Fix Bug 924: User is not allowed to upload NS Descriptors for project_user(role)
[osm/NBI.git] / osm_nbi / instance_topics.py
index 8f2ac0d..decb9c7 100644 (file)
@@ -18,11 +18,13 @@ from uuid import uuid4
 from http import HTTPStatus
 from time import time
 from copy import copy, deepcopy
-from validation import validate_input, ValidationError, ns_instantiate, ns_action, ns_scale, nsi_instantiate
-from base_topic import BaseTopic, EngineException, get_iterable
+from osm_nbi.validation import validate_input, ValidationError, ns_instantiate, ns_action, ns_scale, nsi_instantiate
+from osm_nbi.base_topic import BaseTopic, EngineException, get_iterable, deep_get
 # from descriptor_topics import DescriptorTopic
 from yaml import safe_dump
 from osm_common.dbbase import DbException
+from osm_common.msgbase import MsgException
+from osm_common.fsbase import FsException
 from re import match  # For checking that additional parameter names are valid Jinja2 identifiers
 
 __author__ = "Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
@@ -31,9 +33,10 @@ __author__ = "Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
 class NsrTopic(BaseTopic):
     topic = "nsrs"
     topic_msg = "ns"
+    schema_new = ns_instantiate
 
-    def __init__(self, db, fs, msg):
-        BaseTopic.__init__(self, db, fs, msg)
+    def __init__(self, db, fs, msg, auth):
+        BaseTopic.__init__(self, db, fs, msg, auth)
 
     def _check_descriptor_dependencies(self, session, descriptor):
         """
@@ -53,6 +56,7 @@ class NsrTopic(BaseTopic):
     def format_on_new(content, project_id=None, make_public=False):
         BaseTopic.format_on_new(content, project_id=project_id, make_public=make_public)
         content["_admin"]["nsState"] = "NOT_INSTANTIATED"
+        return None
 
     def check_conflict_on_del(self, session, _id, db_content):
         """
@@ -115,29 +119,41 @@ class NsrTopic(BaseTopic):
         return formated_request
 
     @staticmethod
-    def _format_addional_params(ns_request, member_vnf_index=None, descriptor=None):
+    def _format_addional_params(ns_request, member_vnf_index=None, vdu_id=None, kdu_name=None, descriptor=None):
         """
         Get and format user additional params for NS or VNF
         :param ns_request: User instantiation additional parameters
         :param member_vnf_index: None for extract NS params, or member_vnf_index to extract VNF params
         :param descriptor: If not None it check that needed parameters of descriptor are supplied
-        :return: a formated copy of additional params or None if not supplied
+        :return: a formatted copy of additional params or None if not supplied
         """
         additional_params = None
         if not member_vnf_index:
             additional_params = copy(ns_request.get("additionalParamsForNs"))
             where_ = "additionalParamsForNs"
         elif ns_request.get("additionalParamsForVnf"):
-            for additionalParamsForVnf in get_iterable(ns_request.get("additionalParamsForVnf")):
-                if additionalParamsForVnf["member-vnf-index"] == member_vnf_index:
-                    additional_params = copy(additionalParamsForVnf.get("additionalParams"))
-                    where_ = "additionalParamsForVnf[member-vnf-index={}]".format(
-                        additionalParamsForVnf["member-vnf-index"])
-                    break
+            where_ = "additionalParamsForVnf[member-vnf-index={}]".format(member_vnf_index)
+            item = next((x for x in ns_request["additionalParamsForVnf"] if x["member-vnf-index"] == member_vnf_index),
+                        None)
+            if item:
+                additional_params = copy(item.get("additionalParams")) or {}
+                if vdu_id and item.get("additionalParamsForVdu"):
+                    item_vdu = next((x for x in item["additionalParamsForVdu"] if x["vdu_id"] == vdu_id), None)
+                    if item_vdu and item_vdu.get("additionalParams"):
+                        where_ += ".additionalParamsForVdu[vdu_id={}]".format(vdu_id)
+                        additional_params = item_vdu["additionalParams"]
+                if kdu_name:
+                    additional_params = {}
+                    if item.get("additionalParamsForKdu"):
+                        item_kdu = next((x for x in item["additionalParamsForKdu"] if x["kdu_name"] == kdu_name), None)
+                        if item_kdu and item_kdu.get("additionalParams"):
+                            where_ += ".additionalParamsForKdu[kdu_name={}]".format(kdu_name)
+                            additional_params = item_kdu["additionalParams"]
+
         if additional_params:
             for k, v in additional_params.items():
-                # BEGIN Check that additional parameter names are valid Jinja2 identifiers
-                if not match('^[a-zA-Z_][a-zA-Z0-9_]*$', k):
+                # BEGIN Check that additional parameter names are valid Jinja2 identifiers if target is not Kdu
+                if not kdu_name and not match('^[a-zA-Z_][a-zA-Z0-9_]*$', k):
                     raise EngineException("Invalid param name at {}:{}. Must contain only alphanumeric characters "
                                           "and underscores, and cannot start with a digit"
                                           .format(where_, k))
@@ -153,20 +169,28 @@ class NsrTopic(BaseTopic):
             # check that enough parameters are supplied for the initial-config-primitive
             # TODO: check for cloud-init
             if member_vnf_index:
-                if descriptor.get("vnf-configuration"):
-                    for initial_primitive in get_iterable(
-                            descriptor["vnf-configuration"].get("initial-config-primitive")):
-                        for param in get_iterable(initial_primitive.get("parameter")):
-                            if param["value"].startswith("<") and param["value"].endswith(">"):
-                                if param["value"] in ("<rw_mgmt_ip>", "<VDU_SCALE_INFO>"):
-                                    continue
-                                if not additional_params or param["value"][1:-1] not in additional_params:
-                                    raise EngineException("Parameter '{}' needed for vnfd[id={}]:vnf-configuration:"
-                                                          "initial-config-primitive[name={}] not supplied".
-                                                          format(param["value"], descriptor["id"],
-                                                                 initial_primitive["name"]))
+                if kdu_name:
+                    initial_primitives = None
+                elif vdu_id:
+                    vdud = next(x for x in descriptor["vdu"] if x["id"] == vdu_id)
+                    initial_primitives = deep_get(vdud, ("vdu-configuration", "initial-config-primitive"))
+                else:
+                    initial_primitives = deep_get(descriptor, ("vnf-configuration", "initial-config-primitive"))
+            else:
+                initial_primitives = deep_get(descriptor, ("ns-configuration", "initial-config-primitive"))
 
