Security Group -> VM Firewall

cloudbridge/cloud/providers/gce/README.rst

@@ -5,21 +5,21 @@ Compute Engine`_ (GCE). Object storage is provided by `Google Cloud Storage`_
 Security Groups
 ~~~~~~~~~~~~~~~
 CloudBridge API lets you control incoming traffic to VM instances by creating
-security groups, adding rules to security groups, and then assigning instances
-to security groups.
+VM firewalls, adding rules to VM firewalls, and then assigning instances to VM
+firewalls.
 
 GCE does this a little bit differently. GCE lets you assign `tags`_ to VM
 instances. Tags, then, can be used for networking purposes. In particular, you
 can create `firewall rules`_ to control incoming traffic to instances having a
-specific tag. So, to add GCE support to CloudBridge, we simulate security groups
-by tags.
+specific tag. So, to add GCE support to CloudBridge, we simulate VM firewalls by
+tags.
 
 To make this more clear, let us consider the example of adding a rule to a
-security group. When you add a security group rule from the CloudBridge API to
-a security group ``sg``, what really happens is that a firewall with one rule
-is created whose ``targetTags`` is ``[sg]``. This makes sure that the rule
-applies to all instances that have ``sg`` as a tag (in CloudBridge language
-instances belonging to the security group ``sg``).
+VM firewall. When you add a VM firewall rule from the CloudBridge API to a VM
+firewall ``vmf``, what really happens is that a firewall with one rule is
+created whose ``targetTags`` is ``[vmf]``. This makes sure that the rule
+applies to all instances that have ``vmf`` as a tag (in CloudBridge language
+instances belonging to the VM firewall ``vmf``).
 
 **Note**: This implementation does not take advantage of the full power of GCE
 firewall format and only creates firewalls with one rule and only can find or

cloudbridge/cloud/providers/gce/resources.py

@@ -21,10 +21,10 @@ from cloudbridge.cloud.base.resources import BaseNetwork
 from cloudbridge.cloud.base.resources import BasePlacementZone
 from cloudbridge.cloud.base.resources import BaseRegion
 from cloudbridge.cloud.base.resources import BaseRouter
-from cloudbridge.cloud.base.resources import BaseSecurityGroup
-from cloudbridge.cloud.base.resources import BaseSecurityGroupRule
 from cloudbridge.cloud.base.resources import BaseSnapshot
 from cloudbridge.cloud.base.resources import BaseSubnet
+from cloudbridge.cloud.base.resources import BaseVMFirewall
+from cloudbridge.cloud.base.resources import BaseVMFirewallRule
 from cloudbridge.cloud.base.resources import BaseVMType
 from cloudbridge.cloud.base.resources import BaseVolume
 from cloudbridge.cloud.base.resources import ServerPagedResultList
@@ -432,10 +432,10 @@ class GCEFirewallsDelegate(object):
         return True
 
 
-class GCESecurityGroup(BaseSecurityGroup):
+class GCEVMFirewall(BaseVMFirewall):
 
     def __init__(self, delegate, tag, network=None, description=None):
-        super(GCESecurityGroup, self).__init__(delegate.provider, tag)
+        super(GCEVMFirewall, self).__init__(delegate.provider, tag)
         self._description = description
         self._delegate = delegate
         if network is None:
@@ -447,32 +447,33 @@ class GCESecurityGroup(BaseSecurityGroup):
     @property
     def id(self):
         """
-        Return the ID of this security group which is determined based on the
-        network and the target tag corresponding to this security group.
+        Return the ID of this VM firewall which is determined based on the
+        network and the target tag corresponding to this VM firewall.
         """
-        return GCEFirewallsDelegate.tag_network_id(self._security_group,
+        return GCEFirewallsDelegate.tag_network_id(self._vm_firewall,
                                                    self._network.name)
 
     @property
     def name(self):
         """
-        Return the name of the security group which is the same as the
+        Return the name of the VM firewall which is the same as the
         corresponding tag name.
         """
-        return self._security_group
+        return self._vm_firewall
 
     @property
     def description(self):
         """
-        The description of the security group is even explicitly given when the
-        group is created or is determined from a firewall in the group.
+        The description of the VM firewall is even explicitly given when the
+        VM firewall is created or is determined from a VM firewall rule, i.e. a
+        GCE firewall, in the VM firewall.
 
-        If the firewalls are created using this API, they all have the same
+        If the GCE firewalls are created using this API, they all have the same
         description.
