diff --git a/neutron/plugins/ml2/plugin.py b/neutron/plugins/ml2/plugin.py index aa51991d78f..dd3554a22c4 100644 --- a/neutron/plugins/ml2/plugin.py +++ b/neutron/plugins/ml2/plugin.py @@ -1257,6 +1257,8 @@ class Ml2Plugin(db_base_plugin_v2.NeutronDbPluginV2, raise psec.PortSecurityAndIPRequiredForSecurityGroups() elif (not self._check_update_deletes_security_groups(port)): + if not utils.is_extension_supported(self, 'security-group'): + return # Update did not have security groups passed in. Check # that port does not have any security groups already on it. filters = {'port_id': [id]} diff --git a/neutron/tests/unit/plugins/ml2/test_plugin.py b/neutron/tests/unit/plugins/ml2/test_plugin.py index cf602fb22e6..488a6617242 100644 --- a/neutron/tests/unit/plugins/ml2/test_plugin.py +++ b/neutron/tests/unit/plugins/ml2/test_plugin.py @@ -1997,6 +1997,28 @@ class TestMl2AllowedAddressPairs(Ml2PluginV2TestCase, plugin=PLUGIN_NAME) +class TestMl2PortSecurity(Ml2PluginV2TestCase): + + def setUp(self): + config.cfg.CONF.set_override('extension_drivers', + ['port_security'], + group='ml2') + config.cfg.CONF.set_override('enable_security_group', + False, + group='SECURITYGROUP') + super(TestMl2PortSecurity, self).setUp() + + def test_port_update_without_security_groups(self): + with self.port() as port: + plugin = manager.NeutronManager.get_plugin() + ctx = context.get_admin_context() + self.assertTrue(port['port']['port_security_enabled']) + updated_port = plugin.update_port( + ctx, port['port']['id'], + {'port': {'port_security_enabled': False}}) + self.assertFalse(updated_port['port_security_enabled']) + + class TestMl2HostsNetworkAccess(Ml2PluginV2TestCase): _mechanism_drivers = ['openvswitch', 'logger']