def _process_sg_notification(self, resource, event, trigger, **kwargs):
    """Refresh OVN ACLs in response to a security-group callback.

    Works out which security group (and, for rule events, which rule)
    the notification refers to and delegates to
    ``ovn_acl.update_acls_for_security_group``. A SECURITY_GROUP
    resource carries ``security_group_id`` in ``kwargs``; a
    SECURITY_GROUP_RULE resource carries the rule body on AFTER_CREATE
    and only ``security_group_rule_id`` on BEFORE_DELETE, in which case
    the rule is read back from the plugin before it is gone.

    Deletions are passed through with ``is_add_acl=False`` so the
    matching ACL is removed rather than added.

    :param resource: callback resource type (resources.SECURITY_GROUP or
                     resources.SECURITY_GROUP_RULE)
    :param event: callback event (events.AFTER_CREATE / BEFORE_DELETE)
    :param trigger: callback trigger, unused here
    :param kwargs: callback payload, see above
    """
    admin_context = n_context.get_admin_context()
    sg_id = None
    sg_rule = None
    adding_acl = True

    if resource == resources.SECURITY_GROUP:
        sg_id = kwargs.get('security_group_id')
    elif resource == resources.SECURITY_GROUP_RULE:
        if event == events.AFTER_CREATE:
            sg_rule = kwargs.get('security_group_rule')
            sg_id = sg_rule['security_group_id']
        elif event == events.BEFORE_DELETE:
            # The rule is about to disappear from Neutron; fetch it now so
            # the matching ACL can still be located in OVN.
            rule_id = kwargs.get('security_group_rule_id')
            sg_rule = self._plugin.get_security_group_rule(admin_context,
                                                           rule_id)
            sg_id = sg_rule['security_group_id']
            adding_acl = False

    # TODO(russellb) Neutron and OVN can drift apart here: if the ACL
    # update fails, nothing retries it, so OVN keeps its previous ACLs
    # (including one for a rule Neutron has already deleted) until some
    # later change triggers another refresh.
    ovn_acl.update_acls_for_security_group(self._plugin,
                                           admin_context,
                                           self._nb_ovn,
                                           sg_id,
                                           rule=sg_rule,
                                           is_add_acl=adding_acl)
def test_update_acls_for_security_group(self):
    """ACLs for a rule are pushed to OVN for every port in the group.

    Sets up one security group with a single port bound to it, a remote
    group referenced by the rule, and a pre-populated ``sg_ports_cache``.
    The expected ACL is derived from ``ovn_acl._add_sg_rule_acl_for_port``
    with the ``lport``/``lswitch`` keys dropped, and ``update_acls`` must
    be invoked exactly once with that ACL keyed by port id.
    """
    group = fakes.FakeSecurityGroup.create_one_security_group().info()
    peer_group = fakes.FakeSecurityGroup.create_one_security_group().info()
    rule = fakes.FakeSecurityGroupRule.create_one_security_group_rule({
        'security_group_id': group['id'],
        'remote_group_id': peer_group['id']
    }).info()
    bound_port = fakes.FakePort.create_one_port({
        'security_groups': [group['id']]
    }).info()
    self.plugin.get_ports.return_value = [bound_port]

    ports_by_group = {
        group['id']: [{'port_id': bound_port['id']}],
        peer_group['id']: [],
    }

    # Reference ACL, minus the two keys update_acls does not carry.
    expected = ovn_acl._add_sg_rule_acl_for_port(bound_port, rule)
    for dropped_key in ('lport', 'lswitch'):
        expected.pop(dropped_key)

    ovn_acl.update_acls_for_security_group(self.plugin,
                                           self.admin_context,
                                           self.driver._nb_ovn,
                                           group['id'],
                                           rule,
                                           sg_ports_cache=ports_by_group)

    self.driver._nb_ovn.update_acls.assert_called_once_with(
        [bound_port['network_id']],
        mock.ANY,
        {bound_port['id']: expected},
        need_compare=False,
        is_add_acl=True,
    )
def test_update_acls_for_security_group(self):
    """No ACLs are produced when the remote group has no ports.

