Separated out creation of ACL policy set and policy in VNMC
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/124a4881 Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/124a4881 Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/124a4881 Branch: refs/heads/cisco-vnmc-api-integration Commit: 124a48819d34547d5355396c151279a23899ff65 Parents: 1e38515 Author: Koushik Das <[email protected]> Authored: Thu Feb 21 17:53:12 2013 +0530 Committer: Koushik Das <[email protected]> Committed: Thu Feb 21 17:53:12 2013 +0530 ---------------------------------------------------------------------- .../network/cisco/associate-acl-policy-set.xml | 2 +- .../network/cisco/create-acl-policy-ref.xml | 21 +++++ .../network/cisco/create-acl-policy-set.xml | 13 +--- .../network/cisco/create-ingress-acl-rule.xml | 18 ++-- .../cloud/network/cisco/CiscoVnmcConnection.java | 15 ++- .../network/cisco/CiscoVnmcConnectionImpl.java | 66 +++++++++----- .../cloud/network/element/CiscoVnmcElement.java | 1 - .../cloud/network/resource/CiscoVnmcResource.java | 69 +++++++++------ 8 files changed, 127 insertions(+), 78 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/124a4881/plugins/network-elements/cisco-vnmc/scripts/network/cisco/associate-acl-policy-set.xml ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/associate-acl-policy-set.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/associate-acl-policy-set.xml index ae40a88..908b40f 100755 --- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/associate-acl-policy-set.xml +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/associate-acl-policy-set.xml 
@@ -3,7 +3,7 @@ inHierarchical="false"> <inConfigs> <pair key="%espdn%" > - <policyVirtualNetworkEdgeProfile + <policyVirtualNetworkEdgeProfile connTimeoutRef="" descr="%descr%" dn="%espdn%" http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/124a4881/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-ref.xml ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-ref.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-ref.xml new file mode 100755 index 0000000..2d3f02a --- /dev/null +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-ref.xml @@ -0,0 +1,21 @@ + +<configConfMos + cookie="%cookie%" + inHierarchical="false"> + + <inConfigs> + <pair key="%aclpolicyrefdn%"> + <policyPolicyNameRef + dn="%aclpolicyrefdn%" + order="100" + policyName="%aclpolicyname%" + status="created"/> + </pair> + + </inConfigs> +</configConfMos> + +<!-- + aclpolicyrefdn="org-root/org-vlan-123/org-VDC-vlan-123/pset-Ingress-ACL-Policy-Set-vlan-123/polref-aaa" + aclpolicyname="aaa" +--!> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/124a4881/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-set.xml ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-set.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-set.xml index 4038b91..4e9d2ce 100755 --- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-set.xml +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-set.xml 
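Review bot: The trailer of the new create-acl-policy-ref.xml closes its comment with `--!>`, which is not a well-formed XML comment terminator; the template is presumably accepted only because the sibling templates carry the same trailer and the receiving side is lenient, so I would write `-->` here. The `order="100"` attribute is fixed, and with this commit several policies now share one policy set per tenant; if VNMC ranks references within a set by that value, an `%order%` placeholder filled in by the caller is needed to give them distinct positions — worth confirming against the VNMC API before relying on a single constant.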
@@ -3,13 +3,6 @@ cookie="%cookie%" inHierarchical="false"> <inConfigs> - <pair key="%aclpolicyrefdn%"> - <policyPolicyNameRef - dn="%aclpolicyrefdn%" - order="100" - policyName="%aclpolicyname%" - status="created"/> - </pair> <pair key="%aclpolicysetdn%"> <policyPolicySet descr="" @@ -21,8 +14,6 @@ </configConfMos> <!-- - aclpolicysetdn="org-root/org-vlan-123/org-VDC-vlan-123/pset-foo" - aclpolicysetname="foo" - aclpolicyrefdn="org-root/org-vlan-123/org-VDC-vlan-123/pset-foo/polref-bar" - aclpolicyname="bar" + aclpolicysetdn="org-root/org-vlan-123/org-VDC-vlan-123/pset-foo" + aclpolicysetname="foo" --!> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/124a4881/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml index 2c3fdab..8fb38a4 100755 --- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml 
@@ -170,13 +170,13 @@ </configConfMos> <!-- - aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy" - aclrulename="dummy" - actiontype="drop" or "permit" - protocolvalue = "TCP" or UDP or ICMP - sourcestartip="source start ip" - sourceendip="source end ip" - startport="start port at destination" - endport="end port at destination" - destinationip="public ip at destination" + aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy" + aclrulename="dummy" + actiontype="drop" or "permit" + protocolvalue = "TCP" or UDP or ICMP + sourcestartip="source start ip" + sourceendip="source end ip" + startport="start port at destination" + endport="end port at destination" + destinationip="public ip at destination" --!> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/124a4881/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java index 5d59c65..3cb1ea5 100644 --- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java +++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java 
@@ -64,18 +64,23 @@ public interface CiscoVnmcConnection { public boolean associateNatPolicySet(String tenantName) throws ExecutionException; - public boolean createIngressAclRule(String tenantName, String identifier, + public boolean createIngressAclRule(String tenantName, + String identifier, String policyIdentifier, String protocol, String sourceStartIp, String sourceEndIp, String destStartPort, String destEndPort, String destIp) throws ExecutionException; - public boolean deleteAclRule(String tenantName, String identifier) + public boolean deleteAclRule(String policyIdentifier, + String identifier, String destIp) throws ExecutionException; - public boolean createTenantVDCAclPolicy(String tenantName, boolean ingress) - throws ExecutionException; + public boolean createTenantVDCAclPolicy(String tenantName, String identifier, + boolean ingress) throws ExecutionException; + + public boolean createTenantVDCAclPolicyRef(String tenantName, String identifier, + boolean ingress) throws ExecutionException; - public boolean deleteTenantVDCAclPolicy(String tenantName, boolean ingress) + public boolean deleteTenantVDCAclPolicy(String tenantName, String identifier) throws ExecutionException; public boolean createTenantVDCAclPolicySet(String tenantName, boolean ingress) http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/124a4881/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java index b304e05..e159dd1 100644 --- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java +++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java 
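Review bot: The new `deleteAclRule` declaration names its parameters `(policyIdentifier, identifier, destIp)`, while the implementation in CiscoVnmcConnectionImpl (hunk at -689,12) declares `(tenantName, identifier, policyIdentifier)` and builds the DN from the first as the tenant and the third as the policy. Because all three are `String`, the compiler cannot catch the transposition, and the commented-out caller in CiscoVnmcResource passes `publicIp` rather than the `policyIdentifier` (`publicIp.replace('.', '-')`) used on create, so re-enabling it as written would target a DN that was never created. The interface should use the implementation's names: `public boolean deleteAclRule(String tenantName, String identifier, String policyIdentifier) throws ExecutionException;`. A Javadoc on each changed method stating which DN segment `identifier` and `policyIdentifier` feed into would remove the same ambiguity from the eight-`String` `createIngressAclRule` signature.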
@@ -66,6 +66,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { DELETE_ACL_RULE("delete-acl-rule.xml", "policy-mgr"), CREATE_ACL_POLICY("create-acl-policy.xml", "policy-mgr"), DELETE_ACL_POLICY("delete-acl-policy.xml", "policy-mgr"), + CREATE_ACL_POLICY_REF("create-acl-policy-ref.xml", "policy-mgr"), CREATE_ACL_POLICY_SET("create-acl-policy-set.xml", "policy-mgr"), RESOLVE_ACL_POLICY_SET("associate-acl-policy-set.xml", "policy-mgr"), CREATE_EDGE_FIREWALL("create-edge-firewall.xml", "resource-mgr"), 
@@ -566,37 +567,38 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { return getDnForTenantVDC(tenantName) + "/pset-" + getNameForAclPolicySet(tenantName, ingress) ; } - private String getNameForAclPolicy(String tenantName, boolean ingress) { - return (ingress ? "Ingress-" : "Egress-") + "ACL-For-" + tenantName; + private String getNameForAclPolicy(String tenantName, String identifier) { + return "Policy-" + tenantName + "-" + identifier; } - private String getDnForAclPolicy(String tenantName, boolean ingress) { - return getDnForTenantVDC(tenantName) + "/pol-" + getNameForAclPolicy(tenantName, ingress); + private String getDnForAclPolicy(String tenantName, String identifier) { + return getDnForTenantVDC(tenantName) + "/pol-" + getNameForAclPolicy(tenantName, identifier); } - private String getDnForAclPolicyRef(String tenantName, boolean ingress) { - return getDnForAclPolicySet(tenantName, ingress) + "/polref-" + getNameForAclPolicy(tenantName, ingress); + private String getDnForAclPolicyRef(String tenantName, String identifier, boolean ingress) { + return getDnForAclPolicySet(tenantName, ingress) + "/polref-" + getNameForAclPolicy(tenantName, identifier); } - private String getNameForAclRule(String tenantName, String identifier, boolean ingress) { - return (ingress ? 
"Ingress-" : "Egress-") + "ACL-Rule-For-" + tenantName + "-" + identifier; + private String getNameForAclRule(String tenantName, String identifier) { + return "Rule-" + tenantName + "-" + identifier; } - private String getDnForAclRule(String tenantName, String identifier, boolean ingress) { - return getDnForAclPolicy(tenantName, ingress) + "/rule-" + getNameForAclRule(tenantName, identifier, ingress); + private String getDnForAclRule(String tenantName, String identifier, String policyIdentifier) { + return getDnForAclPolicy(tenantName, policyIdentifier) + "/rule-" + getNameForAclRule(tenantName, identifier); } /* (non-Javadoc) * @see com.cloud.network.resource.CiscoVnmcConnection#createTenantVDCAclPolicy(java.lang.String) */ @Override - public boolean createTenantVDCAclPolicy(String tenantName, boolean ingress) throws ExecutionException { + public boolean createTenantVDCAclPolicy(String tenantName, String identifier, boolean ingress) throws ExecutionException { String xml = VnmcXml.CREATE_ACL_POLICY.getXml(); String service = VnmcXml.CREATE_ACL_POLICY.getService(); xml = replaceXmlValue(xml, "cookie", _cookie); //xml = replaceXmlValue(xml, "descr", "ACL Policy for Tenant VDC " + tenantName); - xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, ingress)); - xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, ingress)); + xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, identifier)); + xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, identifier)); + xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, identifier, ingress)); String response = sendRequest(service, xml); 
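Review bot: `createTenantVDCAclPolicy` now also substitutes `aclpolicyrefdn` into the CREATE_ACL_POLICY template, yet the policy-reference pair was moved out of create-acl-policy-set.xml into the new create-acl-policy-ref.xml and is created by the new `createTenantVDCAclPolicyRef`; create-acl-policy.xml is not in this commit's diffstat, so the line is either a no-op (no `%aclpolicyrefdn%` placeholder) or creates the reference twice. Unless that template does carry the placeholder, drop `xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, identifier, ingress));`, which also makes it explicit that `ingress` is otherwise unused in this method. The `@see ...#createTenantVDCAclPolicy(java.lang.String)` stub above it no longer matches the three-argument signature. The body of createTenantVDCAclPolicy continues past the hunk.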
@@ -607,12 +609,29 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { * @see com.cloud.network.resource.CiscoVnmcConnection#deleteTenantVDCAclPolicy(java.lang.String) */ @Override - public boolean deleteTenantVDCAclPolicy(String tenantName, boolean ingress) throws ExecutionException { + public boolean deleteTenantVDCAclPolicy(String tenantName, String identifier) throws ExecutionException { String xml = VnmcXml.DELETE_ACL_POLICY.getXml(); String service = VnmcXml.DELETE_ACL_POLICY.getService(); xml = replaceXmlValue(xml, "cookie", _cookie); - xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, ingress)); - xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, ingress)); + xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, identifier)); + xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, identifier)); + + String response = sendRequest(service, xml); + + return verifySuccess(response); + } + + /* (non-Javadoc) + * @see com.cloud.network.resource.CiscoVnmcConnection#createTenantVDCAclPolicySet(java.lang.String) + */ + @Override + public boolean createTenantVDCAclPolicyRef(String tenantName, String identifier, boolean ingress) throws ExecutionException { + String xml = VnmcXml.CREATE_ACL_POLICY_REF.getXml(); + String service = VnmcXml.CREATE_ACL_POLICY_REF.getService(); + xml = replaceXmlValue(xml, "cookie", _cookie); + xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, identifier)); + xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, identifier)); + xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, identifier, ingress)); String response = sendRequest(service, xml); 
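Review bot: The `(non-Javadoc)` block on the new `createTenantVDCAclPolicyRef` points at `#createTenantVDCAclPolicySet(java.lang.String)`, the wrong interface method; it should read `* @see com.cloud.network.resource.CiscoVnmcConnection#createTenantVDCAclPolicyRef(java.lang.String, java.lang.String, boolean)`. In the same method the `aclpolicydn` substitution has no counterpart in create-acl-policy-ref.xml as added in this commit (its placeholders are `%cookie%`, `%aclpolicyrefdn%` and `%aclpolicyname%`), so that line can go. Since the resource now calls `deleteTenantVDCAclPolicy` before the first creation of each per-IP policy, it is worth confirming — the response handling is outside the hunk — that `verifySuccess` treats a delete of a not-yet-existing policy as success rather than aborting the whole SetFirewallRules command.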
@@ -628,10 +647,8 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { String service = VnmcXml.CREATE_ACL_POLICY_SET.getService(); xml = replaceXmlValue(xml, "cookie", _cookie); //xml = replaceXmlValue(xml, "descr", "ACL Policy Set for Tenant VDC " + tenantName); - xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, ingress)); xml = replaceXmlValue(xml, "aclpolicysetname", getNameForAclPolicySet(tenantName, ingress)); xml = replaceXmlValue(xml, "aclpolicysetdn", getDnForAclPolicySet(tenantName, ingress)); - xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, ingress)); String response = sendRequest(service, xml); 
@@ -663,15 +680,16 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { * @see com.cloud.network.resource.CiscoVnmcConnection#createIngressAclRule(java.lang.String) */ @Override - public boolean createIngressAclRule(String tenantName, String identifier, + public boolean createIngressAclRule(String tenantName, + String identifier, String policyIdentifier, String protocol, String sourceStartIp, String sourceEndIp, String destStartPort, String destEndPort, String destIp) throws ExecutionException { String xml = VnmcXml.CREATE_INGRESS_ACL_RULE.getXml(); String service = VnmcXml.CREATE_INGRESS_ACL_RULE.getService(); xml = replaceXmlValue(xml, "cookie", _cookie); //xml = replaceXmlValue(xml, "descr", "Ingress ACL Policy for Tenant VDC" + tenantName); - xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, true)); - xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier, true)); + xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier)); + xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier)); xml = replaceXmlValue(xml, "actiontype", "permit"); xml = replaceXmlValue(xml, "protocolvalue", protocol); xml = replaceXmlValue(xml, "sourcestartip", sourceStartIp); 
@@ -689,12 +707,12 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { * @see com.cloud.network.resource.CiscoVnmcConnection#deleteAclRule(java.lang.String) */ @Override - public boolean deleteAclRule(String tenantName, String identifier) throws ExecutionException { + public boolean deleteAclRule(String tenantName, String identifier, String policyIdentifier) throws ExecutionException { String xml = VnmcXml.DELETE_ACL_RULE.getXml(); String service = VnmcXml.DELETE_ACL_RULE.getService(); xml = replaceXmlValue(xml, "cookie", _cookie); - xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, true)); - xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier, true)); + xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier)); + xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier)); String response = sendRequest(service, xml); http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/124a4881/plugins/network-elements/cisco-vnmc/src/com/cloud/network/element/CiscoVnmcElement.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/element/CiscoVnmcElement.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/element/CiscoVnmcElement.java index c96abac..22d58a6 100644 --- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/element/CiscoVnmcElement.java +++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/element/CiscoVnmcElement.java 
@@ -147,7 +147,6 @@ public class CiscoVnmcElement extends AdapterBase implements SourceNatServicePro CiscoAsa1000vDao _ciscoAsa1000vDao; @Inject NetworkAsa1000vMapDao _networkAsa1000vMapDao; - private boolean canHandle(Network network) { if (network.getBroadcastDomainType() != BroadcastDomainType.Vlan) { http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/124a4881/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java index 3e58398..85188c8 100644 --- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java +++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java @@ -17,6 +17,7 @@ package com.cloud.network.resource; import java.util.ArrayList; +import java.util.HashMap; import java.util.List; import java.util.Map; 
@@ -319,39 +320,53 @@ public class CiscoVnmcResource implements ServerResource{ private Answer execute(SetFirewallRulesCommand cmd, int numRetries) { String vlanId = cmd.getContextParam(NetworkElementCommand.GUEST_VLAN_TAG); String tenant = "vlan-" + vlanId; + + FirewallRuleTO[] rules = cmd.getRules(); + Map<String, List<FirewallRuleTO>> publicIpRulesMap = new HashMap<String, List<FirewallRuleTO>>(); + for (FirewallRuleTO rule : rules) { + String publicIp = rule.getSrcIp(); + if (!publicIpRulesMap.containsKey(publicIp)) { + List<FirewallRuleTO> publicIpRulesList = new ArrayList<FirewallRuleTO>(); + publicIpRulesMap.put(publicIp, publicIpRulesList); + } + publicIpRulesMap.get(publicIp).add(rule); + } + try { // create-acl-policy-set for ingress _connection.createTenantVDCAclPolicySet(tenant, true); - - // delete-acl-policy for ingress - _connection.deleteTenantVDCAclPolicy(tenant, true); - // delete-acl-policy for egress - - // create-acl-policy for ingress - _connection.createTenantVDCAclPolicy(tenant, true); - // create-acl-policy-set for egress - // create-acl-policy for egress - - FirewallRuleTO[] rules = cmd.getRules(); - for (FirewallRuleTO rule : rules) { - if (rule.revoked()) { - // delete-acl-rule - //_connection.deleteAclRule(tenant, Long.toString(rule.getId())); - } else { - String cidr = rule.getSourceCidrList().get(0); - String[] result = cidr.split("\\/"); - assert (result.length == 2) : "Something is wrong with source cidr " + cidr; - long size = Long.valueOf(result[1]); - String startIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size); - String endIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size); - // create-ingress-acl-rule - _connection.createIngressAclRule(tenant, - Long.toString(rule.getId()), rule.getProtocol().toUpperCase(), startIp, endIp, - Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), rule.getSrcIp()); + + for (String publicIp : publicIpRulesMap.keySet()) { + String policyIdentifier = 
publicIp.replace('.', '-'); + // delete-acl-policy for ingress + _connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier); + // delete-acl-policy for egress + + // create-acl-policy for ingress + _connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true); + _connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true); + // create-acl-policy for egress + + for (FirewallRuleTO rule : publicIpRulesMap.get(publicIp)) { + if (rule.revoked()) { + // delete-acl-rule + //_connection.deleteAclRule(tenant, Long.toString(rule.getId()), publicIp); + } else { + String cidr = rule.getSourceCidrList().get(0); + String[] result = cidr.split("\\/"); + assert (result.length == 2) : "Something is wrong with source cidr " + cidr; + long size = Long.valueOf(result[1]); + String externalStartIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size); + String externalEndIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size); + // create-ingress-acl-rule + _connection.createIngressAclRule(tenant, + Long.toString(rule.getId()), policyIdentifier, + rule.getProtocol().toUpperCase(), externalStartIp, externalEndIp, + Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), publicIp); + } } } - // associate-acl-policy-set _connection.associateAclPolicySet(tenant); } catch (Throwable e) {
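Review bot: The CIDR validation in the `else` branch is an `assert`, which only runs with `-ea`; in a normal deployment a source CIDR without a prefix length reaches `result[1]` and fails with ArrayIndexOutOfBoundsException, surfacing only through the `catch (Throwable e)` whose body is outside the hunk. Make it an explicit check: `if (result.length != 2) { throw new IllegalArgumentException("Something is wrong with source cidr " + cidr); }`. Only `getSourceCidrList().get(0)` is used, so a rule with several source CIDRs silently loses all but the first; iterating the list (one VNMC rule per CIDR, with an identifier suffix) would preserve them. The grouping keyed on `rule.getSrcIp()` also means a public IP that no longer appears in `cmd.getRules()` keeps its old policy in the set, unless the command is guaranteed to carry every rule including revoked ones — worth confirming against the caller.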
