| author | Aaron Rosen <arosen@nicira.com> | 2013-02-15 10:41:00 -0800 |
|---|---|---|
| committer | Aaron Rosen <arosen@nicira.com> | 2013-02-20 11:27:01 -0800 |
| commit | d562012f34eadfe6b68dd5ebe06a2fa565de3b2e (patch) | |
| tree | 77cc228f6ea5588219e7038d00507b6b3a9d1294 /nova/api | |
| parent | 51055262c2e354d3ad69f7ce6470a6b549881aad (diff) | |
Make nova security groups more pluggable
This patch moves the nova security group code out of nova/compute/api.py
into nova/network/security_group. It also moves every database query out of
the security group API and into the nova security group driver. This lets
security group drivers decouple themselves from storing security group
information in the nova_db.
Change-Id: Ib183515a0418203c8bcc88176e3a1498d7333300
Diffstat (limited to 'nova/api')
| -rw-r--r-- | nova/api/ec2/cloud.py | 18 | ||||
| -rw-r--r-- | nova/api/openstack/compute/contrib/security_group_default_rules.py | 10 | ||||
| -rw-r--r-- | nova/api/openstack/compute/contrib/security_groups.py | 71 |
3 files changed, 58 insertions, 41 deletions
diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index 03bf9f890..b3f9bd099 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -214,7 +214,7 @@ class CloudController(object): self.image_service = s3.S3ImageService() self.network_api = network.API() self.volume_api = volume.API() - self.security_group_api = CloudSecurityGroupAPI() + self.security_group_api = get_cloud_security_group_api() self.compute_api = compute.API(network_api=self.network_api, volume_api=self.volume_api, security_group_api=self.security_group_api)
@@ -712,8 +712,8 @@ class CloudController(object): self.security_group_api.validate_property(group_name, 'name', allowed) - group_ref = self.security_group_api.create(context, group_name, - group_description) + group_ref = self.security_group_api.create_security_group( + context, group_name, group_description) return {'securityGroupSet': [self._format_security_group(context, group_ref)]}
@@ -1662,7 +1662,7 @@ class CloudController(object): return {'imageId': ec2_id} -class CloudSecurityGroupAPI(compute_api.SecurityGroupAPI): +class EC2SecurityGroupExceptions(object): @staticmethod def raise_invalid_property(msg): raise exception.InvalidParameterValue(err=msg)
@@ -1689,3 +1689,13 @@ class CloudSecurityGroupAPI(compute_api.SecurityGroupAPI): @staticmethod def raise_not_found(msg): pass + + +class CloudSecurityGroupNovaAPI(compute_api.SecurityGroupAPI, + EC2SecurityGroupExceptions): + pass + + +def get_cloud_security_group_api(): + if cfg.CONF.security_group_api.lower() == 'nova': + return CloudSecurityGroupNovaAPI()
diff --git a/nova/api/openstack/compute/contrib/security_group_default_rules.py b/nova/api/openstack/compute/contrib/security_group_default_rules.py
index fed1468a8..e2bba8127 100644
--- a/nova/api/openstack/compute/contrib/security_group_default_rules.py
+++ b/nova/api/openstack/compute/contrib/security_group_default_rules.py
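Review bot: `get_cloud_security_group_api()` at the end of nova/api/ec2/cloud.py falls off the end and returns None whenever `cfg.CONF.security_group_api` is anything other than 'nova', so `CloudController.__init__` stores None and passes it to `compute.API`, and the failure only surfaces later as an AttributeError on the first security group call. A component that enforces network access rules should fail closed at construction: add a final `raise NotImplementedError()` (or a configuration error that names the unsupported value) after the `if`. None of the cloud.py hunks shown adds an import of `cfg`, so confirm the name is already in scope in that module. `openstack_driver.get_openstack_security_group_driver()`, which the other two files call, is not part of this diff and is worth checking for the same fall-through.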
@@ -24,6 +24,7 @@ from nova.api.openstack import extensions from nova.api.openstack import wsgi from nova.api.openstack import xmlutil from nova import exception +from nova.network.security_group import openstack_driver from nova.openstack.common import log as logging
@@ -104,6 +105,10 @@ class SecurityGroupDefaultRulesXMLDeserializer(wsgi.MetadataXMLDeserializer): class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase): + def __init__(self): + self.security_group_api = ( + openstack_driver.get_openstack_security_group_driver()) + @wsgi.serializers(xml=SecurityGroupDefaultRuleTemplate) @wsgi.deserializers(xml=SecurityGroupDefaultRulesXMLDeserializer) def create(self, req, body):
@@ -144,7 +149,8 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase): context = self._authorize_context(req) authorize(context) - id = self._validate_id(id) + id = self.security_group_api.validate_id(id) + LOG.debug(_("Showing security_group_default_rule with id %s") % id) try: rule = self.security_group_api.get_default_rule(context, id)
@@ -158,7 +164,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase): context = self._authorize_context(req) authorize(context) - id = self._validate_id(id) + id = self.security_group_api.validate_id(id) rule = self.security_group_api.get_default_rule(context, id)
diff --git a/nova/api/openstack/compute/contrib/security_groups.py b/nova/api/openstack/compute/contrib/security_groups.py
index d42dc1b0a..3f48176cc 100644
--- a/nova/api/openstack/compute/contrib/security_groups.py
+++ b/nova/api/openstack/compute/contrib/security_groups.py
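Review bot: The new `__init__` on `SecurityGroupDefaultRulesController` overrides `SecurityGroupControllerBase.__init__` without calling it, so this controller never receives the `self.compute_api` attribute that the base constructor sets. After this commit the base constructor in security_groups.py already assigns `self.security_group_api` from `openstack_driver.get_openstack_security_group_driver()`, so the override looks redundant; either drop it or begin it with `super(SecurityGroupDefaultRulesController, self).__init__()`. Whether any inherited method on this controller reads `self.compute_api` is not visible in the diff.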
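Review bot: The integer check on the request `id` in `show` now lives in whichever driver is configured instead of in the controller, so a driver whose `validate_id` omits or relaxes the check lets the raw URL value reach `get_default_rule`. The driver implementation is not shown here; the driver contract should state that `validate_id` must reject malformed ids through `raise_invalid_property` so the API still answers 400, and a comment at the call such as `# validate_id must raise via raise_invalid_property on malformed ids` would record that. The same substitution appears in this file's `delete` hunk and in security_groups.py (group show and delete, rule create, `_rule_args_to_dict`, rule delete).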
@@ -27,10 +27,12 @@ from nova import compute from nova.compute import api as compute_api from nova import db from nova import exception +from nova.network.security_group import openstack_driver from nova.openstack.common import log as logging from nova import utils from nova.virt import netutils + LOG = logging.getLogger(__name__) authorize = extensions.extension_authorizer('compute', 'security_groups') softauth = extensions.soft_extension_authorizer('compute', 'security_groups')
@@ -175,7 +177,8 @@ class SecurityGroupControllerBase(object): """Base class for Security Group controllers.""" def __init__(self): - self.security_group_api = NativeSecurityGroupAPI() + self.security_group_api = ( + openstack_driver.get_openstack_security_group_driver()) self.compute_api = compute.API( security_group_api=self.security_group_api)
@@ -214,13 +217,6 @@ class SecurityGroupControllerBase(object): authorize(context) return context - def _validate_id(self, id): - try: - return int(id) - except ValueError: - msg = _("Security group id should be integer") - raise exc.HTTPBadRequest(explanation=msg) - def _from_body(self, body, key): if not body: raise exc.HTTPUnprocessableEntity()
@@ -238,7 +234,7 @@ class SecurityGroupController(SecurityGroupControllerBase): """Return data about the given security group.""" context = self._authorize_context(req) - id = self._validate_id(id) + id = self.security_group_api.validate_id(id) security_group = self.security_group_api.get(context, None, id, map_exception=True)
@@ -250,7 +246,7 @@ class SecurityGroupController(SecurityGroupControllerBase): """Delete a security group.""" context = self._authorize_context(req) - id = self._validate_id(id) + id = self.security_group_api.validate_id(id) security_group = self.security_group_api.get(context, None, id, map_exception=True)
@@ -273,7 +269,7 @@ class SecurityGroupController(SecurityGroupControllerBase): limited_list = common.limited(raw_groups, req) result = [self._format_security_group(context, group) - for group in limited_list] + for group in limited_list] return {'security_groups': list(sorted(result,
@@ -294,11 +290,11 @@ class SecurityGroupController(SecurityGroupControllerBase): self.security_group_api.validate_property(group_description, 'description', None) - group_ref = self.security_group_api.create(context, group_name, - group_description) + group_ref = self.security_group_api.create_security_group( + context, group_name, group_description) return {'security_group': self._format_security_group(context, - group_ref)} + group_ref)} class SecurityGroupRulesController(SecurityGroupControllerBase):
@@ -310,14 +306,13 @@ class SecurityGroupRulesController(SecurityGroupControllerBase): sg_rule = self._from_body(body, 'security_group_rule') - parent_group_id = self._validate_id(sg_rule.get('parent_group_id', - None)) + parent_group_id = self.security_group_api.validate_id( + sg_rule.get('parent_group_id', None)) security_group = self.security_group_api.get(context, None, parent_group_id, map_exception=True) - try: - values = self._rule_args_to_dict(context, + new_rule = self._rule_args_to_dict(context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), ip_protocol=sg_rule.get('ip_protocol'), 
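Review bot: In the rule-create hunk (`@@ -310,14 +306,13 @@`), a request body without `parent_group_id` makes `sg_rule.get('parent_group_id', None)` pass None into `validate_id`, and the response then depends on how the configured driver treats None. The removed controller helper `_validate_id` caught only ValueError, so `int(None)` would have escaped as a TypeError rather than a 400; moving the check into the driver is a good moment to make the missing-field case explicit by rejecting a None `parent_group_id` with `exc.HTTPBadRequest` before the `validate_id` call. The enclosing method starts above this hunk and continues past it.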
@@ -326,24 +321,21 @@ class SecurityGroupRulesController(SecurityGroupControllerBase): except Exception as exp: raise exc.HTTPBadRequest(explanation=unicode(exp)) - if values is None: + if new_rule is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) - values['parent_group_id'] = security_group.id + new_rule['parent_group_id'] = security_group['id'] - if 'cidr' in values: - net, prefixlen = netutils.get_net_and_prefixlen(values['cidr']) + if 'cidr' in new_rule: + net, prefixlen = netutils.get_net_and_prefixlen(new_rule['cidr']) if net != '0.0.0.0' and prefixlen == '0': - msg = _("Bad prefix for network in cidr %s") % values['cidr'] + msg = _("Bad prefix for network in cidr %s") % new_rule['cidr'] raise exc.HTTPBadRequest(explanation=msg) - if self.security_group_api.rule_exists(security_group, values): - msg = _('This rule already exists in group %s') % parent_group_id - raise exc.HTTPBadRequest(explanation=msg) - - security_group_rule = self.security_group_api.add_rules( - context, parent_group_id, security_group['name'], [values])[0] + security_group_rule = ( + self.security_group_api.create_security_group_rule( + context, security_group, new_rule)) return {"security_group_rule": self._format_security_group_rule( context,
@@ -353,8 +345,9 @@ class SecurityGroupRulesController(SecurityGroupControllerBase): ip_protocol=None, cidr=None, group_id=None): if group_id is not None: - group_id = self._validate_id(group_id) - #check if groupId exists + group_id = self.security_group_api.validate_id(group_id) + + # check if groupId exists self.security_group_api.get(context, id=group_id) return self.security_group_api.new_group_ingress_rule( group_id, ip_protocol, from_port, to_port) 
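Review bot: The controller no longer rejects a duplicate rule: the `rule_exists` check that answered 400 is deleted in the first hunk here and nothing in the hunk replaces it, so that guarantee now rests on `create_security_group_rule` in every driver. The driver code is outside this diff (it is limited to nova/api), so confirm it performs the check and reports it through `raise_invalid_property` or an equivalent 400 path, and add a comment above the call such as `# the driver is responsible for rejecting duplicate rules`. The context lines at the top of the hunk also return `unicode(exp)` for any Exception to the client, which can expose internal error text; that predates this change but is worth narrowing while the method is being reworked. The enclosing method starts and ends outside the hunk.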
@@ -366,11 +359,11 @@ class SecurityGroupRulesController(SecurityGroupControllerBase): def delete(self, req, id): context = self._authorize_context(req) - id = self._validate_id(id) + id = self.security_group_api.validate_id(id) rule = self.security_group_api.get_rule(context, id) - group_id = rule.parent_group_id + group_id = rule['parent_group_id'] security_group = self.security_group_api.get(context, None, group_id, map_exception=True)
@@ -408,7 +401,8 @@ class ServerSecurityGroupController(SecurityGroupControllerBase): class SecurityGroupActionController(wsgi.Controller): def __init__(self, *args, **kwargs): super(SecurityGroupActionController, self).__init__(*args, **kwargs) - self.security_group_api = NativeSecurityGroupAPI() + self.security_group_api = ( + openstack_driver.get_openstack_security_group_driver()) self.compute_api = compute.API( security_group_api=self.security_group_api)
@@ -467,6 +461,8 @@ class SecurityGroupsOutputController(wsgi.Controller): def __init__(self, *args, **kwargs): super(SecurityGroupsOutputController, self).__init__(*args, **kwargs) self.compute_api = compute.API() + self.security_group_api = ( + openstack_driver.get_openstack_security_group_driver()) def _extend_servers(self, req, servers): key = "security_groups"
@@ -562,7 +558,7 @@ class Security_groups(extensions.ExtensionDescriptor): return resources -class NativeSecurityGroupAPI(compute_api.SecurityGroupAPI): +class NativeSecurityGroupExceptions(object): @staticmethod def raise_invalid_property(msg): raise exc.HTTPBadRequest(explanation=msg)
@@ -586,3 +582,8 @@ class NativeSecurityGroupAPI(compute_api.SecurityGroupAPI): @staticmethod def raise_not_found(msg): raise exc.HTTPNotFound(explanation=msg) + + +class NativeNovaSecurityGroupAPI(compute_api.SecurityGroupAPI, + NativeSecurityGroupExceptions): + pass |
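Review bot: In `class NativeNovaSecurityGroupAPI(compute_api.SecurityGroupAPI, NativeSecurityGroupExceptions)` the exceptions mixin is listed last, so any `raise_*` method defined on `compute_api.SecurityGroupAPI` or one of its bases wins the method resolution order and the HTTP 400/404 mappings defined here are never reached. That base class is not shown in this diff, so this needs checking; if it keeps stub or default `raise_*` methods, put the mixin first: `class NativeNovaSecurityGroupAPI(NativeSecurityGroupExceptions, compute_api.SecurityGroupAPI):`. `CloudSecurityGroupNovaAPI` in nova/api/ec2/cloud.py uses the same base order and would need the same change. A one-line class docstring saying that the mixin supplies the API-specific error mapping would make the intent clear to driver authors.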
