Remove 'os-security-group-default-rules' REST API

This is a nova-network-only API. As with previously removed APIs, this API now return a 410 response for all routes. There are some DB methods that were only used by this API. They will be removed separately in a future change. Change-Id: Iaa7fb6c548613164d33793822ee85339f9f7fefb Signed-off-by: Stephen Finucane <[email protected]>
Centrinix · Nov 18, 2019 · 22dee90 · 22dee90
1 parent 1dac054
commit 22dee90
Show file tree

Hide file tree

Showing 15 changed files with 61 additions and 607 deletions.
diff --git a/api-ref/source/index.rst b/api-ref/source/index.rst
@@ -71,7 +71,6 @@ limited to some maximum microversion.
 .. include:: os-floating-ip-pools.inc
 .. include:: os-floating-ips.inc
 .. include:: os-security-groups.inc
-.. include:: os-security-group-default-rules.inc
 .. include:: os-security-group-rules.inc
 .. include:: os-hosts.inc
 
@@ -90,3 +89,4 @@ Compute API in the past, but no longer exist.
 .. include:: os-floating-ips-bulk.inc
 .. include:: os-floating-ip-dns.inc
 .. include:: os-cells.inc
+.. include:: os-security-group-default-rules.inc
diff --git a/api-ref/source/os-security-group-default-rules.inc b/api-ref/source/os-security-group-default-rules.inc
@@ -1,17 +1,15 @@
 .. -*- rst -*-
 
-.. NOTE(gmann): These APIs are deprecated so do not update this
-   file even body, example or parameters are not complete.
-
-================================================================================
- Rules for default security group (os-security-group-default-rules) (DEPRECATED)
-================================================================================
+====================================================================
+ Rules for default security group (os-security-group-default-rules)
+====================================================================
 
 .. warning::
 
    This API only available with ``nova-network`` which is
    deprecated. It should be avoided in any new applications.
    These will fail with a 404 starting from microversion 2.36.
+   They were completely removed in the 21.0.0 (Ussuri) release.
 
 Lists, shows information for, and creates default security group rules.
 
@@ -24,7 +22,8 @@ Lists default security group rules.
 
 Normal response codes: 200
 
-Error response codes: unauthorized(401), forbidden(403), itemNotFound(404), notImplemented(501)
+Error response codes: unauthorized(401), forbidden(403), itemNotFound(404),
+gone(410), notImplemented(501)
 
 Response
 --------
@@ -53,7 +52,8 @@ Shows details for a security group rule.
 
 Normal response codes: 200
 
-Error response codes: badRequest(400), unauthorized(401), forbidden(403), itemNotFound(404), notImplemented(501)
+Error response codes: badRequest(400), unauthorized(401), forbidden(403),
+itemNotFound(404), gone(410), notImplemented(501)
 
 Request
 -------
@@ -92,7 +92,8 @@ IP protocol ( ``ip_protocol`` ) value. Otherwise, the operation returns the ``Ba
 
 Normal response codes: 200
 
-Error response codes: badRequest(400), unauthorized(401), forbidden(403), conflict(409), notImplemented(501)
+Error response codes: badRequest(400), unauthorized(401), forbidden(403),
+conflict(409), gone(410), notImplemented(501)
 
 Request
 -------
@@ -137,7 +138,8 @@ Deletes a security group rule.
 
 Normal response codes: 204
 
-Error response codes: badRequest(400), unauthorized(401), forbidden(403), itemNotFound(404), notImplemented(501)
+Error response codes: badRequest(400), unauthorized(401), forbidden(403),
+itemNotFound(404), gone(410), notImplemented(501)
 
 Request
 -------

diff --git a/nova/api/openstack/compute/rest_api_version_history.rst b/nova/api/openstack/compute/rest_api_version_history.rst
@@ -415,11 +415,25 @@ API endpoints as below::
   '/os-baremetal-nodes'
   '/os-fping'
 
-.. note:: A `regression`_ was introduced in this microversion which broke the
+.. note::
+
+    A `regression`__ was introduced in this microversion which broke the
     ``force`` parameter in the ``PUT /os-quota-sets`` API. The fix will have
     to be applied to restore this functionality.
 
-.. _regression: https://bugs.launchpad.net/nova/+bug/1733886
+    __ https://bugs.launchpad.net/nova/+bug/1733886
+
+.. versionchanged:: 18.0.0
+
+    The ``os-fping`` API was completely removed in the 18.0.0 (Rocky) release.
+    On deployments newer than this, the API will return HTTP 410 (Gone)
+    regardless of the requested microversion.
+
+.. versionchanged:: 21.0.0
+
+    The ``os-security-group-default-rules`` API was completely removed in the
+    21.0.0 (Ussuri) release. On deployments newer than this, the APIs will
+    return HTTP 410 (Gone) regadless of the requested microversion.
 
