Fix support for scoped tokens and default roles
This patch is the base patch to enable support for Keystone scoped tokens[1] and default roles[2] in the Designate API. It also migrates to using project_id in the context objects instead of the deprecated tenant_id. [1] https://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes [2] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html Depends-On: https://review.opendev.org/c/openstack/designate-tempest-plugin/+/821632 Change-Id: I43bb76dc4dc1d167d86fd5ea139a50f95f3b0b4a
This commit is contained in:
parent
aa798fc006
commit
5f87d207b4
20
.zuul.yaml
20
.zuul.yaml
@ -54,6 +54,24 @@
|
||||
Functional testing for a FIPS enabled Centos 8 stream system
|
||||
pre-run: playbooks/enable-fips.yaml
|
||||
|
||||
- job:
|
||||
name: designate-bind9-scoped-tokens
|
||||
post-run: playbooks/designate-bind9/post.yaml
|
||||
parent: designate-base
|
||||
vars:
|
||||
devstack_local_conf:
|
||||
post-config:
|
||||
$DESIGNATE_CONF:
|
||||
oslo_policy:
|
||||
enforce_scope: True
|
||||
enforce_new_defaults: True
|
||||
test-config:
|
||||
"$TEMPEST_CONFIG":
|
||||
enforce_scope:
|
||||
designate: True
|
||||
dns_feature_enabled:
|
||||
enforce_new_defaults: True
|
||||
|
||||
- job:
|
||||
name: designate-pdns4
|
||||
post-run: playbooks/designate-pdns4/post.yaml
|
||||
@ -136,6 +154,7 @@
|
||||
- designate-bind9
|
||||
- designate-bind9-centos8stream-fips:
|
||||
voting: false
|
||||
- designate-bind9-scoped-tokens
|
||||
- designate-pdns4
|
||||
- designate-grenade-pdns4
|
||||
- designate-ipv6-only-pdns4
|
||||
@ -145,6 +164,7 @@
|
||||
queue: designate
|
||||
jobs:
|
||||
- designate-bind9
|
||||
- designate-bind9-scoped-tokens
|
||||
- designate-pdns4
|
||||
- designate-grenade-pdns4
|
||||
- designate-ipv6-only-pdns4
|
||||
|
@ -128,14 +128,13 @@ class KeystoneContextMiddleware(ContextMiddleware):
|
||||
pass
|
||||
|
||||
tenant_id = headers.get('X-Tenant-ID')
|
||||
if tenant_id is None:
|
||||
return flask.Response(status=401)
|
||||
|
||||
catalog = None
|
||||
if headers.get('X-Service-Catalog'):
|
||||
catalog = jsonutils.loads(headers.get('X-Service-Catalog'))
|
||||
|
||||
roles = headers.get('X-Roles').split(',')
|
||||
system_scope = headers.get('Openstack-System-Scope')
|
||||
|
||||
try:
|
||||
self.make_context(
|
||||
@ -144,7 +143,8 @@ class KeystoneContextMiddleware(ContextMiddleware):
|
||||
user_id=headers.get('X-User-ID'),
|
||||
project_id=tenant_id,
|
||||
roles=roles,
|
||||
service_catalog=catalog
|
||||
service_catalog=catalog,
|
||||
system_scope=system_scope
|
||||
)
|
||||
except exceptions.Forbidden:
|
||||
return flask.Response(status=403)
|
||||
|
@ -17,6 +17,7 @@ from oslo_log import log as logging
|
||||
import pecan
|
||||
|
||||
from designate.api.v2.controllers import rest
|
||||
from designate.common import constants
|
||||
from designate import exceptions
|
||||
from designate.objects.adapters import DesignateAdapter
|
||||
from designate import policy
|
||||
@ -31,7 +32,11 @@ class ZoneExportController(rest.RestController):
|
||||
@utils.validate_uuid('export_id')
|
||||
def get_all(self, export_id):
|
||||
context = pecan.request.environ['context']
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
|
||||
policy.check('zone_export', context, target)
|
||||
|
||||
export = self.central_api.get_zone_export(context, export_id)
|
||||
|
@ -33,6 +33,7 @@ from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
import oslo_messaging as messaging
|
||||
|
||||
from designate.common import constants
|
||||
from designate import context as dcontext
|
||||
from designate import coordination
|
||||
from designate import dnsutils
|
||||
@ -483,6 +484,12 @@ class Service(service.RPCService):
|
||||
raise exceptions.InvalidTTL('TTL is below the minimum: %s'
|
||||
% min_ttl)
|
||||
|
||||
def _is_valid_project_id(self, project_id):
|
||||
if project_id is None:
|
||||
raise exceptions.MissingProjectID(
|
||||
"A project ID must be specified when not using a project "
|
||||
"scoped token.")
|
||||
|
||||
def _increment_zone_serial(self, context, zone, set_delayed_notify=False):
|
||||
"""Update the zone serial and the SOA record
|
||||
Optionally set delayed_notify to have PM issue delayed notify
|
||||
@ -658,16 +665,29 @@ class Service(service.RPCService):
|
||||
# Quota Methods
|
||||
@rpc.expected_exceptions()
|
||||
def get_quotas(self, context, tenant_id):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: tenant_id,
|
||||
'all_tenants': context.all_tenants}
|
||||
else:
|
||||
target = {'tenant_id': tenant_id}
|
||||
policy.check('get_quotas', context, target)
|
||||
|
||||
if tenant_id != context.project_id and not context.all_tenants:
|
||||
# TODO(johnsom) Deprecated since Wallaby, remove with legacy default
|
||||
# policies. System scoped admin doesn't have a project_id
|
||||
if (tenant_id != context.project_id and not context.all_tenants and not
|
||||
policy.enforce_new_defaults()):
|
||||
raise exceptions.Forbidden()
|
||||
|
||||
return self.quota.get_quotas(context, tenant_id)
|
||||
|
||||
@rpc.expected_exceptions()
|
||||
def get_quota(self, context, tenant_id, resource):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: tenant_id,
|
||||
'resource': resource
|
||||
}
|
||||
else:
|
||||
target = {'tenant_id': tenant_id, 'resource': resource}
|
||||
policy.check('get_quota', context, target)
|
||||
|
||||
@ -676,6 +696,13 @@ class Service(service.RPCService):
|
||||
@rpc.expected_exceptions()
|
||||
@transaction
|
||||
def set_quota(self, context, tenant_id, resource, hard_limit):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: tenant_id,
|
||||
'resource': resource,
|
||||
'hard_limit': hard_limit,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': tenant_id,
|
||||
'resource': resource,
|
||||
@ -683,13 +710,19 @@ class Service(service.RPCService):
|
||||
}
|
||||
|
||||
policy.check('set_quota', context, target)
|
||||
if tenant_id != context.project_id and not context.all_tenants:
|
||||
# TODO(johnsom) Deprecated since Wallaby, remove with legacy default
|
||||
# policies. System scoped admin doesn't have a project_id
|
||||
if (tenant_id != context.project_id and not context.all_tenants and not
|
||||
policy.enforce_new_defaults()):
|
||||
raise exceptions.Forbidden()
|
||||
|
||||
return self.quota.set_quota(context, tenant_id, resource, hard_limit)
|
||||
|
||||
@transaction
|
||||
def reset_quotas(self, context, tenant_id):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': tenant_id}
|
||||
policy.check('reset_quotas', context, target)
|
||||
|
||||
@ -806,9 +839,10 @@ class Service(service.RPCService):
|
||||
|
||||
@rpc.expected_exceptions()
|
||||
def get_tenant(self, context, tenant_id):
|
||||
target = {
|
||||
'tenant_id': tenant_id
|
||||
}
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': tenant_id}
|
||||
|
||||
policy.check('get_tenant', context, target)
|
||||
|
||||
@ -855,6 +889,12 @@ class Service(service.RPCService):
|
||||
# Default to creating in the current users tenant
|
||||
zone.tenant_id = zone.tenant_id or context.project_id
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'zone_name': zone.name
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': zone.tenant_id,
|
||||
'zone_name': zone.name
|
||||
@ -862,6 +902,8 @@ class Service(service.RPCService):
|
||||
|
||||
policy.check('create_zone', context, target)
|
||||
|
||||
self._is_valid_project_id(zone.tenant_id)
|
||||
|
||||
# Ensure the tenant has enough quota to continue
|
||||
self._enforce_zone_quota(context, zone.tenant_id)
|
||||
|
||||
@ -969,11 +1011,19 @@ class Service(service.RPCService):
|
||||
"""
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'tenant_id': zone.tenant_id
|
||||
}
|
||||
|
||||
policy.check('get_zone', context, target)
|
||||
|
||||
return zone
|
||||
@ -986,6 +1036,14 @@ class Service(service.RPCService):
|
||||
pool_id = cfg.CONF['service:central'].default_pool_id
|
||||
else:
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -1008,7 +1066,11 @@ class Service(service.RPCService):
|
||||
sort_key=None, sort_dir=None):
|
||||
"""List existing zones including the ones flagged for deletion.
