Exemplo n.º 1
0
def get_security_group_rule(context, id, fields=None):
    LOG.info("get_security_group_rule %s for tenant %s" %
             (id, context.tenant_id))
    rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE)
    if not rule:
        raise sg_ext.SecurityGroupRuleNotFound(rule_id=id)
    return v._make_security_group_rule_dict(rule, fields)
Exemplo n.º 2
0
def get_security_group_rules(context, filters=None, fields=None,
                             sorts=None, limit=None, marker=None,
                             page_reverse=False):
    LOG.info("get_security_group_rules for tenant %s" %
             (context.tenant_id))
    rules = db_api.security_group_rule_find(context, **filters)
    return [v._make_security_group_rule_dict(rule) for rule in rules]
Exemplo n.º 3
0
def update_security_group_rule(context, id, security_group_rule):
    '''Updates a rule and updates the ports'''
    LOG.info("update_security_group_rule for tenant %s" % (context.tenant_id))
    new_rule = security_group_rule["security_group_rule"]
    # Only allow updatable fields
    new_rule = _filter_update_security_group_rule(new_rule)

    with context.session.begin():
        rule = db_api.security_group_rule_find(context,
                                               id=id,
                                               scope=db_api.ONE)
        if not rule:
            raise sg_ext.SecurityGroupRuleNotFound(id=id)

        db_rule = db_api.security_group_rule_update(context, rule, **new_rule)

        group_id = db_rule.group_id
        group = db_api.security_group_find(context,
                                           id=group_id,
                                           scope=db_api.ONE)
        if not group:
            raise sg_ext.SecurityGroupNotFound(id=group_id)

    if group:
        _perform_async_update_rule(context, group_id, group, rule.id,
                                   RULE_UPDATE)

    return v._make_security_group_rule_dict(db_rule)
Exemplo n.º 4
0
def get_security_group_rule(context, id, fields=None):
    LOG.info("get_security_group_rule %s for tenant %s" %
             (id, context.tenant_id))
    rule = db_api.security_group_rule_find(context, id=id,
                                           scope=db_api.ONE)
    if not rule:
        raise sg_ext.SecurityGroupRuleNotFound(id=id)
    return v._make_security_group_rule_dict(rule, fields)
Exemplo n.º 5
0
def get_security_group_rules(context,
                             filters=None,
                             fields=None,
                             sorts=None,
                             limit=None,
                             marker=None,
                             page_reverse=False):
    LOG.info("get_security_group_rules for tenant %s" % (context.tenant_id))
    rules = db_api.security_group_rule_find(context, **filters)
    return [v._make_security_group_rule_dict(rule) for rule in rules]
Exemplo n.º 6
0
def delete_security_group_rule(context, id):
    LOG.info("delete_security_group %s for tenant %s" % (id, context.tenant_id))
    with context.session.begin():
        rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE)
        if not rule:
            raise sg_ext.SecurityGroupRuleNotFound(id=id)

        group = db_api.security_group_find(context, id=rule["group_id"], scope=db_api.ONE)
        if not group:
            raise sg_ext.SecurityGroupNotFound(id=id)

        rule["id"] = id
        db_api.security_group_rule_delete(context, rule)
Exemplo n.º 7
0
def delete_security_group_rule(context, id):
    LOG.info("delete_security_group %s for tenant %s" %
             (id, context.tenant_id))
    with context.session.begin():
        rule = db_api.security_group_rule_find(context,
                                               id=id,
                                               scope=db_api.ONE)
        if not rule:
            raise sg_ext.SecurityGroupRuleNotFound(group_id=id)

        group = db_api.security_group_find(context,
                                           id=rule["group_id"],
                                           scope=db_api.ONE)
        if not group:
            raise sg_ext.SecurityGroupNotFound(id=id)