-        return additional_params
+            for initial_primitive in get_iterable(initial_primitives):
+                for param in get_iterable(initial_primitive.get("parameter")):
+                    if param["value"].startswith("<") and param["value"].endswith(">"):
+                        if param["value"] in ("<rw_mgmt_ip>", "<VDU_SCALE_INFO>", "<ns_config_info>"):
+                            continue
+                        if not additional_params or param["value"][1:-1] not in additional_params:
+                            raise EngineException("Parameter '{}' needed for vnfd[id={}]:vnf-configuration:"
+                                                  "initial-config-primitive[name={}] not supplied".
+                                                  format(param["value"], descriptor["id"],
+                                                         initial_primitive["name"]))
+
+        return additional_params or None
 
     def new(self, rollback, session, indata=None, kwargs=None, headers=None):
         """
@@ -176,10 +200,16 @@ class NsrTopic(BaseTopic):
         :param indata: params to be used for the nsr
         :param kwargs: used to override the indata descriptor
         :param headers: http request headers
-        :return: the _id of nsr descriptor created at database
+        :return: the _id of nsr descriptor created at database. Or an exception of type
+            EngineException, ValidationError, DbException, FsException, MsgException.
+            Note: Exceptions are not captured on purpose. They should be captured at called
         """
 
         try:
+            step = "checking quotas"
+            self.check_quota(session)
+
+            step = "validating input parameters"
             ns_request = self._remove_envelop(indata)
             # Override descriptor with query string kwargs
             self._update_input_with_kwargs(ns_request, kwargs)
@@ -221,12 +251,12 @@ class NsrTopic(BaseTopic):
                 "nsd-id": nsd["_id"],
                 "vnfd-id": [],
                 "instantiate_params": self._format_ns_request(ns_request),
-                "additionalParamsForNs": self._format_addional_params(ns_request),
+                "additionalParamsForNs": self._format_addional_params(ns_request, descriptor=nsd),
                 "ns-instance-config-ref": nsr_id,
                 "id": nsr_id,
                 "_id": nsr_id,
                 # "input-parameter": xpath, value,
-                "ssh-authorized-key": ns_request.get("key-pair-ref"),  # TODO remove
+                "ssh-authorized-key": ns_request.get("ssh_keys"),  # TODO remove
             }
             ns_request["nsr_id"] = nsr_id
             # Create vld
@@ -261,7 +291,7 @@ class NsrTopic(BaseTopic):
                     "nsr-id-ref": nsr_id,
                     "member-vnf-index-ref": member_vnf["member-vnf-index"],
                     "additionalParamsForVnf": self._format_addional_params(ns_request, member_vnf["member-vnf-index"],
-                                                                           vnfd),
+                                                                           descriptor=vnfd),
                     "created-time": now,
                     # "vnfd": vnfd,        # at OSM model.but removed to avoid data duplication TODO: revise
                     "vnfd-ref": vnfd_id,
@@ -290,6 +320,44 @@ class NsrTopic(BaseTopic):
                         # vim-id  # TODO it would be nice having a vim port id
                     }
                     vnfr_descriptor["connection-point"].append(vnf_cp)
+
+                # Create k8s-cluster information
+                if vnfd.get("k8s-cluster"):
+                    vnfr_descriptor["k8s-cluster"] = vnfd["k8s-cluster"]
+                    for net in get_iterable(vnfr_descriptor["k8s-cluster"].get("nets")):
+                        if net.get("external-connection-point-ref"):
+                            for nsd_vld in get_iterable(nsd.get("vld")):
+                                for nsd_vld_cp in get_iterable(nsd_vld.get("vnfd-connection-point-ref")):
+                                    if nsd_vld_cp.get("vnfd-connection-point-ref") == \
+                                            net["external-connection-point-ref"] and \
+                                            nsd_vld_cp.get("member-vnf-index-ref") == member_vnf["member-vnf-index"]:
