Skip to content

Commit

Permalink
Rename source_(group_id/ip_prefix) to remote_(group_id/ip_prefix)
Browse files Browse the repository at this point in the history 
Fixes bug 1144426

Change-Id: I8b62044b6e679d923fffef69a49f4fd55751f116
  • Loading branch information
@aaronorosen
aaronorosen authored and Nachi Ueno committed Mar 5, 2013
1 parent 6f696b2 commit 375535e
Show file tree
Hide file tree
Showing 10 changed files with 126 additions and 127 deletions.
14 changes: 8 additions & 6 deletions quantum/agent/firewall.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,17 +37,19 @@ class FirewallDriver(object):
the rule may contain security_group_id,
protocol, port_min, port_max
source_ip_prefix, source_port_min,
source_port_max, dest_ip_prefix,
source_port_max, dest_ip_prefix, and
remote_group_id
Note: source_group_ip in REST API should be converted by this rule
if direction is ingress:
source_group_ip will be a soruce_prefix_ip
remote_group_ip will be a source_ip_prefix
if direction is egress:
source_group_ip will be a dest_prefix_ip
Note: source_group_id in REST API should be converted by this rule
remote_group_ip will be a dest_ip_prefix
Note: remote_group_id in REST API should be converted by this rule
if direction is ingress:
source_group_id will be a list of soruce_prefix_ip
remote_group_id will be a list of source_ip_prefix
if direction is egress:
source_group_id will be a list of dest_prefix_ip
remote_group_id will be a list of dest_ip_prefix
remote_group_id will also remaining membership update management
"""

__metaclass__ = abc.ABCMeta
Expand Down
6 changes: 3 additions & 3 deletions quantum/db/migration/alembic_migrations/versions/3cb5d900c5de_security_groups.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ def upgrade(active_plugin=None, options=None):
sa.Column('tenant_id', sa.String(length=255), nullable=True),
sa.Column('id', sa.String(length=36), nullable=False),
sa.Column('security_group_id', sa.String(length=36), nullable=False),
sa.Column('source_group_id', sa.String(length=36), nullable=True),
sa.Column('remote_group_id', sa.String(length=36), nullable=True),
sa.Column('direction',
sa.Enum('ingress', 'egress',
name='securitygrouprules_direction'),
Expand All @@ -70,10 +70,10 @@ def upgrade(active_plugin=None, options=None):
sa.Column('protocol', sa.String(length=40), nullable=True),
sa.Column('port_range_min', sa.Integer(), nullable=True),
sa.Column('port_range_max', sa.Integer(), nullable=True),
sa.Column('source_ip_prefix', sa.String(length=255), nullable=True),
sa.Column('remote_ip_prefix', sa.String(length=255), nullable=True),
sa.ForeignKeyConstraint(['security_group_id'], ['securitygroups.id'],
ondelete='CASCADE'),
sa.ForeignKeyConstraint(['source_group_id'], ['securitygroups.id'],
sa.ForeignKeyConstraint(['remote_group_id'], ['securitygroups.id'],
ondelete='CASCADE'),
sa.PrimaryKeyConstraint('id')
)
Expand Down
32 changes: 16 additions & 16 deletions quantum/db/securitygroups_db.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ class SecurityGroupRule(model_base.BASEV2, models_v2.HasId,
ondelete="CASCADE"),
nullable=False)

source_group_id = sa.Column(sa.String(36),
remote_group_id = sa.Column(sa.String(36),
sa.ForeignKey("securitygroups.id",
ondelete="CASCADE"),
nullable=True)
Expand All @@ -64,15 +64,15 @@ class SecurityGroupRule(model_base.BASEV2, models_v2.HasId,
protocol = sa.Column(sa.String(40))
port_range_min = sa.Column(sa.Integer)
port_range_max = sa.Column(sa.Integer)
source_ip_prefix = sa.Column(sa.String(255))
remote_ip_prefix = sa.Column(sa.String(255))
security_group = orm.relationship(
SecurityGroup,
backref=orm.backref('rules', cascade='all,delete'),
primaryjoin="SecurityGroup.id==SecurityGroupRule.security_group_id")
source_group = orm.relationship(
SecurityGroup,
backref=orm.backref('source_rules', cascade='all,delete'),
primaryjoin="SecurityGroup.id==SecurityGroupRule.source_group_id")
primaryjoin="SecurityGroup.id==SecurityGroupRule.remote_group_id")