        rule["id"] = id
        db_api.security_group_rule_delete(context, rule)
Exemplo n.º 8
0
def delete_security_group_rule(context, id):
    LOG.info("delete_security_group %s for tenant %s" %
            (id, context.tenant_id))
    rule = db_api.security_group_rule_find(context, id=id,
                                           scope=db_api.ONE)
    if not rule:
        raise sg_ext.SecurityGroupRuleNotFound(group_id=id)

    group = db_api.security_group_find(context, id=rule["group_id"],
                                       scope=db_api.ONE)
    if not group:
        raise sg_ext.SecurityGroupNotFound(id=id)

    net_driver.delete_security_group_rule(
        context, group.id, v._make_security_group_rule_dict(rule))

    rule["id"] = id
    db_api.security_group_rule_delete(context, rule)
Exemplo n.º 9
0
def delete_security_group_rule(context, id):
    LOG.info("delete_security_group %s for tenant %s" %
             (id, context.tenant_id))
    rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE)
    if not rule:
        raise sg_ext.SecurityGroupRuleNotFound(group_id=id)

    group = db_api.security_group_find(context,
                                       id=rule["group_id"],
                                       scope=db_api.ONE)
    if not group:
        raise sg_ext.SecurityGroupNotFound(id=id)

    net_driver.delete_security_group_rule(
        context, group.id, v._make_security_group_rule_dict(rule))

    rule["id"] = id
    db_api.security_group_rule_delete(context, rule)
Exemplo n.º 10
0
def delete_security_group_rule(context, id):
    """Deletes a rule and updates the ports (async) if enabled."""
    LOG.info("delete_security_group %s for tenant %s" %
             (id, context.tenant_id))
    with context.session.begin():
        rule = db_api.security_group_rule_find(context, id=id,
                                               scope=db_api.ONE)
        if not rule:
            raise sg_ext.SecurityGroupRuleNotFound(id=id)

        group = db_api.security_group_find(context, id=rule["group_id"],
                                           scope=db_api.ONE)
        if not group:
            raise sg_ext.SecurityGroupNotFound(id=id)

        rule["id"] = id
        db_api.security_group_rule_delete(context, rule)
    if group:
        _perform_async_update_rule(context, group.id, group, id, RULE_DELETE)
Exemplo n.º 11
0
def delete_security_group_rule(context, id):
    """Deletes a rule and updates the ports (async) if enabled."""
    LOG.info("delete_security_group %s for tenant %s" %
             (id, context.tenant_id))
    with context.session.begin():
        rule = db_api.security_group_rule_find(context,
                                               id=id,
                                               scope=db_api.ONE)
        if not rule:
            raise sg_ext.SecurityGroupRuleNotFound(id=id)

        group = db_api.security_group_find(context,
                                           id=rule["group_id"],
                                           scope=db_api.ONE)
        if not group:
            raise sg_ext.SecurityGroupNotFound(id=id)

        rule["id"] = id
        db_api.security_group_rule_delete(context, rule)
    if group:
        _perform_async_update_rule(context, group.id, group, id, RULE_DELETE)
Exemplo n.º 12
0
    def write_groups(self, dryrun=False):
        client = self._get_connection(use_master=not dryrun)
        ctx = neutron.context.get_admin_context()
        ports_with_groups = db_api.ports_with_security_groups_find(ctx).all()
        if dryrun:
            print()
            print("Writing groups in dry run mode. Existing rules in Redis "
                  "will be checked against those in the database, with a "
                  "running report generated of all those that will be "
                  "overwritten.\n\nTo actually apply the groups, re-run "
                  "with the --yarly flag.")
            print()
            print("Found %s ports with security groups" %
                  len(ports_with_groups))

        if dryrun:
            vifs = len(client.vif_keys())
            if vifs > 0:
                print("There are %d VIFs with rules in Redis, some of which "
                      "may be overwritten!" % vifs)
                print()

        overwrite_count = 0
        for port in ports_with_groups:
            mac = netaddr.EUI(port["mac_address"])

