Merge "[GCE] Skip Security group rule verification for egress rules"

2017-08-11 02:36:44 +00:00 · 2017-08-11 02:36:44 +00:00 · 4aa67e3eea
commit 4aa67e3eea
parent 57727d3e19 60e596283c
2 changed files with 19 additions and 14 deletions
--- a/neutron/neutron/common/gceutils.py
+++ b/neutron/neutron/common/gceutils.py
@ -160,7 +160,7 @@ def get_gce_service(service_key):
        raise GceServiceKeyNotFound(path=service_key)

    credentials = GoogleCredentials.from_stream(service_key)
-    service = build('compute', 'v1', credentials=credentials)
+    service = build('compute', 'beta', credentials=credentials)
    return service


--- a/neutron/neutron/plugins/ml2/drivers/gce/mech_gce.py
+++ b/neutron/neutron/plugins/ml2/drivers/gce/mech_gce.py
@ -158,32 +158,31 @@ class GceMechanismDriver(api.MechanismDriver):
        return "secgrp-" + openstack_id

    def _convert_secgrp_rule_to_gce(self, rule, network_link, validate=False):
-        if rule['ethertype'] != 'IPv4':
-            raise sg.SecurityGroupRuleInvalidEtherType(
-                ethertype=rule['ethertype'], values=('IPv4', ))
-
        gce_rule = {
            'sourceRanges': [],
-            'sourceTags': [],
            'targetTags': [],
            'allowed': [{}],
-            'destinationRanges': [],
+            'priority': 1000
        }
-        if not validate:
-            gce_rule['name'] = self._gce_secgrp_id(rule['id'])
-            gce_rule['network'] = network_link
-
        directions = {
            'ingress': 'INGRESS',
        }
-        gce_protocols = ('tcp', 'udp', 'icmp', 'esp', 'ah', 'sctp')
-
        if rule['direction'] in directions:
            gce_rule['direction'] = directions[rule['direction']]
        else:
            raise SecurityGroupInvalidDirection(direction=rule['direction'],
                                                values=directions.keys())

+        if rule['ethertype'] != 'IPv4':
+            raise sg.SecurityGroupRuleInvalidEtherType(
+                ethertype=rule['ethertype'], values=('IPv4', ))
+
+        if not validate:
+            gce_rule['name'] = self._gce_secgrp_id(rule['id'])
+            gce_rule['network'] = network_link
+
+        gce_protocols = ('tcp', 'udp', 'icmp', 'esp', 'ah', 'sctp')
+
        protocol = rule['protocol']
        if protocol is None:
            gce_rule['allowed'][0]['IPProtocol'] = 'all'
@ -215,10 +214,13 @@ class GceMechanismDriver(api.MechanismDriver):
        compute, project = self.gce_svc, self.gce_project
        try:
            gce_rule = self._convert_secgrp_rule_to_gce(rule, network_link)
+        except SecurityGroupInvalidDirection:
+            LOG.warn("Egress rules are not supported on GCE.")
+            return
        except Exception as e:
            LOG.exception(
                "An error occured while creating security group: %s" % e)
-            return
+            raise e
        LOG.info("Create GCE firewall rule %s" % gce_rule)
        operation = gceutils.create_firewall_rule(compute, project, gce_rule)
        gceutils.wait_for_operation(compute, project, operation)
@ -227,6 +229,9 @@ class GceMechanismDriver(api.MechanismDriver):
        try:
            self._convert_secgrp_rule_to_gce(
                rule, network_link=None, validate=True)
+        except SecurityGroupInvalidDirection:
+            LOG.warn("Egress rules are not supported on GCE.")
+            return
        except Exception as e:
            LOG.exception("An error occurred while creating security "
                          "group: %s" % e)