+                                        net["ns-vld-id"] = nsd_vld["id"]
+                                        break
+                                else:
+                                    continue
+                                break
+                        elif net.get("internal-connection-point-ref"):
+                            for vnfd_ivld in get_iterable(vnfd.get("internal-vld")):
+                                for vnfd_ivld_icp in get_iterable(vnfd_ivld.get("internal-connection-point")):
+                                    if vnfd_ivld_icp.get("id-ref") == net["internal-connection-point-ref"]:
+                                        net["vnf-vld-id"] = vnfd_ivld["id"]
+                                        break
+                                else:
+                                    continue
+                                break
+                # update kdus
+                for kdu in get_iterable(vnfd.get("kdu")):
+                    kdur = {x: kdu[x] for x in kdu if x in ("helm-chart", "juju-bundle")}
+                    kdur["kdu-name"] = kdu["name"]
+                    # TODO      "name": ""     Name of the VDU in the VIM
+                    kdur["ip-address"] = None  # mgmt-interface filled by LCM
+                    kdur["k8s-cluster"] = {}
+                    kdur["additionalParams"] = self._format_addional_params(ns_request, member_vnf["member-vnf-index"],
+                                                                            kdu_name=kdu["name"], descriptor=vnfd)
+                    if not vnfr_descriptor.get("kdur"):
+                        vnfr_descriptor["kdur"] = []
+                    vnfr_descriptor["kdur"].append(kdur)
+
                 for vdu in vnfd.get("vdu", ()):
                     vdur = {
                         "vdu-id-ref": vdu["id"],
@@ -298,6 +366,8 @@ class NsrTopic(BaseTopic):
                         # "vim-id", "flavor-id", "image-id", "management-ip" # filled by LCM
                         "internal-connection-point": [],
                         "interfaces": [],
+                        "additionalParams": self._format_addional_params(ns_request, member_vnf["member-vnf-index"],
+                                                                         vdu_id=vdu["id"], descriptor=vnfd)
                     }
                     if vdu.get("pdu-type"):
                         vdur["pdu-type"] = vdu["pdu-type"]
@@ -360,7 +430,7 @@ class NsrTopic(BaseTopic):
                     member_vnf["vnfd-id-ref"], member_vnf["member-vnf-index"])
 
                 # add at database
-                BaseTopic.format_on_new(vnfr_descriptor, session["project_id"], make_public=session["public"])
+                self.format_on_new(vnfr_descriptor, session["project_id"], make_public=session["public"])
                 self.db.create("vnfrs", vnfr_descriptor)
                 rollback.append({"topic": "vnfrs", "_id": vnfr_id})
                 nsr_descriptor["constituent-vnfr-ref"].append(vnfr_id)
@@ -373,12 +443,9 @@ class NsrTopic(BaseTopic):
             step = "creating nsr temporal folder"
             self.fs.mkdir(nsr_id)
 
-            return nsr_id
-        except Exception as e:
-            self.logger.exception("Exception {} at NsrTopic.new()".format(e), exc_info=True)
-            raise EngineException("Error {}: {}".format(step, e))
-        except ValidationError as e:
-            raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
+            return nsr_id, None
+        except (ValidationError, EngineException, DbException, MsgException, FsException) as e:
+            raise type(e)("{} while '{}".format(e, step), http_code=e.http_code)
 
     def edit(self, session, _id, indata=None, kwargs=None, content=None):
         raise EngineException("Method edit called directly", HTTPStatus.INTERNAL_SERVER_ERROR)
@@ -388,8 +455,8 @@ class VnfrTopic(BaseTopic):
     topic = "vnfrs"
     topic_msg = None
 
-    def __init__(self, db, fs, msg):
-        BaseTopic.__init__(self, db, fs, msg)
+    def __init__(self, db, fs, msg, auth):
+        BaseTopic.__init__(self, db, fs, msg, auth)
 
     def delete(self, session, _id, dry_run=False):
         raise EngineException("Method delete called directly", HTTPStatus.INTERNAL_SERVER_ERROR)
@@ -412,8 +479,8 @@ class NsLcmOpTopic(BaseTopic):
         "terminate": None,
     }
 
