
[Bug Fix] Fix ExistingFsxNetworkingValidator #6806


Merged
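--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ CHANGELOG
 **CHANGES**
 - Ubuntu 20.04 is no longer supported.
 
+**BUG FIXES**
+- Fix an issue where Security Group validation failed when a rule contained both IPv4 ranges (IpRanges) and security group references (UserIdGroupPairs).
 
 3.13.0
 ------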
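--- a/cli/src/pcluster/validators/cluster_validators.py
+++ b/cli/src/pcluster/validators/cluster_validators.py
@@ -534,15 +534,18 @@ def _populate_allowed_src_or_dst(rule, ip_ranges, allowed_security_groups):
 """
 if rule.get("PrefixListIds"):
 return True # Always assume prefix list is properly set for code simplicity
-elif rule.get("IpRanges"):
+if rule.get("IpRanges"):
 ip_ranges.extend(rule.get("IpRanges"))
-return False # Ip Ranges have to be checked later. Return False because the rule allowance is not determined.
-elif rule.get("UserIdGroupPairs"):
+# Ip Ranges have to be checked later. Return False because the rule allowance is not determined.
+if rule.get("Ipv4Ranges"):
+# Currently the describe_security_groups API response syntax contains "IpRanges".
+# This check is added for future compatibility if API changes to use "Ipv4Ranges"
+ip_ranges.extend(rule.get("Ipv4Ranges"))
+if rule.get("UserIdGroupPairs"):
 allowed_security_groups.update(
 {user_id_group_pair.get("GroupId") for user_id_group_pair in rule.get("UserIdGroupPairs")}
 )
 # Security groups have to be checked later. Return False because the rule allowance is not determined.
-return False
 return False
 
 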
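Review bot: The comment added after `ip_ranges.extend(rule.get("IpRanges"))` still says "Return False because the rule allowance is not determined", but nothing returns at that point any more; execution continues into the `Ipv4Ranges` and `UserIdGroupPairs` checks and the only `return False` left is the last statement. I would reword it to `# IP ranges are checked later; the rule's allowance is not determined here.` so that a reader does not assume an early exit that would skip the security-group collection, which is the behaviour this fix removes. Indentation is lost on this page, so whether the remaining "Security groups have to be checked later" comment sits inside the branch or beside the final return cannot be told from here. The function's signature and docstring begin above the hunk, and the docstring may need the same update.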
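--- a/cli/tests/pcluster/validators/test_cluster_validators.py
+++ b/cli/tests/pcluster/validators/test_cluster_validators.py
@@ -1306,6 +1306,69 @@ def test_queue_name_validator(name, expected_message):
 r"allows inbound TCP traffic through ports \[111, 2049, 20001, 20002, 20003\]. Missing ports: "
 r"\[2049, 20001, 20002, 20003\]",
 ),
+( # working case: The rule has both IpRanges and UserIdGroupPairs. Wrong ip permissions. But SG matches.
+"LUSTRE",
+"vpc-06e4ab6c6cEXAMPLE",
+[
+{
+"IpProtocol": "-1",
+"IpRanges": [{"CidrIp": "10.1.1.0/25"}],
+"UserIdGroupPairs": [{"UserId": "123456789012", "GroupId": "sg-12345678"}],
+}
+],
+[
+{
+"IpProtocol": "-1",
+"IpRanges": [{"CidrIp": "10.1.1.0/25"}],
+"UserIdGroupPairs": [{"UserId": "123456789012", "GroupId": "sg-12345678"}],
+}
+],
+{frozenset({"sg-12345678"}), frozenset({"sg-12345678", "sg-23456789"})},
+["eni-09b9460295ddd4e5f"],
+None,
+),
+( # not-working case:The rule has both IpRanges and UserIdGroupPairs. Both don't match.
+"LUSTRE",
+"vpc-06e4ab6c6cEXAMPLE",
+[
+{
+"IpProtocol": "-1",
+"IpRanges": [{"CidrIp": "10.1.1.0/25"}],
+"UserIdGroupPairs": [{"UserId": "123456789012", "GroupId": "sg-99999999"}],
+}
+],
+[
+{
+"IpProtocol": "-1",
+"IpRanges": [{"CidrIp": "10.1.1.0/25"}],
+"UserIdGroupPairs": [{"UserId": "123456789012", "GroupId": "sg-99999999"}],
+}
+],
+{frozenset({"sg-12345678"}), frozenset({"sg-12345678", "sg-23456789"})},
+["eni-09b9460295ddd4e5f"],
+r"allows inbound and outbound TCP traffic through ports \[988\]",
+),
+( # working case:IpRanges covers the subnet, but UserIdGroupPairs do not match
+"LUSTRE",
+"vpc-06e4ab6c6cEXAMPLE",
+[
+{
+"IpProtocol": "-1",
+"IpRanges": [{"CidrIp": "10.0.0.0/16"}],
+"UserIdGroupPairs": [{"UserId": "123456789012", "GroupId": "sg-99999999"}],
+}
+],
+[
+{
+"IpProtocol": "-1",
+"IpRanges": [{"CidrIp": "10.0.0.0/16"}],
+"UserIdGroupPairs": [{"UserId": "123456789012", "GroupId": "sg-99999999"}],
+}
+],
+{frozenset({"sg-12345678"})},
+["eni-09b9460295ddd4e5f"],
+None,
+),
 ],
 )
 def test_fsx_network_validator(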
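Review bot: None of the three added cases exercises the new `Ipv4Ranges` branch of `_populate_allowed_src_or_dst`; every rule here uses `IpRanges`, so that branch ships untested. A fourth case whose rule is `{"IpProtocol": "-1", "Ipv4Ranges": [{"CidrIp": "10.0.0.0/16"}]}` in both rule lists, expecting `None`, would pin it, assuming the entries are meant to have the same shape as `IpRanges` entries. In all three cases the two rule lists (presumably the inbound and outbound permissions) are identical, so a security group that satisfies one direction through `IpRanges` and the other through `UserIdGroupPairs` is not covered either. The parametrize decorator opens above the hunk and the body of `test_fsx_network_validator` continues below it.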