forked from zstackio/zstack
-
Notifications
You must be signed in to change notification settings - Fork 0
<fix>[securitygroup]: remove strict sequential priority restriction #3344
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
MatheMatrix
wants to merge
27
commits into
5.5.6
Choose a base branch
from
sync/ye.zou/fix/ZSTAC-79067
base: 5.5.6
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
27 commits
Select commit
Hold shift + click to select a range
6b4521b
<fix>[vm]: use max of virtual and actual size for root disk when no d…
AlanJager 3b5bda3
<fix>[zbs]: enable tryNext and 30s timeout for getActiveClients MDS call
AlanJager 80df074
<fix>[vm]: add Destroying->Stopped state transition
AlanJager a84a36e
<fix>[ceph]: apply over-provisioning ratio when releasing snapshot ca…
AlanJager f19223a
<fix>[loadBalancer]: block SLB deletion during grayscale upgrade
AlanJager 24d4f3b
<fix>[i18n]: improve snapshot error message for unattached volume
AlanJager f563992
<fix>[compute]: add null check for VmNicVO in afterDelIpAddress and a…
AlanJager 6545350
<fix>[network]: filter reserved IPs from GetFreeIp API results
AlanJager 76490a5
Merge branch 'fix/ZSTAC-80620' into '5.5.12'
461e8a2
Merge branch 'fix/ZSTAC-82153' into '5.5.12'
32e1e94
Merge branch 'fix/ZSTAC-80595' into '5.5.12'
addec8c
Merge branch 'fix/ZSTAC-74683' into '5.5.12'
26b8b1a
<fix>[mn]: synchronize hash ring operations to prevent dual-MN task s…
AlanJager be53c72
Merge branch 'fix/ZSTAC-81182' into '5.5.12'
e1dee9f
Merge branch 'fix/ZSTAC-79709' into '5.5.12'
3bd062b
Merge branch 'fix/ZSTAC-81741' into '5.5.12'
aaeaf39
<fix>[storage]: desensitize mdsUrls in ExternalPrimaryStorageInventory
AlanJager f41558d
<fix>[volumebackup]: add backup cancel timeout error code
AlanJager 673be94
Merge branch 'fix/ZSTAC-77711' into '5.5.12'
7f53f5a
<fix>[thread]: guard Context.current() with telemetry check
PandaWuu 72ce6ef
Merge branch 'bugfix/ZSTAC-82275' into '5.5.12'
PandaWuu 34bceb1
Merge branch 'fix/ZSTAC-78989' into '5.5.12'
3e02188
Merge branch 'fix/ZSTAC-82195' into '5.5.12'
799a84f
Merge branch 'fix/ZSTAC-80664' into '5.5.12'
b65f499
<fix>[securityGroup]: remove strict consecutive priority validation f…
AlanJager fb9245a
<fix>[securitygroup]: update tests for relaxed priority validation
AlanJager e5b952b
<fix>[securitygroup]: update test to verify global limit instead of c…
AlanJager File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -343,13 +343,8 @@ private void validate(APISetVmNicSecurityGroupMsg msg) { | |
| if (!aoMap.isEmpty()) { | ||
| Integer[] priorities = aoMap.keySet().toArray(new Integer[aoMap.size()]); | ||
| Arrays.sort(priorities); | ||
| if (priorities[0] != 1) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10022, "could no set vm nic security group, because invalid priority, priority expects to start at 1, but [%d]", priorities[0])); | ||
| } | ||
| for (int i = 0; i < priorities.length - 1; i++) { | ||
| if (priorities[i] + 1 != priorities[i + 1]) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10023, "could no set vm nic security group, because invalid priority, priority[%d] and priority[%d] expected to be consecutive", priorities[i], priorities[i + 1])); | ||
| } | ||
| if (priorities[0] < 1) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10022, "could no set vm nic security group, because invalid priority, priority expects to be positive, but [%d]", priorities[0])); | ||
| } | ||
| } | ||
|
|
||
|
|
@@ -390,13 +385,8 @@ private void validate(APISetVmNicSecurityGroupMsg msg) { | |
| if (!adminIntegers.isEmpty()) { | ||
| Integer[] priorities = adminIntegers.toArray(new Integer[adminIntegers.size()]); | ||
| Arrays.sort(priorities); | ||
| if (priorities[0] != 1) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10024, "could no set vm nic security group, because admin security group priority[%d] must be higher than users", priorities[0])); | ||
| } | ||
| for (int i = 0; i < priorities.length - 1; i++) { | ||
| if (priorities[i] + 1 != priorities[i + 1]) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10025, "could no set vm nic security group, because admin security group priority[%d] must be higher than users", priorities[i + 1])); | ||
| } | ||
| if (priorities[0] < 1) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10024, "could no set vm nic security group, because admin security group priority[%d] must be positive", priorities[0])); | ||
| } | ||
| } | ||
| } | ||