         """
         if self._description is not None:
             return self._description
-        for firewall in self._delegate.iter_firewalls(self._security_group,
+        for firewall in self._delegate.iter_firewalls(self._vm_firewall,
                                                       self._network.name):
             if 'description' in firewall:
                 return firewall['description']
@@ -485,9 +486,9 @@ class GCESecurityGroup(BaseSecurityGroup):
     @property
     def rules(self):
         out = []
-        for firewall in self._delegate.iter_firewalls(self._security_group,
+        for firewall in self._delegate.iter_firewalls(self._vm_firewall,
                                                       self._network.name):
-            out.append(GCESecurityGroupRule(self._delegate, firewall['id']))
+            out.append(GCEVMFirewallRule(self._delegate, firewall['id']))
         return out
 
     @staticmethod
@@ -501,9 +502,9 @@ class GCESecurityGroup(BaseSecurityGroup):
 
     def add_rule(self, ip_protocol, from_port=None, to_port=None,
                  cidr_ip=None, src_group=None):
-        port = GCESecurityGroup.to_port_range(from_port, to_port)
+        port = GCEVMFirewall.to_port_range(from_port, to_port)
         src_tag = src_group.name if src_group is not None else None
-        self._delegate.add_firewall(self._security_group, ip_protocol, port,
+        self._delegate.add_firewall(self._vm_firewall, ip_protocol, port,
                                     cidr_ip, src_tag, self.description,
                                     self._network.name)
         return self.get_rule(ip_protocol, from_port, to_port, cidr_ip,
@@ -511,14 +512,14 @@ class GCESecurityGroup(BaseSecurityGroup):
 
     def get_rule(self, ip_protocol=None, from_port=None, to_port=None,
                  cidr_ip=None, src_group=None):
-        port = GCESecurityGroup.to_port_range(from_port, to_port)
+        port = GCEVMFirewall.to_port_range(from_port, to_port)
         src_tag = src_group.name if src_group is not None else None
         firewall_id = self._delegate.find_firewall(
-                self._security_group, ip_protocol, port, cidr_ip, src_tag,
+                self._vm_firewall, ip_protocol, port, cidr_ip, src_tag,
                 self._network.name)
         if firewall_id is None:
             return None
-        return GCESecurityGroupRule(self._delegate, firewall_id)
+        return GCEVMFirewallRule(self._delegate, firewall_id)
 
     def to_json(self):
         attr = inspect.getmembers(self, lambda a: not(inspect.isroutine(a)))
@@ -532,17 +533,17 @@ class GCESecurityGroup(BaseSecurityGroup):
             rule.delete()
 
 
-class GCESecurityGroupRule(BaseSecurityGroupRule):
+class GCEVMFirewallRule(BaseVMFirewallRule):
 
     def __init__(self, delegate, firewall_id):
-        super(GCESecurityGroupRule, self).__init__(
+        super(GCEVMFirewallRule, self).__init__(
                 delegate.provider, firewall_id, None)
         self._delegate = delegate
 
     @property
     def parent(self):
         """
-        Return the security group to which this rule belongs.
+        Return the VM firewall to which this rule belongs.
         """
         info = self._delegate.get_firewall_info(self._rule)
         if info is None:
@@ -552,7 +553,7 @@ class GCESecurityGroupRule(BaseSecurityGroupRule):
         network = self._delegate.network.get_by_name(info['network_name'])
         if network is None:
             return None
-        return GCESecurityGroup(self._delegate, info['target_tag'], network)
+        return GCEVMFirewall(self._delegate, info['target_tag'], network)
 
     @property
     def id(self):
@@ -608,7 +609,7 @@ class GCESecurityGroupRule(BaseSecurityGroupRule):
     @property
     def group(self):
         """
-        Return the security group from which this rule allows traffic.
+        Return the VM firewall from which this rule allows traffic.
         """
         info = self._delegate.get_firewall_info(self._rule)
         if info is None:
@@ -619,7 +620,7 @@ class GCESecurityGroupRule(BaseSecurityGroupRule):
                 info['network_name'])
         if network is None:
             return None
-        return GCESecurityGroup(self._delegate, info['source_tag'], network)
+        return GCEVMFirewall(self._delegate, info['source_tag'], network)
 
     def to_json(self):
         attr = inspect.getmembers(self, lambda a: not(inspect.isroutine(a)))
@@ -914,9 +915,9 @@ class GCEInstance(BaseInstance):
         return self._provider.parse_url(zone_uri).parameters['zone']
 
     @property
-    def security_groups(self):
+    def vm_firewalls(self):
         """
-        Get the security groups associated with this instance.
