delete_security_group %s for tenant %s" % (id, context.tenant_id)) rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(group_id=id) group = db_api.security_group_find(context, id=rule["group_id"], scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=id) net_driver.delete_security_group_rule( context, group.id, v._make_security_group_rule_dict(rule)) rule["id"] = id db_api.security_group_rule_delete(context, rule)
def create_security_group_rule(context, security_group_rule): LOG.info("create_security_group for tenant %s" % (context.tenant_id)) rule = _validate_security_group_rule( context, security_group_rule["security_group_rule"]) rule["id"] = uuidutils.generate_uuid() group_id = rule["security_group_id"] group = db_api.security_group_find(context, id=group_id, scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(group_id=group_id) quota.QUOTAS.limit_check( context, context.tenant_id, security_rules_per_group=len(group.get("rules", [])) + 1) net_driver.create_security_group_rule(context, group_id, rule) return v._make_security_group_rule_dict( db_api.security_group_rule_create(context, **rule))
def delete_security_group(self, context, id): """Delete chains for Neutron security group.""" LOG.info(_LI("MidonetMixin.delete_security_group called: id=%s"), id) sg = super(MidonetMixin, self).get_security_group(context, id) if not sg: raise ext_sg.SecurityGroupNotFound(id=id) if sg["name"] == 'default' and not context.is_admin: raise ext_sg.SecurityGroupCannotRemoveDefault() with context.session.begin(subtransactions=True): super(MidonetMixin, self).delete_security_group(context, id) task.create_task(context, task.DELETE, data_type=task.SECURITY_GROUP, resource_id=id) self.api_cli.delete_security_group(id) LOG.info(_LI("MidonetMixin.delete_security_group exiting: id=%r"), id)
def delete_security_group_rule(context, id): """Deletes a rule and updates the ports (async) if enabled.""" LOG.info("delete_security_group %s for tenant %s" % (id, context.tenant_id)) with context.session.begin(): rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(id=id) group = db_api.security_group_find(context, id=rule["group_id"], scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=id) rule["id"] = id db_api.security_group_rule_delete(context, rule) if group: _perform_async_update_rule(context, group.id, group, id, RULE_DELETE)
def create_security_group_rule_bulk_native(self, context, security_group_rules): rules = security_group_rules['security_group_rules'] scoped_session(context.session) security_group_id = self._validate_security_group_rules( context, security_group_rules) with context.session.begin(subtransactions=True): if not self.get_security_group(context, security_group_id): raise ext_sg.SecurityGroupNotFound(id=security_group_id) self._check_for_duplicate_rules(context, rules) ret = [] for rule_dict in rules: res_rule_dict = self._create_security_group_rule( context, rule_dict, validate=False) ret.append(res_rule_dict) for rdict in ret: registry.notify( resources.SECURITY_GROUP_RULE, events.AFTER_CREATE, self, context=context, security_group_rule=rdict) return ret
def create_security_group_rule_bulk(self, context, security_group_rule): """Create security group rules Create security group rules in Neutron and PLUMgrid Platform :param security_group_rule: list of rules to create """ sg_rules = security_group_rule.get('security_group_rules') with context.session.begin(subtransactions=True): sg_id = super(NeutronPluginPLUMgridV2, self)._validate_security_group_rules( context, security_group_rule) # Check to make sure security group exists security_group = super(NeutronPluginPLUMgridV2, self).get_security_group(context, sg_id) if not security_group: raise sec_grp.SecurityGroupNotFound(id=sg_id) # Check for duplicate rules self._check_for_duplicate_rules(context, sg_rules) sec_db = (super(NeutronPluginPLUMgridV2, self).create_security_group_rule_bulk_native( context, security_group_rule)) try: LOG.debug(_("PLUMgrid Library: create_security_" "group_rule_bulk() called")) self._plumlib.create_security_group_rule_bulk(sec_db) except Exception as err_message: raise plum_excep.PLUMgridException(err_msg=err_message) return sec_db
def _get_security_group(self, context, id, fields=None): sg = sg_obj.SecurityGroup.get_object(context, fields=fields, id=id) if sg is None: raise ext_sg.SecurityGroupNotFound(id=id) return sg