|
||||
"""
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
|
||||
policy.check('find_zones', context, target)
|
||||
|
||||
return self.storage.find_zones(context, criterion, marker, limit,
|
||||
@ -1016,7 +1078,11 @@ class Service(service.RPCService):
|
||||
|
||||
@rpc.expected_exceptions()
|
||||
def find_zone(self, context, criterion=None):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
|
||||
policy.check('find_zone', context, target)
|
||||
|
||||
return self.storage.find_zone(context, criterion)
|
||||
@ -1030,6 +1096,14 @@ class Service(service.RPCService):
|
||||
|
||||
:returns: updated zone
|
||||
"""
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone.obj_get_original_value('id'),
|
||||
'zone_name': zone.obj_get_original_value('name'),
|
||||
constants.RBAC_PROJECT_ID: (
|
||||
zone.obj_get_original_value('tenant_id')),
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone.obj_get_original_value('id'),
|
||||
'zone_name': zone.obj_get_original_value('name'),
|
||||
@ -1100,6 +1174,13 @@ class Service(service.RPCService):
|
||||
"""
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -1159,6 +1240,13 @@ class Service(service.RPCService):
|
||||
def xfr_zone(self, context, zone_id):
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -1189,6 +1277,11 @@ class Service(service.RPCService):
|
||||
if criterion is None:
|
||||
criterion = {}
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': criterion.get('tenant_id', None)
|
||||
}
|
||||
@ -1233,6 +1326,13 @@ class Service(service.RPCService):
|
||||
def touch_zone(self, context, zone_id):
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -1266,6 +1366,15 @@ class Service(service.RPCService):
|
||||
if zone.action == 'DELETE':
|
||||
raise exceptions.BadRequest('Can not update a deleting zone')
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'recordset_name': recordset.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -1357,6 +1466,14 @@ class Service(service.RPCService):
|
||||
else:
|
||||
zone = self.storage.get_zone(context, recordset.zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone.id,
|
||||
'zone_name': zone.name,
|
||||
'recordset_id': recordset.id,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone.id,
|
||||
'zone_name': zone.name,
|
||||
@ -1375,7 +1492,11 @@ class Service(service.RPCService):
|
||||
@rpc.expected_exceptions()
|
||||
def find_recordsets(self, context, criterion=None, marker=None, limit=None,
|
||||
sort_key=None, sort_dir=None, force_index=False):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
|
||||
policy.check('find_recordsets', context, target)
|
||||
|
||||
recordsets = self.storage.find_recordsets(context, criterion, marker,
|
||||
@ -1386,6 +1507,9 @@ class Service(service.RPCService):
|
||||
|
||||
@rpc.expected_exceptions()
|
||||
def find_recordset(self, context, criterion=None):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
policy.check('find_recordset', context, target)
|
||||
|
||||
@ -1430,6 +1554,15 @@ class Service(service.RPCService):
|
||||
if zone.action == 'DELETE':
|
||||
raise exceptions.BadRequest('Can not update a deleting zone')
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': recordset.obj_get_original_value('zone_id'),
|
||||
'zone_type': zone.type,
|
||||
'recordset_id': recordset.obj_get_original_value('id'),
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': recordset.obj_get_original_value('zone_id'),
|
||||
'zone_type': zone.type,
|
||||
@ -1494,6 +1627,15 @@ class Service(service.RPCService):
|
||||
if zone.action == 'DELETE':
|
||||
raise exceptions.BadRequest('Can not update a deleting zone')
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'recordset_id': recordset.id,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -1543,9 +1685,12 @@ class Service(service.RPCService):
|
||||
if criterion is None:
|
||||
criterion = {}
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'tenant_id': criterion.get('tenant_id', None)
|
||||
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
|
||||
}
|
||||
else:
|
||||
target = {'tenant_id': criterion.get('tenant_id', None)}
|
||||
|
||||
policy.check('count_recordsets', context, target)
|
||||
|
||||
@ -1565,6 +1710,16 @@ class Service(service.RPCService):
|
||||
|
||||
recordset = self.storage.get_recordset(context, recordset_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'recordset_id': recordset_id,
|
||||
'recordset_name': recordset.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -1619,6 +1774,16 @@ class Service(service.RPCService):
|
||||
if recordset.id != record.recordset_id:
|
||||
raise exceptions.RecordNotFound()
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'recordset_id': recordset_id,
|
||||
'recordset_name': recordset.name,
|
||||
'record_id': record.id,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -1635,6 +1800,10 @@ class Service(service.RPCService):
|
||||
@rpc.expected_exceptions()
|
||||
def find_records(self, context, criterion=None, marker=None, limit=None,
|
||||
sort_key=None, sort_dir=None):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
policy.check('find_records', context, target)
|
||||
|
||||
@ -1643,6 +1812,10 @@ class Service(service.RPCService):
|
||||
|
||||
@rpc.expected_exceptions()
|
||||
def find_record(self, context, criterion=None):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
policy.check('find_record', context, target)
|
||||
|
||||
@ -1677,6 +1850,17 @@ class Service(service.RPCService):
|
||||
raise exceptions.BadRequest('Moving a recordset between '
|
||||
'recordsets is not allowed')
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': record.obj_get_original_value('zone_id'),
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'recordset_id': record.obj_get_original_value('recordset_id'),
|
||||
'recordset_name': recordset.name,
|
||||
'record_id': record.obj_get_original_value('id'),
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': record.obj_get_original_value('zone_id'),
|
||||
'zone_name': zone.name,
|
||||
@ -1739,6 +1923,17 @@ class Service(service.RPCService):
|
||||
if recordset.id != record.recordset_id:
|
||||
raise exceptions.RecordNotFound()
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'recordset_id': recordset_id,
|
||||
'recordset_name': recordset.name,
|
||||
'record_id': record.id,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -1783,9 +1978,12 @@ class Service(service.RPCService):
|
||||
if criterion is None:
|
||||
criterion = {}
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'tenant_id': criterion.get('tenant_id', None)
|
||||
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
|
||||
}
|
||||
else:
|
||||
target = {'tenant_id': criterion.get('tenant_id', None)}
|
||||
|
||||
policy.check('count_records', context, target)
|
||||
return self.storage.count_records(context, criterion)
|
||||
@ -1812,6 +2010,13 @@ class Service(service.RPCService):
|
||||
def sync_zone(self, context, zone_id):
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -1828,6 +2033,16 @@ class Service(service.RPCService):
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
recordset = self.storage.get_recordset(context, recordset_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'recordset_id': recordset_id,
|
||||
'recordset_name': recordset.name,
|
||||
'record_id': record_id,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