-    def __init__(self, db, fs, msg):
-        BaseTopic.__init__(self, db, fs, msg)
+    def __init__(self, db, fs, msg, auth):
+        BaseTopic.__init__(self, db, fs, msg, auth)
 
     def _check_ns_operation(self, session, nsr, operation, indata):
         """
@@ -423,22 +490,41 @@ class NsLcmOpTopic(BaseTopic):
         :param indata: descriptor with the parameters of the operation
         :return: None
         """
-        vnfds = {}
+        vnf_member_index_to_vnfd = {}  # map between vnf_member_index to vnf descriptor.
         vim_accounts = []
         wim_accounts = []
         nsd = nsr["nsd"]
 
         def check_valid_vnf_member_index(member_vnf_index):
-            # TODO change to vnfR
-            for vnf in nsd["constituent-vnfd"]:
-                if member_vnf_index == vnf["member-vnf-index"]:
-                    vnfd_id = vnf["vnfd-id-ref"]
-                    if vnfd_id not in vnfds:
-                        vnfds[vnfd_id] = self.db.get_one("vnfds", {"id": vnfd_id})
-                    return vnfds[vnfd_id]
-            else:
+            # Obtain vnf descriptor. The vnfr is used to get the vnfd._id used for this member_vnf_index
+            if vnf_member_index_to_vnfd.get(member_vnf_index):
+                return vnf_member_index_to_vnfd[member_vnf_index]
+            vnfr = self.db.get_one("vnfrs",
+                                   {"nsr-id-ref": nsr["_id"], "member-vnf-index-ref": member_vnf_index},
+                                   fail_on_empty=False)
+            if not vnfr:
                 raise EngineException("Invalid parameter member_vnf_index='{}' is not one of the "
                                       "nsd:constituent-vnfd".format(member_vnf_index))
+            vnfd = self.db.get_one("vnfds", {"_id": vnfr["vnfd-id"]}, fail_on_empty=False)
+            if not vnfd:
+                raise EngineException("vnfd id={} has been deleted!. Operation cannot be performed".
+                                      format(vnfr["vnfd-id"]))
+            vnf_member_index_to_vnfd[member_vnf_index] = vnfd  # add to cache, avoiding a later look for
+            return vnfd
+
+        def check_valid_vdu(vnfd, vdu_id):
+            for vdud in get_iterable(vnfd.get("vdu")):
+                if vdud["id"] == vdu_id:
+                    return vdud
+            else:
+                raise EngineException("Invalid parameter vdu_id='{}' not present at vnfd:vdu:id".format(vdu_id))
+
+        def check_valid_kdu(vnfd, kdu_name):
+            for kdud in get_iterable(vnfd.get("kdu")):
+                if kdud["name"] == kdu_name:
+                    return kdud
+            else:
+                raise EngineException("Invalid parameter kdu_name='{}' not present at vnfd:kdu:name".format(kdu_name))
 
         def _check_vnf_instantiation_params(in_vnfd, vnfd):
 
@@ -471,7 +557,7 @@ class NsLcmOpTopic(BaseTopic):
             for in_ivld in get_iterable(in_vnfd.get("internal-vld")):
                 for ivld in get_iterable(vnfd.get("internal-vld")):
                     if in_ivld["name"] == ivld["name"] or in_ivld["name"] == ivld["id"]:
-                        for in_icp in get_iterable(in_ivld["internal-connection-point"]):
+                        for in_icp in get_iterable(in_ivld.get("internal-connection-point")):
                             for icp in ivld["internal-connection-point"]:
                                 if in_icp["id-ref"] == icp["id-ref"]:
                                     break
@@ -517,10 +603,25 @@ class NsLcmOpTopic(BaseTopic):
                 indata["member_vnf_index"] = indata.pop("vnf_member_index")    # for backward compatibility
             if indata.get("member_vnf_index"):
                 vnfd = check_valid_vnf_member_index(indata["member_vnf_index"])
-                descriptor_configuration = vnfd.get("vnf-configuration", {}).get("config-primitive")
+                if indata.get("vdu_id"):
+                    vdud = check_valid_vdu(vnfd, indata["vdu_id"])
+                    descriptor_configuration = vdud.get("vdu-configuration", {}).get("config-primitive")
+                elif indata.get("kdu_name"):
+                    kdud = check_valid_kdu(vnfd, indata["kdu_name"])
+                    descriptor_configuration = kdud.get("kdu-configuration", {}).get("config-primitive")
+                else:
+                    descriptor_configuration = vnfd.get("vnf-configuration", {}).get("config-primitive")
             else:  # use a NSD
                 descriptor_configuration = nsd.get("ns-configuration", {}).get("config-primitive")
-            # check primitive
+
+            # For k8s allows default primitives without validating the parameters
+            if indata.get("kdu_name") and indata["primitive"] in ("upgrade", "rollback", "status", "inspect", "readme"):
+                # TODO should be checked that rollback only can contains revsision_numbe????
+                if not indata.get("member_vnf_index"):
+                    raise EngineException("Missing action parameter 'member_vnf_index' for default KDU primitive '{}'"
+                                          .format(indata["primitive"]))
+                return
+            # if not, check primitive
             for config_primitive in get_iterable(descriptor_configuration):
                 if indata["primitive"] == config_primitive["name"]:
                     # check needed primitive_params are provided
@@ -574,7 +675,6 @@ class NsLcmOpTopic(BaseTopic):
         Look for a free PDU in the catalog matching vdur type and interfaces. Fills vnfr.vdur with the interface
         (ip_address, ...) information.
         Modifies PDU _admin.usageState to 'IN_USE'
-        
         :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
         :param rollback: list with the database modifications to rollback if needed
         :param vnfr: vnfr to be updated. It is modified with pdu interface info if pdu is found
@@ -662,17 +762,97 @@ class NsLcmOpTopic(BaseTopic):
                                 "vnf-vld-id": vdur_interface.get("vnf-vld-id"),
                                 "ns-vld-id": vdur_interface.get("ns-vld-id")})
                             if pdu_interface.get("vim-network-id"):
-                                ifaces_forcing_vim_network.append({
-                                    "vim-network-id": pdu_interface.get("vim-network-id")})
+                                ifaces_forcing_vim_network[-1]["vim-network-id"] = pdu_interface["vim-network-id"]
                             if pdu_interface.get("vim-network-name"):
-                                ifaces_forcing_vim_network.append({
-                                    "vim-network-name": pdu_interface.get("vim-network-name")})
+                                ifaces_forcing_vim_network[-1]["vim-network-name"] = pdu_interface["vim-network-name"]
                         break
 
