From 6078fdccda896f035cbbd4735690a06ace551a30 Mon Sep 17 00:00:00 2001
From: tikitavi
Date: Fri, 10 Feb 2017 21:39:08 +0300
Subject: [PATCH] Changes in security groups in default VPC mode

create-security-group create security-group in default vpc if not specified delete-security-group can delete from default vpc by group-name authorize_security_group_ingress with group-name specified create rule in the appropriate group in default vpc

Change-Id: Ibdf5b508f9d8a042ceaba4570d4573b741adaf9f
---
 ec2api/api/security_group.py  | 22 ++++++++++++++++++----
 ec2api/api/vpc.py             |  4 ++--
 ec2api/tests/unit/test_vpc.py |  7 ++++---
 3 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/ec2api/api/security_group.py b/ec2api/api/security_group.py
index 198fc00e..34d83bd8 100644
--- a/ec2api/api/security_group.py
+++ b/ec2api/api/security_group.py
@@ -69,6 +69,8 @@ def create_security_group(context, group_name, group_description,
         raise exception.InvalidGroupReserved(group_name=group_name)
     filter = [{'name': 'group-name', 'value': [group_name]}]
+    if not vpc_id and CONF.disable_ec2_classic:
+        vpc_id = ec2utils.get_default_vpc(context)['id']
     if vpc_id and group_name != vpc_id:
         filter.append({'name': 'vpc-id', 'value': [vpc_id]})
@@ -115,15 +117,15 @@ def _create_default_security_group(context, vpc):
     # NOTE(Alex): OpenStack doesn't allow creation of another group
     # named 'default' hence vpc-id is used.
     try:
-        _create_security_group(context, vpc['id'],
+        sg_id = _create_security_group(context, vpc['id'],
                                'Default VPC security group', vpc['id'],
-                               default=True)
+                               default=True)['groupId']
     except (exception.EC2DBDuplicateEntry, exception.InvalidVpcIDNotFound):
         # NOTE(andrey-mp): when this thread tries to recreate default group
         # but another thread tries to delete vpc we should pass vpc not found
         LOG.exception('Failed to create default security group.')
-        return False
-    return True
+        return None
+    return sg_id
 def delete_security_group(context, group_name=None, group_id=None,
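Review bot: The new `return None` / `return sg_id` contract of _create_default_security_group is not handled by its only caller on this page: in the vpc.py hunk `_create_vpc` does `sg_id = security_group_api._create_default_security_group(context, vpc)` and then registers `cleaner.addCleanup(security_group_api.delete_security_group, context, group_id=sg_id, delete_default=True)` unconditionally, so after a logged creation failure the cleanup is queued with `group_id=None`, which in SecurityGroupEngineNeutron.delete_group falls through to the Nova engine with neither id nor name. The old `group_name=vpc['id']` form did not have this gap. Guard the registration in vpc.py, `if sg_id:` before the `cleaner.addCleanup(...)` call, and give the function a docstring stating the contract, e.g. `"""Create the default group for *vpc*; return its EC2 id, or None if creation failed (already logged)."""`. Whether the cleaner swallows a failing cleanup callback is not visible here.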
@@ -211,6 +213,12 @@ def describe_security_groups(context, group_name=None, group_id=None,
 def authorize_security_group_ingress(context, group_id=None, group_name=None,
                                      ip_permissions=None):
+    if group_name and not group_id and CONF.disable_ec2_classic:
+        sg = describe_security_groups(
+            context,
+            group_name=[group_name])['securityGroupInfo'][0]
+        group_id = sg['groupId']
+        group_name = None
     return _authorize_security_group(context, group_id, group_name,
                                      ip_permissions, 'ingress')
@@ -472,6 +480,12 @@ class SecurityGroupEngineNeutron(object):
     def delete_group(self, context, group_name=None, group_id=None,
                      delete_default=False):
         neutron = clients.neutron(context)
+        if CONF.disable_ec2_classic and group_name:
+            sg = describe_security_groups(
+                context,
+                group_name=[group_name])['securityGroupInfo'][0]
+            group_id = sg['groupId']
+            group_name = None
         if group_id is None or not group_id.startswith('sg-'):
             return SecurityGroupEngineNova().delete_group(context, group_name,
diff --git a/ec2api/api/vpc.py b/ec2api/api/vpc.py
index fcad3b6f..3346b196 100644
--- a/ec2api/api/vpc.py
+++ b/ec2api/api/vpc.py
@@ -141,9 +141,9 @@ def _create_vpc(context, cidr_block, is_default=False):
         vpc['route_table_id'] = route_table['id']
         db_api.update_item(context, vpc)
         neutron.update_router(os_router['id'], {'router': {'name': vpc['id']}})
-        security_group_api._create_default_security_group(context, vpc)
+        sg_id = security_group_api._create_default_security_group(context, vpc)
         cleaner.addCleanup(security_group_api.delete_security_group, context,
-                           group_name=vpc['id'], delete_default=True)
+                           group_id=sg_id, delete_default=True)
         if is_default:
             igw_id = internet_gateway_api.create_internet_gateway(
                 context)['internetGateway']['internetGatewayId']
diff --git a/ec2api/tests/unit/test_vpc.py b/ec2api/tests/unit/test_vpc.py
index e667b868..91506d2f 100644
--- a/ec2api/tests/unit/test_vpc.py
+++ b/ec2api/tests/unit/test_vpc.py
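Review bot: The name-to-id lookup added to authorize_security_group_ingress takes `['securityGroupInfo'][0]` without checking the list, so a name that matches nothing raises IndexError (a 500) instead of the API's InvalidGroup.NotFound, unless describe_security_groups itself raises in that case, which the page does not show; and a describe by name alone is not visibly scoped to the default VPC, so if a same-named group exists in another VPC the ingress rule may be authorized on that group rather than the default-VPC one the caller addressed. Resolve the default VPC first, `vpc_id = ec2utils.get_default_vpc(context)['id']` as create_security_group does in the first hunk, add a `{'name': 'vpc-id', 'value': [vpc_id]}` filter next to the name, and raise the not-found error on an empty result before indexing. The same lookup is copied into SecurityGroupEngineNeutron.delete_group in the next hunk, where the condition `if CONF.disable_ec2_classic and group_name:` also lacks the `not group_id` guard used here, so a caller that passes both an id and a name has the id silently replaced by whatever the name resolves to; one shared helper would fix both sites consistently. _authorize_security_group and the remainder of delete_group are outside these hunks.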
@@ -343,8 +343,6 @@ class VpcPrivateTestCase(base.BaseTestCase):
         self.neutron.create_router.side_effect = (
             tools.get_neutron_create('router', fakes.ID_OS_ROUTER_DEFAULT))
-        self.nova.security_groups.list.return_value = (
-            [fakes.NovaSecurityGroup(fakes.OS_SECURITY_GROUP_DEFAULT)])
         self.db_api.add_item.side_effect = (
             tools.get_db_api_add_item({'vpc': fakes.ID_EC2_VPC_DEFAULT}))
@@ -356,11 +354,14 @@ class VpcPrivateTestCase(base.BaseTestCase):
         self.db_api.get_item_by_id.side_effect = (
             tools.get_db_api_get_item_by_id(fakes.DB_VPC_DEFAULT,
                                             fakes.DB_SUBNET_DEFAULT,
+                                            fakes.DB_SECURITY_GROUP_DEFAULT,
                                             DB_IGW_DEFAULT_DETACHED))
         create_route_table.return_value = fakes.DB_ROUTE_TABLE_DEFAULT
         create_internet_gateway.return_value = {'internetGateway':
                                                 fakes.EC2_IGW_DEFAULT}
         create_subnet.return_value = {'subnet': fakes.EC2_SUBNET_DEFAULT}
+        create_default_security_group.return_value = (
+            fakes.ID_EC2_SECURITY_GROUP_DEFAULT)
         # exception during attaching internet gateway
         create_route.side_effect = Exception()
@@ -374,7 +375,7 @@ class VpcPrivateTestCase(base.BaseTestCase):
                                                  fakes.ID_EC2_SUBNET_DEFAULT)
         self.db_api.delete_item.assert_any_call(mock.ANY,
                                                 fakes.ID_EC2_IGW_DEFAULT)
-        self.nova.security_groups.delete.assert_any_call(
+        self.neutron.delete_security_group.assert_any_call(
             fakes.ID_OS_SECURITY_GROUP_DEFAULT)
         self.db_api.delete_item.assert_any_call(mock.ANY,
                                                 fakes.ID_EC2_ROUTE_TABLE_DEFAULT)
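Review bot: The updated fixture only pins the success path of the new return value, `create_default_security_group.return_value = (fakes.ID_EC2_SECURITY_GROUP_DEFAULT)`, so the failure contract the commit introduces (the function returning None and `_create_vpc` then registering the cleanup with `group_id=None`) has no coverage. A second case setting `create_default_security_group.return_value = None` and asserting what the cleaner passes to delete_security_group would exercise it. The enclosing test method starts outside these hunks.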