            # Rather than loading everything in one giant chunk, we'll make
            # trips per port.
            group_ids = [g["id"] for g in port.security_groups]
            rules = db_api.security_group_rule_find(ctx, group_id=group_ids,
                                                    scope=db_api.ALL)

            if dryrun:
                existing_rules = client.get_rules_for_port(port["device_id"],
                                                           port["mac_address"])
                if existing_rules:
                    overwrite_count += 1
                    db_len = len(rules)
                    existing_len = len(existing_rules["rules"])
                    print("== Port ID:%s - MAC:%s - Device ID:%s - "
                          "Redis Rules:%d - DB Rules:%d" %
                          (port["id"], mac, port["device_id"], existing_len,
                           db_len))

            if not dryrun:
                for retry in xrange(self._retries):
                    try:
                        payload = client.serialize_rules(rules)
                        client.apply_rules(
                            port["device_id"], port["mac_address"], payload)
                        break
                    except q_exc.RedisConnectionFailure:
                        time.sleep(self._retry_delay)
                        client = self._get_connection(use_master=True,
                                                      giveup=False)

        if dryrun:
            print()
            print("Total number of VIFs to overwrite/were overwritten: %s" %
                  overwrite_count)
            diff = vifs - overwrite_count
            if diff > 0:
                print("Orphaned VIFs in Redis:", diff)
                print("Run purge-orphans to clean then up")

        if dryrun:
            print("Total number of VIFs to write: %d" %
                  len(ports_with_groups))

        if dryrun:
            print('=' * 80)
            print("Re-run with --yarly to apply changes")
        print("Done!")
Exemplo n.º 13
0
    def write_groups(self, dryrun=False):
        client = self._get_connection(use_master=not dryrun)
        ctx = neutron.context.get_admin_context()
        ports_with_groups = db_api.ports_with_security_groups_find(ctx).all()
        if dryrun:
            print()
            print("Writing groups in dry run mode. Existing rules in Redis "
                  "will be checked against those in the database, with a "
                  "running report generated of all those that will be "
                  "overwritten.\n\nTo actually apply the groups, re-run "
                  "with the --yarly flag.")
            print()
            print("Found %s ports with security groups" %
                  len(ports_with_groups))

        if dryrun:
            vifs = len(client.vif_keys())
            if vifs > 0:
                print("There are %d VIFs with rules in Redis, some of which "
                      "may be overwritten!" % vifs)
                print()

        overwrite_count = 0
        for port in ports_with_groups:
            mac = netaddr.EUI(port["mac_address"])

            # Rather than loading everything in one giant chunk, we'll make
            # trips per port.
            group_ids = [g["id"] for g in port.security_groups]
            rules = db_api.security_group_rule_find(ctx,
                                                    group_id=group_ids,
                                                    scope=db_api.ALL)

            if dryrun:
                existing_rules = client.get_rules_for_port(
                    port["device_id"], port["mac_address"])
                if existing_rules:
                    overwrite_count += 1
                    db_len = len(rules)
                    existing_len = len(existing_rules["rules"])
                    print("== Port ID:%s - MAC:%s - Device ID:%s - "
                          "Redis Rules:%d - DB Rules:%d" %
                          (port["id"], mac, port["device_id"], existing_len,
                           db_len))

            if not dryrun:
                for retry in xrange(self._retries):
                    try:
                        payload = client.serialize_rules(rules)
                        client.apply_rules(port["device_id"],
                                           port["mac_address"], payload)
                        break
                    except q_exc.RedisConnectionFailure:
                        time.sleep(self._retry_delay)
                        client = self._get_connection(use_master=True,
                                                      giveup=False)

        if dryrun:
            print()
            print("Total number of VIFs to overwrite/were overwritten: %s" %
                  overwrite_count)
            diff = vifs - overwrite_count
            if diff > 0:
                print("Orphaned VIFs in Redis:", diff)
                print("Run purge-orphans to clean then up")

        if dryrun:
            print("Total number of VIFs to write: %d" % len(ports_with_groups))

        if dryrun:
            print('=' * 80)
            print("Re-run with --yarly to apply changes")
        print("Done!")