Merge "NSXv: Fine grained control for logging security-group rules"

2016-03-29 16:39:39 +00:00 · 2016-03-29 16:39:39 +00:00 · c65a8fe1d7
parent 83addfaa77 1f9d16fe8d
commit c65a8fe1d7
12 changed files with 286 additions and 25 deletions
--- a/etc/nsx.ini
+++ b/etc/nsx.ini
@ -191,6 +191,14 @@
 # (Optional) DHCP lease time
 # dhcp_lease_time = 86400

+# (Optional) Indicates whether distributed-firewall rule for security-groups
+# blocked traffic is logged.
+# log_security_groups_blocked_traffic = False
+
+# (Optional) Indicates whether distributed-firewall security-groups rules are
+# logged.
+# log_security_groups_allowed_traffic = False
+
 [nsx]
 # Maximum number of ports for each bridged logical switch
 # The recommended value for this parameter varies with NSX version
--- a/etc/policy.json
+++ b/etc/policy.json
@ -139,5 +139,9 @@

    "get_service_provider": "rule:regular_user",
    "get_lsn": "rule:admin_only",
-    "create_lsn": "rule:admin_only"
+    "create_lsn": "rule:admin_only",
+
+    "create_security_group:logging": "rule:admin_only",
+    "update_security_group:logging": "rule:admin_only",
+    "get_security_group:logging": "rule:admin_only"
 }
--- a/vmware_nsx/common/config.py
+++ b/vmware_nsx/common/config.py
@ -401,6 +401,14 @@ nsxv_opts = [
                       'involves configuring the dvs backing nsx_v directly. '
                       'If False, only features exposed via nsx_v will be '
                       'supported')),
+    cfg.BoolOpt('log_security_groups_blocked_traffic',
+                default=False,
+                help=_("Indicates whether distributed-firewall rule for "
+                       "security-groups blocked traffic is logged")),
+    cfg.BoolOpt('log_security_groups_allowed_traffic',
+                default=False,
+                help=_("Indicates whether distributed-firewall "
+                       "security-groups allowed traffic is logged")),
 ]

 # Register the configuration options
--- a/vmware_nsx/db/migration/alembic_migrations/versions/EXPAND_HEAD
+++ b/vmware_nsx/db/migration/alembic_migrations/versions/EXPAND_HEAD
@ -1 +1 @@
-4c45bcadccf9
+2c87aedb206f
--- a/vmware_nsx/db/migration/alembic_migrations/versions/newton/expand/2c87aedb206f_nsxv_security_group_logging.py
+++ b/vmware_nsx/db/migration/alembic_migrations/versions/newton/expand/2c87aedb206f_nsxv_security_group_logging.py
@ -0,0 +1,34 @@
+# Copyright 2016 OpenStack Foundation
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+
+"""nsxv_security_group_logging
+
+Revision ID: 2c87aedb206f
+Revises: 4c45bcadccf9
+Create Date: 2016-03-15 06:06:06.680092
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '2c87aedb206f'
+down_revision = '4c45bcadccf9'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    op.add_column('nsxv_security_group_section_mappings',
+                  sa.Column('logging', sa.Boolean(), nullable=False))
--- a/vmware_nsx/db/nsxv_db.py
+++ b/vmware_nsx/db/nsxv_db.py
@ -366,10 +366,10 @@ def delete_nsxv_internal_edge(session, ext_ip_address):
                filter_by(ext_ip_address=ext_ip_address).delete())


-def add_neutron_nsx_section_mapping(session, neutron_id, ip_section_id):
+def add_neutron_nsx_section_mapping(session, neutron_id, section_id, logging):
    with session.begin(subtransactions=True):
        mapping = nsxv_models.NsxvSecurityGroupSectionMapping(
-            neutron_id=neutron_id, ip_section_id=ip_section_id)
+            neutron_id=neutron_id, ip_section_id=section_id, logging=logging)
        session.add(mapping)
    return mapping

