def setUp(self): super(SecurityGroupRBACDbObjectTestCase, self).setUp() for obj in self.db_objs: sg_obj = securitygroup.SecurityGroup(self.context, id=obj['object_id'], project_id=obj['project_id']) sg_obj.create()
def setUp(self): super(SecurityGroupRuleDbObjTestCase, self).setUp() sg_fields = self.get_random_object_fields(securitygroup.SecurityGroup) self.sg_obj = securitygroup.SecurityGroup(self.context, **sg_fields) self.sg_obj.create() self.update_obj_fields({'security_group_id': self.sg_obj['id'], 'remote_group_id': self.sg_obj['id']})
def setUp(self): super(DefaultSecurityGroupDbObjTestCase, self).setUp() sg_db_obj = self.get_random_fields(securitygroup.SecurityGroup) sg_fields = securitygroup.SecurityGroup.modify_fields_from_db( sg_db_obj) self.sg_obj = securitygroup.SecurityGroup(self.context, **sg_fields) self.sg_obj.create() self.update_obj_fields({'security_group_id': self.sg_obj['id']})
def setUp(self): super(DefaultSecurityGroupDbObjTestCase, self).setUp() sg_db_obj = self.get_random_fields(securitygroup.SecurityGroup) sg_fields = securitygroup.SecurityGroup.modify_fields_from_db( sg_db_obj) self.sg_obj = securitygroup.SecurityGroup(self.context, **sg_fields) self.sg_obj.create() for obj in itertools.chain(self.db_objs, self.obj_fields, self.objs): obj['security_group_id'] = self.sg_obj['id']
def setUp(self): super(SecurityGroupRuleDbObjTestCase, self).setUp() sg_db_obj = self.get_random_fields(securitygroup.SecurityGroup) sg_fields = securitygroup.SecurityGroup.modify_fields_from_db( sg_db_obj) self.sg_obj = securitygroup.SecurityGroup( self.context, **test_base.remove_timestamps_from_fields(sg_fields)) self.sg_obj.create() for obj in itertools.chain(self.db_objs, self.obj_fields, self.objs): obj['security_group_id'] = self.sg_obj['id'] obj['remote_group_id'] = self.sg_obj['id']
def _make_security_group_ovo(self, **kwargs): attrs = {'id': uuidutils.generate_uuid(), 'revision_number': 1} sg_rule = securitygroup.SecurityGroupRule( id=uuidutils.generate_uuid(), security_group_id=attrs['id'], direction='ingress', ethertype='IPv4', protocol='tcp', port_range_min=400, remote_group_id=attrs['id'], revision_number=1, ) attrs['rules'] = [sg_rule] attrs.update(**kwargs) sg = securitygroup.SecurityGroup(self.ctx, **attrs) self.rcache.record_resource_update(self.ctx, 'SecurityGroup', sg) return sg
def create_security_group_without_rules(self, context, security_group, default_sg, is_provider): """Create a neutron security group, without any default rules. This method creates a security group that does not by default enable egress traffic which normal neutron security groups do. """ s = security_group['security_group'] kwargs = { 'context': context, 'security_group': s, 'is_default': default_sg, } self._registry_notify(resources.SECURITY_GROUP, events.BEFORE_CREATE, exc_cls=ext_sg.SecurityGroupConflict, **kwargs) tenant_id = s['tenant_id'] if not default_sg: self._ensure_default_security_group(context, tenant_id) with db_api.context_manager.writer.using(context): sg = sg_obj.SecurityGroup(context, id=s.get('id') or uuidutils.generate_uuid(), description=s.get('description', ''), project_id=tenant_id, name=s.get('name', ''), is_default=default_sg) sg.create() secgroup_dict = self._make_security_group_dict(sg) secgroup_dict[sg_policy.POLICY] = s.get(sg_policy.POLICY) secgroup_dict[provider_sg.PROVIDER] = is_provider kwargs['security_group'] = secgroup_dict registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self, **kwargs) return secgroup_dict