@ -2255,6 +2470,8 @@ class Service(service.RPCService):
|
||||
|
||||
policy.check('create_pool', context)
|
||||
|
||||
self._is_valid_project_id(pool.tenant_id)
|
||||
|
||||
created_pool = self.storage.create_pool(context, pool)
|
||||
|
||||
return created_pool
|
||||
@ -2506,9 +2723,11 @@ class Service(service.RPCService):
|
||||
if zone.action == 'DELETE':
|
||||
raise exceptions.BadRequest('Can not transfer a deleting zone')
|
||||
|
||||
target = {
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: zone.tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': zone.tenant_id}
|
||||
|
||||
policy.check('create_zone_transfer_request', context, target)
|
||||
|
||||
zone_transfer_request.key = self._transfer_key_generator()
|
||||
@ -2516,6 +2735,8 @@ class Service(service.RPCService):
|
||||
if zone_transfer_request.tenant_id is None:
|
||||
zone_transfer_request.tenant_id = context.project_id
|
||||
|
||||
self._is_valid_project_id(zone_transfer_request.tenant_id)
|
||||
|
||||
created_zone_transfer_request = \
|
||||
self.storage.create_zone_transfer_request(
|
||||
context, zone_transfer_request)
|
||||
@ -2532,10 +2753,18 @@ class Service(service.RPCService):
|
||||
elevated_context, zone_transfer_request_id)
|
||||
|
||||
LOG.info('Target Tenant ID found - using scoped policy')
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
|
||||
target_tenant_id),
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'target_tenant_id': zone_transfer_request.target_tenant_id,
|
||||
'tenant_id': zone_transfer_request.tenant_id,
|
||||
}
|
||||
|
||||
policy.check('get_zone_transfer_request', context, target)
|
||||
|
||||
return zone_transfer_request
|
||||
@ -2555,9 +2784,15 @@ class Service(service.RPCService):
|
||||
|
||||
@rpc.expected_exceptions()
|
||||
def find_zone_transfer_request(self, context, criterion):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: context.project_id,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': context.project_id,
|
||||
}
|
||||
|
||||
policy.check('find_zone_transfer_request', context, target)
|
||||
return self.storage.find_zone_transfer_requests(context, criterion)
|
||||
|
||||
@ -2569,6 +2804,11 @@ class Service(service.RPCService):
|
||||
if 'zone_id' in zone_transfer_request.obj_what_changed():
|
||||
raise exceptions.InvalidOperation('Zone cannot be changed')
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': zone_transfer_request.tenant_id,
|
||||
}
|
||||
@ -2585,9 +2825,14 @@ class Service(service.RPCService):
|
||||
# Get zone transfer request
|
||||
zone_transfer_request = self.storage.get_zone_transfer_request(
|
||||
context, zone_transfer_request_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'tenant_id': zone_transfer_request.tenant_id,
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {'tenant_id': zone_transfer_request.tenant_id}
|
||||
|
||||
policy.check('delete_zone_transfer_request', context, target)
|
||||
return self.storage.delete_zone_transfer_request(
|
||||
context,
|
||||
@ -2614,14 +2859,23 @@ class Service(service.RPCService):
|
||||
raise exceptions.IncorrectZoneTransferKey(
|
||||
'Key does not match stored key for request')
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
|
||||
target_tenant_id)
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'target_tenant_id': zone_transfer_request.target_tenant_id
|
||||
}
|
||||
|
||||
policy.check('create_zone_transfer_accept', context, target)
|
||||
|
||||
if zone_transfer_accept.tenant_id is None:
|
||||
zone_transfer_accept.tenant_id = context.project_id
|
||||
|
||||
self._is_valid_project_id(zone_transfer_accept.tenant_id)
|
||||
|
||||
created_zone_transfer_accept = \
|
||||
self.storage.create_zone_transfer_accept(
|
||||
context, zone_transfer_accept)
|
||||
@ -2664,9 +2918,15 @@ class Service(service.RPCService):
|
||||
zone_transfer_accept = self.storage.get_zone_transfer_accept(
|
||||
context, zone_transfer_accept_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': zone_transfer_accept.tenant_id
|
||||
}
|
||||
|
||||
policy.check('get_zone_transfer_accept', context, target)
|
||||
|
||||
return zone_transfer_accept
|
||||
@ -2688,6 +2948,11 @@ class Service(service.RPCService):
|
||||
@notification('dns.zone_transfer_accept.update')
|
||||
@transaction
|
||||
def update_zone_transfer_accept(self, context, zone_transfer_accept):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': zone_transfer_accept.tenant_id
|
||||
}
|
||||
@ -2705,9 +2970,15 @@ class Service(service.RPCService):
|
||||
zt_accept = self.storage.get_zone_transfer_accept(
|
||||
context, zone_transfer_accept_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zt_accept.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': zt_accept.tenant_id
|
||||
}
|
||||
|
||||
policy.check('delete_zone_transfer_accept', context, target)
|
||||
return self.storage.delete_zone_transfer_accept(
|
||||
context,
|
||||
@ -2717,9 +2988,16 @@ class Service(service.RPCService):
|
||||
@rpc.expected_exceptions()
|
||||
@notification('dns.zone_import.create')
|
||||
def create_zone_import(self, context, request_body):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
|
||||
policy.check('create_zone_import', context, target)
|
||||
|
||||
self._is_valid_project_id(context.project_id)
|
||||
|
||||
values = {
|
||||
'status': 'PENDING',
|
||||
'message': None,
|
||||
@ -2811,7 +3089,12 @@ class Service(service.RPCService):
|
||||
@rpc.expected_exceptions()
|
||||
def find_zone_imports(self, context, criterion=None, marker=None,
|
||||
limit=None, sort_key=None, sort_dir=None):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
|
||||
policy.check('find_zone_imports', context, target)
|
||||
|
||||
if not criterion:
|
||||
@ -2826,16 +3109,22 @@ class Service(service.RPCService):
|
||||
|
||||
@rpc.expected_exceptions()
|
||||
def get_zone_import(self, context, zone_import_id):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
|
||||
policy.check('get_zone_import', context, target)
|
||||
return self.storage.get_zone_import(context, zone_import_id)
|
||||
|
||||
@rpc.expected_exceptions()
|
||||
@notification('dns.zone_import.update')
|
||||
def update_zone_import(self, context, zone_import):
|
||||
target = {
|
||||
'tenant_id': zone_import.tenant_id,
|
||||
}
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: zone_import.tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': zone_import.tenant_id}
|
||||
policy.check('update_zone_import', context, target)
|
||||
|
||||
return self.storage.update_zone_import(context, zone_import)
|
||||
@ -2844,10 +3133,18 @@ class Service(service.RPCService):
|
||||
@notification('dns.zone_import.delete')
|
||||
@transaction
|
||||
def delete_zone_import(self, context, zone_import_id):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_import_id': zone_import_id,
|
||||
constants.RBAC_PROJECT_ID: context.project_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_import_id': zone_import_id,
|
||||
'tenant_id': context.project_id
|
||||
}
|
||||
|
||||
policy.check('delete_zone_import', context, target)
|
||||
|
||||
zone_import = self.storage.delete_zone_import(context, zone_import_id)
|
||||
@ -2861,9 +3158,15 @@ class Service(service.RPCService):
|
||||
# Try getting the zone to ensure it exists
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
|
||||