class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
Expand Down Expand Up @@ -234,12 +234,12 @@ def create_security_group_rule_bulk_native(self, context,
id=uuidutils.generate_uuid(), tenant_id=tenant_id,
security_group_id=rule['security_group_id'],
direction=rule['direction'],
source_group_id=rule.get('source_group_id'),
remote_group_id=rule.get('remote_group_id'),
ethertype=rule['ethertype'],
protocol=rule['protocol'],
port_range_min=rule['port_range_min'],
port_range_max=rule['port_range_max'],
source_ip_prefix=rule.get('source_ip_prefix'))
remote_ip_prefix=rule.get('remote_ip_prefix'))
context.session.add(db)
ret.append(self._make_security_group_rule_dict(db))
return ret
Expand All @@ -251,7 +251,7 @@ def create_security_group_rule(self, context, security_group_rule):

def _validate_security_group_rules(self, context, security_group_rule):
"""Check that rules being installed all belong to the same security
group, source_group_id/security_group_id belong to the same tenant,
group, remote_group_id/security_group_id belong to the same tenant,
and rules are valid.
"""
new_rules = set()
Expand All @@ -271,15 +271,15 @@ def _validate_security_group_rules(self, context, security_group_rule):
else:
raise ext_sg.SecurityGroupInvalidPortRange()

if rule['source_ip_prefix'] and rule['source_group_id']:
raise ext_sg.SecurityGroupSourceGroupAndIpPrefix()
if rule['remote_ip_prefix'] and rule['remote_group_id']:
raise ext_sg.SecurityGroupRemoteGroupAndRemoteIpPrefix()

if rule['tenant_id'] not in tenant_ids:
tenant_ids.add(rule['tenant_id'])
source_group_id = rule.get('source_group_id')
# Check that source_group_id exists for tenant
if source_group_id:
self.get_security_group(context, source_group_id,
remote_group_id = rule.get('remote_group_id')
# Check that remote_group_id exists for tenant
if remote_group_id:
self.get_security_group(context, remote_group_id,
tenant_id=rule['tenant_id'])
if len(new_rules) > 1:
raise ext_sg.SecurityGroupNotSingleGroupRules()
Expand All @@ -303,8 +303,8 @@ def _make_security_group_rule_dict(self, security_group_rule, fields=None):
'protocol': security_group_rule['protocol'],
'port_range_min': security_group_rule['port_range_min'],
'port_range_max': security_group_rule['port_range_max'],
'source_ip_prefix': security_group_rule['source_ip_prefix'],
'source_group_id': security_group_rule['source_group_id']}
'remote_ip_prefix': security_group_rule['remote_ip_prefix'],
'remote_group_id': security_group_rule['remote_group_id']}

return self._fields(res, fields)

Expand All @@ -315,8 +315,8 @@ def _make_security_group_rule_filter_dict(self, security_group_rule):
'direction': [sgr['direction']]}

include_if_present = ['protocol', 'port_range_max', 'port_range_min',
'ethertype', 'source_ip_prefix',
'source_group_id']
'ethertype', 'remote_ip_prefix',
'remote_group_id']
for key in include_if_present:
value = sgr.get(key)
if value:
Expand Down
49 changes: 25 additions & 24 deletions quantum/db/securitygroups_rpc_base.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -111,8 +111,8 @@ class SecurityGroupServerRpcCallbackMixin(object):
def security_group_rules_for_devices(self, context, **kwargs):
""" return security group rules for each port
also convert source_group_id rule
to source_ip_prefix rule
also convert remote_group_id rule
to source_ip_prefix and dest_ip_prefix rule
:params devices: list of devices
:returns: port correspond to the devices with security group rules
Expand Down Expand Up @@ -144,12 +144,12 @@ def _select_rules_for_ports(self, context, ports):
query = query.filter(sg_binding_port.in_(ports.keys()))
return query.all()

def _select_ips_for_source_group(self, context, source_group_ids):
def _select_ips_for_remote_group(self, context, remote_group_ids):
ips_by_group = {}
if not source_group_ids:
if not remote_group_ids:
return ips_by_group
for source_group_id in source_group_ids:
ips_by_group[source_group_id] = []
for remote_group_id in remote_group_ids:
ips_by_group[remote_group_id] = []

ip_port = models_v2.IPAllocation.port_id
sg_binding_port = sg_db.SecurityGroupPortBinding.port_id
Expand All @@ -159,20 +159,20 @@ def _select_ips_for_source_group(self, context, source_group_ids):
models_v2.IPAllocation.ip_address)
query = query.join(models_v2.IPAllocation,
ip_port == sg_binding_port)
query = query.filter(sg_binding_sgid.in_(source_group_ids))
query = query.filter(sg_binding_sgid.in_(remote_group_ids))
ip_in_db = query.all()
for security_group_id, ip_address in ip_in_db:
ips_by_group[security_group_id].append(ip_address)
return ips_by_group

def _select_source_group_ids(self, ports):
source_group_ids = []
def _select_remote_group_ids(self, ports):
remote_group_ids = []
for port in ports.values():
for rule in port.get('security_group_rules'):
source_group_id = rule.get('source_group_id')
if source_group_id:
source_group_ids.append(source_group_id)
return source_group_ids
remote_group_id = rule.get('remote_group_id')
if remote_group_id:
remote_group_ids.append(remote_group_id)
return remote_group_ids

