From 2afbbab23a9d845cde511baa1e574fdcf5ab5171 Mon Sep 17 00:00:00 2001 From: David McNally Date: Wed, 1 Aug 2012 15:51:29 +0100 Subject: Making security group refresh more specific Fixes bug 1029495 The trigger_members_refresh method in compute.api.py specifies a group id in the call to refresh_security_group_members. This is just the last group id seen and ignores the fact that a refresh may impact members of multiple groups. This is masked by the fact that on the host the group id is ignored and all instances have their security rules refreshed regardless of if they are part of the changed group or not. This change modifies the logic surrounding refreshes so we send a refresh request for each instance which is affected by a security group change, this ensures we aren't spending time refreshing unaffected instances and also removes the possibility of refreshing an instance multiple times if it is a member of more than one group. Also changed to be instance-centric is the refresh carried out when a rule is added/removed to a security group. Change-Id: Iec98e9aed818fdc4ecc88c8dcdd4ee5fa9386e00
---
 nova/tests/compute/test_compute.py | 129 +++++++++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) (limited to 'nova/tests')
diff --git a/nova/tests/compute/test_compute.py b/nova/tests/compute/test_compute.py
index 08242c2f5..da3f8c1e1 100644
--- a/nova/tests/compute/test_compute.py
+++ b/nova/tests/compute/test_compute.py
@@ -52,6 +52,7 @@ import nova.policy
 from nova import quota
 from nova.scheduler import driver as scheduler_driver
 from nova import test
+from nova.tests.db.fakes import FakeModel
 from nova.tests import fake_network
 from nova.tests.image import fake as fake_image
 from nova import utils
@@ -3918,6 +3919,134 @@ class ComputeAPITestCase(BaseTestCase):
 "/tmp/test", "File Contents")
 db.instance_destroy(self.context, instance['uuid'])
+ def test_secgroup_refresh(self):
+ instance = self._create_fake_instance()
+
+ def rule_get(*args, **kwargs):
+ mock_rule = FakeModel({'parent_group_id': 1})
+ return [mock_rule]
+
+ def group_get(*args, **kwargs):
+ mock_group = FakeModel({'instances': [instance]})
+ return mock_group
+
+ self.stubs.Set(
+ self.compute_api.db,
+ 'security_group_rule_get_by_security_group_grantee',
+ rule_get)
+ self.stubs.Set(self.compute_api.db, 'security_group_get', group_get)
+
+ self.mox.StubOutWithMock(rpc, 'cast')
+ topic = rpc.queue_get_for(self.context, FLAGS.compute_topic,
+ instance['host'])
+ rpc.cast(self.context, topic,
+ {"method": "refresh_instance_security_rules",
+ "args": {'instance': jsonutils.to_primitive(instance)},
+ "version": '1.41'})
+ self.mox.ReplayAll()
+
+ self.security_group_api.trigger_members_refresh(self.context, [1])
+
+ def test_secgroup_refresh_once(self):
+ instance = self._create_fake_instance()
+
+ def rule_get(*args, **kwargs):
+ mock_rule = FakeModel({'parent_group_id': 1})
+ return [mock_rule]
+
+ def group_get(*args, **kwargs):
+ mock_group = FakeModel({'instances': [instance]})
+ return mock_group
+
+ self.stubs.Set(
+ self.compute_api.db,
+ 'security_group_rule_get_by_security_group_grantee',
+ rule_get)
+ self.stubs.Set(self.compute_api.db, 'security_group_get', group_get)
+
+ self.mox.StubOutWithMock(rpc, 'cast')
+ topic = rpc.queue_get_for(self.context, FLAGS.compute_topic,
+ instance['host'])
+ rpc.cast(self.context, topic,
+ {"method": "refresh_instance_security_rules",
+ "args": {'instance': jsonutils.to_primitive(instance)},
+ "version": '1.41'})
+ self.mox.ReplayAll()
+
+ self.security_group_api.trigger_members_refresh(self.context, [1, 2])
+
+ def test_secgroup_refresh_none(self):
+ def rule_get(*args, **kwargs):
+ mock_rule = FakeModel({'parent_group_id': 1})
+ return [mock_rule]
+
+ def group_get(*args, **kwargs):
+ mock_group = FakeModel({'instances': []})
+ return mock_group
+
+ self.stubs.Set(
+ self.compute_api.db,
+ 'security_group_rule_get_by_security_group_grantee',
+ rule_get)
+ self.stubs.Set(self.compute_api.db, 'security_group_get', group_get)
+
+ self.mox.StubOutWithMock(rpc, 'cast')
+ self.mox.ReplayAll()
+
+ self.security_group_api.trigger_members_refresh(self.context, [1])
+
+ def test_secrule_refresh(self):
+ instance = self._create_fake_instance()
+
+ def group_get(*args, **kwargs):
+ mock_group = FakeModel({'instances': [instance]})
+ return mock_group
+
+ self.stubs.Set(self.compute_api.db, 'security_group_get', group_get)
+
+ self.mox.StubOutWithMock(rpc, 'cast')
+ topic = rpc.queue_get_for(self.context, FLAGS.compute_topic,
+ instance['host'])
+ rpc.cast(self.context, topic,
+ {"method": "refresh_instance_security_rules",
+ "args": {'instance': jsonutils.to_primitive(instance)},
+ "version": '1.41'})
+ self.mox.ReplayAll()
+
+ self.security_group_api.trigger_rules_refresh(self.context, [1])
+
+ def test_secrule_refresh_once(self):
+ instance = self._create_fake_instance()
+
+ def group_get(*args, **kwargs):
+ mock_group = FakeModel({'instances': [instance]})
+ return mock_group
+
+ self.stubs.Set(self.compute_api.db, 'security_group_get', group_get)
+
+ self.mox.StubOutWithMock(rpc, 'cast')
+ topic = rpc.queue_get_for(self.context, FLAGS.compute_topic,
+ instance['host'])
+ rpc.cast(self.context, topic,
+ {"method": "refresh_instance_security_rules",
+ "args": {'instance': jsonutils.to_primitive(instance)},
+ "version": '1.41'})
+ self.mox.ReplayAll()
+
+ self.security_group_api.trigger_rules_refresh(self.context, [1, 2])
+
+ def test_secrule_refresh_none(self):
+ def group_get(*args, **kwargs):
+ mock_group = FakeModel({'instances': []})
+ return mock_group
+
+ self.stubs.Set(self.compute_api.db, 'security_group_get', group_get)
+
+ self.mox.StubOutWithMock(rpc, 'cast')
+ self.mox.ReplayAll()
+
self.security_group_api.trigger_rules_refresh(self.context, [1, 2])
+
 def fake_rpc_method(context, topic, msg, do_cast=True):
 pass
-- cgit
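Review bot: None of the six new tests calls `self.mox.VerifyAll()` after the trigger call, so nothing visible in this hunk asserts that the recorded `rpc.cast` for `refresh_instance_security_rules` was actually sent; the replayed mock only rejects an unexpected cast. ComputeAPITestCase and its base class start outside the hunk, so if their tearDown does not verify, test_secgroup_refresh, test_secgroup_refresh_once, test_secrule_refresh and test_secrule_refresh_once would keep passing after a regression that drops the refresh and leaves stale security group rules on the host. Add `self.mox.VerifyAll()` as the last line of each of those four tests, or a comment such as `# rpc.cast expectations are verified in tearDown` if that is the case. Separately, in test_secgroup_refresh_once `rule_get` returns `parent_group_id` 1 for every grantee id, so it appears to exercise de-duplication of group ids rather than one instance belonging to two distinct groups; returning `[FakeModel({'parent_group_id': 1}), FakeModel({'parent_group_id': 2})]` would cover the case the commit message describes.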