    The rule references ``remote_sg``, whose entry in ``sg_ports_cache``
    is empty, so ``update_acls`` must still be called once for the
    port's network but with an empty ACL mapping.
    """
    group = fakes.FakeSecurityGroup.create_one_security_group().info()
    peer_group = fakes.FakeSecurityGroup.create_one_security_group().info()
    rule = fakes.FakeSecurityGroupRule.create_one_security_group_rule({
        'security_group_id': group['id'],
        'remote_group_id': peer_group['id']
    }).info()
    bound_port = fakes.FakePort.create_one_port({
        'security_groups': [group['id']]
    }).info()
    self.plugin.get_ports.return_value = [bound_port]

    # The remote group deliberately has no member ports.
    ports_by_group = {group['id']: [{'port_id': bound_port['id']}],
                      peer_group['id']: []}

    ovn_acl.update_acls_for_security_group(self.plugin,
                                           self.admin_context,
                                           self.driver._nb_ovn,
                                           group['id'],
                                           sg_ports_cache=ports_by_group,
                                           rule=rule)

    self.driver._nb_ovn.update_acls.assert_called_once_with(
        [bound_port['network_id']], mock.ANY, {},
        need_compare=False, is_add_acl=True)
def test_update_acls_for_security_group(self):
    """update_acls receives an empty ACL set for a port-less remote group.

    Builds a group with one port, a rule pointing at a remote group, and a
    cache in which the remote group maps to no ports; asserts a single
    ``update_acls`` call carrying ``{}``.
    """
    group = fakes.FakeSecurityGroup.create_one_security_group().info()
    peer_group = fakes.FakeSecurityGroup.create_one_security_group().info()
    rule_attrs = {
        'security_group_id': group['id'],
        'remote_group_id': peer_group['id']
    }
    rule = fakes.FakeSecurityGroupRule.create_one_security_group_rule(
        rule_attrs).info()
    bound_port = fakes.FakePort.create_one_port(
        {'security_groups': [group['id']]}).info()
    self.plugin.get_ports.return_value = [bound_port]

    ports_by_group = {}
    ports_by_group[group['id']] = [{'port_id': bound_port['id']}]
    ports_by_group[peer_group['id']] = []   # remote group is empty

    ovn_acl.update_acls_for_security_group(self.plugin,
                                           self.admin_context,
                                           self.driver._nb_ovn,
                                           group['id'],
                                           sg_ports_cache=ports_by_group,
                                           rule=rule)

    self.driver._nb_ovn.update_acls.assert_called_once_with(
        [bound_port['network_id']],
        mock.ANY,
        {},
        need_compare=False,
        is_add_acl=True,
    )
def _process_sg_rule_notification(self, resource, event, trigger, **kwargs):
    """Refresh OVN ACLs for a security-group-rule callback.

    On AFTER_CREATE the rule body arrives in ``kwargs`` as
    ``security_group_rule``; on BEFORE_DELETE only
    ``security_group_rule_id`` is present, so the rule is looked up via
    the plugin before it is removed and the update is flagged as a
    removal (``is_add_acl=False``). Any other event leaves ``sg_id`` and
    ``sg_rule`` as None.

    :param resource: callback resource, unused here
    :param event: events.AFTER_CREATE or events.BEFORE_DELETE
    :param trigger: callback trigger, unused here
    :param kwargs: callback payload, see above
    """
    admin_context = n_context.get_admin_context()
    sg_id = None
    sg_rule = None
    adding_acl = True

    if event == events.AFTER_CREATE:
        sg_rule = kwargs.get('security_group_rule')
        sg_id = sg_rule['security_group_id']
    elif event == events.BEFORE_DELETE:
        # Read the rule back while Neutron still has it, so the ACL it
        # produced can be identified and removed from OVN.
        rule_id = kwargs.get('security_group_rule_id')
        sg_rule = self._plugin.get_security_group_rule(admin_context,
                                                       rule_id)
        sg_id = sg_rule['security_group_id']
        adding_acl = False

    # TODO(russellb) Neutron and OVN can drift apart here: a failed ACL
    # update is not retried, so OVN keeps its previous ACLs (including one
    # for a rule Neutron has already deleted) until a later change triggers
    # another refresh.
    ovn_acl.update_acls_for_security_group(self._plugin,
                                           admin_context,
                                           self._nb_ovn,
                                           sg_id,
                                           sg_rule,
                                           is_add_acl=adding_acl)
def _test_update_acls_for_security_group(self, use_cache=True):
    """Shared body for the ACL-update tests, with or without a port cache.