+        Get the VM firewalls associated with this instance.
         """
         network_url = self._gce_instance.get('networkInterfaces')[0].get(
             'network')
@@ -925,20 +926,20 @@ class GCEInstance(BaseInstance):
         if 'items' not in self._gce_instance['tags']:
             return []
         tags = self._gce_instance['tags']['items']
-        # Tags are mapped to non-empty security groups under the instance
-        # network. Unmatched tags are ignored.
+        # Tags are mapped to non-empty VM firewalls under the instance network.
+        # Unmatched tags are ignored.
         sgs = (self._provider.security
-               .security_groups.find_by_network_and_tags(
+               .vm_firewalls.find_by_network_and_tags(
                    network_name, tags))
         return sgs
 
     @property
-    def security_group_ids(self):
+    def vm_firewall_ids(self):
         """
-        Get the security groups IDs associated with this instance.
+        Get the VM firewall IDs associated with this instance.
         """
         sg_ids = []
-        for sg in self.security_groups:
+        for sg in self.vm_firewalls:
             sg_ids.append(sg.id)
         return sg_ids
 
@@ -1187,10 +1188,10 @@ class GCEInstance(BaseInstance):
         self_link = self._gce_instance.get('selfLink')
         self._gce_instance = self._provider.parse_url(self_link).get_resource()
 
-    def add_security_group(self, sg):
+    def add_vm_firewall(self, sg):
         raise NotImplementedError('To be implemented.')
 
-    def remove_security_group(self, sg):
+    def remove_vm_firewall(self, sg):
         raise NotImplementedError('To be implemented.')
 
 

cloudbridge/cloud/providers/gce/services.py

@@ -12,15 +12,15 @@ from cloudbridge.cloud.base.services import BaseInstanceService
 from cloudbridge.cloud.base.services import BaseKeyPairService
 from cloudbridge.cloud.base.services import BaseNetworkService
 from cloudbridge.cloud.base.services import BaseRegionService
-from cloudbridge.cloud.base.services import BaseSecurityGroupService
 from cloudbridge.cloud.base.services import BaseSecurityService
 from cloudbridge.cloud.base.services import BaseSnapshotService
 from cloudbridge.cloud.base.services import BaseStorageService
 from cloudbridge.cloud.base.services import BaseSubnetService
+from cloudbridge.cloud.base.services import BaseVMFirewallService
 from cloudbridge.cloud.base.services import BaseVMTypeService
 from cloudbridge.cloud.base.services import BaseVolumeService
 from cloudbridge.cloud.interfaces.resources import PlacementZone
-from cloudbridge.cloud.interfaces.resources import SecurityGroup
+from cloudbridge.cloud.interfaces.resources import VMFirewall
 from cloudbridge.cloud.providers.gce import helpers
 
 import googleapiclient
@@ -36,9 +36,9 @@ from .resources import GCENetwork
 from .resources import GCEPlacementZone
 from .resources import GCERegion
 from .resources import GCERouter
-from .resources import GCESecurityGroup
 from .resources import GCESnapshot
 from .resources import GCESubnet
+from .resources import GCEVMFirewall
 from .resources import GCEVMType
 from .resources import GCEVolume
 from .resources import GCSBucket
@@ -51,15 +51,15 @@ class GCESecurityService(BaseSecurityService):
 
         # Initialize provider services
         self._key_pairs = GCEKeyPairService(provider)
-        self._security_groups = GCESecurityGroupService(provider)
+        self._vm_firewalls = GCEVMFirewallService(provider)
 
     @property
     def key_pairs(self):
         return self._key_pairs
 
     @property
-    def security_groups(self):
-        return self._security_groups
+    def vm_firewalls(self):
+        return self._vm_firewalls
 
 
 class GCEKeyPairService(BaseKeyPairService):
@@ -213,10 +213,10 @@ class GCEKeyPairService(BaseKeyPairService):
                           kp_material=private_key)
 
 
-class GCESecurityGroupService(BaseSecurityGroupService):
+class GCEVMFirewallService(BaseVMFirewallService):
 
     def __init__(self, provider):
-        super(GCESecurityGroupService, self).__init__(provider)
+        super(GCEVMFirewallService, self).__init__(provider)
         self._delegate = GCEFirewallsDelegate(provider)
 
     def get(self, group_id):
@@ -224,32 +224,32 @@ class GCESecurityGroupService(BaseSecurityGroupService):
         if tag is None:
             return None
         network = self.provider.network.get_by_name(network_name)
-        return GCESecurityGroup(self._delegate, tag, network)
+        return GCEVMFirewall(self._delegate, tag, network)
 