--- a/vmware_nsx/db/nsxv_models.py
+++ b/vmware_nsx/db/nsxv_models.py
@ -114,6 +114,7 @@ class NsxvSecurityGroupSectionMapping(model_base.BASEV2):
                                         ondelete="CASCADE"),
                           primary_key=True)
    ip_section_id = sa.Column(sa.String(100))
+    logging = sa.Column(sa.Boolean, default=False, nullable=False)


 class NsxvRuleMapping(model_base.BASEV2):
--- a/vmware_nsx/extensions/securitygrouplogging.py
+++ b/vmware_nsx/extensions/securitygrouplogging.py
@ -0,0 +1,67 @@
+# Copyright 2016 VMware, Inc.  All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron.api import extensions
+from neutron.api.v2 import attributes
+
+RESOURCE_ATTRIBUTE_MAP = {
+    'security_groups': {
+        'logging': {
+            'allow_post': True,
+            'allow_put': True,
+            'convert_to': attributes.convert_to_boolean,
+            'default': False,
+            'enforce_policy': True,
+            'is_visible': True}
+    }
+}
+
+
+class Securitygrouplogging(extensions.ExtensionDescriptor):
+    """Security group logging extension."""
+
+    @classmethod
+    def get_name(cls):
+        return "Security group logging"
+
+    @classmethod
+    def get_alias(cls):
+        return "security-group-logging"
+
+    @classmethod
+    def get_description(cls):
+        return "Security group logging extension."
+
+    @classmethod
+    def get_namespace(cls):
+        # todo
+        return "http://docs.openstack.org/ext/security_group_logging/api/v2.0"
+
+    @classmethod
+    def get_updated(cls):
+        return "2015-04-13T10:00:00-00:00"
+
+    def get_required_extensions(self):
+        return ["security-group"]
+
+    @classmethod
+    def get_resources(cls):
+        """Returns Ext Resources."""
+        return []
+
+    def get_extended_resources(self, version):
+        if version == "2.0":
+            return RESOURCE_ATTRIBUTE_MAP
+        else:
+            return {}
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -31,6 +31,7 @@ from neutron.api.v2 import attributes as attr
 from neutron.callbacks import events
 from neutron.callbacks import registry
 from neutron.callbacks import resources
+from neutron import context as n_context
 from neutron.db import agents_db
 from neutron.db import allowedaddresspairs_db as addr_pair_db
 from neutron.db import db_base_plugin_v2
@ -122,6 +123,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                                   "router",
                                   "security-group",
                                   "secgroup-rule-local-ip-prefix",
+                                   "security-group-logging",
                                   "nsxv-router-type",
                                   "nsxv-router-size",
                                   "vnic-index",
@ -170,6 +172,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        self._validate_config()
        self.sg_container_id = self._create_security_group_container()
        self.default_section = self._create_cluster_default_fw_section()
+        self._process_security_groups_rules_logging()
        self._router_managers = managers.RouterTypeManager(self)

        if cfg.CONF.nsxv.use_dvs_features:
@ -264,7 +267,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,

        # Default security-group rules
        block_rule = self.nsx_sg_utils.get_rule_config(
-            [self.sg_container_id], 'Block All', 'deny')
+            [self.sg_container_id], 'Block All', 'deny',
+            logged=cfg.CONF.nsxv.log_security_groups_blocked_traffic)
        rule_list.append(block_rule)

        with locking.LockManager.get_lock('default-section-init'):
@ -282,6 +286,38 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                section_id = self.nsx_sg_utils.parse_and_get_section_id(c)
        return section_id

+    def _process_security_groups_rules_logging(self):
+
+        with locking.LockManager.get_lock('nsx-dfw-section',
+                                          lock_file_prefix='dfw-section',
+                                          external=True):
+            context = n_context.get_admin_context()
+            log_all_rules = cfg.CONF.nsxv.log_security_groups_allowed_traffic
+
+            for sg in self.get_security_groups(context, fields=['id']):
+                fw_section = self._get_section(context.session, sg['id'])
+                # If the section/sg is already logged, then no action is
+                # required.
+                if fw_section is None or fw_section['logging']:
+                    continue
+
+                # Section/sg is not logged, update rules logging according to
+                # the 'log_security_groups_allowed_traffic' config option.
+                try:
+                    section_uri = fw_section['ip_section_id']
+                    h, c = self.nsx_v.vcns.get_section(section_uri)
+                    section = self.nsx_sg_utils.parse_section(c)
+                    section_needs_update = (
+                        self.nsx_sg_utils.set_rules_logged_option(
+                            section, log_all_rules))
+                    if section_needs_update:
+                        self.nsx_v.vcns.update_section(
+                            section_uri,
+                            self.nsx_sg_utils.to_xml_string(section), h)
+                except Exception as exc:
+                    LOG.error(_LE('Unable to update section for logging. %s'),
+                              exc)
+
    def _create_dhcp_static_binding(self, context, neutron_port_db):

        network_id = neutron_port_db['network_id']
@ -1926,6 +1962,22 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        if mapping is not None:
            return mapping['ip_section_id']