         return ifaces_forcing_vim_network
 
+    def _look_for_k8scluster(self, session, rollback, vnfr, vim_account, vnfr_update, vnfr_update_rollback):
+        """
+        Look for an available k8scluster for all the kuds in the vnfd matching version and cni requirements.
+        Fills vnfr.kdur with the selected k8scluster
+
+        :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
+        :param rollback: list with the database modifications to rollback if needed
+        :param vnfr: vnfr to be updated. It is modified with pdu interface info if pdu is found
+        :param vim_account: vim_account where this vnfr should be deployed
+        :param vnfr_update: dictionary filled by this method with changes to be done at database vnfr
+        :param vnfr_update_rollback: dictionary filled by this method with original content of vnfr in case a rollback
+                                     of the changed vnfr is needed
+
+        :return: List of KDU interfaces that are connected to an existing VIM network. Each item contains:
+                 "vim-network-name": used at VIM
+                  "name": interface name
+                  "vnf-vld-id": internal VNFD vld where this interface is connected, or
+                  "ns-vld-id": NSD vld where this interface is connected.
+                  NOTE: One, and only one between 'vnf-vld-id' and 'ns-vld-id' contains a value. The other will be None
+        """
+
+        ifaces_forcing_vim_network = []
+        if not vnfr.get("kdur"):
+            return ifaces_forcing_vim_network
+
+        kdu_filter = self._get_project_filter(session)
+        kdu_filter["vim_account"] = vim_account
+        # TODO kdu_filter["_admin.operationalState"] = "ENABLED"
+        available_k8sclusters = self.db.get_list("k8sclusters", kdu_filter)
+
+        k8s_requirements = {}  # just for logging
+        for k8scluster in available_k8sclusters:
+            if not vnfr.get("k8s-cluster"):
+                break
+            # restrict by cni
+            if vnfr["k8s-cluster"].get("cni"):
+                k8s_requirements["cni"] = vnfr["k8s-cluster"]["cni"]
+                if not set(vnfr["k8s-cluster"]["cni"]).intersection(k8scluster.get("cni", ())):
+                    continue
+            # restrict by version
+            if vnfr["k8s-cluster"].get("version"):
+                k8s_requirements["version"] = vnfr["k8s-cluster"]["version"]
+                if k8scluster.get("k8s_version") not in vnfr["k8s-cluster"]["version"]:
+                    continue
+            # restrict by number of networks
+            if vnfr["k8s-cluster"].get("nets"):
+                k8s_requirements["networks"] = len(vnfr["k8s-cluster"]["nets"])
+                if not k8scluster.get("nets") or len(k8scluster["nets"]) < len(vnfr["k8s-cluster"]["nets"]):
+                    continue
+            break
+        else:
+            raise EngineException("No k8scluster with requirements='{}' at vim_account={} found for member_vnf_index={}"
+                                  .format(k8s_requirements, vim_account, vnfr["member-vnf-index-ref"]))
+
+        for kdur_index, kdur in enumerate(get_iterable(vnfr.get("kdur"))):
+            # step 3. Fill vnfr info by filling kdur
+            kdu_text = "kdur.{}.".format(kdur_index)
+            vnfr_update_rollback[kdu_text + "k8s-cluster.id"] = None
+            vnfr_update[kdu_text + "k8s-cluster.id"] = k8scluster["_id"]
+
+        # step 4. Check VIM networks that forces the selected k8s_cluster
+        if vnfr.get("k8s-cluster") and vnfr["k8s-cluster"].get("nets"):
+            k8scluster_net_list = list(k8scluster.get("nets").keys())
+            for net_index, kdur_net in enumerate(vnfr["k8s-cluster"]["nets"]):
+                # get a network from k8s_cluster nets. If name matches use this, if not use other
+                if kdur_net["id"] in k8scluster_net_list:  # name matches
+                    vim_net = k8scluster["nets"][kdur_net["id"]]
+                    k8scluster_net_list.remove(kdur_net["id"])
+                else:
+                    vim_net = k8scluster["nets"][k8scluster_net_list[0]]
+                    k8scluster_net_list.pop(0)
+                vnfr_update_rollback["k8s-cluster.nets.{}.vim_net".format(net_index)] = None
+                vnfr_update["k8s-cluster.nets.{}.vim_net".format(net_index)] = vim_net
+                if vim_net and (kdur_net.get("vnf-vld-id") or kdur_net.get("ns-vld-id")):
+                    ifaces_forcing_vim_network.append({
+                        "name": kdur_net.get("vnf-vld-id") or kdur_net.get("ns-vld-id"),
+                        "vnf-vld-id": kdur_net.get("vnf-vld-id"),
+                        "ns-vld-id": kdur_net.get("ns-vld-id"),
+                        "vim-network-name": vim_net,   # TODO can it be vim-network-id ???
+                    })
+            # TODO check that this forcing is not incompatible with other forcing
+        return ifaces_forcing_vim_network
+
     def _update_vnfrs(self, session, rollback, nsr, indata):
-        vnfrs = None
         # get vnfr
         nsr_id = nsr["_id"]
         vnfrs = self.db.get_list("vnfrs", {"nsr-id-ref": nsr_id})
@@ -698,7 +878,10 @@ class NsLcmOpTopic(BaseTopic):
             ifaces_forcing_vim_network = self._look_for_pdu(session, rollback, vnfr, vim_account, vnfr_update,
                                                             vnfr_update_rollback)
 