 2.37
 ----

diff --git a/nova/api/openstack/compute/security_group_default_rules.py b/nova/api/openstack/compute/security_group_default_rules.py
@@ -14,121 +14,24 @@
 
 from webob import exc
 
-from nova.api.openstack.api_version_request \
-    import MAX_PROXY_API_SUPPORT_VERSION
-from nova.api.openstack.compute import security_groups as sg
 from nova.api.openstack import wsgi
-from nova import exception
-from nova.i18n import _
-from nova.network.security_group import openstack_driver
-from nova.policies import security_group_default_rules as sgdr_policies
 
 
-class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase,
-                                          wsgi.Controller):
+class SecurityGroupDefaultRulesController(wsgi.Controller):
+    """(Removed) Controller for default project security groups."""
 
-    def __init__(self):
-        super(SecurityGroupDefaultRulesController, self).__init__()
-        self.security_group_api = (
-            openstack_driver.get_openstack_security_group_driver())
-
-    @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION)
-    @wsgi.expected_errors((400, 409, 501))
+    @wsgi.expected_errors(410)
     def create(self, req, body):
-        context = req.environ['nova.context']
-        context.can(sgdr_policies.BASE_POLICY_NAME)
-
-        sg_rule = self._from_body(body, 'security_group_default_rule')
-
-        try:
-            values = self._rule_args_to_dict(to_port=sg_rule.get('to_port'),
-                from_port=sg_rule.get('from_port'),
-                ip_protocol=sg_rule.get('ip_protocol'),
-                cidr=sg_rule.get('cidr'))
-        except (exception.InvalidCidr,
-                exception.InvalidInput,
-                exception.InvalidIpProtocol,
-                exception.InvalidPortRange) as ex:
-            raise exc.HTTPBadRequest(explanation=ex.format_message())
-
-        if values is None:
-            msg = _('Not enough parameters to build a valid rule.')
-            raise exc.HTTPBadRequest(explanation=msg)
+        raise exc.HTTPGone()
 
-        if self.security_group_api.default_rule_exists(context, values):
-            msg = _('This default rule already exists.')
-            raise exc.HTTPConflict(explanation=msg)
-        security_group_rule = self.security_group_api.add_default_rules(
-            context, [values])[0]
-        fmt_rule = self._format_security_group_default_rule(
-                                                        security_group_rule)
-        return {'security_group_default_rule': fmt_rule}
-
-    def _rule_args_to_dict(self, to_port=None, from_port=None,
-                           ip_protocol=None, cidr=None):
-        cidr = self.security_group_api.parse_cidr(cidr)
-        return self.security_group_api.new_cidr_ingress_rule(
-            cidr, ip_protocol, from_port, to_port)
-
-    @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION)
-    @wsgi.expected_errors((400, 404, 501))
+    @wsgi.expected_errors(410)
     def show(self, req, id):
-        context = req.environ['nova.context']
-        context.can(sgdr_policies.BASE_POLICY_NAME)
-
-        try:
-            id = self.security_group_api.validate_id(id)
-        except exception.Invalid as ex:
-            raise exc.HTTPBadRequest(explanation=ex.format_message())
+        raise exc.HTTPGone()
 
-        try:
-            rule = self.security_group_api.get_default_rule(context, id)
-        except exception.SecurityGroupDefaultRuleNotFound as ex:
-            raise exc.HTTPNotFound(explanation=ex.format_message())
-
-        fmt_rule = self._format_security_group_default_rule(rule)
-        return {"security_group_default_rule": fmt_rule}
-
-    @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION)
-    @wsgi.expected_errors((400, 404, 501))
-    @wsgi.response(204)
+    @wsgi.expected_errors(410)
     def delete(self, req, id):
-        context = req.environ['nova.context']
-        context.can(sgdr_policies.BASE_POLICY_NAME)
-
-        try:
-            id = self.security_group_api.validate_id(id)
-        except exception.Invalid as ex:
-            raise exc.HTTPBadRequest(explanation=ex.format_message())
-
-        try:
-            rule = self.security_group_api.get_default_rule(context, id)
-            self.security_group_api.remove_default_rules(context, [rule['id']])
-        except exception.SecurityGroupDefaultRuleNotFound as ex:
-            raise exc.HTTPNotFound(explanation=ex.format_message())
+        raise exc.HTTPGone()
 