policy.check('create_zone_export', context, target)
|
||||
|
||||
self._is_valid_project_id(context.project_id)
|
||||
|
||||
values = {
|
||||
'status': 'PENDING',
|
||||
'message': None,
|
||||
@ -2884,6 +3187,10 @@ class Service(service.RPCService):
|
||||
@rpc.expected_exceptions()
|
||||
def find_zone_exports(self, context, criterion=None, marker=None,
|
||||
limit=None, sort_key=None, sort_dir=None):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
policy.check('find_zone_exports', context, target)
|
||||
|
||||
@ -2899,7 +3206,12 @@ class Service(service.RPCService):
|
||||
|
||||
@rpc.expected_exceptions()
|
||||
def get_zone_export(self, context, zone_export_id):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
|
||||
policy.check('get_zone_export', context, target)
|
||||
|
||||
return self.storage.get_zone_export(context, zone_export_id)
|
||||
@ -2907,9 +3219,12 @@ class Service(service.RPCService):
|
||||
@rpc.expected_exceptions()
|
||||
@notification('dns.zone_export.update')
|
||||
def update_zone_export(self, context, zone_export):
|
||||
target = {
|
||||
'tenant_id': zone_export.tenant_id,
|
||||
}
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: zone_export.tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': zone_export.tenant_id}
|
||||
|
||||
policy.check('update_zone_export', context, target)
|
||||
|
||||
return self.storage.update_zone_export(context, zone_export)
|
||||
@ -2918,10 +3233,18 @@ class Service(service.RPCService):
|
||||
@notification('dns.zone_export.delete')
|
||||
@transaction
|
||||
def delete_zone_export(self, context, zone_export_id):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_export_id': zone_export_id,
|
||||
constants.RBAC_PROJECT_ID: context.project_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_export_id': zone_export_id,
|
||||
'tenant_id': context.project_id
|
||||
}
|
||||
|
||||
policy.check('delete_zone_export', context, target)
|
||||
|
||||
zone_export = self.storage.delete_zone_export(context, zone_export_id)
|
||||
|
17
designate/common/constants.py
Normal file
17
designate/common/constants.py
Normal file
@ -0,0 +1,17 @@
|
||||
# Copyright 2021 Red Hat
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
# RBAC related constants
|
||||
RBAC_PROJECT_ID = 'project_id'
|
||||
RBAC_TARGET_PROJECT_ID = 'target_project_id'
|
@ -12,17 +12,14 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||
RULE_ADMIN = 'rule:admin'
|
||||
RULE_ZONE_PRIMARY_OR_ADMIN = \
|
||||
"('PRIMARY':%(zone_type)s and rule:admin_or_owner) "\
|
||||
"OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
|
||||
RULE_ZONE_TRANSFER = "rule:admin_or_owner OR tenant:%(target_tenant_id)s " \
|
||||
"OR None:%(target_tenant_id)s"
|
||||
DEPRECATED_REASON = """
|
||||
The designate API now supports system scope and default roles.
|
||||
"""
|
||||
|
||||
RULE_ANY = "@"
|
||||
|
||||
# Generic policy check string for system administrators. These are the people
|
||||
@ -59,37 +56,56 @@ SYSTEM_OR_PROJECT_READER = (
|
||||
'(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')'
|
||||
)
|
||||
|
||||
# Designate specific "secure RBAC" rules
|
||||
ALL_TENANTS = 'True:%(all_tenants)s'
|
||||
|
||||
ALL_TENANTS_READER = ALL_TENANTS + ' and role:reader'
|
||||
|
||||
SYSTEM_OR_PROJECT_READER_OR_ALL_TENANTS_READER = (
|
||||
'(' + SYSTEM_READER + ') or (' + PROJECT_READER + ') or (' +
|
||||
ALL_TENANTS_READER + ')'
|
||||
)
|
||||
|
||||
RULE_ZONE_TRANSFER = (
|
||||
'(' + SYSTEM_ADMIN_OR_PROJECT_MEMBER + ') or '
|
||||
'project_id:%(target_project_id)s or '
|
||||
'None:%(target_project_id)s')
|
||||
|
||||
|
||||
# Deprecated in Wallaby as part of the "secure RBAC" work.
|
||||
# TODO(johnsom) remove when the deprecated RBAC rules are removed.
|
||||
RULE_ADMIN = 'rule:admin'
|
||||
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||
LEGACY_RULE_ZONE_TRANSFER = "rule:admin_or_owner OR " \
|
||||
"tenant:%(target_tenant_id)s " \
|
||||
"OR None:%(target_tenant_id)s"
|
||||
|
||||
deprecated_default = policy.DeprecatedRule(
|
||||
name="default",
|
||||
check_str=RULE_ADMIN_OR_OWNER,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
|
||||
rules = [
|
||||
# TODO(johnsom) remove when the deprecated RBAC rules are removed.
|
||||
policy.RuleDefault(
|
||||
name="admin",
|
||||
check_str="role:admin or is_admin:True"),
|
||||
policy.RuleDefault(
|
||||
name="primary_zone",
|
||||
check_str="target.zone_type:SECONDARY"),
|
||||
# TODO(johnsom) remove when the deprecated RBAC rules are removed.
|
||||
policy.RuleDefault(
|
||||
name="owner",
|
||||
check_str="tenant:%(tenant_id)s"),
|
||||
# TODO(johnsom) remove when the deprecated RBAC rules are removed.
|
||||
policy.RuleDefault(
|
||||
name="admin_or_owner",
|
||||
check_str="rule:admin or rule:owner"),
|
||||
|
||||
# Default policy
|
||||
policy.RuleDefault(
|
||||
name="default",
|
||||
check_str="rule:admin_or_owner"),
|
||||
policy.RuleDefault(
|
||||
name="target",
|
||||
check_str="tenant:%(target_tenant_id)s"),
|
||||
policy.RuleDefault(
|
||||
name="owner_or_target",
|
||||
check_str="rule:target or rule:owner"),
|
||||
policy.RuleDefault(
|
||||
name="admin_or_owner_or_target",
|
||||
check_str="rule:owner_or_target or rule:admin"),
|
||||
policy.RuleDefault(
|
||||
name="admin_or_target",
|
||||
check_str="rule:admin or rule:target"),
|
||||
policy.RuleDefault(
|
||||
name="zone_primary_or_admin",
|
||||
check_str=RULE_ZONE_PRIMARY_OR_ADMIN)
|
||||
check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
deprecated_rule=deprecated_default),
|
||||
]
|
||||
|
||||
|
||||
|
@ -13,28 +13,62 @@
|
||||
# under the License.
|
||||
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from designate.common.policies import base
|
||||
|
||||
|
||||
deprecated_all_tenants = policy.DeprecatedRule(
|
||||
name="all_tenants",
|
||||
check_str=base.RULE_ADMIN,
|
||||
deprecated_reason=base.DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_edit_managed_records = policy.DeprecatedRule(
|
||||
name="edit_managed_records",
|
||||
check_str=base.RULE_ADMIN,
|
||||
deprecated_reason=base.DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_use_low_ttl = policy.DeprecatedRule(
|
||||
name="use_low_ttl",
|
||||
check_str=base.RULE_ADMIN,
|
||||
deprecated_reason=base.DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_use_sudo = policy.DeprecatedRule(
|
||||
name="use_sudo",
|
||||
check_str=base.RULE_ADMIN,
|
||||
deprecated_reason=base.DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
name="all_tenants",
|
||||
check_str=base.RULE_ADMIN,
|
||||
description='Action on all tenants.'),
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Action on all tenants.',
|
||||
deprecated_rule=deprecated_all_tenants),
|
||||
policy.RuleDefault(
|
||||
name="edit_managed_records",
|
||||
check_str=base.RULE_ADMIN,
|
||||
description='Edit managed records.'),
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Edit managed records.',
|
||||
deprecated_rule=deprecated_edit_managed_records),
|
||||
policy.RuleDefault(
|
||||
name="use_low_ttl",
|
||||
check_str=base.RULE_ADMIN,
|
||||
description='Use low TTL.'),
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Use low TTL.',
|
||||
deprecated_rule=deprecated_use_low_ttl),
|
||||
policy.RuleDefault(
|
||||
name="use_sudo",
|
||||
check_str=base.RULE_ADMIN,
|
||||
description='Accept sudo from user to tenant.')