-            # updata database vnfr
+            # get kdus
+            ifaces_forcing_vim_network += self._look_for_k8scluster(session, rollback, vnfr, vim_account, vnfr_update,
+                                                                    vnfr_update_rollback)
+            # update database vnfr
             self.db.set_one("vnfrs", {"_id": vnfr["_id"]}, vnfr_update)
             rollback.append({"topic": "vnfrs", "_id": vnfr["_id"], "operation": "set", "content": vnfr_update_rollback})
 
@@ -763,6 +946,15 @@ class NsLcmOpTopic(BaseTopic):
         :param headers: http request headers
         :return: id of the nslcmops
         """
+        def check_if_nsr_is_not_slice_member(session, nsr_id):
+            nsis = None
+            db_filter = self._get_project_filter(session)
+            db_filter["_admin.nsrs-detailed-list.ANYINDEX.nsrId"] = nsr_id
+            nsis = self.db.get_one("nsis", db_filter, fail_on_empty=False, fail_on_more=False)
+            if nsis:
+                raise EngineException("The NS instance {} cannot be terminate because is used by the slice {}".format(
+                                      nsr_id, nsis["_id"]), http_code=HTTPStatus.CONFLICT)
+
         try:
             # Override descriptor with query string kwargs
             self._update_input_with_kwargs(indata, kwargs)
@@ -776,10 +968,12 @@ class NsLcmOpTopic(BaseTopic):
             nsr = self.db.get_one("nsrs", _filter)
 
             # initial checking
+            if operation == "terminate" and slice_object is False:
+                check_if_nsr_is_not_slice_member(session, nsr["_id"])
             if not nsr["_admin"].get("nsState") or nsr["_admin"]["nsState"] == "NOT_INSTANTIATED":
                 if operation == "terminate" and indata.get("autoremove"):
                     # NSR must be deleted
-                    return None    # a none in this case is used to indicate not instantiated. It can be removed
+                    return None, None    # a none in this case is used to indicate not instantiated. It can be removed
                 if operation != "instantiate":
                     raise EngineException("ns_instance '{}' cannot be '{}' because it is not instantiated".format(
                         nsInstanceId, operation), HTTPStatus.CONFLICT)
@@ -793,13 +987,14 @@ class NsLcmOpTopic(BaseTopic):
                 self._update_vnfrs(session, rollback, nsr, indata)
 
             nslcmop_desc = self._create_nslcmop(nsInstanceId, operation, indata)
+            _id = nslcmop_desc["_id"]
             self.format_on_new(nslcmop_desc, session["project_id"], make_public=session["public"])
-            _id = self.db.create("nslcmops", nslcmop_desc)
+            self.db.create("nslcmops", nslcmop_desc)
             rollback.append({"topic": "nslcmops", "_id": _id})
             if not slice_object:
                 self.msg.write("ns", operation, nslcmop_desc)
-            return _id
-        except ValidationError as e:
+            return _id, None
+        except ValidationError as e:  # TODO remove try Except, it is captured at nbi.py
             raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
         # except DbException as e:
         #     raise EngineException("Cannot get ns_instance '{}': {}".format(e), HTTPStatus.NOT_FOUND)
@@ -815,9 +1010,9 @@ class NsiTopic(BaseTopic):
     topic = "nsis"
     topic_msg = "nsi"
 
-    def __init__(self, db, fs, msg):
-        BaseTopic.__init__(self, db, fs, msg)
-        self.nsrTopic = NsrTopic(db, fs, msg)
+    def __init__(self, db, fs, msg, auth):
+        BaseTopic.__init__(self, db, fs, msg, auth)
+        self.nsrTopic = NsrTopic(db, fs, msg, auth)
 
     @staticmethod
     def _format_ns_request(ns_request):
@@ -976,12 +1171,15 @@ class NsiTopic(BaseTopic):
         """
 
         try:
+            step = "checking quotas"
+            self.check_quota(session)
+
+            step = ""
             slice_request = self._remove_envelop(indata)
             # Override descriptor with query string kwargs
             self._update_input_with_kwargs(slice_request, kwargs)
             self._validate_input_new(slice_request, session["force"])
 
