Separated out creation of ACL policy set and policy in VNMC
parent
1e38515f35
commit
124a48819d
|
|
@ -3,7 +3,7 @@
|
|||
inHierarchical="false">
|
||||
<inConfigs>
|
||||
<pair key="%espdn%" >
|
||||
<policyVirtualNetworkEdgeProfile
|
||||
<policyVirtualNetworkEdgeProfile
|
||||
connTimeoutRef=""
|
||||
descr="%descr%"
|
||||
dn="%espdn%"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,21 @@
|
|||
|
||||
<configConfMos
|
||||
cookie="%cookie%"
|
||||
inHierarchical="false">
|
||||
|
||||
<inConfigs>
|
||||
<pair key="%aclpolicyrefdn%">
|
||||
<policyPolicyNameRef
|
||||
dn="%aclpolicyrefdn%"
|
||||
order="100"
|
||||
policyName="%aclpolicyname%"
|
||||
status="created"/>
|
||||
</pair>
|
||||
|
||||
</inConfigs>
|
||||
</configConfMos>
|
||||
|
||||
<!--
|
||||
aclpolicyrefdn="org-root/org-vlan-123/org-VDC-vlan-123/pset-Ingress-ACL-Policy-Set-vlan-123/polref-aaa"
|
||||
aclpolicyname="aaa"
|
||||
--!>
|
||||
|
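Review bot: The closing marker `--!>` on the last line of the new create-acl-policy-ref template is not a valid XML comment terminator (`-->`), so a strict XML parser would reject the whole document. The same marker already appears in the existing policy-set and ACL-rule templates touched by this commit, so the loader presumably ships the text unparsed or the device tolerates it, but a newly added file should not repeat the mistake. Change the last line to `-->`; the sample values inside the comment are documentation only, so nothing else in the template is affected.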
|
@ -3,13 +3,6 @@
|
|||
cookie="%cookie%"
|
||||
inHierarchical="false">
|
||||
<inConfigs>
|
||||
<pair key="%aclpolicyrefdn%">
|
||||
<policyPolicyNameRef
|
||||
dn="%aclpolicyrefdn%"
|
||||
order="100"
|
||||
policyName="%aclpolicyname%"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclpolicysetdn%">
|
||||
<policyPolicySet
|
||||
descr=""
|
||||
|
|
@ -21,8 +14,6 @@
|
|||
</configConfMos>
|
||||
|
||||
<!--
|
||||
aclpolicysetdn="org-root/org-vlan-123/org-VDC-vlan-123/pset-foo"
|
||||
aclpolicysetname="foo"
|
||||
aclpolicyrefdn="org-root/org-vlan-123/org-VDC-vlan-123/pset-foo/polref-bar"
|
||||
aclpolicyname="bar"
|
||||
aclpolicysetdn="org-root/org-vlan-123/org-VDC-vlan-123/pset-foo"
|
||||
aclpolicysetname="foo"
|
||||
--!>
|
||||
|
|
@ -170,13 +170,13 @@
|
|||
</configConfMos>
|
||||
|
||||
<!--
|
||||
aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy"
|
||||
aclrulename="dummy"
|
||||
actiontype="drop" or "permit"
|
||||
protocolvalue = "TCP" or UDP or ICMP
|
||||
sourcestartip="source start ip"
|
||||
sourceendip="source end ip"
|
||||
startport="start port at destination"
|
||||
endport="end port at destination"
|
||||
destinationip="public ip at destination"
|
||||
aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy"
|
||||
aclrulename="dummy"
|
||||
actiontype="drop" or "permit"
|
||||
protocolvalue = "TCP" or UDP or ICMP
|
||||
sourcestartip="source start ip"
|
||||
sourceendip="source end ip"
|
||||
startport="start port at destination"
|
||||
endport="end port at destination"
|
||||
destinationip="public ip at destination"
|
||||
--!>
|
||||
|
|
|
|||
|
|
@ -64,18 +64,23 @@ public interface CiscoVnmcConnection {
|
|||
public boolean associateNatPolicySet(String tenantName)
|
||||
throws ExecutionException;
|
||||
|
||||
public boolean createIngressAclRule(String tenantName, String identifier,
|
||||
public boolean createIngressAclRule(String tenantName,
|
||||
String identifier, String policyIdentifier,
|
||||
String protocol, String sourceStartIp, String sourceEndIp,
|
||||
String destStartPort, String destEndPort, String destIp)
|
||||
throws ExecutionException;
|
||||
|
||||
public boolean deleteAclRule(String tenantName, String identifier)
|
||||
public boolean deleteAclRule(String policyIdentifier,
|
||||
String identifier, String destIp)
|
||||
throws ExecutionException;
|
||||
|
||||
public boolean createTenantVDCAclPolicy(String tenantName, boolean ingress)
|
||||
throws ExecutionException;
|
||||
public boolean createTenantVDCAclPolicy(String tenantName, String identifier,
|
||||
boolean ingress) throws ExecutionException;
|
||||
|
||||
public boolean deleteTenantVDCAclPolicy(String tenantName, boolean ingress)
|
||||
public boolean createTenantVDCAclPolicyRef(String tenantName, String identifier,
|
||||
boolean ingress) throws ExecutionException;
|
||||
|
||||
public boolean deleteTenantVDCAclPolicy(String tenantName, String identifier)
|
||||
throws ExecutionException;
|
||||
|
||||
public boolean createTenantVDCAclPolicySet(String tenantName, boolean ingress)
|
||||
|
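Review bot: The new `deleteAclRule(String policyIdentifier, String identifier, String destIp)` declaration does not match the implementation in the CiscoVnmcConnectionImpl hunk at @ -689,12 +707,12, which is declared `deleteAclRule(String tenantName, String identifier, String policyIdentifier)` and builds the rule DN from its first argument as the tenant and its third as the policy identifier. Because all three parameters are String the compiler cannot catch the swap, and the commented-out caller in the CiscoVnmcResource hunk passes `(tenant, ruleId, publicIp)` — the raw public IP rather than the dotted-to-dashed policyIdentifier used on creation — so once re-enabled the computed DN would not name the rule that was created and the revoke would silently miss. Align the interface with the implementation, `public boolean deleteAclRule(String tenantName, String identifier, String policyIdentifier)`, and have the caller pass `policyIdentifier`.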
|
|
|||
|
|
@ -66,6 +66,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
|
|||
DELETE_ACL_RULE("delete-acl-rule.xml", "policy-mgr"),
|
||||
CREATE_ACL_POLICY("create-acl-policy.xml", "policy-mgr"),
|
||||
DELETE_ACL_POLICY("delete-acl-policy.xml", "policy-mgr"),
|
||||
CREATE_ACL_POLICY_REF("create-acl-policy-ref.xml", "policy-mgr"),
|
||||
CREATE_ACL_POLICY_SET("create-acl-policy-set.xml", "policy-mgr"),
|
||||
RESOLVE_ACL_POLICY_SET("associate-acl-policy-set.xml", "policy-mgr"),
|
||||
CREATE_EDGE_FIREWALL("create-edge-firewall.xml", "resource-mgr"),
|
||||
|
|
@ -566,37 +567,38 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
|
|||
return getDnForTenantVDC(tenantName) + "/pset-" + getNameForAclPolicySet(tenantName, ingress) ;
|
||||
}
|
||||
|
||||
private String getNameForAclPolicy(String tenantName, boolean ingress) {
|
||||
return (ingress ? "Ingress-" : "Egress-") + "ACL-For-" + tenantName;
|
||||
private String getNameForAclPolicy(String tenantName, String identifier) {
|
||||
return "Policy-" + tenantName + "-" + identifier;
|
||||
}
|
||||
|
||||
private String getDnForAclPolicy(String tenantName, boolean ingress) {
|
||||
return getDnForTenantVDC(tenantName) + "/pol-" + getNameForAclPolicy(tenantName, ingress);
|
||||
private String getDnForAclPolicy(String tenantName, String identifier) {
|
||||
return getDnForTenantVDC(tenantName) + "/pol-" + getNameForAclPolicy(tenantName, identifier);
|
||||
}
|
||||
|
||||
private String getDnForAclPolicyRef(String tenantName, boolean ingress) {
|
||||
return getDnForAclPolicySet(tenantName, ingress) + "/polref-" + getNameForAclPolicy(tenantName, ingress);
|
||||
private String getDnForAclPolicyRef(String tenantName, String identifier, boolean ingress) {
|
||||
return getDnForAclPolicySet(tenantName, ingress) + "/polref-" + getNameForAclPolicy(tenantName, identifier);
|
||||
}
|
||||
|
||||
private String getNameForAclRule(String tenantName, String identifier, boolean ingress) {
|
||||
return (ingress ? "Ingress-" : "Egress-") + "ACL-Rule-For-" + tenantName + "-" + identifier;
|
||||
private String getNameForAclRule(String tenantName, String identifier) {
|
||||
return "Rule-" + tenantName + "-" + identifier;
|
||||
}
|
||||
|
||||
private String getDnForAclRule(String tenantName, String identifier, boolean ingress) {
|
||||
return getDnForAclPolicy(tenantName, ingress) + "/rule-" + getNameForAclRule(tenantName, identifier, ingress);
|
||||
private String getDnForAclRule(String tenantName, String identifier, String policyIdentifier) {
|
||||
return getDnForAclPolicy(tenantName, policyIdentifier) + "/rule-" + getNameForAclRule(tenantName, identifier);
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see com.cloud.network.resource.CiscoVnmcConnection#createTenantVDCAclPolicy(java.lang.String)
|
||||
*/
|
||||
@Override
|
||||
public boolean createTenantVDCAclPolicy(String tenantName, boolean ingress) throws ExecutionException {
|
||||
public boolean createTenantVDCAclPolicy(String tenantName, String identifier, boolean ingress) throws ExecutionException {
|
||||
String xml = VnmcXml.CREATE_ACL_POLICY.getXml();
|
||||
String service = VnmcXml.CREATE_ACL_POLICY.getService();
|
||||
xml = replaceXmlValue(xml, "cookie", _cookie);
|
||||
//xml = replaceXmlValue(xml, "descr", "ACL Policy for Tenant VDC " + tenantName);
|
||||
xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, ingress));
|
||||
xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, ingress));
|
||||
xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, identifier));
|
||||
xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, identifier));
|
||||
xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, identifier, ingress));
|
||||
|
||||
String response = sendRequest(service, xml);
|
||||
|
||||
|
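Review bot: `createTenantVDCAclPolicy` still substitutes `aclpolicyrefdn` on its last replaceXmlValue line even though policy-ref creation now lives in the separate `createTenantVDCAclPolicyRef` with its own template; unless create-acl-policy.xml (not shown in this commit) still carries a `%aclpolicyrefdn%` placeholder, that line and the `ingress` parameter that only feeds it are dead and should be dropped, or a comment should say why the policy template needs the ref DN. The Javadoc `@see ...#createTenantVDCAclPolicy(java.lang.String)` no longer matches the three-argument signature and should list the new parameters; the same applies to the new `createTenantVDCAclPolicyRef` in the next hunk, whose `@see` points at `createTenantVDCAclPolicySet` and which also substitutes an `aclpolicydn` that the new create-acl-policy-ref template does not contain. The body of createTenantVDCAclPolicy continues past the end of the hunk.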
|
@ -607,12 +609,29 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
|
|||
* @see com.cloud.network.resource.CiscoVnmcConnection#deleteTenantVDCAclPolicy(java.lang.String)
|
||||
*/
|
||||
@Override
|
||||
public boolean deleteTenantVDCAclPolicy(String tenantName, boolean ingress) throws ExecutionException {
|
||||
public boolean deleteTenantVDCAclPolicy(String tenantName, String identifier) throws ExecutionException {
|
||||
String xml = VnmcXml.DELETE_ACL_POLICY.getXml();
|
||||
String service = VnmcXml.DELETE_ACL_POLICY.getService();
|
||||
xml = replaceXmlValue(xml, "cookie", _cookie);
|
||||
xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, ingress));
|
||||
xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, ingress));
|
||||
xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, identifier));
|
||||
xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, identifier));
|
||||
|
||||
String response = sendRequest(service, xml);
|
||||
|
||||
return verifySuccess(response);
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see com.cloud.network.resource.CiscoVnmcConnection#createTenantVDCAclPolicySet(java.lang.String)
|
||||
*/
|
||||
@Override
|
||||
public boolean createTenantVDCAclPolicyRef(String tenantName, String identifier, boolean ingress) throws ExecutionException {
|
||||
String xml = VnmcXml.CREATE_ACL_POLICY_REF.getXml();
|
||||
String service = VnmcXml.CREATE_ACL_POLICY_REF.getService();
|
||||
xml = replaceXmlValue(xml, "cookie", _cookie);
|
||||
xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, identifier));
|
||||
xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, identifier));
|
||||
xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, identifier, ingress));
|
||||
|
||||
String response = sendRequest(service, xml);
|
||||
|
||||
|
|
@ -628,10 +647,8 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
|
|||
String service = VnmcXml.CREATE_ACL_POLICY_SET.getService();
|
||||
xml = replaceXmlValue(xml, "cookie", _cookie);
|
||||
//xml = replaceXmlValue(xml, "descr", "ACL Policy Set for Tenant VDC " + tenantName);
|
||||
xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, ingress));
|
||||
xml = replaceXmlValue(xml, "aclpolicysetname", getNameForAclPolicySet(tenantName, ingress));
|
||||
xml = replaceXmlValue(xml, "aclpolicysetdn", getDnForAclPolicySet(tenantName, ingress));
|
||||
xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, ingress));
|
||||
|
||||
String response = sendRequest(service, xml);
|
||||
|
||||
|
|
@ -663,15 +680,16 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
|
|||
* @see com.cloud.network.resource.CiscoVnmcConnection#createIngressAclRule(java.lang.String)
|
||||
*/
|
||||
@Override
|
||||
public boolean createIngressAclRule(String tenantName, String identifier,
|
||||
public boolean createIngressAclRule(String tenantName,
|
||||
String identifier, String policyIdentifier,
|
||||
String protocol, String sourceStartIp, String sourceEndIp,
|
||||
String destStartPort, String destEndPort, String destIp) throws ExecutionException {
|
||||
String xml = VnmcXml.CREATE_INGRESS_ACL_RULE.getXml();
|
||||
String service = VnmcXml.CREATE_INGRESS_ACL_RULE.getService();
|
||||
xml = replaceXmlValue(xml, "cookie", _cookie);
|
||||
//xml = replaceXmlValue(xml, "descr", "Ingress ACL Policy for Tenant VDC" + tenantName);
|
||||
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, true));
|
||||
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier, true));
|
||||
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
|
||||
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
|
||||
xml = replaceXmlValue(xml, "actiontype", "permit");
|
||||
xml = replaceXmlValue(xml, "protocolvalue", protocol);
|
||||
xml = replaceXmlValue(xml, "sourcestartip", sourceStartIp);
|
||||
|
|
@ -689,12 +707,12 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
|
|||
* @see com.cloud.network.resource.CiscoVnmcConnection#deleteAclRule(java.lang.String)
|
||||
*/
|
||||
@Override
|
||||
public boolean deleteAclRule(String tenantName, String identifier) throws ExecutionException {
|
||||
public boolean deleteAclRule(String tenantName, String identifier, String policyIdentifier) throws ExecutionException {
|
||||
String xml = VnmcXml.DELETE_ACL_RULE.getXml();
|
||||
String service = VnmcXml.DELETE_ACL_RULE.getService();
|
||||
xml = replaceXmlValue(xml, "cookie", _cookie);
|
||||
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, true));
|
||||
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier, true));
|
||||
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
|
||||
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
|
||||
|
||||
String response = sendRequest(service, xml);
|
||||
|
||||
|
|
|
|||
|
|
@ -147,7 +147,6 @@ public class CiscoVnmcElement extends AdapterBase implements SourceNatServicePro
|
|||
CiscoAsa1000vDao _ciscoAsa1000vDao;
|
||||
@Inject
|
||||
NetworkAsa1000vMapDao _networkAsa1000vMapDao;
|
||||
|
||||
|
||||
private boolean canHandle(Network network) {
|
||||
if (network.getBroadcastDomainType() != BroadcastDomainType.Vlan) {
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@
|
|||
package com.cloud.network.resource;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
|
|
@ -319,39 +320,53 @@ public class CiscoVnmcResource implements ServerResource{
|
|||
private Answer execute(SetFirewallRulesCommand cmd, int numRetries) {
|
||||
String vlanId = cmd.getContextParam(NetworkElementCommand.GUEST_VLAN_TAG);
|
||||
String tenant = "vlan-" + vlanId;
|
||||
|
||||
FirewallRuleTO[] rules = cmd.getRules();
|
||||
Map<String, List<FirewallRuleTO>> publicIpRulesMap = new HashMap<String, List<FirewallRuleTO>>();
|
||||
for (FirewallRuleTO rule : rules) {
|
||||
String publicIp = rule.getSrcIp();
|
||||
if (!publicIpRulesMap.containsKey(publicIp)) {
|
||||
List<FirewallRuleTO> publicIpRulesList = new ArrayList<FirewallRuleTO>();
|
||||
publicIpRulesMap.put(publicIp, publicIpRulesList);
|
||||
}
|
||||
publicIpRulesMap.get(publicIp).add(rule);
|
||||
}
|
||||
|
||||
try {
|
||||
// create-acl-policy-set for ingress
|
||||
_connection.createTenantVDCAclPolicySet(tenant, true);
|
||||
|
||||
// delete-acl-policy for ingress
|
||||
_connection.deleteTenantVDCAclPolicy(tenant, true);
|
||||
// delete-acl-policy for egress
|
||||
|
||||
// create-acl-policy for ingress
|
||||
_connection.createTenantVDCAclPolicy(tenant, true);
|
||||
|
||||
// create-acl-policy-set for egress
|
||||
// create-acl-policy for egress
|
||||
|
||||
FirewallRuleTO[] rules = cmd.getRules();
|
||||
for (FirewallRuleTO rule : rules) {
|
||||
if (rule.revoked()) {
|
||||
// delete-acl-rule
|
||||
//_connection.deleteAclRule(tenant, Long.toString(rule.getId()));
|
||||
} else {
|
||||
String cidr = rule.getSourceCidrList().get(0);
|
||||
String[] result = cidr.split("\\/");
|
||||
assert (result.length == 2) : "Something is wrong with source cidr " + cidr;
|
||||
long size = Long.valueOf(result[1]);
|
||||
String startIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size);
|
||||
String endIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size);
|
||||
// create-ingress-acl-rule
|
||||
_connection.createIngressAclRule(tenant,
|
||||
Long.toString(rule.getId()), rule.getProtocol().toUpperCase(), startIp, endIp,
|
||||
Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), rule.getSrcIp());
|
||||
for (String publicIp : publicIpRulesMap.keySet()) {
|
||||
String policyIdentifier = publicIp.replace('.', '-');
|
||||
// delete-acl-policy for ingress
|
||||
_connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier);
|
||||
// delete-acl-policy for egress
|
||||
|
||||
// create-acl-policy for ingress
|
||||
_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true);
|
||||
_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true);
|
||||
// create-acl-policy for egress
|
||||
|
||||
for (FirewallRuleTO rule : publicIpRulesMap.get(publicIp)) {
|
||||
if (rule.revoked()) {
|
||||
// delete-acl-rule
|
||||
//_connection.deleteAclRule(tenant, Long.toString(rule.getId()), publicIp);
|
||||
} else {
|
||||
String cidr = rule.getSourceCidrList().get(0);
|
||||
String[] result = cidr.split("\\/");
|
||||
assert (result.length == 2) : "Something is wrong with source cidr " + cidr;
|
||||
long size = Long.valueOf(result[1]);
|
||||
String externalStartIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size);
|
||||
String externalEndIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size);
|
||||
// create-ingress-acl-rule
|
||||
_connection.createIngressAclRule(tenant,
|
||||
Long.toString(rule.getId()), policyIdentifier,
|
||||
rule.getProtocol().toUpperCase(), externalStartIp, externalEndIp,
|
||||
Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), publicIp);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// associate-acl-policy-set
|
||||
_connection.associateAclPolicySet(tenant);
|
||||
} catch (Throwable e) {
|
||||
|
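Review bot: Every `_connection.*` call added in the per-public-IP loop (`deleteTenantVDCAclPolicy`, `createTenantVDCAclPolicy`, `createTenantVDCAclPolicyRef`, `createIngressAclRule`) returns the boolean from verifySuccess and the new code discards all of them, so a rejected policy or policy-ref creation goes unnoticed and the rule creations that follow fail just as silently; only a thrown Throwable reaches the catch. Since this loop is what enforces the tenant's firewall rules on the device, an ignored false means the command can complete with rules missing, so capture each result, e.g. `boolean ok = _connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true);`, and fail the command (or at least log it) when it is false. `policyIdentifier = publicIp.replace('.', '-')` assumes an IPv4 public IP and deserves a comment saying so. The execute method continues past the end of the hunk, so what is returned after the catch is not visible here.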
|
|
|||