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Accept sudo from user to tenant.',
|
||||
deprecated_rule=deprecated_use_sudo)
|
||||
]
|
||||
|
||||
|
||||
|
@ -12,29 +12,62 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from designate.common.policies import base
|
||||
|
||||
|
||||
deprecated_diagnostics_ping = policy.DeprecatedRule(
|
||||
name="diagnostics_ping",
|
||||
check_str=base.RULE_ADMIN,
|
||||
deprecated_reason=base.DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_diagnostics_sync_zones = policy.DeprecatedRule(
|
||||
name="diagnostics_sync_zones",
|
||||
check_str=base.RULE_ADMIN,
|
||||
deprecated_reason=base.DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_diagnostics_sync_zone = policy.DeprecatedRule(
|
||||
name="diagnostics_sync_zone",
|
||||
check_str=base.RULE_ADMIN,
|
||||
deprecated_reason=base.DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_diagnostics_sync_record = policy.DeprecatedRule(
|
||||
name="diagnostics_sync_record",
|
||||
check_str=base.RULE_ADMIN,
|
||||
deprecated_reason=base.DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
name="diagnostics_ping",
|
||||
check_str=base.RULE_ADMIN,
|
||||
description='Diagnose ping.'),
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Diagnose ping.',
|
||||
deprecated_rule=deprecated_diagnostics_ping),
|
||||
policy.RuleDefault(
|
||||
name="diagnostics_sync_zones",
|
||||
check_str=base.RULE_ADMIN,
|
||||
description='Diagnose sync zones.'),
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Diagnose sync zones.',
|
||||
deprecated_rule=deprecated_diagnostics_sync_zones),
|
||||
policy.RuleDefault(
|
||||
name="diagnostics_sync_zone",
|
||||
check_str=base.RULE_ADMIN,
|
||||
description='Diagnose sync zone.'),
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Diagnose sync zone.',
|
||||
deprecated_rule=deprecated_diagnostics_sync_zone),
|
||||
policy.RuleDefault(
|
||||
name="diagnostics_sync_record",
|
||||
check_str=base.RULE_ADMIN,
|
||||
description='Diagnose sync record.')
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Diagnose sync record.',
|
||||
deprecated_rule=deprecated_diagnostics_sync_record)
|
||||
]
|
||||
|
||||
|
||||
|
@ -50,7 +50,7 @@ deprecated_reset_quotas = policy.DeprecatedRule(
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name="get_quotas",
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER_OR_ALL_TENANTS_READER,
|
||||
scope_types=['system', 'project'],
|
||||
description="View Current Project's Quotas.",
|
||||
operations=[
|
||||
|
@ -22,9 +22,15 @@ DEPRECATED_REASON = """
|
||||
The record set API now supports system scope and default roles.
|
||||
"""
|
||||
|
||||
# Deprecated in Wallaby as part of the "secure RBAC" work.
|
||||
# TODO(johnsom) remove when the deprecated RBAC rules are removed.
|
||||
RULE_ZONE_PRIMARY_OR_ADMIN = (
|
||||
"('PRIMARY':%(zone_type)s and rule:admin_or_owner) "
|
||||
"OR ('SECONDARY':%(zone_type)s AND is_admin:True)")
|
||||
|
||||
deprecated_create_recordset = policy.DeprecatedRule(
|
||||
name="create_recordset",
|
||||
check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN,
|
||||
check_str=RULE_ZONE_PRIMARY_OR_ADMIN,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
@ -40,15 +46,27 @@ deprecated_get_recordset = policy.DeprecatedRule(
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_find_recordset = policy.DeprecatedRule(
|
||||
name="find_recordset",
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_find_recordsets = policy.DeprecatedRule(
|
||||
name="find_recordsets",
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_update_recordset = policy.DeprecatedRule(
|
||||
name="update_recordset",
|
||||
check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN,
|
||||
check_str=RULE_ZONE_PRIMARY_OR_ADMIN,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_delete_recordset = policy.DeprecatedRule(
|
||||
name="delete_recordset",
|
||||
check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN,
|
||||
check_str=RULE_ZONE_PRIMARY_OR_ADMIN,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
@ -69,7 +87,7 @@ SYSTEM_ADMIN_AND_SECONDARY_ZONE = (
|
||||
'(' + base.SYSTEM_ADMIN + ') and (\'SECONDARY\':%(zone_type)s)'
|
||||
)
|
||||
|
||||
SYSTEM_ADMIN_OR_PROJECT_MEMBER = ''.join(
|
||||
SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE = ' or '.join(
|
||||
[PROJECT_MEMBER_AND_PRIMARY_ZONE,
|
||||
SYSTEM_ADMIN_AND_PRIMARY_ZONE,
|
||||
SYSTEM_ADMIN_AND_SECONDARY_ZONE]
|
||||
@ -79,16 +97,13 @@ SYSTEM_ADMIN_OR_PROJECT_MEMBER = ''.join(
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name="create_recordset",
|
||||
check_str=SYSTEM_ADMIN_AND_SECONDARY_ZONE,
|
||||
check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE,
|
||||
scope_types=['system', 'project'],
|
||||
description="Create Recordset",
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/zones/{zone_id}/recordsets',
|
||||
'method': 'POST'
|
||||
}, {
|
||||
'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
|
||||
'method': 'PATCH'
|
||||
}
|
||||
],
|
||||
deprecated_rule=deprecated_create_recordset
|
||||
@ -108,35 +123,46 @@ rules = [
|
||||
{
|
||||
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
|
||||
'method': 'GET'
|
||||
}, {
|
||||
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
|
||||
'method': 'DELETE'
|
||||
}, {
|
||||
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
|
||||
'method': 'PUT'
|
||||
}
|
||||
],
|
||||
deprecated_rule=deprecated_get_recordset
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name="find_recordset",
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
description="List a Recordset in a Zone",
|
||||
deprecated_rule=deprecated_find_recordset
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name="find_recordsets",
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
description="List Recordsets in a Zone",
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/zones/{zone_id}/recordsets',
|
||||
'method': 'GET'
|
||||
},
|
||||
],
|
||||
deprecated_rule=deprecated_find_recordsets
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name="update_recordset",
|
||||
check_str=SYSTEM_ADMIN_AND_SECONDARY_ZONE,
|
||||
check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE,
|
||||
scope_types=['system', 'project'],
|
||||
description="Update recordset",
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
|
||||
'method': 'PUT'
|
||||
}, {
|
||||
'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
|
||||
'method': 'PATCH'
|
||||
}
|
||||
],
|
||||
deprecated_rule=deprecated_update_recordset
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name="delete_recordset",
|
||||
check_str=SYSTEM_ADMIN_AND_SECONDARY_ZONE,
|
||||
check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE,
|
||||
