def _validate_sgs_for_port(security_groups): if not security_groups: return if not len(set(sg.stateful for sg in security_groups)) == 1: msg = ("Cannot apply both stateful and stateless security " "groups on the same port at the same time") raise ext_sg.SecurityGroupConflict(reason=msg)
def update_security_group(self, context, id, security_group): s = security_group['security_group'] kwargs = { 'context': context, 'security_group_id': id, 'security_group': s, } # NOTE(armax): a callback exception here will prevent the request # from being processed. This is a hook point for backend's validation; # we raise to propagate the reason for the failure. try: registry.notify(resources.SECURITY_GROUP, events.BEFORE_UPDATE, self, **kwargs) except exceptions.CallbackFailure as e: raise ext_sg.SecurityGroupConflict(reason=e) with context.session.begin(subtransactions=True): sg = self._get_security_group(context, id) if sg['name'] == 'default' and 'name' in s: raise ext_sg.SecurityGroupCannotUpdateDefault() sg.update(s) sg_dict = self._make_security_group_dict(sg) kwargs['security_group'] = sg_dict registry.notify(resources.SECURITY_GROUP, events.AFTER_UPDATE, self, **kwargs) return sg_dict
def _create_security_group_rule(self, context, security_group_rule, validate=True): if validate: self._validate_security_group_rule(context, security_group_rule) self._check_for_duplicate_rules_in_db(context, security_group_rule) rule_dict = security_group_rule['security_group_rule'] kwargs = { 'context': context, 'security_group_rule': rule_dict } # NOTE(armax): a callback exception here will prevent the request # from being processed. This is a hook point for backend's validation; # we raise to propagate the reason for the failure. try: registry.notify( resources.SECURITY_GROUP_RULE, events.BEFORE_CREATE, self, **kwargs) except exceptions.CallbackFailure as e: raise ext_sg.SecurityGroupConflict(reason=e) tenant_id = self._get_tenant_id_for_create(context, rule_dict) with context.session.begin(subtransactions=True): db = SecurityGroupRule( id=(rule_dict.get('id') or uuidutils.generate_uuid()), tenant_id=tenant_id, security_group_id=rule_dict['security_group_id'], direction=rule_dict['direction'], remote_group_id=rule_dict.get('remote_group_id'), ethertype=rule_dict['ethertype'], protocol=rule_dict['protocol'], port_range_min=rule_dict['port_range_min'], port_range_max=rule_dict['port_range_max'], remote_ip_prefix=rule_dict.get('remote_ip_prefix')) context.session.add(db) res_rule_dict = self._make_security_group_rule_dict(db) kwargs['security_group_rule'] = res_rule_dict registry.notify( resources.SECURITY_GROUP_RULE, events.AFTER_CREATE, self, **kwargs) return res_rule_dict
def create_security_group_rule(self, context, security_group_rule): kwargs = { 'context': context, 'security_group_rule': security_group_rule, } # NOTE(armax): a callback exception here will prevent the request # from being processed. This is a hook point for backend's validation; # we raise to propagate the reason for the failure. try: registry.notify(resources.SECURITY_GROUP_RULE, events.BEFORE_CREATE, self, **kwargs) except exceptions.CallbackFailure as e: raise ext_sg.SecurityGroupConflict(reason=e) bulk_rule = {'security_group_rules': [security_group_rule]} sg_rule_dict = self.create_security_group_rule_bulk_native( context, bulk_rule)[0] kwargs['security_group_rule'] = sg_rule_dict registry.notify(resources.SECURITY_GROUP_RULE, events.AFTER_CREATE, self, **kwargs) return sg_rule_dict
def create_security_group(self, context, security_group, default_sg=False): """Create security group. If default_sg is true that means we are a default security group for a given tenant if it does not exist. """ s = security_group['security_group'] kwargs = { 'context': context, 'security_group': s, 'is_default': default_sg, } # NOTE(armax): a callback exception here will prevent the request # from being processed. This is a hook point for backend's validation; # we raise to propagate the reason for the failure. try: registry.notify(resources.SECURITY_GROUP, events.BEFORE_CREATE, self, **kwargs) except exceptions.CallbackFailure as e: raise ext_sg.SecurityGroupConflict(reason=e) tenant_id = self._get_tenant_id_for_create(context, s) if not default_sg: self._ensure_default_security_group(context, tenant_id) with context.session.begin(subtransactions=True): security_group_db = SecurityGroup(id=s.get('id') or (uuidutils.generate_uuid()), description=s['description'], tenant_id=tenant_id, name=s['name']) context.session.add(security_group_db) if default_sg: context.session.add( DefaultSecurityGroup( security_group=security_group_db, tenant_id=security_group_db['tenant_id'])) for ethertype in ext_sg.sg_supported_ethertypes: if default_sg: # Allow intercommunication ingress_rule = SecurityGroupRule( id=uuidutils.generate_uuid(), tenant_id=tenant_id, security_group=security_group_db, direction='ingress', ethertype=ethertype, source_group=security_group_db) context.session.add(ingress_rule) egress_rule = SecurityGroupRule( id=uuidutils.generate_uuid(), tenant_id=tenant_id, security_group=security_group_db, direction='egress', ethertype=ethertype) context.session.add(egress_rule) secgroup_dict = self._make_security_group_dict(security_group_db) kwargs['security_group'] = secgroup_dict registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self, **kwargs) return secgroup_dict