Merge "NSX|V3: prevent user from changing the NSX internal SG"

2019-02-20 07:00:26 +00:00 · 2019-02-20 07:00:26 +00:00 · ac4ae19268
parent 7997fdbd65 c2bf0a65a0
commit ac4ae19268
1 changed files with 10 additions and 0 deletions
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@ -3220,10 +3220,17 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,

        return secgroup_db

+    def _prevent_nsx_internal_sg_modification(self, sg_id):
+        if sg_id == NSX_V3_OS_DFW_UUID:
+            msg = _("Cannot modify NSX internal security group")
+            raise n_exc.InvalidInput(error_message=msg)
+
    def update_security_group(self, context, id, security_group):
        orig_secgroup = self.get_security_group(
            context, id, fields=['id', 'name', 'description'])
        self._prevent_non_admin_edit_provider_sg(context, id)
+        self._prevent_nsx_internal_sg_modification(id)
+
        with db_api.CONTEXT_WRITER.using(context):
            secgroup_res = (
                super(NsxV3Plugin, self).update_security_group(context, id,
@ -3248,6 +3255,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,

    def delete_security_group(self, context, id):
        self._prevent_non_admin_edit_provider_sg(context, id)
+        self._prevent_nsx_internal_sg_modification(id)
        nsgroup_id, section_id = nsx_db.get_sg_mappings(
            context.session, id)
        super(NsxV3Plugin, self).delete_security_group(context, id)
@ -3283,6 +3291,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
            # group. We should be validating that this is the case though...
            sg_id = sg_rules[0]['security_group_rule']['security_group_id']
            self._prevent_non_admin_edit_provider_sg(context, sg_id)
+            self._prevent_nsx_internal_sg_modification(sg_id)

            security_group = self.get_security_group(
                context, sg_id)
@ -3313,6 +3322,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
        rule_db = self._get_security_group_rule(context, id)
        sg_id = rule_db['security_group_id']
        self._prevent_non_admin_edit_provider_sg(context, sg_id)
+        self._prevent_nsx_internal_sg_modification(sg_id)
        nsgroup_id, section_id = nsx_db.get_sg_mappings(context.session, sg_id)
        fw_rule_id = nsx_db.get_sg_rule_mapping(context.session, id)
        self.nsxlib.firewall_section.delete_rule(section_id, fw_rule_id)