-    @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION)
-    @wsgi.expected_errors((404, 501))
+    @wsgi.expected_errors(410)
     def index(self, req):
-        context = req.environ['nova.context']
-        context.can(sgdr_policies.BASE_POLICY_NAME)
-
-        ret = {'security_group_default_rules': []}
-        try:
-            for rule in self.security_group_api.get_all_default_rules(context):
-                rule_fmt = self._format_security_group_default_rule(rule)
-                ret['security_group_default_rules'].append(rule_fmt)
-        except exception.SecurityGroupDefaultRuleNotFound as ex:
-            raise exc.HTTPNotFound(explanation=ex.format_message())
-
-        return ret
-
-    def _format_security_group_default_rule(self, rule):
-        sg_rule = {}
-        sg_rule['id'] = rule['id']
-        sg_rule['ip_protocol'] = rule['protocol']
-        sg_rule['from_port'] = rule['from_port']
-        sg_rule['to_port'] = rule['to_port']
-        sg_rule['ip_range'] = {}
-        sg_rule['ip_range'] = {'cidr': rule['cidr']}
-        return sg_rule
+        raise exc.HTTPGone()
diff --git a/nova/policies/__init__.py b/nova/policies/__init__.py
@@ -53,7 +53,6 @@
 from nova.policies import quota_sets
 from nova.policies import remote_consoles
 from nova.policies import rescue
-from nova.policies import security_group_default_rules
 from nova.policies import security_groups
 from nova.policies import server_diagnostics
 from nova.policies import server_external_events
@@ -116,7 +115,6 @@ def list_rules():
         quota_sets.list_rules(),
         remote_consoles.list_rules(),
         rescue.list_rules(),
-        security_group_default_rules.list_rules(),
         security_groups.list_rules(),
         server_diagnostics.list_rules(),
         server_external_events.list_rules(),

diff --git a/nova/policies/security_group_default_rules.py b/nova/policies/security_group_default_rules.py
diff --git a/..._samples/os-security-group-default-rules/security-group-default-rules-create-req.json.tpl b/..._samples/os-security-group-default-rules/security-group-default-rules-create-req.json.tpl
diff --git a/...samples/os-security-group-default-rules/security-group-default-rules-create-resp.json.tpl b/...samples/os-security-group-default-rules/security-group-default-rules-create-resp.json.tpl
diff --git a/...i_samples/os-security-group-default-rules/security-group-default-rules-list-resp.json.tpl b/...i_samples/os-security-group-default-rules/security-group-default-rules-list-resp.json.tpl
diff --git a/...i_samples/os-security-group-default-rules/security-group-default-rules-show-resp.json.tpl b/...i_samples/os-security-group-default-rules/security-group-default-rules-show-resp.json.tpl
diff --git a/nova/tests/functional/api_sample_tests/test_security_group_default_rules.py b/nova/tests/functional/api_sample_tests/test_security_group_default_rules.py
@@ -15,29 +15,17 @@
 from nova.tests.functional.api_sample_tests import api_sample_base
 
 
-# TODO(stephenfin): Remove this API since it's nova-network only
 class SecurityGroupDefaultRulesSampleJsonTest(
         api_sample_base.ApiSampleTestBaseV21):
-    USE_NEUTRON = False  # nova-net only
-    ADMIN_API = True
-    sample_dir = 'os-security-group-default-rules'
 
     def test_security_group_default_rules_create(self):
-        response = self._do_post('os-security-group-default-rules',
-                                 'security-group-default-rules-create-req',
-                                 {})
-        self._verify_response('security-group-default-rules-create-resp',
-                              {}, response, 200)
+        self.api.api_post('os-security-group-default-rules', {},
+                          check_response_status=[410])
 
     def test_security_group_default_rules_list(self):
-        self.test_security_group_default_rules_create()
-        response = self._do_get('os-security-group-default-rules')
-        self._verify_response('security-group-default-rules-list-resp',
-                              {}, response, 200)
+        self.api.api_get('os-security-group-default-rules',
+                         check_response_status=[410])
 
     def test_security_group_default_rules_show(self):
-        self.test_security_group_default_rules_create()
-        rule_id = '1'
-        response = self._do_get('os-security-group-default-rules/%s' % rule_id)
-        self._verify_response('security-group-default-rules-show-resp',
-                              {}, response, 200)
+        self.api.api_get('os-security-group-default-rules/1',
+                         check_response_status=[410])