+    def _get_section(self, session, security_group_id):
+        return nsxv_db.get_nsx_section(session, security_group_id)
+
+    def _update_section_logging(self, session, section, section_db):
+        logging = not section_db['logging']
+        # Update the DB for the new logging settings.
+        with session.begin(subtransactions=True):
+            section_db['logging'] = logging
+        # Update section rules logging only if we are not already logging them.
+        log_all_rules = cfg.CONF.nsxv.log_security_groups_allowed_traffic
+        section_needs_update = False
+        if not log_all_rules:
+            section_needs_update = (
+                self.nsx_sg_utils.set_rules_logged_option(section, logging))
+        return section_needs_update
+
    def create_security_group(self, context, security_group,
                              default_sg=False):
        """Create a security group."""
@ -1934,6 +1986,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,

        new_security_group = super(NsxVPluginV2, self).create_security_group(
            context, security_group, default_sg)
+        sg_id = new_security_group['id']

        nsx_sg_name = self.nsx_sg_utils.get_nsx_sg_name(sg_data)
        # NSX security-group config
@ -1943,12 +1996,17 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        # Translate Neutron rules to NSXv fw rules and construct the fw section
        nsx_sg_id = section_uri = None
        try:
+            log_all_rules = cfg.CONF.nsxv.log_security_groups_allowed_traffic
            # Create the nsx security group
            h, nsx_sg_id = self.nsx_v.vcns.create_security_group(sg_dict)

            section_name = self.nsx_sg_utils.get_nsx_section_name(nsx_sg_name)
-            nsx_rules = [self._create_nsx_rule(context, rule, nsx_sg_id) for
-                         rule in new_security_group['security_group_rules']]
+            logging = sg_data.get('logging', False)
+            nsx_rules = []
+            for rule in new_security_group['security_group_rules']:
+                nsx_rule = self._create_nsx_rule(
+                    context, rule, nsx_sg_id, logged=log_all_rules or logging)
+                nsx_rules.append(nsx_rule)
            section = self.nsx_sg_utils.get_section_with_rules(
                section_name, nsx_rules)

@ -1961,10 +2019,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,

            # Save moref in the DB for future access
            nsx_db.add_neutron_nsx_security_group_mapping(
-                context.session, new_security_group['id'], nsx_sg_id)
+                context.session, sg_id, nsx_sg_id)
            # Add database associations for fw section and rules
            nsxv_db.add_neutron_nsx_section_mapping(
-                context.session, new_security_group['id'], section_uri)
+                context.session, sg_id, section_uri, logging)
            for pair in rule_pairs:
                # Save nsx rule id in the DB for future access
                nsxv_db.add_neutron_nsx_rule_mapping(context.session,
@ -1979,31 +2037,46 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                # Only admin can delete the default security-group
                if default_sg:
                    context = context.elevated()
-                super(NsxVPluginV2, self).delete_security_group(
-                    context, new_security_group['id'])
+                super(NsxVPluginV2, self).delete_security_group(context, sg_id)
                # Delete the created nsx security-group and the fw section
                self._delete_section(section_uri)
                self._delete_nsx_security_group(nsx_sg_id)
                LOG.exception(_LE('Failed to create security group'))
+        if context.is_admin:
+            new_security_group['logging'] = logging
        return new_security_group

    def update_security_group(self, context, id, security_group):
        s = security_group['security_group']
        nsx_sg_id = nsx_db.get_nsx_security_group_id(context.session, id)
-        section_uri = self._get_section_uri(context.session, id)
-        h, c = self.nsx_v.vcns.get_section(section_uri)
-        section = self.nsx_sg_utils.parse_section(c)
+        section_db = self._get_section(context.session, id)
+        section_uri = section_db['ip_section_id']
+        section_needs_update = False