    With ``use_cache`` the group->ports mapping is handed in via
    ``sg_ports_cache``; without it the cache is None and the plugin's
    ``_get_port_security_group_bindings`` mock supplies the binding
    instead. In both cases ``update_acls`` must be called once with the
    ACL built by ``ovn_acl._add_sg_rule_acl_for_port`` (minus
    ``lport``/``lswitch``) keyed by the port id.

    :param use_cache: whether to pre-populate ``sg_ports_cache``
    """
    group = fakes.FakeSecurityGroup.create_one_security_group().info()
    peer_group = fakes.FakeSecurityGroup.create_one_security_group().info()
    rule = fakes.FakeSecurityGroupRule.create_one_security_group_rule({
        'security_group_id': group['id'],
        'remote_group_id': peer_group['id']
    }).info()
    bound_port = fakes.FakePort.create_one_port({
        'security_groups': [group['id']]
    }).info()
    self.plugin.get_ports.return_value = [bound_port]

    binding = {'port_id': bound_port['id']}
    if not use_cache:
        # No cache: the bindings come from the plugin mock instead.
        ports_by_group = None
        self.plugin._get_port_security_group_bindings.return_value = [binding]
    else:
        ports_by_group = {group['id']: [binding], peer_group['id']: []}

    # Reference ACL, minus the two keys update_acls does not carry.
    expected = ovn_acl._add_sg_rule_acl_for_port(bound_port, rule)
    for dropped_key in ('lport', 'lswitch'):
        expected.pop(dropped_key)

    ovn_acl.update_acls_for_security_group(self.plugin,
                                           self.admin_context,
                                           self.driver._nb_ovn,
                                           group['id'],
                                           rule,
                                           sg_ports_cache=ports_by_group)

    self.driver._nb_ovn.update_acls.assert_called_once_with(
        [bound_port['network_id']], mock.ANY, {bound_port['id']: expected},
        need_compare=False, is_add_acl=True)
def test_sg_disabled(self):
    """With security groups disabled, no ACL work happens at all.

    ``is_sg_enabled`` is patched to False; then ``add_acls`` must return
    an empty list, ``update_acls_for_security_group`` must not touch
    ``update_acls``, and ``acl_port_ips`` must report no addresses for
    either address family. Note this means a port in a security group
    gets no OVN ACLs when the feature is switched off.
    """
    group = fakes.FakeSecurityGroup.create_one_security_group().info()
    bound_port = fakes.FakePort.create_one_port({
        'security_groups': [group['id']]
    }).info()

    sg_off = mock.patch('networking_ovn.common.acl.is_sg_enabled',
                        return_value=False)
    with sg_off:
        produced = ovn_acl.add_acls(self.plugin,
                                    self.admin_context,
                                    bound_port, {}, {},
                                    self.driver._ovn)
        self.assertEqual([], produced)

        ovn_acl.update_acls_for_security_group(self.plugin,
                                               self.admin_context,
                                               self.driver._ovn,
                                               group['id'],
                                               None)
        self.driver._ovn.update_acls.assert_not_called()

        ips = ovn_acl.acl_port_ips(bound_port)
        self.assertEqual({'ip4': [], 'ip6': []}, ips)
def test_sg_disabled(self):
    """Disabling security groups short-circuits every ACL helper.

    With ``is_sg_enabled`` patched to False: ``add_acls`` yields an empty
    list, ``update_acls_for_security_group`` never calls ``update_acls``,
    and ``acl_port_ips`` returns empty ``ip4``/``ip6`` lists. A port that
    is a member of a security group therefore receives no OVN ACLs while
    the feature is off.
    """
    group = fakes.FakeSecurityGroup.create_one_security_group().info()
    bound_port = fakes.FakePort.create_one_port(
        {'security_groups': [group['id']]}).info()

    with mock.patch('networking_ovn.common.acl.is_sg_enabled',
                    return_value=False):
        produced = ovn_acl.add_acls(self.plugin, self.admin_context,
                                    bound_port, {}, {})
        self.assertEqual([], produced)

        ovn_acl.update_acls_for_security_group(self.plugin,
                                               self.admin_context,
                                               self.driver._ovn,
                                               group['id'])
        self.driver._ovn.update_acls.assert_not_called()

        ips = ovn_acl.acl_port_ips(bound_port)
        self.assertEqual({'ip4': [], 'ip6': []}, ips)