def _select_network_ids(self, ports):
return set((port['network_id'] for port in ports.values()))
Expand All @@ -195,22 +195,22 @@ def _select_dhcp_ips_for_network_ids(self, context, network_ids):
ips[port['network_id']].append(ip)
return ips

def _convert_source_group_id_to_ip_prefix(self, context, ports):
source_group_ids = self._select_source_group_ids(ports)
ips = self._select_ips_for_source_group(context, source_group_ids)
def _convert_remote_group_id_to_ip_prefix(self, context, ports):
remote_group_ids = self._select_remote_group_ids(ports)
ips = self._select_ips_for_remote_group(context, remote_group_ids)
for port in ports.values():
updated_rule = []
for rule in port.get('security_group_rules'):
source_group_id = rule.get('source_group_id')
remote_group_id = rule.get('remote_group_id')
direction = rule.get('direction')
direction_ip_prefix = DIRECTION_IP_PREFIX[direction]
if not source_group_id:
if not remote_group_id:
updated_rule.append(rule)
continue

port['security_group_source_groups'].append(source_group_id)
port['security_group_source_groups'].append(remote_group_id)
base_rule = rule
for ip in ips[source_group_id]:
for ip in ips[remote_group_id]:
if ip in port.get('fixed_ips', []):
continue
ip_rule = base_rule.copy()
Expand Down Expand Up @@ -290,12 +290,13 @@ def _security_group_rules_for_ports(self, context, ports):
'ethertype': rule_in_db['ethertype'],
}
for key in ('protocol', 'port_range_min', 'port_range_max',
'source_ip_prefix', 'source_group_id'):
'remote_ip_prefix', 'remote_group_id'):
if rule_in_db.get(key):
if key == 'source_ip_prefix' and direction == 'egress':
rule_dict['dest_ip_prefix'] = rule_in_db[key]
if key == 'remote_ip_prefix':
direction_ip_prefix = DIRECTION_IP_PREFIX[direction]
rule_dict[direction_ip_prefix] = rule_in_db[key]
continue
rule_dict[key] = rule_in_db[key]
port['security_group_rules'].append(rule_dict)
self._apply_provider_rule(context, ports)
return self._convert_source_group_id_to_ip_prefix(context, ports)
return self._convert_remote_group_id_to_ip_prefix(context, ports)
12 changes: 4 additions & 8 deletions quantum/extensions/securitygroup.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,8 +61,8 @@ class SecurityGroupRulesNotSingleTenant(qexception.InvalidInput):
" not allowed")


class SecurityGroupSourceGroupAndIpPrefix(qexception.InvalidInput):
message = _("Only source_ip_prefix or source_group_id may "
class SecurityGroupRemoteGroupAndRemoteIpPrefix(qexception.InvalidInput):
message = _("Only remote_ip_prefix or remote_group_id may "
"be provided.")


Expand All @@ -75,10 +75,6 @@ class SecurityGroupNotSingleGroupRules(qexception.InvalidInput):
"one security profile at a time")


class SecurityGroupSourceGroupNotFound(qexception.NotFound):
message = _("Source group id %(id)s does not exist")


class SecurityGroupNotFound(qexception.NotFound):
message = _("Security group %(id)s does not exist")

Expand Down Expand Up @@ -171,7 +167,7 @@ def _validate_name_not_default(data, valid_values=None):
'primary_key': True},
'security_group_id': {'allow_post': True, 'allow_put': False,
'is_visible': True, 'required_by_policy': True},
'source_group_id': {'allow_post': True, 'allow_put': False,
'remote_group_id': {'allow_post': True, 'allow_put': False,
'default': None, 'is_visible': True},
'direction': {'allow_post': True, 'allow_put': True,
'is_visible': True,
Expand All @@ -190,7 +186,7 @@ def _validate_name_not_default(data, valid_values=None):
'is_visible': True, 'default': 'IPv4',
'convert_to': convert_ethertype_to_case_insensitive,
'validate': {'type:values': sg_supported_ethertypes}},
'source_ip_prefix': {'allow_post': True, 'allow_put': False,
'remote_ip_prefix': {'allow_post': True, 'allow_put': False,
'default': None, 'is_visible': True},
'tenant_id': {'allow_post': True, 'allow_put': False,
'required_by_policy': True,
Expand Down
12 changes: 6 additions & 6 deletions quantum/plugins/midonet/midonet_lib.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -220,8 +220,8 @@ def create_for_sg_rule(self, rule):
rule_id = rule['id']
ethertype = rule['ethertype']
security_group_id = rule['security_group_id']
source_group_id = rule['source_group_id']
source_ip_prefix = rule['source_ip_prefix'] # watch out. not validated
remote_group_id = rule['remote_group_id']
remote_ip_prefix = rule['remote_ip_prefix'] # watch out. not validated
tenant_id = rule['tenant_id']
port_range_min = rule['port_range_min']
external_id = rule['external_id']
Expand All @@ -234,10 +234,10 @@ def create_for_sg_rule(self, rule):
port_group_id = None