def create_security_group(self, context, security_group, default_sg=False): """Create security group. If default_sg is true that means we are a default security group for a given tenant if it does not exist. """ s = security_group['security_group'] kwargs = { 'context': context, 'security_group': s, 'is_default': default_sg, } self._registry_notify(resources.SECURITY_GROUP, events.BEFORE_CREATE, exc_cls=ext_sg.SecurityGroupConflict, payload=events.DBEventPayload( context, metadata={'is_default': default_sg}, request_body=security_group, desired_state=s)) tenant_id = s['tenant_id'] stateful = s.get('stateful', True) if not default_sg: self._ensure_default_security_group(context, tenant_id) else: existing_def_sg_id = self._get_default_sg_id(context, tenant_id) if existing_def_sg_id is not None: # default already exists, return it return self.get_security_group(context, existing_def_sg_id) with db_api.CONTEXT_WRITER.using(context): delta = len(ext_sg.sg_supported_ethertypes) delta = delta * 2 if default_sg else delta reservation = quota.QUOTAS.make_reservation( context, tenant_id, {'security_group_rule': delta}, self) sg = sg_obj.SecurityGroup(context, id=s.get('id') or uuidutils.generate_uuid(), description=s['description'], project_id=tenant_id, name=s['name'], is_default=default_sg, stateful=stateful) sg.create() for ethertype in ext_sg.sg_supported_ethertypes: if default_sg: # Allow intercommunication ingress_rule = sg_obj.SecurityGroupRule( context, id=uuidutils.generate_uuid(), project_id=tenant_id, security_group_id=sg.id, direction='ingress', ethertype=ethertype, remote_group_id=sg.id) ingress_rule.create() sg.rules.append(ingress_rule) egress_rule = sg_obj.SecurityGroupRule( context, id=uuidutils.generate_uuid(), project_id=tenant_id, security_group_id=sg.id, direction='egress', ethertype=ethertype) egress_rule.create() sg.rules.append(egress_rule) sg.obj_reset_changes(['rules']) quota.QUOTAS.commit_reservation(context, reservation.reservation_id) # fetch sg from db to load the sg rules with sg model. sg = sg_obj.SecurityGroup.get_object(context, id=sg.id) secgroup_dict = self._make_security_group_dict(sg) kwargs['security_group'] = secgroup_dict self._registry_notify(resources.SECURITY_GROUP, events.PRECOMMIT_CREATE, exc_cls=ext_sg.SecurityGroupConflict, **kwargs) registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self, **kwargs) return secgroup_dict
def create_security_group(self, context, security_group, default_sg=False): """Create security group. If default_sg is true that means we are a default security group for a given tenant if it does not exist. """ s = security_group['security_group'] kwargs = { 'context': context, 'security_group': s, 'is_default': default_sg, } self._registry_notify(resources.SECURITY_GROUP, events.BEFORE_CREATE, exc_cls=ext_sg.SecurityGroupConflict, **kwargs) tenant_id = s['tenant_id'] if not default_sg: self._ensure_default_security_group(context, tenant_id) else: existing_def_sg_id = self._get_default_sg_id(context, tenant_id) if existing_def_sg_id is not None: # default already exists, return it return self.get_security_group(context, existing_def_sg_id) with db_api.context_manager.writer.using(context): sg = sg_obj.SecurityGroup(context, id=s.get('id') or uuidutils.generate_uuid(), description=s['description'], project_id=tenant_id, name=s['name'], is_default=default_sg) sg.create() for ethertype in ext_sg.sg_supported_ethertypes: if default_sg: # Allow intercommunication ingress_rule = sg_obj.SecurityGroupRule( context, id=uuidutils.generate_uuid(), project_id=tenant_id, security_group_id=sg.id, direction='ingress', ethertype=ethertype, remote_group_id=sg.id) ingress_rule.create() sg.rules.append(ingress_rule) egress_rule = sg_obj.SecurityGroupRule( context, id=uuidutils.generate_uuid(), project_id=tenant_id, security_group_id=sg.id, direction='egress', ethertype=ethertype) egress_rule.create() sg.rules.append(egress_rule) sg.obj_reset_changes(['rules']) # fetch sg from db to load the sg rules with sg model. sg = sg_obj.SecurityGroup.get_object(context, id=sg.id) secgroup_dict = self._make_security_group_dict(sg) kwargs['security_group'] = secgroup_dict self._registry_notify(resources.SECURITY_GROUP, events.PRECOMMIT_CREATE, exc_cls=ext_sg.SecurityGroupConflict, **kwargs) registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self, **kwargs) return secgroup_dict
def create_security_group(self, context, security_group, default_sg=False): """Create security group. If default_sg is true that means we are a default security group for a given tenant if it does not exist. """ s = security_group['security_group'] self._registry_publish(resources.SECURITY_GROUP, events.BEFORE_CREATE, exc_cls=ext_sg.SecurityGroupConflict, payload=events.DBEventPayload( context, metadata={'is_default': default_sg}, request_body=security_group, desired_state=s)) tenant_id = s['tenant_id'] stateful = s.get('stateful', True) if not default_sg: self._ensure_default_security_group(context, tenant_id) else: existing_def_sg_id = self._get_default_sg_id(context, tenant_id) if existing_def_sg_id is not None: # default already exists, return it return self.get_security_group(context, existing_def_sg_id) with db_api.CONTEXT_WRITER.using(context): delta = len(ext_sg.sg_supported_ethertypes) delta = delta * 2 if default_sg else delta quota.QUOTAS.quota_limit_check(context, tenant_id, security_group_rule=delta) sg = sg_obj.SecurityGroup( context, id=s.get('id') or uuidutils.generate_uuid(), description=s['description'], project_id=tenant_id, name=s['name'], is_default=default_sg, stateful=stateful) sg.create() for ethertype in ext_sg.sg_supported_ethertypes: if default_sg: # Allow intercommunication ingress_rule = sg_obj.SecurityGroupRule( context, id=uuidutils.generate_uuid(), project_id=tenant_id, security_group_id=sg.id, direction='ingress', ethertype=ethertype, remote_group_id=sg.id) ingress_rule.create() sg.rules.append(ingress_rule) egress_rule = sg_obj.SecurityGroupRule( context, id=uuidutils.generate_uuid(), project_id=tenant_id, security_group_id=sg.id, direction='egress', ethertype=ethertype) egress_rule.create() sg.rules.append(egress_rule) sg.obj_reset_changes(['rules']) # fetch sg from db to load the sg rules with sg model. # NOTE(slaweq): With new system/project scopes it may happen that # project admin will try to list security groups for different # project and during that call Neutron will ensure that default # security group is created. In such case elevated context needs to # be used here otherwise, SG will not be found and error 500 will # be returned through the API get_context = context.elevated() if default_sg else context sg = sg_obj.SecurityGroup.get_object(get_context, id=sg.id) secgroup_dict = self._make_security_group_dict(sg) self._registry_publish(resources.SECURITY_GROUP, events.PRECOMMIT_CREATE, exc_cls=ext_sg.SecurityGroupConflict, payload=events.DBEventPayload( context, resource_id=sg.id, metadata={'is_default': default_sg}, states=(secgroup_dict,))) registry.publish(resources.SECURITY_GROUP, events.AFTER_CREATE, self, payload=events.DBEventPayload( context, resource_id=secgroup_dict['id'], metadata={'is_default': default_sg}, states=(secgroup_dict,))) return secgroup_dict
def _create_test_security_group(self): sg_fields = self.get_random_object_fields(securitygroup.SecurityGroup) sg_obj = securitygroup.SecurityGroup(self.context, **sg_fields) return sg_obj