     def list(self, limit=None, marker=None):
-        security_groups = []
+        vm_firewalls = []
         for tag, network_name in self._delegate.tag_networks:
             network = self.provider.network.get_by_name(network_name)
-            security_group = GCESecurityGroup(self._delegate, tag, network)
-            security_groups.append(security_group)
-        return ClientPagedResultList(self.provider, security_groups,
+            vm_firewall = GCEVMFirewall(self._delegate, tag, network)
+            vm_firewalls.append(vm_firewall)
+        return ClientPagedResultList(self.provider, vm_firewalls,
                                      limit=limit, marker=marker)
 
     def create(self, name, description, network_id=None):
         network = self.provider.network.get(network_id)
-        return GCESecurityGroup(self._delegate, name, network, description)
+        return GCEVMFirewall(self._delegate, name, network, description)
 
     def find(self, name, limit=None, marker=None):
         """
-        Finds a non-empty security group. If a security group with the given
-        name does not exist, or if it does not contain any rules, an empty list
-        is returned.
+        Finds a non-empty VM firewall. If a VM firewall with the given name
+        does not exist, or if it does not contain any rules, an empty list is
+        returned.
         """
         out = []
         for tag, network_name in self._delegate.tag_networks:
             if tag == name:
                 network = self.provider.network.get_by_name(network_name)
-                out.append(GCESecurityGroup(self._delegate, name, network))
+                out.append(GCEVMFirewall(self._delegate, name, network))
         return out
 
     def delete(self, group_id):
@@ -257,20 +257,19 @@ class GCESecurityGroupService(BaseSecurityGroupService):
 
     def find_by_network_and_tags(self, network_name, tags):
         """
-        Finds non-empty security groups by network name and security group
-        names (tags). If no matching security group is found, an empty list
-        is returned.
+        Finds non-empty VM firewalls by network name and VM firewall names
+        (tags). If no matching VM firewall is found, an empty list is returned.
         """
-        security_groups = []
+        vm_firewalls = []
         for tag, net_name in self._delegate.tag_networks:
             if network_name != net_name:
                 continue
             if tag not in tags:
                 continue
             network = self.provider.network.get_by_name(net_name)
-            security_groups.append(
-                GCESecurityGroup(self._delegate, tag, network))
-        return security_groups
+            vm_firewalls.append(
+                GCEVMFirewall(self._delegate, tag, network))
+        return vm_firewalls
 
 
 class GCEVMTypeService(BaseVMTypeService):
@@ -449,7 +448,7 @@ class GCEInstanceService(BaseInstanceService):
         super(GCEInstanceService, self).__init__(provider)
 
     def create(self, name, image, instance_type, subnet, zone=None,
-               key_pair=None, security_groups=None, user_data=None,
+               key_pair=None, vm_firewalls=None, user_data=None,
                launch_config=None, **kwargs):
         """
         Creates a new virtual machine instance.
@@ -480,15 +479,15 @@ class GCEInstanceService(BaseInstanceService):
                                            'name': 'External NAT'}]
                     }],
             }
-            if security_groups and isinstance(security_groups, list):
-                sg_names = []
-                if isinstance(security_groups[0], SecurityGroup):
-                    sg_names = [sg.name for sg in security_groups]
-                elif isinstance(security_groups[0], str):
-                    sg_names = security_groups
-                if len(sg_names) > 0:
+            if vm_firewalls and isinstance(vm_firewalls, list):
+                vm_firewall_names = []
+                if isinstance(vm_firewalls[0], VMFirewall):
+                    vm_firewall_names = [f.name for f in vm_firewalls]
+                elif isinstance(vm_firewalls[0], str):
+                    vm_firewall_names = vm_firewalls
+                if len(vm_firewall_names) > 0:
                     config['tags'] = {}
-                    config['tags']['items'] = sg_names
+                    config['tags']['items'] = vm_firewall_names
         else:
             config = launch_config
         operation = (self.provider