|
|
@@ -498,8 +488,9 @@ private void validate(APIUpdateSecurityGroupRulePriorityMsg msg) { | |
| rvos.stream().filter(rvo -> rvo.getUuid().equals(ao.getRuleUuid())).findFirst().orElseThrow(() -> | ||
| new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10041, "could not update security group rule priority, because rule[uuid:%s] not in security group[uuid:%s]", ao.getRuleUuid(), msg.getSecurityGroupUuid()))); | ||
|
|
||
| rvos.stream().filter(rvo -> rvo.getPriority() == ao.getPriority()).findFirst().orElseThrow(() -> | ||
| new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10042, "could not update security group rule priority, because priority[%d] not in security group[uuid:%s]", ao.getPriority(), msg.getSecurityGroupUuid()))); | ||
| if (ao.getPriority() < 1) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10042, "could not update security group rule priority, because priority[%d] must be positive", ao.getPriority())); | ||
| } | ||
|
Comment on lines
+491
to
+493
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
🔧 建议补充上限校验 if (ao.getPriority() < 1) {
throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10042, "could not update security group rule priority, because priority[%d] must be positive", ao.getPriority()));
}
+ if (ao.getPriority() > SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class)) {
+ throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10042, "could not update security group rule priority, because priority[%d] exceeds the maximum limit[%d]", ao.getPriority(), SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class)));
+ }🤖 Prompt for AI Agents |
||
| } | ||
|
|
||
| List<String> uuidList = new ArrayList<>(priorityMap.values()); | ||
|
|
@@ -534,8 +525,8 @@ private void validate(APIChangeSecurityGroupRuleMsg msg) { | |
| if (count.intValue() > SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class)) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10047, "could not change security group rule, because security group %s rules number[%d] is out of max limit[%d]", vo.getType(), count.intValue(), SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class))); | ||
| } | ||
| if (msg.getPriority() > count.intValue()) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10048, "could not change security group rule, because the maximum priority of %s rule is [%d]", vo.getType().toString(), count.intValue())); | ||
| if (msg.getPriority() > SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class)) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10048, "could not change security group rule, because priority[%d] exceeds the maximum limit[%d]", msg.getPriority(), SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class))); | ||
| } | ||
| if (msg.getPriority() < 0) { | ||
| msg.setPriority(SecurityGroupConstant.LOWEST_RULE_PRIORITY); | ||
|
|
@@ -1198,11 +1189,8 @@ private void validate(APIAddSecurityGroupRuleMsg msg) { | |
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10119, "could not add security group rule, because security group %s rules number[%d] is out of max limit[%d]", | ||
| SecurityGroupRuleType.Egress, (egressRuleCount + toCreateEgressRuleCount), SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class))); | ||
| } | ||
| if (msg.getPriority() > (ingressRuleCount + 1) && toCreateIngressRuleCount > 0) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10120, "could not add security group rule, because priority[%d] must be consecutive, the ingress rule maximum priority is [%d]", msg.getPriority(), ingressRuleCount)); | ||
| } | ||
| if (msg.getPriority() > (egressRuleCount + 1) && toCreateEgressRuleCount > 0) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10121, "could not add security group rule, because priority[%d] must be consecutive, the egress rule maximum priority is [%d]", msg.getPriority(), egressRuleCount)); | ||
| if (msg.getPriority() > SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class)) { | ||
| throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10120, "could not add security group rule, because priority[%d] exceeds the maximum limit[%d]", msg.getPriority(), SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class))); | ||
| } | ||
| } | ||
|
|
||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
避免跨 IP 版本比较引发异常或误删
reservedIpRanges可能同时包含 IPv4/IPv6 范围,但当前对每个 free IP 都遍历所有范围;当版本不一致时,底层比较可能抛异常或产生错误过滤。建议先按ipVersion过滤再做isInRange。🔧 建议修改
🤖 Prompt for AI Agents