NSX: neutron router-interface-add should clear security-groups
authorAaron Rosen <aaronorosen@gmail.com>
Wed, 9 Jul 2014 17:02:09 +0000 (10:02 -0700)
committerAaron Rosen <aaronorosen@gmail.com>
Wed, 9 Jul 2014 17:02:09 +0000 (10:02 -0700)
NSX does not support security groups on router ports, so when someone
uses a port that has a security group on it as the router port, we need
to clear the security group off the port.

Change-Id: Ia0fb331516887dcd7e9a435094ce1eb082d72575
closes-bug: 1329043

neutron/plugins/vmware/plugins/base.py
neutron/tests/unit/vmware/test_nsx_plugin.py

index 058dd18cb7d7478013403a8eef71779f77724440..072fd20eba27affbde5c08dda8f25925142e4a74 100644 (file)
@@ -1716,7 +1716,12 @@ class NsxPluginV2(addr_pair_db.AllowedAddressPairsMixin,
         nsx_router_id = nsx_utils.get_nsx_router_id(
             context.session, self.cluster, router_id)
         if port_id:
-            port_data = self._get_port(context, port_id)
+            port_data = self.get_port(context, port_id)
+            # If security groups are present we need to remove them as
+            # this is a router port.
+            if port_data['security_groups']:
+                self.update_port(context, port_id,
+                                 {'port': {'security_groups': []}})
             nsx_switch_id, nsx_port_id = nsx_utils.get_nsx_switch_and_port_id(
                 context.session, self.cluster, port_id)
             # Unplug current attachment from lswitch port
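Review bot: The `self.update_port(...)` call strips the port's security groups before the attachment steps that follow it have succeeded. The rest of add_router_interface is outside this hunk, but if any later step fails, the port could be left as an ordinary port with no security groups on it. Consider clearing the groups only once the port is known to be usable as a router interface, or restoring the saved list on the failure path. The removal is also silent, so a log line naming the port and the groups removed would make the change in filtering auditable. Separately, `if port_data['security_groups']:` assumes `get_port` always returns that key; `if port_data.get('security_groups'):` avoids a KeyError if it does not.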
index 4f610802cb70eee2c90e2d5894e35ee2039d666c..21b28513aaf4d69932e3182dc05e0676f7fea264 100644 (file)
@@ -993,6 +993,25 @@ class TestL3NatTestCase(L3NatTest,
                     self.assertEqual(webob.exc.HTTPServiceUnavailable.code,
                                      res.status_int)
 
+    def test_router_add_interface_port_removes_security_group(self):
+        with self.router() as r:
+            with self.port(no_delete=True) as p:
+                body = self._router_interface_action('add',
+                                                     r['router']['id'],
+                                                     None,
+                                                     p['port']['id'])
+                self.assertIn('port_id', body)
+                self.assertEqual(body['port_id'], p['port']['id'])
+
+                # fetch port and confirm no security-group on it.
+                body = self._show('ports', p['port']['id'])
+                self.assertEqual(body['port']['security_groups'], [])
+                # clean-up
+                self._router_interface_action('remove',
+                                              r['router']['id'],
+                                              None,
+                                              p['port']['id'])
+
 
 class ExtGwModeTestCase(NsxPluginV2TestCase,
                         test_ext_gw_mode.ExtGwModeIntTestCase):
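Review bot: test_router_add_interface_port_removes_security_group never checks that the port had a security group before the interface was added. If `self.port(no_delete=True)` ever yields a port without one, the final `assertEqual(..., [])` passes without exercising the new code. Adding `self.assertTrue(p['port']['security_groups'])` before the `_router_interface_action('add', ...)` call would pin the precondition, assuming the created port dict carries that key. The 'remove' clean-up is also skipped when an earlier assertion fails, so it would be more reliable in a `try`/`finally`.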