        sg_data = super(NsxVPluginV2, self).update_security_group(
            context, id, security_group)
+
+        # Reflect security-group name or description changes in the backend,
+        # dfw section name needs to be updated as well.
+        h, c = self.nsx_v.vcns.get_section(section_uri)
+        section = self.nsx_sg_utils.parse_section(c)
        if set(['name', 'description']) & set(s.keys()):
            nsx_sg_name = self.nsx_sg_utils.get_nsx_sg_name(sg_data)
+            section_name = self.nsx_sg_utils.get_nsx_section_name(nsx_sg_name)
            self.nsx_v.vcns.update_security_group(
                nsx_sg_id, nsx_sg_name, sg_data['description'])
-            section_name = self.nsx_sg_utils.get_nsx_section_name(nsx_sg_name)
            section.attrib['name'] = section_name
+            section_needs_update = True
+        # Update the dfw section if security-group logging option has changed.
+        # TBD: enforce admin only?
+        if 'logging' in s and s['logging'] != section_db['logging']:
+            section_needs_update = self._update_section_logging(
+                context.session, section, section_db)
+        if section_needs_update:
            self.nsx_v.vcns.update_section(
                section_uri, self.nsx_sg_utils.to_xml_string(section), h)
+        if context.is_admin:
+            sg_data['logging'] = section_db['logging']
        return sg_data

    def delete_security_group(self, context, id):
@ -2028,7 +2101,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
            with excutils.save_and_reraise_exception():
                LOG.exception(_LE("Failed to delete security group"))

-    def _create_nsx_rule(self, context, rule, nsx_sg_id=None):
+    def _create_nsx_rule(self, context, rule, nsx_sg_id=None, logged=False):
        src = None
        dest = None
        port = None
@ -2089,7 +2162,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
            source=src,
            destination=dest,
            services=services,
-            flags=flags)
+            flags=flags,
+            logged=logged)
        return nsx_rule

    def create_security_group_rule(self, context, security_group_rule):
@ -2103,10 +2177,18 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        :param security_group_rules: list of rules to create
        """
        sg_rules = security_group_rules['security_group_rules']
+        sg_id = sg_rules[0]['security_group_rule']['security_group_id']
        ruleids = set()
        nsx_rules = []

        self._validate_security_group_rules(context, security_group_rules)
+
+        # Fetching the the dfw section associated with the security-group
+        section_db = self._get_section(context.session, sg_id)
+        section_uri = section_db['ip_section_id']
+        logging = section_db['logging']
+        log_all_rules = cfg.CONF.nsxv.log_security_groups_allowed_traffic
+
        # Translating Neutron rules to Nsx DFW rules
        for r in sg_rules:
            rule = r['security_group_rule']
@ -2114,12 +2196,9 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                rule[ext_loip.LOCAL_IP_PREFIX] = None
            rule['id'] = uuidutils.generate_uuid()
            ruleids.add(rule['id'])
-            nsx_rules.append(self._create_nsx_rule(context, rule))
+            nsx_rules.append(self._create_nsx_rule(
+                context, rule, logged=log_all_rules or logging))