-            step = ""
             # look for nstd
             step = "getting nstd id='{}' from database".format(slice_request.get("nstId"))
             _filter = self._get_project_filter(session)
@@ -1032,7 +1230,7 @@ class NsiTopic(BaseTopic):
                 nsi_vlds.append(nsi_vld)
 
             nsi_descriptor["_admin"]["netslice-vld"] = nsi_vlds
-            # Creating netslice-subnet_record. 
+            # Creating netslice-subnet_record.
             needed_nsds = {}
             services = []
 
@@ -1068,14 +1266,15 @@ class NsiTopic(BaseTopic):
                 # Is the nss shared and instantiated?
                 _filter["_admin.nsrs-detailed-list.ANYINDEX.shared"] = True
                 _filter["_admin.nsrs-detailed-list.ANYINDEX.nsd-id"] = service["nsd-ref"]
+                _filter["_admin.nsrs-detailed-list.ANYINDEX.nss-id"] = service["id"]
                 nsi = self.db.get_one("nsis", _filter, fail_on_empty=False, fail_on_more=False)
-                
                 if nsi and service.get("is-shared-nss"):
                     nsrs_detailed_list = nsi["_admin"]["nsrs-detailed-list"]
                     for nsrs_detailed_item in nsrs_detailed_list:
                         if nsrs_detailed_item["nsd-id"] == service["nsd-ref"]:
-                            _id_nsr = nsrs_detailed_item["nsrId"]
-                            break
+                            if nsrs_detailed_item["nss-id"] == service["id"]:
+                                _id_nsr = nsrs_detailed_item["nsrId"]
+                                break
                     for netslice_subnet in nsi["_admin"]["netslice-subnet"]:
                         if netslice_subnet["nss-id"] == service["id"]:
                             indata_ns = netslice_subnet
@@ -1090,7 +1289,8 @@ class NsiTopic(BaseTopic):
                     indata_ns["nsName"] = slice_request.get("nsiName") + "." + service["id"]
                     indata_ns["vimAccountId"] = slice_request.get("vimAccountId")
                     indata_ns["nsDescription"] = service["description"]
-                    indata_ns["key-pair-ref"] = slice_request.get("key-pair-ref")
+                    if slice_request.get("ssh_keys"):
+                        indata_ns["ssh_keys"] = slice_request.get("ssh_keys")
 
                     if ns_params:
                         for ns_param in ns_params:
@@ -1101,9 +1301,9 @@ class NsiTopic(BaseTopic):
                                 break                   
 
                     # Creates Nsr objects
-                    _id_nsr = self.nsrTopic.new(rollback, session, indata_ns, kwargs, headers)
+                    _id_nsr, _ = self.nsrTopic.new(rollback, session, indata_ns, kwargs, headers)
                 nsrs_item = {"nsrId": _id_nsr, "shared": service.get("is-shared-nss"), "nsd-id": service["nsd-ref"], 
-                             "nslcmop_instantiate": None}
+                             "nss-id": service["id"], "nslcmop_instantiate": None}
                 indata_ns["nss-id"] = service["id"]
                 nsrs_list.append(nsrs_item)
                 nsi_netslice_subnet.append(indata_ns)
@@ -1118,8 +1318,8 @@ class NsiTopic(BaseTopic):
             # Creating the entry in the database
             self.db.create("nsis", nsi_descriptor)
             rollback.append({"topic": "nsis", "_id": nsi_id})
-            return nsi_id
-        except Exception as e:
+            return nsi_id, None
+        except Exception as e:   # TODO remove try Except, it is captured at nbi.py
             self.logger.exception("Exception {} at NsiTopic.new()".format(e), exc_info=True)
             raise EngineException("Error {}: {}".format(step, e))
         except ValidationError as e:
@@ -1137,9 +1337,9 @@ class NsiLcmOpTopic(BaseTopic):
         "terminate": None
     }
     
-    def __init__(self, db, fs, msg):
-        BaseTopic.__init__(self, db, fs, msg)
-        self.nsi_NsLcmOpTopic = NsLcmOpTopic(self.db, self.fs, self.msg)
+    def __init__(self, db, fs, msg, auth):
+        BaseTopic.__init__(self, db, fs, msg, auth)
+        self.nsi_NsLcmOpTopic = NsLcmOpTopic(self.db, self.fs, self.msg, self.auth)
 
