-rw-r--r--nova/api/ec2/cloud.py17
-rw-r--r--nova/auth/manager.py14
-rw-r--r--nova/db/api.py5
-rw-r--r--nova/db/sqlalchemy/api.py6
-rw-r--r--nova/test.py2
5 files changed, 30 insertions, 14 deletions
diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index 4cf2666a5..d54562ec6 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -244,6 +244,7 @@ class CloudController(object):
return True
def describe_security_groups(self, context, group_name=None, **kwargs):
+ self._ensure_default_security_group(context)
if context.user.is_admin():
groups = db.security_group_get_all(context)
else:
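Review bot: `describe_security_groups` is a read operation, but the added `self._ensure_default_security_group(context)` call makes it insert a row whenever the project has no 'default' group. A caller who only lists groups now causes a database write, and for an admin (who gets `security_group_get_all`) the group is created in whatever project the context carries. If lazy creation on read is intended, a comment at the call such as `# lazily create the project's 'default' group so it always appears in listings` would record that. The function body continues outside the hunk.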
@@ -326,6 +327,7 @@ class CloudController(object):
return values
def revoke_security_group_ingress(self, context, group_name, **kwargs):
+ self._ensure_default_security_group(context)
security_group = db.security_group_get_by_name(context,
context.project.id,
group_name)
@@ -351,6 +353,7 @@ class CloudController(object):
# for these operations, so support for newer API versions
# is sketchy.
def authorize_security_group_ingress(self, context, group_name, **kwargs):
+ self._ensure_default_security_group(context)
security_group = db.security_group_get_by_name(context,
context.project.id,
group_name)
@@ -383,6 +386,7 @@ class CloudController(object):
def create_security_group(self, context, group_name, group_description):
+ self._ensure_default_security_group(context)
if db.securitygroup_exists(context, context.project.id, group_name):
raise exception.ApiError('group %s already exists' % group_name)
@@ -673,6 +677,18 @@ class CloudController(object):
"project_id": context.project.id}})
return db.queue_get_for(context, FLAGS.network_topic, host)
+ def _ensure_default_security_group(self, context):
+ try:
+ db.security_group_get_by_name(context,
+ context.project.id,
+ 'default')
+ except exception.NotFound:
+ values = { 'name' : 'default',
+ 'description' : 'default',
+ 'user_id' : context.user.id,
+ 'project_id' : context.project.id }
+ group = db.security_group_create({}, values)
+
def run_instances(self, context, **kwargs):
instance_type = kwargs.get('instance_type', 'm1.small')
if instance_type not in INSTANCE_TYPES:
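Review bot: The lookup-then-create in `_ensure_default_security_group` is not atomic, so two concurrent requests for a project without a 'default' group can both hit `NotFound` and both insert one; nothing visible here (such as a unique constraint on project and name) prevents the duplicate. The create call also passes `{}` instead of the request context and binds an unused `group`; `db.security_group_create(context, values)` would keep the caller's context on the write. Because the commit also removes group cleanup from project deletion in nova/auth/manager.py, a 'default' group left behind by a deleted project would presumably be found by this lookup if the project id is reused, ingress rules included; that is worth confirming. A one-line docstring such as `"""Create the project's 'default' security group if it does not exist yet."""` would also help.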
@@ -725,6 +741,7 @@ class CloudController(object):
security_group_arg = [security_group_arg]
security_groups = []
+ self._ensure_default_security_group(context)
for security_group_name in security_group_arg:
group = db.security_group_get_by_name(context,
context.project.id,
diff --git a/nova/auth/manager.py b/nova/auth/manager.py
index 7075070cf..bea4c7933 100644
--- a/nova/auth/manager.py
+++ b/nova/auth/manager.py
@@ -491,11 +491,6 @@ class AuthManager(object):
drv.delete_project(project.id)
raise
- values = { 'name' : 'default',
- 'description' : 'default',
- 'user_id' : User.safe_id(manager_user),
- 'project_id' : project.id }
- db.security_group_create({}, values)
return project
def modify_project(self, project, manager_user=None, description=None):
@@ -571,15 +566,6 @@ class AuthManager(object):
except:
logging.exception('Could not destroy network for %s',
project)
- try:
- project_id = Project.safe_id(project)
- groups = db.security_group_get_by_project(context={},
- project_id=project_id)
- for group in groups:
- db.security_group_destroy({}, group['id'])
- except:
- logging.exception('Could not destroy security groups for %s',
- project)
with self.driver() as drv:
drv.delete_project(Project.safe_id(project))
diff --git a/nova/db/api.py b/nova/db/api.py
index 602c3cf09..5e033b59d 100644
--- a/nova/db/api.py
+++ b/nova/db/api.py
@@ -604,6 +604,11 @@ def security_group_destroy(context, security_group_id):
return IMPL.security_group_destroy(context, security_group_id)
+def security_group_destroy_all(context):
+ """Deletes a security group"""
+ return IMPL.security_group_destroy_all(context)
+
+
####################
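Review bot: The docstring on `security_group_destroy_all` says `"""Deletes a security group"""`, apparently copied from the single-group function above, but the call takes no group id and the SQLAlchemy implementation in this commit marks every group and rule deleted. Something like `"""Mark all security groups and rules as deleted, across every project (used by test teardown)."""` would keep a reader from mistaking it for a per-group or per-project operation.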
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index d2847506e..07ea5d145 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -947,6 +947,12 @@ def security_group_destroy(_context, security_group_id):
'where group_id=:id',
{'id': security_group_id})
+def security_group_destroy_all(_context):
+ session = get_session()
+ with session.begin():
+ # TODO(vish): do we have to use sql here?
+ session.execute('update security_group set deleted=1')
+ session.execute('update security_group_rules set deleted=1')
###################
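Review bot: `security_group_destroy_all` ignores `_context` and runs two unfiltered `update ... set deleted=1` statements, so any caller wipes security groups and rules for all projects with no admin or project check visible in this hunk. The only caller added in this commit is the test teardown in nova/test.py, which passes `None`; if that is the sole intended use, consider keeping the helper out of the production db API or rejecting non-admin contexts. At minimum add a docstring, e.g. `"""Soft-delete every security group and rule. Test cleanup only."""`. Whether authorization is enforced elsewhere in the db layer is not visible here.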
diff --git a/nova/test.py b/nova/test.py
index c392c8a84..5ed0c73d3 100644
--- a/nova/test.py
+++ b/nova/test.py
@@ -31,6 +31,7 @@ from tornado import ioloop
from twisted.internet import defer
from twisted.trial import unittest
+from nova import db
from nova import fakerabbit
from nova import flags
@@ -74,6 +75,7 @@ class TrialTestCase(unittest.TestCase):
if FLAGS.fake_rabbit:
fakerabbit.reset_all()
+ db.security_group_destroy_all(None)
def flags(self, **kw):
"""Override flag variables for a test"""