# handle source
if not source_ip_prefix is None:
nw_src_address, nw_src_length = source_ip_prefix.split('/')
elif not source_group_id is None: # security group as a srouce
source_pg = self.pg_manager.get_for_sg(tenant_id, source_group_id)
if not remote_ip_prefix is None:
nw_src_address, nw_src_length = remote_ip_prefix.split('/')
elif not remote_group_id is None: # security group as a srouce
source_pg = self.pg_manager.get_for_sg(tenant_id, remote_group_id)
port_group_id = source_pg.get_id()
else:
raise Exception(_("Don't know what to do with rule=%r"), rule)
Expand Down
24 changes: 12 additions & 12 deletions quantum/plugins/nicira/nicira_nvp_plugin/common/securitygroups.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,8 +28,8 @@ class NVPSecurityGroups(object):
def _convert_to_nvp_rule(self, rule, with_id=False):
"""Converts Quantum API security group rule to NVP API."""
nvp_rule = {}
params = ['source_ip_prefix', 'protocol',
'source_group_id', 'port_range_min',
params = ['remote_ip_prefix', 'protocol',
'remote_group_id', 'port_range_min',
'port_range_max', 'ethertype']
if with_id:
params.append('id')
Expand All @@ -40,10 +40,10 @@ def _convert_to_nvp_rule(self, rule, with_id=False):
nvp_rule[param] = value
elif not value:
pass
elif param == 'source_ip_prefix':
nvp_rule['ip_prefix'] = rule['source_ip_prefix']
elif param == 'source_group_id':
nvp_rule['profile_uuid'] = rule['source_group_id']
elif param == 'remote_ip_prefix':
nvp_rule['ip_prefix'] = rule['remote_ip_prefix']
elif param == 'remote_group_id':
nvp_rule['profile_uuid'] = rule['remote_group_id']
elif param == 'protocol':
nvp_rule['protocol'] = protocol_num_look_up[rule['protocol']]
else:
Expand All @@ -65,7 +65,7 @@ def _get_security_group_rules_nvp_format(self, context, security_group_id,
with_id=False):
"""Query quantum db for security group rules.
"""
fields = ['source_ip_prefix', 'source_group_id', 'protocol',
fields = ['remote_ip_prefix', 'remote_group_id', 'protocol',
'port_range_min', 'port_range_max', 'protocol', 'ethertype']
if with_id:
fields.append('id')
Expand All @@ -80,11 +80,11 @@ def _get_security_group_rules_nvp_format(self, context, security_group_id,
'logical_port_egress_rules': ingress_rules}
return self._convert_to_nvp_rules(rules, with_id)

def _get_profile_uuid(self, context, source_group_id):
def _get_profile_uuid(self, context, remote_group_id):
"""Return profile id from novas group id. """
security_group = self.get_security_group(context, source_group_id)
security_group = self.get_security_group(context, remote_group_id)
if not security_group:
raise ext_sg.SecurityGroupNotFound(id=source_group_id)
raise ext_sg.SecurityGroupNotFound(id=remote_group_id)
return security_group['id']

def _merge_security_group_rules_with_current(self, context, new_rules,
Expand All @@ -95,8 +95,8 @@ def _merge_security_group_rules_with_current(self, context, new_rules,
rule = new_rule['security_group_rule']
rule['security_group_id'] = security_group_id
if rule.get('souce_group_id'):
rule['source_group_id'] = self._get_profile_uuid(
context, rule['source_group_id'])
rule['remote_group_id'] = self._get_profile_uuid(
context, rule['remote_group_id'])
if rule['direction'] == 'ingress':
merged_rules['logical_port_egress_rules'].append(
self._convert_to_nvp_rule(rule))
Expand Down
2 changes: 1 addition & 1 deletion quantum/tests/unit/midonet/test_midonet_lib.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -194,7 +194,7 @@ def _create_test_rule(self, tenant_id, sg_id, rule_id, direction="egress",
return {"tenant_id": tenant_id, "security_group_id": sg_id,
"rule_id": rule_id, "direction": direction,
"protocol": protocol,
"source_ip_prefix": src_ip, "source_group_id": src_group_id,
"remote_ip_prefix": src_ip, "remote_group_id": src_group_id,
"port_range_min": port_min, "port_range_max": port_max,
"ethertype": ethertype, "id": rule_id, "external_id": None}

Expand Down

0 comments on commit 375535e

Please sign in to comment.