-        # Find section uri for the security group, retrieve it and update with
-        # the new rules
-        section_uri = self._get_section_uri(
-            context.session, rule['security_group_id'])
        _h, _c = self.nsx_v.vcns.get_section(section_uri)
        section = self.nsx_sg_utils.parse_section(_c)
        self.nsx_sg_utils.extend_section_with_rules(section, nsx_rules)
--- a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
@ -58,9 +58,10 @@ class NsxSecurityGroupUtils(object):
    def get_rule_config(self, applied_to_ids, name, action='allow',
                        applied_to='SecurityGroup',
                        source=None, destination=None, services=None,
-                        flags=None):
+                        flags=None, logged=False):
        """Helper method to create a nsx rule dict."""
        ruleTag = et.Element('rule')
+        ruleTag.attrib['logged'] = 'true' if logged else 'false'
        nameTag = et.SubElement(ruleTag, 'name')
        nameTag.text = name
        actionTag = et.SubElement(ruleTag, 'action')
@ -146,3 +147,21 @@ class NsxSecurityGroupUtils(object):
    def parse_and_get_section_id(self, section_xml):
        section = et.fromstring(section_xml)
        return section.attrib['id']
+
+    def is_section_logged(self, section):
+        # Determine if this section rules are being logged by the first rule
+        # 'logged' value.
+        rule = section.find('rule')
+        if rule is not None:
+            return rule.attrib.get('logged') == 'true'
+        return False
+
+    def set_rules_logged_option(self, section, logged):
+        value = 'true' if logged else 'false'
+        rules = section.findall('rule')
+        updated = False
+        for rule in rules:
+            if rule.attrib['logged'] != value:
+                rule.attrib['logged'] = value
+                updated = True
+        return updated
--- a/vmware_nsx/tests/unit/extensions/test_secgroup_rule_local_ip_prefix.py
+++ b/vmware_nsx/tests/unit/extensions/test_secgroup_rule_local_ip_prefix.py
@ -120,5 +120,6 @@ class TestNsxVExtendedSGRule(test_nsxv_plugin.NsxVSecurityGroupsTestCase,
        super(TestNsxVExtendedSGRule,
              self).test_create_rule_with_local_ip_prefix()
        plugin.nsx_sg_utils.get_rule_config.assert_called_with(
-            destination=dest, applied_to_ids=mock.ANY, name=mock.ANY,
-            services=mock.ANY, source=mock.ANY, flags=mock.ANY)
+            source=mock.ANY, destination=dest, services=mock.ANY,
+            name=mock.ANY, applied_to_ids=mock.ANY, flags=mock.ANY,
+            logged=mock.ANY)
--- a/vmware_nsx/tests/unit/nsx_v/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_plugin.py
@ -50,6 +50,7 @@ from vmware_nsx.common import nsx_constants
 from vmware_nsx.db import nsxv_db
 from vmware_nsx.extensions import routersize as router_size
 from vmware_nsx.extensions import routertype as router_type
+from vmware_nsx.extensions import securitygrouplogging
 from vmware_nsx.extensions import vnicindex as ext_vnic_idx
 from vmware_nsx.plugins.nsx_v.vshield.common import constants as vcns_const
 from vmware_nsx.plugins.nsx_v.vshield import edge_utils
@ -2381,6 +2382,8 @@ class NsxVSecurityGroupsTestCase(ext_sg.SecurityGroupDBTestCase):
              ext_mgr=None,
              service_plugins=None):
        test_utils.override_nsx_ini_test()
+        attributes.RESOURCE_ATTRIBUTE_MAP.update(
+            securitygrouplogging.RESOURCE_ATTRIBUTE_MAP)
        mock_vcns = mock.patch(vmware.VCNS_NAME, autospec=True)
        mock_vcns_instance = mock_vcns.start()
        self.fc2 = fake_vcns.FakeVcns()
@ -2523,6 +2526,43 @@ class NsxVTestSecurityGroup(ext_sg.TestSecurityGroups,
        # This test is aimed to test the security-group db mixin
        pass

+    def _plugin_update_security_group(self, context, id, logging):
+        data = {'security_group': {'logging': logging}}
+        security_group = (
+            self.plugin.update_security_group(context, id, data))
+        return security_group
+
+    def _plugin_create_security_group(self, context, logging=False):
+        data = {'security_group': {'name': 'SG',
+                                   'tenant_id': 'tenant_id',
+                                   'description': ''}}
+        if logging:
+            data['security_group']['logging'] = True
+        security_group = (
+            self.plugin.create_security_group(context, data, False))
+        return security_group
+
+    def test_create_security_group_default_logging(self):
+        _context = context.get_admin_context()
+        sg = self._plugin_create_security_group(_context)
+        self.assertFalse(sg['logging'])
+
+    def test_create_security_group_with_logging(self):
+        _context = context.get_admin_context()
+        sg = self._plugin_create_security_group(_context, logging=True)
+        self.assertTrue(sg['logging'])
+
+    def test_update_security_group_with_logging(self):
+        _context = context.get_admin_context()
+        sg = self._plugin_create_security_group(_context)
+        sg = self._plugin_update_security_group(_context, sg['id'], True)
+        self.assertTrue(sg['logging'])
+
+    def test_security_group_logging_not_visible_for_user(self):
+        _context = context.Context('user', 'tenant_id')
+        sg = self._plugin_create_security_group(_context)
+        self.assertFalse('logging' in sg)
+

 class TestVdrTestCase(L3NatTest, L3NatTestCaseBase,
                      test_l3_plugin.L3NatDBIntTestCase,