Raise if sec-groups and port id are provided on boot

Currently in case port_id is provided on instance boot security groups parameter is ignored. Need to clearly state that specifying both parameters is not allowed and that Neutron should be used for configuring security groups on port Closes-bug: #1373774 Change-Id: I701faba1b37a7106cf86f7abf8e55f7289e1ff3b
openstack · Jan 26, 2015 · d8cafb9 · d8cafb9
1 parent 4511c8e
commit d8cafb9
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 0 deletions.
diff --git a/nova/exception.py b/nova/exception.py
@@ -991,6 +991,12 @@ class SecurityGroupRuleExists(Invalid):
     msg_fmt = _("Rule already exists in group: %(rule)s")
 
 
+class SecurityGroupNotAllowedTogetherWithPort(Invalid):
+    msg_fmt = _("It's not allowed to specify security groups if port_id "
+                "is provided on instance boot. Neutron should be used to "
+                "configure security groups on port.")
+
+
 class NoUniqueMatch(NovaException):
     msg_fmt = _("No Unique Match Found.")
     code = 409

diff --git a/nova/network/neutronv2/api.py b/nova/network/neutronv2/api.py
@@ -453,6 +453,9 @@ def allocate_for_instance(self, context, instance, **kwargs):
         ports_in_requested_order = []
         nets_in_requested_order = []
         for request in ordered_networks:
+            if security_groups and request.port_id:
+                raise exception.SecurityGroupNotAllowedTogetherWithPort()
+
             # Network lookup for available network_id
             network = None
             for net in nets:

diff --git a/nova/tests/unit/network/test_neutronv2.py b/nova/tests/unit/network/test_neutronv2.py
@@ -339,6 +339,8 @@ def setUp(self):
                                'port_id': self.port_data2[1]['id'],
                                'fixed_ip_address': fixed_ip_address,
                                'router_id': 'router_id1'}
+        self.sec_group_data = [{'id': 'test_secgroup_id1',
+                                'name': 'test_secgroup_name'}]
         self._returned_nw_info = []
         self.mox.StubOutWithMock(neutronapi, 'get_client')
         self.moxed_client = self.mox.CreateMock(client.Client)
@@ -455,9 +457,20 @@ def _stub_allocate_for_instance(self, net_idx=1, **kwargs):
                 self.mox.ReplayAll()
                 return api
 
+        security_groups = kwargs.get('security_groups')
+        if security_groups:
+            search_opts = {'tenant_id': self.instance.project_id}
+            self.moxed_client.list_security_groups(
+                **search_opts).AndReturn(
+                    {'security_groups': self.sec_group_data})
+
         ports_in_requested_net_order = []
         nets_in_requested_net_order = []
         for request in ordered_networks:
+            if (request.port_id and security_groups):
+                self.mox.ReplayAll()
+                return api
+
             port_req_body = {
                 'port': {
                     'device_id': self.instance.uuid,
@@ -511,6 +524,8 @@ def _stub_allocate_for_instance(self, net_idx=1, **kwargs):
                 res_port = {'port': {'id': 'fake'}}
                 if has_extra_dhcp_opts:
                     port_req_body['port']['extra_dhcp_opts'] = dhcp_options
+                if security_groups:
+                    port_req_body['port']['security_groups'] = security_groups
                 if kwargs.get('_break') == 'mac' + request.network_id:
                     self.mox.ReplayAll()
                     return api
@@ -879,6 +894,25 @@ def test_allocate_for_instance_accepts_only_portid(self):
                 objects=[objects.NetworkRequest(port_id='my_portid1')]))
         self.assertEqual(self.port_data1, result)
 
+    def test_allocate_for_instance_with_sec_groups(self):
+        # Test that allocate_for_instance handles security groups if provided
+        self._allocate_for_instance(
+            1, security_groups=[self.sec_group_data[0]['id']])
+
+    def test_allocate_for_instance_with_sec_groups_and_port_id(self):
+        # Test that allocate_for_instance raises if security groups are
+        # provided together with port_id
+        requested_networks = objects.NetworkRequestList(
+            objects=[objects.NetworkRequest(port_id='my_portid1')])
+        security_groups = [self.sec_group_data[0]['id']]
+        api = self._stub_allocate_for_instance(
+            requested_networks=requested_networks,
+            security_groups=security_groups)
+        self.assertRaises(exception.SecurityGroupNotAllowedTogetherWithPort,
+                          api.allocate_for_instance, self.context,
+                          self.instance, requested_networks=requested_networks,
+                          security_groups=security_groups)
+
     def test_allocate_for_instance_not_enough_macs_via_ports(self):
         # using a hypervisor MAC via a pre-created port will stop it being
         # used to dynamically create a port on a network. We put the network