Remove the publish patch in SG rule BEFORE_DELETE and BEFORE_CREATE
The method ``delete_security_group_rule`` is publishing the
BEFORE_DELETE event before starting the security group rule deletion.
This event is published using a wrap method called
``SecurityGroupDbMixin._registry_publish``. This method is capturing
any ``CallbackFailure`` exception and raising a
``SecurityGroupRuleInUse`` one. That makes no sense because:
* We are hiding the real cause of the callback failure.
* The BEFORE_DELETE is not checking that the security group rule is
being used (NOTE 1).
* If any new implementation makes this check, the corresponding callback
should return explicitly this exception.
The method ``_create_security_group_rule`` is publishing the
BEFORE_CREATE event before starting the security group rule creation.
The same argument applies here: the callback manager should return the
exception raised by the callback method (NOTE 2).
In a follow-up patch, these events will be captured to check the
permissions related to the user creating or deleting the security group
rule. In case of error, it will be needed to raise a ``NotAuthorized``
derived exception, instead of an ``InUse`` one.
NOTE 1: this is the current use of BEFORE_DELETE event in the
OpenStack repository:
* [2] Omni project had no activity for the last 4 years.
* [3] networking-arista: the method ``run_cmds_on_all_switches``, that
calls ``run_openstack_sg_cmds``, returns its own exceptions.
* [4] networking-opencontrail: same justification.
* [5] The ML2/OVN mechanism driver, that will raise an exception if the
OVN ACL deletion doesn't succeed.
NOTE 2: this is the current use of BEFORE_DELETE event in the
OpenStack repository:
* [2] Omni project had no activity for the last 4 years.
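An added illustration of the argument above (example code written for this page, not neutron's or neutron_lib's own): a constructed stand-in for the callback registry's ``publish()``, a hypothetical policy-check callback of the kind the follow-up patch describes, and the rule delete path both with a catch-all wrapper like ``_registry_publish`` and without it. The payload fields, ``policy_check`` and ``demo()`` are assumptions made for the example.

```python
# Constructed model of neutron_lib's publish() (not neutron code): errors raised
# by callbacks are collected and, for a BEFORE_* event, raised together as one
# CallbackFailure whose inner_exceptions keep the originals.
class CallbackFailure(Exception):
    def __init__(self, errors):
        super().__init__("callback failure")
        self.inner_exceptions = list(errors)
class SecurityGroupRuleInUse(Exception): pass
class NotAuthorized(Exception): pass

def publish(event, callbacks, payload):
    errors = []
    for cb in callbacks:
        try:
            cb(event, payload)
        except Exception as exc:  # collected per callback, not propagated
            errors.append(exc)
    if errors and event.startswith("before_"):
        raise CallbackFailure(errors)

def policy_check(event, payload):
    """Hypothetical follow-up callback: only the rule owner may delete it."""
    if payload["user"] != payload["rule_owner"]:
        raise NotAuthorized("user %s is not the rule owner" % payload["user"])

def delete_rule_wrapped(callbacks, payload):
    """Old path: a _registry_publish-style wrapper turns any failure into InUse."""
    try:
        publish("before_delete", callbacks, payload)
    except CallbackFailure:
        raise SecurityGroupRuleInUse("rule %s in use" % payload["rule_id"])
    return "deleted"

def delete_rule_direct(callbacks, payload):
    """New path: publish directly; the CallbackFailure keeps the real cause."""
    publish("before_delete", callbacks, payload)
    return "deleted"

def demo():
    """Unauthorized delete through both paths; returns what each caller sees."""
    payload = {"rule_id": "r1", "user": "alice", "rule_owner": "bob"}
    seen = []
    for fn in (delete_rule_wrapped, delete_rule_direct):
        try:
            fn([policy_check], payload)
        except CallbackFailure as exc:  # real cause still available
            seen.append(type(exc.inner_exceptions[0]).__name__)
        except Exception as exc:        # cause already lost
            seen.append(type(exc).__name__)
    return seen
```

With the wrapper the caller only ever sees ``SecurityGroupRuleInUse``; publishing directly leaves ``NotAuthorized`` reachable through ``inner_exceptions``, which is what an error-mapping layer needs to return the right status.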
Reviewed: https://review.opendev.org/c/openstack/neutron/+/896273
Committed: https://opendev.org/openstack/neutron/commit/78027da56ccb25d19ac2c3bc1c174acb2150e6a5
Submitter: "Zuul (22348)"
Branch: master
commit 78027da56ccb25d19ac2c3bc1c174acb2150e6a5
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Sep 12 08:57:45 2023 +0000
[1] https://codesearch.openstack.org/?q=%5C.SECURITY_GROUP_RULE&i=nope&literal=nope&files=&excludeFiles=&repos=
[2] https://opendev.org/x/omni/src/branch/master/neutron/neutron/plugins/ml2/drivers/aws/callbacks.py
[3] https://opendev.org/x/networking-arista/src/branch/master/networking_arista/ml2/security_groups/arista_security_groups.py
[4] https://opendev.org/x/networking-opencontrail/src/branch/master/networking_opencontrail/ml2/opencontrail_sg_callback.py
[5] https://opendev.org/openstack/neutron/src/branch/master/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py
Partial-Bug: #2019960
Change-Id: I8d5f5392fb7a6ab9b20e9222c143f4e67c925cae