scope_types=['system', 'project'],
|
||||
description="Delete RecordSet",
|
||||
operations=[
|
||||
|
@ -88,9 +88,6 @@ rules = [
|
||||
description="Show a Tsigkey",
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/tsigkeys/{tsigkey_id}',
|
||||
'method': 'PATCH'
|
||||
}, {
|
||||
'path': '/v2/tsigkeys/{tsigkey_id}',
|
||||
'method': 'GET'
|
||||
}
|
||||
|
@ -46,6 +46,12 @@ deprecated_get_zone_servers = policy.DeprecatedRule(
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_get_zone_ns_records = policy.DeprecatedRule(
|
||||
name="get_zone_ns_records",
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_find_zones = policy.DeprecatedRule(
|
||||
name="find_zones",
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
@ -131,12 +137,6 @@ rules = [
|
||||
{
|
||||
'path': '/v2/zones/{zone_id}',
|
||||
'method': 'GET'
|
||||
}, {
|
||||
'path': '/v2/zones/{zone_id}',
|
||||
'method': 'PATCH'
|
||||
}, {
|
||||
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
|
||||
'method': 'PUT'
|
||||
}
|
||||
],
|
||||
deprecated_rule=deprecated_get_zone
|
||||
@ -147,6 +147,19 @@ rules = [
|
||||
scope_types=['system', 'project'],
|
||||
deprecated_rule=deprecated_get_zone_servers
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name="get_zone_ns_records",
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
description="Get the Name Servers for a Zone",
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/zones/{zone_id}/nameservers',
|
||||
'method': 'GET'
|
||||
}
|
||||
],
|
||||
deprecated_rule=deprecated_get_zone_ns_records
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name="find_zones",
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
|
@ -52,6 +52,12 @@ deprecated_update_zone_export = policy.DeprecatedRule(
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_delete_zone_export = policy.DeprecatedRule(
|
||||
name="delete_zone_export",
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
|
||||
|
||||
rules = [
|
||||
@ -103,9 +109,6 @@ rules = [
|
||||
{
|
||||
'path': '/v2/zones/tasks/exports/{zone_export_id}',
|
||||
'method': 'GET'
|
||||
}, {
|
||||
'path': '/v2/zones/tasks/exports/{zone_export_id}/export',
|
||||
'method': 'GET'
|
||||
}
|
||||
],
|
||||
deprecated_rule=deprecated_get_zone_export
|
||||
@ -122,7 +125,20 @@ rules = [
|
||||
}
|
||||
],
|
||||
deprecated_rule=deprecated_update_zone_export
|
||||
)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name="delete_zone_export",
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
description="Delete a zone export",
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/zones/tasks/exports/{zone_export_id}',
|
||||
'method': 'DELETE'
|
||||
}
|
||||
],
|
||||
deprecated_rule=deprecated_delete_zone_export
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -115,7 +115,7 @@ rules = [
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/zones/tasks/imports/{zone_import_id}',
|
||||
'method': 'GET'
|
||||
'method': 'DELETE'
|
||||
}
|
||||
],
|
||||
deprecated_rule=deprecated_delete_zone_import
|
||||
|
@ -24,7 +24,7 @@ The zone transfer accept API now supports system scope and default roles.
|
||||
|
||||
deprecated_create_zone_transfer_accept = policy.DeprecatedRule(
|
||||
name="create_zone_transfer_accept",
|
||||
check_str=base.RULE_ZONE_TRANSFER,
|
||||
check_str=base.LEGACY_RULE_ZONE_TRANSFER,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
@ -64,13 +64,15 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name="create_zone_transfer_accept",
|
||||
check_str=base.RULE_ZONE_TRANSFER,
|
||||
scope_types=['system', 'project'],
|
||||
description="Create Zone Transfer Accept",
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/zones/tasks/transfer_accepts',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_create_zone_transfer_accept
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name="get_zone_transfer_accept",
|
||||
|
@ -30,7 +30,7 @@ deprecated_create_zone_transfer_request = policy.DeprecatedRule(
|
||||
)
|
||||
deprecated_get_zone_transfer_request = policy.DeprecatedRule(
|
||||
name="get_zone_transfer_request",
|
||||
check_str=base.RULE_ZONE_TRANSFER,
|
||||
check_str=base.LEGACY_RULE_ZONE_TRANSFER,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
@ -40,12 +40,6 @@ deprecated_get_zone_transfer_request_detailed = policy.DeprecatedRule(
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_find_zone_transfer_requests = policy.DeprecatedRule(
|
||||
name="find_zone_transfer_requests",
|
||||
check_str=base.RULE_ANY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_update_zone_transfer_request = policy.DeprecatedRule(
|
||||
name="update_zone_transfer_request",
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
@ -77,16 +71,15 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name="get_zone_transfer_request",
|
||||
check_str=base.RULE_ZONE_TRANSFER,
|
||||
scope_types=['system', 'project'],
|
||||
description="Show a Zone Transfer Request",
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa
|
||||
'method': 'GET'
|
||||
}, {
|
||||
'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa
|
||||
'method': 'PATCH'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_get_zone_transfer_request
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name="get_zone_transfer_request_detailed",
|
||||
@ -103,7 +96,7 @@ rules = [
|
||||
'path': '/v2/zones/tasks/transfer_requests',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
],
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name="find_zone_transfer_request",
|
||||
|
@ -107,6 +107,8 @@ class DesignateContext(context.RequestContext):
|
||||
|
||||
# NOTE(kiall): Ugly - required to match http://tinyurl.com/o3y8qmw
|
||||
context.roles.append('admin')
|
||||
if policy.enforce_new_defaults():
|
||||
context.system_scope = 'all'
|
||||
|
||||
if show_deleted is not None:
|
||||
context.show_deleted = show_deleted
|
||||
@ -132,7 +134,8 @@ class DesignateContext(context.RequestContext):
|
||||
def get_admin_context(cls, **kwargs):
|
||||
# TODO(kiall): Remove Me
|
||||
kwargs['is_admin'] = True
|
||||
kwargs['roles'] = ['admin']
|
||||
kwargs['roles'] = ['admin', 'reader']
|
||||
kwargs['system_scope'] = 'all'
|
||||
|
||||
return cls(None, **kwargs)
|
||||
|
||||
|
@ -256,6 +256,10 @@ class IncorrectZoneTransferKey(Forbidden):
|
||||
error_type = 'invalid_key'
|
||||
|
||||
|
||||
class InvalidTokenScope(Forbidden):
|
||||
error_type = 'invalid_token_scope'
|
||||
|
||||
|
||||
class Duplicate(DesignateException):
|
||||
expected = True
|
||||
error_code = 409
|
||||
@ -473,3 +477,12 @@ class LastServerDeleteNotAllowed(BadRequest):
|
||||
class ResourceNotFound(NotFound):
|
||||
# TODO(kiall): Should this be extending NotFound??
|
||||
pass
|
||||
|
||||
|
||||
class MissingProjectID(BadRequest):