     def _check_nsi_operation(self, session, nsir, operation, indata):
         """
@@ -1184,7 +1384,7 @@ class NsiLcmOpTopic(BaseTopic):
             "isCancelPending": False,
             "links": {
                 "self": "/osm/nsilcm/v1/nsi_lcm_op_occs/" + _id,
-                "nsInstance": "/osm/nsilcm/v1/netslice_instances/" + netsliceInstanceId,
+                "netsliceInstanceId": "/osm/nsilcm/v1/netslice_instances/" + netsliceInstanceId,
             }
         }
         return nsilcmop
@@ -1209,7 +1409,7 @@ class NsiLcmOpTopic(BaseTopic):
         :param rollback: list to append created items at database in case a rollback must to be done
         :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
         :param indata: descriptor with the parameters of the operation. It must contains among others
-            nsiInstanceId: _id of the nsir to perform the operation
+            netsliceInstanceId: _id of the nsir to perform the operation
             operation: it can be: instantiate, terminate, action, TODO: update, heal
         :param kwargs: used to override the indata descriptor
         :param headers: http request headers
@@ -1219,12 +1419,12 @@ class NsiLcmOpTopic(BaseTopic):
             # Override descriptor with query string kwargs
             self._update_input_with_kwargs(indata, kwargs)
             operation = indata["lcmOperationType"]
-            nsiInstanceId = indata["nsiInstanceId"]
+            netsliceInstanceId = indata["netsliceInstanceId"]
             validate_input(indata, self.operation_schema[operation])
 
-            # get nsi from nsiInstanceId
+            # get nsi from netsliceInstanceId
             _filter = self._get_project_filter(session)
-            _filter["_id"] = nsiInstanceId
+            _filter["_id"] = netsliceInstanceId
             nsir = self.db.get_one("nsis", _filter)
             del _filter["_id"]
 
@@ -1232,14 +1432,14 @@ class NsiLcmOpTopic(BaseTopic):
             if not nsir["_admin"].get("nsiState") or nsir["_admin"]["nsiState"] == "NOT_INSTANTIATED":
                 if operation == "terminate" and indata.get("autoremove"):
                     # NSIR must be deleted
-                    return None    # a none in this case is used to indicate not instantiated. It can be removed
+                    return None, None    # a none in this case is used to indicate not instantiated. It can be removed
                 if operation != "instantiate":
                     raise EngineException("netslice_instance '{}' cannot be '{}' because it is not instantiated".format(
-                        nsiInstanceId, operation), HTTPStatus.CONFLICT)
+                        netsliceInstanceId, operation), HTTPStatus.CONFLICT)
             else:
                 if operation == "instantiate" and not session["force"]:
                     raise EngineException("netslice_instance '{}' cannot be '{}' because it is already instantiated".
-                                          format(nsiInstanceId, operation), HTTPStatus.CONFLICT)
+                                          format(netsliceInstanceId, operation), HTTPStatus.CONFLICT)
             
             # Creating all the NS_operation (nslcmop)
             # Get service list from db
@@ -1252,7 +1452,7 @@ class NsiLcmOpTopic(BaseTopic):
                     _filter["_admin.nsrs-detailed-list.ANYINDEX.shared"] = True
                     _filter["_admin.nsrs-detailed-list.ANYINDEX.nsrId"] = nsr_item["nsrId"]
                     _filter["_admin.nsrs-detailed-list.ANYINDEX.nslcmop_instantiate.ne"] = None
-                    _filter["_id.ne"] = nsiInstanceId
+                    _filter["_id.ne"] = netsliceInstanceId
                     nsi = self.db.get_one("nsis", _filter, fail_on_empty=False, fail_on_more=False)
                     if operation == "terminate":
                         _update = {"_admin.nsrs-detailed-list.{}.nslcmop_instantiate".format(index): None}
@@ -1280,12 +1480,11 @@ class NsiLcmOpTopic(BaseTopic):
                     indata_ns["lcmOperationType"] = operation
                     indata_ns["nsInstanceId"] = service["_id"]
                     # Including netslice_id in the ns instantiate Operation
-                    indata_ns["netsliceInstanceId"] = nsiInstanceId
-                    del indata_ns["key-pair-ref"]
-                    # Creating NS_LCM_OP with the flag slice_object=True to not trigger the service instantiation 
+                    indata_ns["netsliceInstanceId"] = netsliceInstanceId
+                    # Creating NS_LCM_OP with the flag slice_object=True to not trigger the service instantiation
                     # message via kafka bus
-                    nslcmop = self.nsi_NsLcmOpTopic.new(rollback, session, indata_ns, kwargs, headers, 
-                                                        slice_object=True)
+                    nslcmop, _ = self.nsi_NsLcmOpTopic.new(rollback, session, indata_ns, kwargs, headers,
+                                                           slice_object=True)
                     nslcmops.append(nslcmop)
                     if operation == "terminate":
                         nslcmop = None
@@ -1302,12 +1501,12 @@ class NsiLcmOpTopic(BaseTopic):
             indata["nslcmops_ids"] = nslcmops
             self._check_nsi_operation(session, nsir, operation, indata)
 
-            nsilcmop_desc = self._create_nsilcmop(session, nsiInstanceId, operation, indata)
+            nsilcmop_desc = self._create_nsilcmop(session, netsliceInstanceId, operation, indata)
             self.format_on_new(nsilcmop_desc, session["project_id"], make_public=session["public"])
             _id = self.db.create("nsilcmops", nsilcmop_desc)
             rollback.append({"topic": "nsilcmops", "_id": _id})
             self.msg.write("nsi", operation, nsilcmop_desc)
-            return _id
+            return _id, None
         except ValidationError as e:
             raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)