add acl support to unimgr 50/53850/2
authorDavid Goldberg <gdavid@hpe.com>
Fri, 24 Mar 2017 18:16:52 +0000 (21:16 +0300)
committerYakir Dorani <yakir.dorani@hpe.com>
Wed, 5 Apr 2017 13:10:18 +0000 (16:10 +0300)
Change-Id: Ia17c821c6664eaa3d0aea680eda3ad90ac0f530d
Signed-off-by: David Goldberg <gdavid@hpe.com>
legato-api/src/main/yang/mef-services.yang
netvirt/pom.xml
netvirt/src/main/java/org/opendaylight/unimgr/mef/netvirt/EvcListener.java
netvirt/src/main/java/org/opendaylight/unimgr/mef/netvirt/IpvcListener.java
netvirt/src/main/java/org/opendaylight/unimgr/mef/netvirt/NetvirtUtils.java

index 774cafe7290273dbca0e520bdc0668ea1033aa82..869fb24a458e3356471497ae7fd3ebc3ccde3b92 100644 (file)
@@ -87,7 +87,7 @@ module mef-services {
                   }
                 }
                 leaf-list security-groups {
-                    type mef-types:identifier45;
+                    type yang:uuid;
                     description "The security group ID to associate with this interface.";
                 }
                 leaf port-security-enabled {
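Review bot: The description of `security-groups` does not say that the list only takes effect when `port-security-enabled` is true, which is how both listeners in this commit treat it. I would extend it, here and in the identical hunk at @@ -692, to something like `"UUIDs of the security groups applied to this interface; ignored unless port-security-enabled is true."`. Narrowing the type from `mef-types:identifier45` to `yang:uuid` also rejects any previously stored non-UUID value, so the change deserves a revision note if the model is already deployed. The import that provides the `yang` prefix is not visible in these hunks and is assumed to exist.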
@@ -692,7 +692,7 @@ module mef-services {
                   }
                 }
                 leaf-list security-groups {
-                    type mef-types:identifier45;
+                    type yang:uuid;
                     description "The security group ID to associate with this interface.";
                 }
                 leaf port-security-enabled {
index 3cead70d00aa51158285685c772ffae7f857fa87..d819f5af08099fead110e172cdc7d6ce9333235f 100644 (file)
@@ -27,7 +27,7 @@
   <!-- <name> formatting is used by autorelease to parse and notify projects on
        build failure. Please do not modify this unless you have a good reason. -->
   <name>ODL :: unimgr :: ${project.artifactId}</name>
-  
+
   <build>
     <plugins>
       <plugin>
       <groupId>org.opendaylight.netvirt</groupId>
       <artifactId>elanmanager-impl</artifactId>
       <version>${vpnservices.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.opendaylight.netvirt</groupId>
+      <artifactId>aclservice-api</artifactId>
+      <version>${vpnservices.version}</version>
     </dependency>
      <dependency>
       <groupId>org.opendaylight.genius</groupId>
index b2bc4af5e01f92862cd03372efc64523c69e6b28..d27218165169ad2cd7742c527de4798feed3571c 100644 (file)
@@ -16,6 +16,7 @@ import java.util.stream.Collectors;
 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
 import org.opendaylight.controller.md.sal.binding.api.DataTreeIdentifier;
 import org.opendaylight.controller.md.sal.binding.api.DataTreeModification;
+import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
 import org.opendaylight.unimgr.api.UnimgrDataTreeChangeListener;
 import org.opendaylight.yang.gen.v1.http.metroethernetforum.org.ns.yang.mef.services.rev150526.mef.services.MefService;
@@ -105,7 +106,7 @@ public class EvcListener extends UnimgrDataTreeChangeListener<Evc> implements IU
     @Override
     public void connectUni(String uniId) {
         List<RetailSvcIdType> allEvcs = MefServicesUtils.getAllEvcsServiceIds(dataBroker);
-        allEvcs = (allEvcs != null) ? allEvcs : Collections.emptyList();
+        allEvcs = allEvcs != null ? allEvcs : Collections.emptyList();
 
         for (RetailSvcIdType evcSerId : allEvcs) {
             InstanceIdentifier<Evc> evcId = MefServicesUtils.getEvcInstanceIdentifier(evcSerId);
@@ -119,8 +120,8 @@ public class EvcListener extends UnimgrDataTreeChangeListener<Evc> implements IU
             boolean isEtree = evc.getEvcType() == EvcType.RootedMultipoint;
 
             List<Uni> toConnect = new ArrayList<>();
-            List<Uni> unis = (evc.getUnis() != null) ? evc.getUnis().getUni() : null;
-            unis = (unis != null) ? unis : Collections.emptyList();
+            List<Uni> unis = evc.getUnis() != null ? evc.getUnis().getUni() : null;
+            unis = unis != null ? unis : Collections.emptyList();
             for (Uni uni : unis) {
                 if (uni.getUniId().getValue().equals(uniId)) {
                     Log.info("Connecting Uni {} to svc id {}", uniId, evcSerId);
@@ -149,7 +150,7 @@ public class EvcListener extends UnimgrDataTreeChangeListener<Evc> implements IU
     @Override
     public void disconnectUni(String uniId) {
         List<RetailSvcIdType> allEvcs = MefServicesUtils.getAllEvcsServiceIds(dataBroker);
-        allEvcs = (allEvcs != null) ? allEvcs : Collections.emptyList();
+        allEvcs = allEvcs != null ? allEvcs : Collections.emptyList();
 
         for (RetailSvcIdType evcSerId : allEvcs) {
             InstanceIdentifier<Evc> evcId = MefServicesUtils.getEvcInstanceIdentifier(evcSerId);
@@ -161,8 +162,8 @@ public class EvcListener extends UnimgrDataTreeChangeListener<Evc> implements IU
 
             String instanceName = evc.getEvcId().getValue();
             List<Uni> toDisconnect = new ArrayList<>();
-            List<Uni> unis = (evc.getUnis() != null) ? evc.getUnis().getUni() : null;
-            unis = (unis != null) ? unis : Collections.emptyList();
+            List<Uni> unis = evc.getUnis() != null ? evc.getUnis().getUni() : null;
+            unis = unis != null ? unis : Collections.emptyList();
             for (Uni uni : unis) {
                 if (uni.getUniId().getValue().equals(uniId)) {
                     Log.info("Disconnecting Uni {} from svc id {}", uniId, evcSerId);
@@ -316,6 +317,11 @@ public class EvcListener extends UnimgrDataTreeChangeListener<Evc> implements IU
             log.info("Creting elan interface for elan {} vlan {} interface {}", instanceName, 0, interfaceName);
             NetvirtUtils.createElanInterface(dataBroker, instanceName, interfaceName, roleToInterfaceType(role),
                     isEtree);
+            if (uni.isPortSecurityEnabled() && uni.getSecurityGroups() != null && !uni.getSecurityGroups().isEmpty()) {
+                WriteTransaction tx = dataBroker.newWriteOnlyTransaction();
+                NetvirtUtils.addAclToInterface(interfaceName, uni.getSecurityGroups(), tx);
+                MdsalUtils.commitTransaction(tx);
+            }
             uniQosManager.mapUniPortBandwidthLimits(uni.getUniId().getValue(), interfaceName,
                     uni.getIngressBwProfile());
             setOperEvcElanPort(evcId, instanceName, interfaceName);
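Review bot: The ACL is committed in its own transaction after `NetvirtUtils.createElanInterface` has already written the ELAN interface, so there is a window in which the port is attached without its security groups, and that state persists if the second commit fails. Because `createElanInterface` takes the `dataBroker` rather than a transaction, closing the gap probably means reordering or extending that helper; at minimum a comment such as `// ACL is written after the ELAN interface; port is briefly unfiltered` should record the ordering. Separately, `uni.isPortSecurityEnabled()` is unboxed directly in the condition; if the generated getter returns a `Boolean` and the leaf is unset this throws, so `Boolean.TRUE.equals(uni.isPortSecurityEnabled())` is safer. The same block is repeated in the next hunk (@@ -337) and the same condition appears in IpvcListener (@@ -395); the enclosing method starts and ends outside this hunk.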
@@ -337,6 +343,10 @@ public class EvcListener extends UnimgrDataTreeChangeListener<Evc> implements IU
                 log.info("Creting elan interface for elan {} vlan {} interface {}", instanceName, 0, interfaceName);
                 NetvirtUtils.createElanInterface(dataBroker, instanceName, interfaceName, roleToInterfaceType(role),
                         isEtree);
+                if (uni.isPortSecurityEnabled() && uni.getSecurityGroups() != null && !uni.getSecurityGroups().isEmpty()) {
+                    WriteTransaction tx = dataBroker.newWriteOnlyTransaction();
+                    NetvirtUtils.addAclToInterface(interfaceName, uni.getSecurityGroups(), tx);
+                    MdsalUtils.commitTransaction(tx);                }
                 uniQosManager.mapUniPortBandwidthLimits(uni.getUniId().getValue(), interfaceName,
                         uni.getIngressBwProfile());
                 setOperEvcElanPort(evcId, instanceName, interfaceName);
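Review bot: The closing brace of the new `if` sits at the end of the `MdsalUtils.commitTransaction(tx);` line, which hides where the block ends and will trip most formatters and checkstyle rules; `}` belongs on its own line at the indent of the `if`. Since this block duplicates the one added at @@ -316, a small private helper taking `uni` and `interfaceName` would keep the two call sites from drifting apart. The enclosing method is only partly visible in this hunk.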
index 244f5a232cef379c8e08b576a16922c262223ca8..a0aea4d12749260712fd7cca0cd185f9766d762b 100644 (file)
@@ -63,7 +63,7 @@ public class IpvcListener extends UnimgrDataTreeChangeListener<Ipvc> implements
     private ListenerRegistration<IpvcListener> ipvcListenerRegistration;
     @SuppressWarnings("unused")
     private final UniAwareListener uniAwareListener;
-    private OdlInterfaceRpcService odlInterfaceRpcService;
+    private final OdlInterfaceRpcService odlInterfaceRpcService;
     private final SouthboundUtils southBoundUtils;
     private final org.opendaylight.ovsdb.utils.mdsal.utils.MdsalUtils mdsalUtils;
     private final NotificationPublishService notificationPublishService;
@@ -71,7 +71,7 @@ public class IpvcListener extends UnimgrDataTreeChangeListener<Ipvc> implements
     private static final String LOCAL_IP = "local_ip";
 
     // TODO: make it as service
-    private ConcurrentHashMap<String, BigInteger> portToDpn;
+    private final ConcurrentHashMap<String, BigInteger> portToDpn;
 
     public IpvcListener(final DataBroker dataBroker, final IUniPortManager uniPortManager,
             final ISubnetManager subnetManager, final UniQosManager uniQosManager,
@@ -395,6 +395,11 @@ public class IpvcListener extends UnimgrDataTreeChangeListener<Ipvc> implements
                     uni.getMacAddress(), tx);
             MefServicesUtils.addOperIpvcVpnElan(ipvcId, vpnName, uniInService.getUniId(), uniInService.getIpUniId(),
                     elanName, interfaceName, null, tx);
+
+            if (uniInService.isPortSecurityEnabled() && uniInService.getSecurityGroups() != null && !uniInService.getSecurityGroups().isEmpty()) {
+                NetvirtUtils.addAclToInterface(interfaceName, uniInService.getSecurityGroups(), tx);
+            }
+
             MdsalUtils.commitTransaction(tx);
         }
     }
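Review bot: When `port-security-enabled` is true but `security-groups` is null or empty, the new condition skips `addAclToInterface` entirely, so the interface is created with no `InterfaceAcl` augmentation at all. That is a fail-open result for a port the operator explicitly marked as secured; if such a port should still get port security with no groups (presumably default-deny in the ACL service, to be confirmed), the guard should be `if (Boolean.TRUE.equals(uniInService.isPortSecurityEnabled())) {` with an empty list passed when no groups are set. If skipping is intended, a comment or a log line should say that the flag is ignored when no groups are configured. The condition line is also well past the usual line-length limit, and the enclosing method begins outside the hunk.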
@@ -477,11 +482,13 @@ public class IpvcListener extends UnimgrDataTreeChangeListener<Ipvc> implements
     private void waitForInterfaceDpnClean(String vpnName, String rd, String interfaceName) {
         InstanceIdentifier<VpnInstanceOpDataEntry> vpnId = NetvirtVpnUtils.getVpnInstanceOpDataIdentifier(rd);
         DataWaitGetter<VpnInstanceOpDataEntry> getInterfByName = (vpn) -> {
-            if (vpn.getVpnToDpnList() == null)
+            if (vpn.getVpnToDpnList() == null) {
                 return null;
+            }
             for (VpnToDpnList is : vpn.getVpnToDpnList()) {
-                if (is.getVpnInterfaces() == null)
+                if (is.getVpnInterfaces() == null) {
                     continue;
+                }
                 for (VpnInterfaces i : is.getVpnInterfaces()) {
                     if (i.getInterfaceName().equals(interfaceName)) {
                         Log.info("Waiting for deletion vpn interface from vpn to dpn list vpn : {} interface: {}",
index 61f8fed75d8eed8203b26894a3a83eee3802abcc..6b8948d653916ad577f3774d784f4111c3b4c117 100644 (file)
@@ -9,6 +9,7 @@
 package org.opendaylight.unimgr.mef.netvirt;
 
 import java.math.BigInteger;
+import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Future;
@@ -29,6 +30,7 @@ import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.InterfaceBuilder;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.InterfaceKey;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rev160406.IfL2vlan;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rev160406.IfL2vlanBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rev160406.ParentRefs;
@@ -46,6 +48,8 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.dhcp_allocation_poo
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.dhcp_allocation_pool.rev161214.dhcp_allocation_pool.network.AllocationPool;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.dhcp_allocation_pool.rev161214.dhcp_allocation_pool.network.AllocationPoolBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.dhcp_allocation_pool.rev161214.dhcp_allocation_pool.network.AllocationPoolKey;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.InterfaceAcl;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.InterfaceAclBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.etree.rev160614.EtreeInstance;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.etree.rev160614.EtreeInstanceBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.etree.rev160614.EtreeInterface;
@@ -167,6 +171,17 @@ public class NetvirtUtils {
         return interfaceBuilder.build();
     }
 
+    public static void addAclToInterface(String interfaceName, List<Uuid> securityGroups, WriteTransaction tx) {
+        InterfaceBuilder interfaceBuilder = new InterfaceBuilder();
+        interfaceBuilder.setName(interfaceName);
+        InterfaceAclBuilder interfaceAclBuilder = new InterfaceAclBuilder();
+        interfaceAclBuilder.setPortSecurityEnabled(true);
+        interfaceAclBuilder.setSecurityGroups(securityGroups);
+        interfaceAclBuilder.setAllowedAddressPairs(Collections.emptyList());
+        interfaceBuilder.addAugmentation(InterfaceAcl.class, interfaceAclBuilder.build());
+        tx.merge(LogicalDatastoreType.CONFIGURATION, getInterfaceIdentifier(interfaceName), interfaceBuilder.build());
+    }
+
     private static ElanInstanceBuilder createElanInstanceBuilder(String instanceName) {
         return createElanInstanceBuilder(instanceName, Long.valueOf(Math.abs((short) instanceName.hashCode())));
     }
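Review bot: `addAclToInterface` writes with `tx.merge`, and a merge of the `security-groups` leaf-list is expected to add entries rather than replace them, so groups removed from a UNI would remain on the interface after a later call; this is worth confirming and, if so, the augmentation should be replaced instead or given a removal counterpart. No path in the hunks shown clears the ACL when a UNI is removed or port security is switched off. The method is public and undocumented: a Javadoc should state that it always sets port security to true, always writes an empty allowed-address-pairs list (whose effect on anti-spoofing in the ACL service should be checked), and that the caller is responsible for committing `tx`.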