authorSoren Hansen <soren.hansen@rackspace.com>2010-09-09 12:35:46 +0200
committerSoren Hansen <soren.hansen@rackspace.com>2010-09-09 12:35:46 +0200
commitbd07d6b3b3e9ed3ef3e65e99b628c8b1aaf2f82c (patch)
treedbf10c1cac86e17702155ed61346c560389ea9d0 /nova/db
parent4da60c687706da55b828411cb912cc38179fffe1 (diff)
Alright, first hole poked all the way through. We can now create security groups and read them back.
Diffstat (limited to 'nova/db')
-rw-r--r--nova/db/api.py22
-rw-r--r--nova/db/sqlalchemy/api.py38
-rw-r--r--nova/db/sqlalchemy/models.py54
3 files changed, 113 insertions, 1 deletions
diff --git a/nova/db/api.py b/nova/db/api.py
index b49707392..b67e3afe0 100644
--- a/nova/db/api.py
+++ b/nova/db/api.py
@@ -442,3 +442,25 @@ def volume_update(context, volume_id, values):
"""
return IMPL.volume_update(context, volume_id, values)
+
+####################
+
+
+def security_group_create(context, values):
+ """Create a new security group"""
+ return IMPL.security_group_create(context, values)
+
+
+def security_group_get_by_instance(context, instance_id):
+ """Get security groups to which the instance is assigned"""
+ return IMPL.security_group_get_by_instance(context, instance_id)
+
+
+def security_group_get_by_user(context, user_id):
+ """Get security groups owned by the given user"""
+ return IMPL.security_group_get_by_user(context, user_id)
+
+
+def security_group_destroy(context, security_group_id):
+ """Deletes a security group"""
+ return IMPL.security_group_destroy(context, security_group_id)
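Review bot: The new wrappers do not expose `security_group_get_all`, which the SQLAlchemy backend in this same commit defines, so that function is unreachable through `nova/db/api.py`. Either add the matching `def security_group_get_all(context): return IMPL.security_group_get_all(context)` here or drop the backend function. The docstrings also leave the access-control contract unstated: `security_group_destroy` and `security_group_get_by_instance` take bare ids, and nothing says whether the caller or the backend is expected to confirm that `context` is allowed to touch that group. A line such as `"""Deletes a security group; caller must have verified ownership."""` would make the expectation explicit, if that is the intent.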
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index 5172b87b3..d790d3fac 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -581,3 +581,41 @@ def volume_update(context, volume_id, values):
for (key, value) in values.iteritems():
volume_ref[key] = value
volume_ref.save()
+
+
+###################
+
+
+def security_group_create(_context, values):
+ security_group_ref = models.SecurityGroup()
+ for (key, value) in values.iteritems():
+ security_group_ref[key] = value
+ security_group_ref.save()
+ return security_group_ref
+
+
+def security_group_get_by_instance(_context, instance_id):
+ with managed_session() as session:
+ return session.query(models.Instance) \
+ .get(instance_id) \
+ .security_groups \
+ .all()
+
+
+def security_group_get_by_user(_context, user_id):
+ with managed_session() as session:
+ return session.query(models.SecurityGroup) \
+ .filter_by(user_id=user_id) \
+ .filter_by(deleted=False) \
+ .all()
+
+def security_group_destroy(_context, security_group_id):
+ with managed_session() as session:
+ security_group = session.query(models.SecurityGroup) \
+ .get(security_group_id)
+ security_group.delete(session=session)
+
+def security_group_get_all(_context):
+ return models.SecurityGroup.all()
+
+
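Review bot: `security_group_destroy` deletes whichever row matches `security_group_id` and never consults `_context`, so nothing at this layer stops one user's request from removing another user's group. If callers are meant to enforce ownership, say so in a docstring; otherwise filter on the owner here. Both it and `security_group_get_by_instance` dereference the result of `.get()` directly, which is `None` for an unknown id and surfaces as an `AttributeError`; a guard such as `if security_group is None: raise exception.NotFound(...)` would give callers a meaningful error (this assumes `exception` is imported in this module, which the hunk does not show). `security_group_get_by_instance` also calls `.all()` on `Instance.security_groups`, which the models hunk declares with a plain `backref='security_groups'`; unless `lazy='dynamic'` is set somewhere not visible here, that attribute is a list and has no `.all()`. The same function does not apply the `deleted=False` filter that `security_group_get_by_user` uses.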
diff --git a/nova/db/sqlalchemy/models.py b/nova/db/sqlalchemy/models.py
index 310d4640e..28c25bfbc 100644
--- a/nova/db/sqlalchemy/models.py
+++ b/nova/db/sqlalchemy/models.py
@@ -26,7 +26,7 @@ import datetime
# TODO(vish): clean up these imports
from sqlalchemy.orm import relationship, backref, validates, exc
from sqlalchemy.sql import func
-from sqlalchemy import Column, Integer, String
+from sqlalchemy import Column, Integer, String, Table
from sqlalchemy import ForeignKey, DateTime, Boolean, Text
from sqlalchemy.ext.declarative import declarative_base
@@ -292,6 +292,58 @@ class ExportDevice(BASE, NovaBase):
uselist=False))
+security_group_instance_association = Table('security_group_instance_association',
+ BASE.metadata,
+ Column('security_group_id', Integer,
+ ForeignKey('security_group.id')),
+ Column('instance_id', Integer,
+ ForeignKey('instances.id')))
+
+class SecurityGroup(BASE, NovaBase):
+ """Represents a security group"""
+ __tablename__ = 'security_group'
+ id = Column(Integer, primary_key=True)
+
+ name = Column(String(255))
+ description = Column(String(255))
+
+ user_id = Column(String(255))
+ project_id = Column(String(255))
+
+ instances = relationship(Instance,
+ secondary=security_group_instance_association,
+ backref='security_groups')
+
+ @property
+ def user(self):
+ return auth.manager.AuthManager().get_user(self.user_id)
+
+ @property
+ def project(self):
+ return auth.manager.AuthManager().get_project(self.project_id)
+
+
+class SecurityGroupIngressRule(BASE, NovaBase):
+ """Represents a rule in a security group"""
+ __tablename__ = 'security_group_rules'
+ id = Column(Integer, primary_key=True)
+
+ parent_security_group = Column(Integer, ForeignKey('security_group.id'))
+ protocol = Column(String(5)) # "tcp", "udp", or "icmp"
+ fromport = Column(Integer)
+ toport = Column(Integer)
+
+ # Note: This is not the parent SecurityGroup's owner. It's the owner of
+ # the SecurityGroup we're granting access.
+ user_id = Column(String(255))
+ group_id = Column(Integer, ForeignKey('security_group.id'))
+
+ @property
+ def user(self):
+ return auth.manager.AuthManager().get_user(self.user_id)
+
+ cidr = Column(String(255))
+
class Network(BASE, NovaBase):
"""Represents a network"""
__tablename__ = 'networks'
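Review bot: The `protocol`, `fromport`, `toport` and `cidr` columns of `SecurityGroupIngressRule` accept any value that fits the column type, so a malformed rule would only be caught, if at all, wherever it is later turned into firewall configuration (not visible here). `validates` is already imported at the top of this file, so the model can reject bad values at assignment time. The sketch below covers protocol and ports; `cidr` deserves the same treatment with whatever network-address parser the project already uses. Separately, `parent_security_group` and `group_id` both reference `security_group.id` with no relationship or comment telling them apart beyond the note on `user_id`. `cidr` is declared after the `user` property, and moving it up with the other columns would make the schema easier to read.

```python
class SecurityGroupIngressRule(BASE, NovaBase):
    # … unchanged: table name and column definitions …

    @validates('protocol')
    def validate_protocol(self, key, value):
        """Reject protocols other than the three the column comment lists."""
        if value not in ('tcp', 'udp', 'icmp'):
            raise ValueError("unsupported protocol: %r" % (value,))
        return value

    @validates('fromport', 'toport')
    def validate_port(self, key, value):
        """Reject ports outside -1..65535."""
        # NOTE(review): -1 is assumed to be the ICMP "any" marker; confirm
        # against the API layer before relying on this lower bound.
        if value is not None and not -1 <= int(value) <= 65535:
            raise ValueError("port out of range: %r" % (value,))
        return value
```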