|
||||
# Note: This should be 400, but is 401 for compatibility with
|
||||
# previous versions of the API.
|
||||
# https://github.com/openstack/designate/blob/stable/wallaby/ \
|
||||
# designate/api/middleware.py#L132
|
||||
error_code = 401
|
||||
error_type = 'missing_project_id'
|
||||
|
@ -11,6 +11,7 @@
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
from designate.common import constants
|
||||
from designate import exceptions
|
||||
from designate import objects
|
||||
from designate.objects.adapters.api_v2 import base
|
||||
@ -65,9 +66,10 @@ class ZoneTransferRequestAPIv2Adapter(base.APIv2Adapter):
|
||||
object, *args, **kwargs)
|
||||
|
||||
try:
|
||||
target = {
|
||||
'tenant_id': object.tenant_id,
|
||||
}
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: object.tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': object.tenant_id}
|
||||
|
||||
policy.check(
|
||||
'get_zone_transfer_request_detailed',
|
||||
|
@ -73,10 +73,17 @@ def init(default_rule=None, policy_file=None):
|
||||
|
||||
|
||||
def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden):
|
||||
if enforce_new_defaults():
|
||||
creds = ctxt.to_policy_values()
|
||||
else:
|
||||
creds = ctxt.to_dict()
|
||||
target = target or {}
|
||||
try:
|
||||
result = _ENFORCER.enforce(rule, target, creds, do_raise, exc)
|
||||
except policy.InvalidScope:
|
||||
result = False
|
||||
if do_raise:
|
||||
raise exceptions.InvalidTokenScope
|
||||
except Exception:
|
||||
result = False
|
||||
raise
|
||||
@ -93,3 +100,9 @@ def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden):
|
||||
LOG.info("Policy check failed for rule '%(rule)s' "
|
||||
"on target %(target)s",
|
||||
{'rule': rule, 'target': repr(target)}, extra=extra)
|
||||
|
||||
|
||||
def enforce_new_defaults():
|
||||
if CONF.get('oslo_policy'):
|
||||
return CONF['oslo_policy'].get('enforce_new_defaults', False)
|
||||
return False
|
||||
|
@ -1488,6 +1488,12 @@ class SQLAlchemyStorage(sqlalchemy_base.SQLAlchemy, storage_base.Storage):
|
||||
).select_from(ljoin)
|
||||
|
||||
if not context.all_tenants:
|
||||
# If we have a system scoped token with no project_id and
|
||||
# all_tenants was not used, we don't know what records to return,
|
||||
# so return an empty list.
|
||||
if not context.project_id:
|
||||
return objects.ZoneTransferRequestList()
|
||||
|
||||
query = query.where(or_(
|
||||
table.c.tenant_id == context.project_id,
|
||||
table.c.target_tenant_id == context.project_id))
|
||||
@ -1498,7 +1504,8 @@ class SQLAlchemyStorage(sqlalchemy_base.SQLAlchemy, storage_base.Storage):
|
||||
exceptions.ZoneTransferRequestNotFound,
|
||||
criterion,
|
||||
one=one, marker=marker, limit=limit, sort_dir=sort_dir,
|
||||
sort_key=sort_key, query=query, apply_tenant_criteria=False
|
||||
sort_key=sort_key, query=query,
|
||||
apply_tenant_criteria=False
|
||||
)
|
||||
|
||||
def create_zone_transfer_request(self, context, zone_transfer_request):
|
||||
|
@ -387,6 +387,8 @@ class TestCase(base.BaseTestCase):
|
||||
self.central_service = self.start_service('central')
|
||||
|
||||
self.admin_context = self.get_admin_context()
|
||||
self.admin_context_all_tenants = self.get_admin_context(
|
||||
all_tenants=True)
|
||||
storage_driver = CONF['service:central'].storage_driver
|
||||
self.storage = storage.get_storage(storage_driver)
|
||||
|
||||
@ -436,10 +438,11 @@ class TestCase(base.BaseTestCase):
|
||||
def get_context(self, **kwargs):
|
||||
return DesignateContext(**kwargs)
|
||||
|
||||
def get_admin_context(self):
|
||||
def get_admin_context(self, **kwargs):
|
||||
return DesignateContext.get_admin_context(
|
||||
project_id=utils.generate_uuid(),
|
||||
user_id=utils.generate_uuid())
|
||||
user_id=utils.generate_uuid(),
|
||||
**kwargs)
|
||||
|
||||
# Fixture methods
|
||||
def get_quota_fixture(self, fixture=0, values=None):
|
||||
@ -794,7 +797,7 @@ class TestCase(base.BaseTestCase):
|
||||
|
||||
# Retrieve it, and ensure it's the same
|
||||
zone_import = self.central_service.get_zone_import(
|
||||
self.admin_context, zone_import_id)
|
||||
self.admin_context_all_tenants, zone_import_id)
|
||||
|
||||
# If the import is done, we're done
|
||||
if zone_import.status == 'COMPLETE':
|
||||
|
@ -102,7 +102,8 @@ class KeystoneContextMiddlewareTest(ApiTestCase):
|
||||
# Process the request
|
||||
response = app(request)
|
||||
|
||||
self.assertEqual(401, response.status_code)
|
||||
# Ensure request was not blocked
|
||||
self.assertEqual(response, 'FakeResponse')
|
||||
|
||||
|
||||
class NoAuthContextMiddlewareTest(ApiTestCase):
|
||||
|
@ -36,6 +36,7 @@ from designate import objects
|
||||
from designate.storage.impl_sqlalchemy import tables
|
||||
from designate.tests import fixtures
|
||||
from designate.tests.test_central import CentralTestCase
|
||||
from designate import utils
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
@ -3537,7 +3538,7 @@ class CentralServiceTest(CentralTestCase):
|
||||
# Zone Import Tests
|
||||
def test_create_zone_import(self):
|
||||
# Create a Zone Import
|
||||
context = self.get_context()
|
||||
context = self.get_context(project_id=utils.generate_uuid())
|
||||
request_body = self.get_zonefile_fixture()
|
||||
zone_import = self.central_service.create_zone_import(context,
|
||||
request_body)
|
||||
@ -3551,7 +3552,7 @@ class CentralServiceTest(CentralTestCase):
|
||||
self.wait_for_import(zone_import.id)
|
||||
|
||||
def test_find_zone_imports(self):
|
||||
context = self.get_context()
|
||||
context = self.get_context(project_id=utils.generate_uuid())
