Don't allow enabling securityGroup service for Isolated networks
This commit is contained in:
parent
346a6fe80a
commit
be21a5e37c
@ -288,5 +288,6 @@ public class ApiConstants {
|
|||
public static final String KVM_NETWORK_LABEL = "kvmnetworklabel";
|
||||
public static final String VMWARE_NETWORK_LABEL = "vmwarenetworklabel";
|
||||
public static final String NETWORK_SERVICE_PROVIDER_ID = "nspid";
|
||||
public static final String SECURITY_GROUP_SERVICE = "securitygroupservice";
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
|
|||
@Parameter(name=ApiConstants.TAGS, type=CommandType.STRING, description="the tags for the network offering.")
|
||||
private String tags;
|
||||
|
||||
@Parameter(name=ApiConstants.SPECIFY_VLAN, type=CommandType.BOOLEAN, description="true is network offering supports vlans")
|
||||
@Parameter(name=ApiConstants.SPECIFY_VLAN, type=CommandType.BOOLEAN, description="true if network offering supports vlans")
|
||||
private Boolean specifyVlan;
|
||||
|
||||
@Parameter(name=ApiConstants.AVAILABILITY, type=CommandType.STRING, description="the availability of network offering. Default value is Required")
|
||||
|
|
@ -70,30 +70,33 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
|
|||
@Parameter(name=ApiConstants.NETWORKRATE, type=CommandType.INTEGER, description="data transfer rate in megabits per second allowed.")
|
||||
private Integer networkRate;
|
||||
|
||||
@Parameter(name=ApiConstants.DHCP_SERVICE, type=CommandType.BOOLEAN, description="true is network offering supports dhcp service")
|
||||
@Parameter(name=ApiConstants.DHCP_SERVICE, type=CommandType.BOOLEAN, description="true if network offering supports dhcp service")
|
||||
private Boolean dhcpService;
|
||||
|
||||
@Parameter(name=ApiConstants.DNS_SERVICE, type=CommandType.BOOLEAN, description="true is network offering supports dns service")
|
||||
@Parameter(name=ApiConstants.DNS_SERVICE, type=CommandType.BOOLEAN, description="true if network offering supports dns service")
|
||||
private Boolean dnsService;
|
||||
|
||||
@Parameter(name=ApiConstants.GATEWAY_SERVICE, type=CommandType.BOOLEAN, description="true is network offering supports gateway service")
|
||||
@Parameter(name=ApiConstants.GATEWAY_SERVICE, type=CommandType.BOOLEAN, description="true if network offering supports gateway service")
|
||||
private Boolean gatewayService;
|
||||
|
||||
@Parameter(name=ApiConstants.FIREWALL_SERVICE, type=CommandType.BOOLEAN, description="true is network offering supports firewall service")
|
||||
@Parameter(name=ApiConstants.FIREWALL_SERVICE, type=CommandType.BOOLEAN, description="true if network offering supports firewall service")
|
||||
private Boolean firewallService;
|
||||
|
||||
@Parameter(name=ApiConstants.LB_SERVICE, type=CommandType.BOOLEAN, description="true is network offering supports lb service")
|
||||
@Parameter(name=ApiConstants.LB_SERVICE, type=CommandType.BOOLEAN, description="true if network offering supports lb service")
|
||||
private Boolean lbService;
|
||||
|
||||
@Parameter(name=ApiConstants.USERDATA_SERVICE, type=CommandType.BOOLEAN, description="true is network offering supports user data service")
|
||||
@Parameter(name=ApiConstants.USERDATA_SERVICE, type=CommandType.BOOLEAN, description="true if network offering supports user data service")
|
||||
private Boolean userdataService;
|
||||
|
||||
@Parameter(name=ApiConstants.SOURCE_NAT_SERVICE, type=CommandType.BOOLEAN, description="true is network offering supports source nat service")
|
||||
@Parameter(name=ApiConstants.SOURCE_NAT_SERVICE, type=CommandType.BOOLEAN, description="true if network offering supports source nat service")
|
||||
private Boolean sourceNatService;
|
||||
|
||||
@Parameter(name=ApiConstants.VPN_SERVICE, type=CommandType.BOOLEAN, description="true is network offering supports vpn service")
|
||||
@Parameter(name=ApiConstants.VPN_SERVICE, type=CommandType.BOOLEAN, description="true if network offering supports vpn service")
|
||||
private Boolean vpnService;
|
||||
|
||||
@Parameter(name=ApiConstants.SECURITY_GROUP_SERVICE, type=CommandType.BOOLEAN, description="true if network offering supports security service")
|
||||
private Boolean securityGroupService;
|
||||
|
||||
@Parameter(name = ApiConstants.SERVICE_PROVIDER_LIST, type = CommandType.MAP, description = "provider to service mapping. If not specified, the provider for the service will be mapped to the default provider on the physical network")
|
||||
private Map serviceProviderList;
|
||||
|
||||
|
|
@ -176,6 +179,10 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
|
|||
return vpnService == null ? false : vpnService;
|
||||
}
|
||||
|
||||
public Boolean getSecurityGroupService() {
|
||||
return securityGroupService == null ? false : securityGroupService;
|
||||
}
|
||||
|
||||
public String getGuestIpType() {
|
||||
return guestIptype;
|
||||
}
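Review bot: The `@Parameter` added for `securityGroupService` describes it as "true if network offering supports security service", which names something other than the field, the `SECURITY_GROUP_SERVICE` constant and the `securitygroupservice` API name it is bound to; `description="true if network offering supports security group service"` would match the sibling flags. The same wording is used on the corresponding parameter added to UpdateNetworkOfferingCmd, so both should change together. `getSecurityGroupService()` follows the existing getters in mapping a null parameter to false, which is consistent with `getVpnService()` just above it.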
|
||||
|
|
|
|||
|
|
@ -83,6 +83,9 @@ public class UpdateNetworkOfferingCmd extends BaseCmd {
|
|||
@Parameter(name=ApiConstants.VPN_SERVICE, type=CommandType.BOOLEAN, description="true is network offering supports vpn service")
|
||||
private Boolean vpnService;
|
||||
|
||||
@Parameter(name=ApiConstants.SECURITY_GROUP_SERVICE, type=CommandType.BOOLEAN, description="true if network offering supports security service")
|
||||
private Boolean securityGroupService;
|
||||
|
||||
@Parameter(name = ApiConstants.SERVICE_PROVIDER_LIST, type = CommandType.MAP, description = "provider to service mapping. If not specified, the provider for the service will be mapped to the default provider on the physical network")
|
||||
private Map serviceProviderList;
|
||||
|
||||
|
|
@ -140,6 +143,10 @@ public class UpdateNetworkOfferingCmd extends BaseCmd {
|
|||
public Boolean getVpnService() {
|
||||
return vpnService == null ? false : vpnService;
|
||||
}
|
||||
|
||||
public Boolean getSecurityGroupService() {
|
||||
return securityGroupService == null ? false : securityGroupService;
|
||||
}
|
||||
|
||||
public Map<String, List<String>> getServiceProviders() {
|
||||
Map<String, List<String>> serviceProviderMap = null;
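Review bot: The context line directly above the new parameter still reads `description="true is network offering supports vpn service"`; this commit corrects that "true is" wording for every service flag in CreateNetworkOfferingCmd but leaves the UpdateNetworkOfferingCmd copy as it was, so the two commands now document the same flag differently in the generated API reference. Changing it to `description="true if network offering supports vpn service"` here keeps them aligned. `getServiceProviders()` at the end of the second hunk continues outside the view.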
|
||||
|
|
|
|||
|
|
@ -2799,7 +2799,7 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
|
|||
|
||||
TrafficType trafficType = null;
|
||||
Availability availability = null;
|
||||
Network.GuestType type = null;
|
||||
Network.GuestType guestType = null;
|
||||
|
||||
// Verify traffic type
|
||||
for (TrafficType tType : TrafficType.values()) {
|
||||
|
|
@ -2815,12 +2815,12 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
|
|||
// Verify offering type
|
||||
for (Network.GuestType offType : Network.GuestType.values()) {
|
||||
if (offType.name().equalsIgnoreCase(cmd.getGuestIpType())) {
|
||||
type = offType;
|
||||
guestType = offType;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (type == null) {
|
||||
if (guestType == null) {
|
||||
throw new InvalidParameterValueException("Invalid \"type\" parameter is given; can have Shared and Isolated values");
|
||||
}
|
||||
|
||||
|
|
@ -2873,6 +2873,16 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
|
|||
if (cmd.getVpnService()) {
|
||||
serviceProviderMap.put(Network.Service.Vpn, defaultProviders);
|
||||
}
|
||||
|
||||
if (cmd.getSecurityGroupService()) {
|
||||
//allow security group service for Shared networks only
|
||||
if (guestType != GuestType.Shared) {
|
||||
throw new InvalidParameterValueException("Secrity group service is supported for network offerings with guest ip type " + GuestType.Shared);
|
||||
}
|
||||
Set<Network.Provider> sgProviders = new HashSet<Network.Provider>();
|
||||
sgProviders.add(Provider.SecurityGroupProvider);
|
||||
serviceProviderMap.put(Network.Service.SecurityGroup, sgProviders);
|
||||
}
|
||||
|
||||
// populate providers
|
||||
Map<String, List<String>> svcPrv = (Map<String, List<String>>) cmd.getServiceProviders();
|
||||
|
|
@ -2898,7 +2908,7 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
|
|||
}
|
||||
}
|
||||
|
||||
return createNetworkOffering(userId, name, displayText, trafficType, tags, maxConnections, specifyVlan, availability, networkRate, serviceProviderMap, false, type, false);
|
||||
return createNetworkOffering(userId, name, displayText, trafficType, tags, maxConnections, specifyVlan, availability, networkRate, serviceProviderMap, false, guestType, false);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -3173,6 +3183,16 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
|
|||
if (cmd.getVpnService()) {
|
||||
serviceProviderMap.put(Network.Service.Vpn, defaultProviders);
|
||||
}
|
||||
|
||||
if (cmd.getSecurityGroupService()) {
|
||||
//allow security group service for Shared networks only
|
||||
if (offering.getGuestType() != GuestType.Shared) {
|
||||
throw new InvalidParameterValueException("Secrity group service is supported for network offerings with guest ip type " + GuestType.Shared);
|
||||
}
|
||||
Set<Network.Provider> sgProviders = new HashSet<Network.Provider>();
|
||||
sgProviders.add(Provider.SecurityGroupProvider);
|
||||
serviceProviderMap.put(Network.Service.SecurityGroup, sgProviders);
|
||||
}
|
||||
|
||||
// populate providers
|
||||
Map<String, List<String>> svcPrv = (Map<String, List<String>>) cmd.getServiceProviders();
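Review bot: The Shared-only restriction in the new `if (cmd.getSecurityGroupService())` block is checked against the boolean flag alone, yet the "populate providers" code that follows also fills `serviceProviderMap` from `cmd.getServiceProviders()`; if that path can carry `Network.Service.SecurityGroup` (not visible in the hunk), an Isolated offering could still acquire the service that the commit title forbids. Enforcing the rule on the finished map, `if (serviceProviderMap.containsKey(Network.Service.SecurityGroup) && guestType != GuestType.Shared) { throw new InvalidParameterValueException(...); }` after the providers are populated, covers both inputs. The exception text also has a typo and does not say that Shared is required rather than merely supported: `"Security group service is supported only for network offerings with guest ip type " + GuestType.Shared`. The same block and message are added in the update path (hunk at 3183), where `offering.getGuestType()` is compared instead, and both enclosing methods extend beyond their hunks.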
|
||||
|
|
|
|||
|
|
@ -4253,7 +4253,7 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
|
|||
|
||||
@Override
|
||||
public boolean isSecurityGroupSupportedInNetwork(Network network) {
|
||||
boolean supported = isServiceSupportedByNetworkOffering(network.getNetworkOfferingId(), Service.SecurityGroup);
|
||||
boolean supported = isServiceEnabled(network.getPhysicalNetworkId(), network.getNetworkOfferingId(), Service.SecurityGroup);
|
||||
|
||||
return supported;
|
||||
}
|
||||
|
|
@ -4370,7 +4370,6 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
|
|||
|
||||
@Override
|
||||
public PhysicalNetwork getDefaultPhysicalNetworkByZoneAndTrafficType(long zoneId, TrafficType trafficType) {
|
||||
PhysicalNetworkVO network = null;
|
||||
|
||||
List<PhysicalNetworkVO> networkList = _physicalNetworkDao.listByZoneAndTrafficType(zoneId, trafficType);
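Review bot: `isSecurityGroupSupportedInNetwork` now stores the `isServiceEnabled(...)` result in a local only to return it on the next line; `return isServiceEnabled(network.getPhysicalNetworkId(), network.getNetworkOfferingId(), Service.SecurityGroup);` expresses the same in one statement. Because the method's meaning moves from "the network offering lists the service" to "the service is enabled for the network's physical network and offering", a short Javadoc stating that, and that `network` must be non-null since two of its fields are dereferenced, would help the callers this commit switches over to it. The second hunk in this file only removes a blank line.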
|
||||
|
||||
|
|
|
|||
|
|
@ -911,7 +911,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
|
|||
@Override
|
||||
@DB
|
||||
public boolean addInstanceToGroups(final Long userVmId, final List<Long> groups) {
|
||||
if (!isVmNetworkOffSupportsSecurityGroup(userVmId)) {
|
||||
if (!isVmSecurityGroupEnabled(userVmId)) {
|
||||
s_logger.trace("User vm " + userVmId + " is not security group enabled, not adding it to security group");
|
||||
return false;
|
||||
}
|
||||
|
|
@ -1281,20 +1281,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
|
|||
List<NicProfile> nics = _networkMgr.getNicProfiles(vm);
|
||||
for (NicProfile nic : nics) {
|
||||
Network network = _networkMgr.getNetwork(nic.getNetworkId());
|
||||
if (_networkMgr.isServiceEnabled(network.getPhysicalNetworkId(), network.getNetworkOfferingId(), Service.SecurityGroup) && vm.getHypervisorType() != HypervisorType.VMware) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
protected boolean isVmNetworkOffSupportsSecurityGroup(Long vmId) {
|
||||
VirtualMachine vm = _vmDao.findByIdIncludingRemoved(vmId);
|
||||
List<NicProfile> nics = _networkMgr.getNicProfiles(vm);
|
||||
for (NicProfile nic : nics) {
|
||||
Network network = _networkMgr.getNetwork(nic.getNetworkId());
|
||||
if (_networkMgr.isServiceSupportedByNetworkOffering(network.getNetworkOfferingId(), Service.SecurityGroup) && vm.getHypervisorType() != HypervisorType.VMware) {
|
||||
if (_networkMgr.isSecurityGroupSupportedInNetwork(network) && vm.getHypervisorType() != HypervisorType.VMware) {
|
||||
return true;
|
||||
}
|
||||
}
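Review bot: The new condition `if (_networkMgr.isSecurityGroupSupportedInNetwork(network) && vm.getHypervisorType() != HypervisorType.VMware)` re-evaluates the hypervisor test for every NIC although it does not depend on the NIC; testing `vm.getHypervisorType()` once before the loop and returning false for VMware leaves only the per-network lookup inside it. The enclosing method starts above the hunk, so whether `vm` can be null here is not visible; a one-line comment above the loop, such as `// true if any of the vm's networks has the SecurityGroup service enabled (never on VMware)`, would document the merged helper's contract. The switch in `addInstanceToGroups` to `isVmSecurityGroupEnabled` is consistent with the removal of `isVmNetworkOffSupportsSecurityGroup`.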
|
||||
|
|
|
|||
|
|
@ -150,8 +150,6 @@ public class SecurityGroupManagerImpl2 extends SecurityGroupManagerImpl{
|
|||
} catch (InterruptedException e1) {
|
||||
s_logger.warn("SG work: caught InterruptException", e1);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
public void sendRulesetUpdates(SecurityGroupWork work){
|
||||
|
|
|
|||
|
|
@ -2008,7 +2008,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
|
||||
if (securityGroupIdList != null && isVmWare) {
|
||||
throw new InvalidParameterValueException("Security group feature is not supported for vmWare hypervisor");
|
||||
} else if (!isVmWare && _networkMgr.isServiceSupportedByNetworkOffering(defaultNetwork.getNetworkOfferingId(), Service.SecurityGroup)) {
|
||||
} else if (!isVmWare && _networkMgr.isSecurityGroupSupportedInNetwork(defaultNetwork)) {
|
||||
if (securityGroupIdList == null) {
|
||||
securityGroupIdList = new ArrayList<Long>();
|
||||
}
|
||||
|
|
@ -2097,7 +2097,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
throw new InvalidParameterValueException("Unable to find network by id " + networkIdList.get(0).longValue());
|
||||
}
|
||||
|
||||
boolean isSecurityGroupEnabled = _networkMgr.isServiceSupportedByNetworkOffering(network.getNetworkOfferingId(), Service.SecurityGroup);
|
||||
boolean isSecurityGroupEnabled = _networkMgr.isServiceEnabled(network.getPhysicalNetworkId(), network.getNetworkOfferingId(), Service.SecurityGroup);
|
||||
if (isSecurityGroupEnabled && networkIdList.size() > 1) {
|
||||
throw new InvalidParameterValueException("Can't create a vm with multiple networks one of which is Security Group enabled");
|
||||
}
|
||||
|
|
@ -2381,6 +2381,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
}
|
||||
}
|
||||
|
||||
//check if the user data is correct
|
||||
validateUserData(userData);
|
||||
|
||||
// Find an SSH public key corresponding to the key pair name, if one is given
|
||||
|
|
@ -2394,11 +2395,9 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
sshPublicKey = pair.getPublicKey();
|
||||
}
|
||||
|
||||
DataCenterDeployment plan = new DataCenterDeployment(zone.getId());
|
||||
s_logger.debug("Allocating in the DB for vm");
|
||||
|
||||
List<Pair<NetworkVO, NicProfile>> networks = new ArrayList<Pair<NetworkVO, NicProfile>>();
|
||||
short defaultNetworkNumber = 0;
|
||||
boolean securityGroupEnabled = false;
|
||||
for (NetworkVO network : networkList) {
|
||||
|
||||
if (network.getDataCenterId() != zone.getId()) {
|
||||
|
|
@ -2421,6 +2420,14 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
}
|
||||
|
||||
networks.add(new Pair<NetworkVO, NicProfile>(network, profile));
|
||||
|
||||
if (_networkMgr.isServiceEnabled(network.getPhysicalNetworkId(), network.getNetworkOfferingId(), Service.SecurityGroup)) {
|
||||
securityGroupEnabled = true;
|
||||
}
|
||||
}
|
||||
|
||||
if (securityGroupIdList != null && !securityGroupIdList.isEmpty() && !securityGroupEnabled) {
|
||||
throw new InvalidParameterValueException("Unable to deploy vm with security groups as SecurityGroup service is not enabled for the vm's network");
|
||||
}
|
||||
|
||||
// Verify network information - network default network has to be set; and vm can't have more than one default network
|
||||
|
|
@ -2468,6 +2475,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
}
|
||||
|
||||
s_logger.debug("Allocating in the DB for vm");
|
||||
DataCenterDeployment plan = new DataCenterDeployment(zone.getId());
|
||||
|
||||
if (_itMgr.allocate(vm, _templateDao.findById(template.getId()), offering, rootDiskOffering, dataDiskOfferings, networks, null, plan, hypervisorType, owner) == null) {
|
||||
return null;
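Review bot: The new code asks "is the SecurityGroup service enabled for this network" in two different forms: `_networkMgr.isSecurityGroupSupportedInNetwork(defaultNetwork)` at the default-network check, but a direct `_networkMgr.isServiceEnabled(network.getPhysicalNetworkId(), network.getNetworkOfferingId(), Service.SecurityGroup)` at the multiple-network check and again in the new per-network loop. This commit defines the wrapper as exactly that call, so the two direct sites could use `_networkMgr.isSecurityGroupSupportedInNetwork(network)` and the rule stays in one place. The new rejection of explicit security groups when no network is enabled is computed from a flag collected while NIC profiles are built; a comment such as `// remember whether any of the vm's networks has the SecurityGroup service enabled; explicit security groups are rejected below otherwise` above the loop would explain why the flag lives there. The enclosing deploy method runs well beyond these hunks.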
|
||||
|
|
|
|||