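def add_policy_group_bind(client_session, security_policy_id,
                          security_group_id):
    """Bind a security group to an existing security policy.

    Reads the policy identified by ``security_policy_id``, appends a
    ``securityGroupBinding`` entry for ``security_group_id`` and writes
    the whole policy body back.

    Returns:
        The value produced by ``policy_group_to_resource_id`` for this
        group/policy pair.

    Raises:
        cfy_exc.NonRecoverableError: the group is already bound to the
            policy.
    """
    resource_id = policy_group_to_resource_id(security_group_id,
                                              security_policy_id)

    # The binding is stored as a string, so the duplicate check has to
    # compare the same normalised form; comparing the raw argument let a
    # non-string id slip past the check and be bound a second time.
    group_id = str(security_group_id)

    security_policy = common.nsx_read(
        client_session, 'body', 'securityPolicyID',
        uri_parameters={'ID': security_policy_id})

    # presumably this is the list held inside ``security_policy``, so the
    # append below is part of the body sent back -- confirm against
    # common.nsx_struct_get_list
    bindings = common.nsx_struct_get_list(
        security_policy, 'securityPolicy/securityGroupBinding')

    if any(bind.get('objectId') == group_id for bind in bindings):
        raise cfy_exc.NonRecoverableError(
            "Group %s already exists in %s policy" % (
                security_group_id,
                security_policy['securityPolicy'].get('name', '*unknown*')))

    bindings.append({'objectId': group_id})

    # NOTE(review): the full policy is read, edited and written back;
    # nothing in this function guards against another writer changing
    # the policy between the read and the update -- confirm whether the
    # API rejects stale bodies.
    raw_result = client_session.update(
        'securityPolicyID',
        uri_parameters={'ID': security_policy_id},
        request_body_dict=security_policy)
    common.check_raw_result(raw_result)

    return resource_id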
def add_policy_section(client_session, security_policy_id, category, action):
    """Set the action for one category of a security policy.

    Reads the policy identified by ``security_policy_id``. The first
    ``actionsByCategory`` entry whose ``category`` matches gets its
    ``action`` replaced; when no entry matches, a new one is appended.
    The whole policy body is then written back.

    Returns:
        The resource id string ``"<category>|<security_policy_id>"``.
    """
    policy = common.nsx_read(
        client_session, 'body', 'securityPolicyID',
        uri_parameters={'ID': security_policy_id})

    # presumably this is the list held inside ``policy``, so the edits
    # below are part of the body sent back -- confirm against
    # common.nsx_struct_get_list
    sections = common.nsx_struct_get_list(
        policy, 'securityPolicy/actionsByCategory')

    current = next(
        (entry for entry in sections if entry.get('category') == category),
        None)
    if current is None:
        sections.append({'category': category, 'action': action})
    else:
        # An existing section is overwritten rather than rejected, so a
        # second call for the same category replaces the earlier action.
        current['action'] = action

    response = client_session.update(
        'securityPolicyID',
        uri_parameters={'ID': security_policy_id},
        request_body_dict=policy)
    common.check_raw_result(response)

    return "%s|%s" % (category, security_policy_id)
def del_policy_section(client_session, resource_id):
    """Remove one category section from a security policy.

    ``resource_id`` must have the form ``"<category>|<policy id>"``; a
    value that does not split into exactly two parts on ``"|"`` is
    rejected. When the policy has no section for the category, nothing
    is written.

    Raises:
        cfy_exc.NonRecoverableError: ``resource_id`` could not be split
            into a category and a policy id.
    """
    try:
        parts = resource_id.split("|")
        category, security_policy_id = parts
    except Exception as ex:
        raise cfy_exc.NonRecoverableError(
            'Unexpected error retrieving resource ID: %s' % str(ex))

    # NOTE(review): the two parts are not checked for being empty before
    # the policy id is used as a URI parameter -- confirm callers never
    # pass an id such as "|".
    policy = common.nsx_read(
        client_session, 'body', 'securityPolicyID',
        uri_parameters={'ID': security_policy_id})

    # presumably this is the list held inside ``policy``, so the removal
    # below is part of the body sent back -- confirm against
    # common.nsx_struct_get_list
    sections = common.nsx_struct_get_list(
        policy, 'securityPolicy/actionsByCategory')

    target = next(
        (entry for entry in sections if entry.get('category') == category),
        None)
    if target is None:
        # Nothing to delete: skip the write entirely.
        return
    sections.remove(target)

    response = client_session.update(
        'securityPolicyID',
        uri_parameters={'ID': security_policy_id},
        request_body_dict=policy)
    common.check_raw_result(response)
def del_policy_group_bind(client_session, resource_id):
    """Remove a security group binding from a security policy.

    ``resource_id`` must have the form ``"<group id>|<policy id>"``; a
    value that does not split into exactly two parts on ``"|"`` is
    rejected. When the group is not bound to the policy, nothing is
    written.

    Raises:
        cfy_exc.NonRecoverableError: ``resource_id`` could not be split
            into a group id and a policy id.
    """
    try:
        parts = resource_id.split("|")
        security_group_id, security_policy_id = parts
    except Exception as ex:
        raise cfy_exc.NonRecoverableError(
            'Unexpected error retrieving resource ID: %s' % str(ex))

    policy = common.nsx_read(
        client_session, 'body', 'securityPolicyID',
        uri_parameters={'ID': security_policy_id})

    # presumably this is the list held inside ``policy``, so the removal
    # below is part of the body sent back -- confirm against
    # common.nsx_struct_get_list
    bound_groups = common.nsx_struct_get_list(
        policy, 'securityPolicy/securityGroupBinding')

    target = next(
        (entry for entry in bound_groups
         if entry.get('objectId') == security_group_id),
        None)
    if target is None:
        # The group is not bound: skip the write entirely.
        return
    bound_groups.remove(target)

    # NOTE(review): the full policy is read, edited and written back;
    # nothing in this function guards against another writer changing
    # the policy between the read and the update -- confirm whether the
    # API rejects stale bodies.
    response = client_session.update(
        'securityPolicyID',
        uri_parameters={'ID': security_policy_id},
        request_body_dict=policy)
    common.check_raw_result(response)
def add_group_exclude_member(client_session, security_group_id, member_id):
    """Add an object to the exclude list of a security group.

    Reads the group identified by ``security_group_id``, appends an
    ``excludeMember`` entry for ``member_id`` and writes the whole group
    body back.

    Returns:
        The resource id string ``"<security_group_id>|<member_id>"``.

    Raises:
        cfy_exc.NonRecoverableError: the member is already in the
            group's exclude list.
    """
    group = common.nsx_read(
        client_session, 'body', 'secGroupObject',
        uri_parameters={'objectId': security_group_id})

    # presumably this is the list held inside ``group``, so the append
    # below is part of the body sent back -- confirm against
    # common.nsx_struct_get_list
    excluded = common.nsx_struct_get_list(group,
                                          'securitygroup/excludeMember')

    already_excluded = any(
        entry.get("objectId") == member_id for entry in excluded)
    if already_excluded:
        raise cfy_exc.NonRecoverableError(
            "Member %s already exists in %s group" % (
                member_id,
                group['securitygroup'].get('name', '*unknown*')))

    excluded.append({"objectId": member_id})

    response = client_session.update(
        'secGroupObject',
        uri_parameters={'objectId': security_group_id},
        request_body_dict=group)
    common.check_raw_result(response)

    return "%s|%s" % (security_group_id, member_id)
def del_group_exclude_member(client_session, resource_id):
    """Remove an object from the exclude list of a security group.

    ``resource_id`` must have the form ``"<group id>|<member id>"``; a
    value that does not split into exactly two parts on ``"|"`` is
    rejected. When the member is not in the exclude list, nothing is
    written.

    Raises:
        cfy_exc.NonRecoverableError: ``resource_id`` could not be split
            into a group id and a member id.
    """
    try:
        parts = resource_id.split("|")
        security_group_id, member_id = parts
    except Exception as ex:
        raise cfy_exc.NonRecoverableError(
            'Unexpected error retrieving resource ID: %s' % str(ex))

    group = common.nsx_read(
        client_session, 'body', 'secGroupObject',
        uri_parameters={'objectId': security_group_id})

    # presumably this is the list held inside ``group``, so the removal
    # below is part of the body sent back -- confirm against
    # common.nsx_struct_get_list
    excluded = common.nsx_struct_get_list(group,
                                          'securitygroup/excludeMember')

    target = next(
        (entry for entry in excluded
         if entry.get("objectId") == member_id),
        None)
    if target is None:
        # The member is not excluded: skip the write entirely.
        return
    excluded.remove(target)

    response = client_session.update(
        'secGroupObject',
        uri_parameters={'objectId': security_group_id},
        request_body_dict=group)
    common.check_raw_result(response)
def delete_tag_vm(client_session, resource_id):
    """Detach a security tag from a VM, if it is currently attached.

    ``resource_id`` must have the form ``"<tag id>|<vm id>"``. The list
    of VMs carrying the tag is read first, and the delete call is issued
    only when the VM appears in that list.

    Raises:
        cfy_exc.NonRecoverableError: ``resource_id`` does not split into
            exactly two parts on ``"|"``.
    """
    ids = resource_id.split("|")
    if len(ids) != 2:
        raise cfy_exc.NonRecoverableError(
            'Unexpected error retrieving resource ID')
    tag_id, vm_id = ids

    # Look up which VMs currently carry the tag.
    tagged_raw = common.nsx_read(client_session, 'body',
                                 'securityTagVMsList',
                                 uri_parameters={'tagId': tag_id})
    if not tagged_raw:
        return

    tagged_vms = common.nsx_struct_get_list(tagged_raw,
                                            'basicinfolist/basicinfo')

    # Issue the delete only when the VM is really attached to the tag.
    if any(vm.get('objectId') == vm_id for vm in tagged_vms):
        response = client_session.delete(
            'securityTagVM',
            uri_parameters={'tagId': tag_id, 'vmMoid': vm_id})
        common.check_raw_result(response)
def del_dynamic_member(client_session, security_group_id):
    """Clear the dynamic member definition of a security group.

    Reads the group identified by ``security_group_id``, replaces its
    ``dynamicMemberDefinition`` with an empty mapping and writes the
    group body back.
    """
    group = common.nsx_read(
        client_session, 'body', 'secGroupObject',
        uri_parameters={'objectId': security_group_id})

    group['securitygroup']['dynamicMemberDefinition'] = {}

    # Intentional, not a mistake: dynamic members are updated through
    # the bulk resource, with the group's own id passed as the scope.
    scope = {'scopeId': security_group_id}
    response = client_session.update(
        'secGroupBulk',
        uri_parameters=scope,
        request_body_dict=group)
    common.check_raw_result(response)
def set_dynamic_member(client_session, security_group_id, dynamic_set):
    """Replace the dynamic member definition of a security group.

    Reads the group identified by ``security_group_id``, sets its
    ``dynamicMemberDefinition`` to ``{'dynamicSet': dynamic_set}`` and
    writes the group body back.

    Returns:
        ``security_group_id``, unchanged.
    """
    group = common.nsx_read(
        client_session, 'body', 'secGroupObject',
        uri_parameters={'objectId': security_group_id})

    # The previous definition is discarded, not merged: after this call
    # only ``dynamic_set`` defines the group's dynamic membership.
    definition = {'dynamicSet': dynamic_set}
    group['securitygroup']['dynamicMemberDefinition'] = definition

    # Intentional, not a mistake: dynamic members are updated through
    # the bulk resource, with the group's own id passed as the scope.
    scope = {'scopeId': security_group_id}
    response = client_session.update(
        'secGroupBulk',
        uri_parameters=scope,
        request_body_dict=group)
    common.check_raw_result(response)

    return security_group_id