|
||||
|
||||
# Ensure we have no zone_imports to start with.
|
||||
zone_imports = self.central_service.find_zone_imports(
|
||||
@ -3568,7 +3569,7 @@ class CentralServiceTest(CentralTestCase):
|
||||
|
||||
# Ensure we can retrieve the newly created zone_import
|
||||
zone_imports = self.central_service.find_zone_imports(
|
||||
self.admin_context)
|
||||
self.admin_context_all_tenants)
|
||||
self.assertEqual(1, len(zone_imports))
|
||||
|
||||
# Create a second zone_import
|
||||
@ -3581,14 +3582,14 @@ class CentralServiceTest(CentralTestCase):
|
||||
|
||||
# Ensure we can retrieve both zone_imports
|
||||
zone_imports = self.central_service.find_zone_imports(
|
||||
self.admin_context)
|
||||
self.admin_context_all_tenants)
|
||||
self.assertEqual(2, len(zone_imports))
|
||||
self.assertEqual('COMPLETE', zone_imports[0].status)
|
||||
self.assertEqual('COMPLETE', zone_imports[1].status)
|
||||
|
||||
def test_get_zone_import(self):
|
||||
# Create a Zone Import
|
||||
context = self.get_context()
|
||||
context = self.get_context(project_id=utils.generate_uuid())
|
||||
request_body = self.get_zonefile_fixture()
|
||||
zone_import = self.central_service.create_zone_import(
|
||||
context, request_body)
|
||||
@ -3598,7 +3599,7 @@ class CentralServiceTest(CentralTestCase):
|
||||
|
||||
# Retrieve it, and ensure it's the same
|
||||
zone_import = self.central_service.get_zone_import(
|
||||
self.admin_context, zone_import.id)
|
||||
self.admin_context_all_tenants, zone_import.id)
|
||||
|
||||
self.assertEqual(zone_import.id, zone_import['id'])
|
||||
self.assertEqual(zone_import.status, zone_import['status'])
|
||||
@ -3606,7 +3607,7 @@ class CentralServiceTest(CentralTestCase):
|
||||
|
||||
def test_update_zone_import(self):
|
||||
# Create a Zone Import
|
||||
context = self.get_context()
|
||||
context = self.get_context(project_id=utils.generate_uuid())
|
||||
request_body = self.get_zonefile_fixture()
|
||||
zone_import = self.central_service.create_zone_import(
|
||||
context, request_body)
|
||||
@ -3618,7 +3619,7 @@ class CentralServiceTest(CentralTestCase):
|
||||
|
||||
# Perform the update
|
||||
zone_import = self.central_service.update_zone_import(
|
||||
self.admin_context, zone_import)
|
||||
self.admin_context_all_tenants, zone_import)
|
||||
|
||||
# Fetch the zone_import again
|
||||
zone_import = self.central_service.get_zone_import(context,
|
||||
@ -3629,7 +3630,7 @@ class CentralServiceTest(CentralTestCase):
|
||||
|
||||
def test_delete_zone_import(self):
|
||||
# Create a Zone Import
|
||||
context = self.get_context()
|
||||
context = self.get_context(project_id=utils.generate_uuid())
|
||||
request_body = self.get_zonefile_fixture()
|
||||
zone_import = self.central_service.create_zone_import(
|
||||
context, request_body)
|
||||
|
@ -256,6 +256,7 @@ class CentralBasic(TestCase):
|
||||
'set_rules',
|
||||
'init',
|
||||
'check',
|
||||
'enforce_new_defaults',
|
||||
])
|
||||
|
||||
designate.central.service.quota = mock.NonCallableMock(spec_set=[
|
||||
@ -932,7 +933,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
n, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
self.assertEqual(CentralZoneTestCase.zone__id, target['zone_id'])
|
||||
self.assertEqual('foo', target['zone_name'])
|
||||
self.assertEqual('2', target['tenant_id'])
|
||||
self.assertEqual('2', target['project_id'])
|
||||
|
||||
def test_get_zone_servers(self):
|
||||
self.service.storage.get_zone.return_value = RoObject(
|
||||
@ -995,6 +996,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
'set_rules',
|
||||
'init',
|
||||
'check',
|
||||
'enforce_new_defaults',
|
||||
])
|
||||
self.context.abandon = True
|
||||
self.service.storage.count_zones.return_value = 0
|
||||
@ -1187,7 +1189,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
'zone_id': CentralZoneTestCase.zone__id_2,
|
||||
'zone_name': 'example.org.',
|
||||
'recordset_id': CentralZoneTestCase.recordset__id,
|
||||
'tenant_id': '2'}, target)
|
||||
'project_id': '2'}, target)
|
||||
|
||||
def test_find_recordsets(self):
|
||||
self.context = mock.Mock()
|
||||
@ -1196,7 +1198,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
self.assertTrue(self.service.storage.find_recordsets.called)
|
||||
n, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
self.assertEqual('find_recordsets', n)
|
||||
self.assertEqual({'tenant_id': 't'}, target)
|
||||
self.assertEqual({'project_id': 't'}, target)
|
||||
|
||||
def test_find_recordset(self):
|
||||
self.context = mock.Mock()
|
||||
@ -1205,7 +1207,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
self.assertTrue(self.service.storage.find_recordset.called)
|
||||
n, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
self.assertEqual('find_recordset', n)
|
||||
self.assertEqual({'tenant_id': 't'}, target)
|
||||
self.assertEqual({'project_id': 't'}, target)
|
||||
|
||||
def test_update_recordset_fail_on_changes(self):
|
||||
self.service.storage.get_zone.return_value = RoObject()
|
||||
@ -1298,7 +1300,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
'zone_name': 'example.org.',
|
||||
'zone_type': 'foo',
|
||||
'recordset_id': '9c85d9b0-1e9d-4e99-aede-a06664f1af2e',
|
||||
'tenant_id': '2'}, target)
|
||||
'project_id': '2'}, target)
|
||||
|
||||
def test__update_recordset_in_storage(self):
|
||||
recordset = mock.Mock()
|
||||
@ -1532,7 +1534,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
self.service.count_recordsets(self.context)
|
||||
n, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
self.assertEqual('count_recordsets', n)
|
||||
self.assertEqual({'tenant_id': None}, target)
|
||||
self.assertEqual({'project_id': None}, target)
|
||||
self.assertEqual(
|
||||
{},
|
||||
self.service.storage.count_recordsets.call_args[0][1]
|
||||
@ -1587,7 +1589,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
'zone_type': 'foo',
|
||||
'recordset_id': CentralZoneTestCase.recordset__id,
|
||||
'recordset_name': 'rs',
|
||||
'tenant_id': '2'}, target)
|
||||
'project_id': '2'}, target)
|
||||
|
||||
def test_create_record_worker(self):
|
||||
self._test_create_record()
|
||||
@ -1689,7 +1691,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
'record_id': CentralZoneTestCase.record__id,
|
||||
'recordset_id': CentralZoneTestCase.recordset__id_2,
|
||||
'recordset_name': 'foo',
|
||||
'tenant_id': 2}, target)
|
||||
'project_id': 2}, target)
|
||||
|
||||
def test_update_record_fail_on_changes(self):
|
||||
self.service.storage.get_zone.return_value = RoObject(
|
||||
@ -1789,7 +1791,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
'record_id': 'abc12a-1e9d-4e99-aede-a06664f1af2e',
|
||||
'recordset_id': 'abc12a-1e9d-4e99-aede-a06664f1af2e',
|
||||
'recordset_name': 'rsn',
|
||||
'tenant_id': 'tid'}, target)
|
||||
'project_id': 'tid'}, target)
|
||||
|
||||
def test__update_record_in_storage(self):
|
||||
self.service._update_zone_in_storage = mock.Mock()
|
||||
@ -1893,7 +1895,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
'record_id': CentralZoneTestCase.record__id_2,
|
||||
'recordset_id': CentralZoneTestCase.recordset__id_2,
|
||||
'recordset_name': 'rsn',
|
||||
'tenant_id': 'tid'}, target)
|
||||
'project_id': 'tid'}, target)
|
||||
|
||||
def test_delete_record_in_storage(self):
|
||||
self.service._delete_record_in_storage(
|
||||
@ -1911,7 +1913,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
self.service.count_records(self.context)
|
||||
t, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
self.assertEqual('count_records', t)
|
||||
self.assertEqual({'tenant_id': None}, target)
|
||||
self.assertEqual({'project_id': None}, target)
|
||||
|
||||
def test_sync_zones(self):
|
||||
self.service._sync_zone = mock.Mock()
|
||||
@ -1938,7 +1940,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
|
||||
t, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
self.assertEqual('diagnostics_sync_zone', t)
|
||||
self.assertEqual({'tenant_id': 'tid',
|
||||
self.assertEqual({'project_id': 'tid',
|
||||
'zone_id': CentralZoneTestCase.zone__id,
|
||||
'zone_name': 'n'}, target)
|
||||
|
||||
@ -1965,7 +1967,7 @@ class CentralZoneTestCase(CentralBasic):
|
||||
'record_id': CentralZoneTestCase.record__id,
|
||||
'recordset_id': CentralZoneTestCase.recordset__id,
|
||||
'recordset_name': 'n',
|
||||
'tenant_id': 'tid'}, target)
|
||||
'project_id': 'tid'}, target)
|
||||
|
||||
def test_ping(self):
|
||||
self.service.storage.ping.return_value = True
|
||||
@ -2118,7 +2120,7 @@ class CentralZoneExportTests(CentralBasic):
|
||||
n, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
|
||||
# Check arguments to policy
|
||||
self.assertEqual('t', target['tenant_id'])
|
||||
self.assertEqual('t', target['project_id'])
|
||||
|
||||
# Check output
|
||||
self.assertEqual(CentralZoneTestCase.zone__id, out.zone_id)
|
||||
|
@ -0,0 +1,4 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Adds support for keystone default roles and scoped tokens.
|
Loading…
Reference in New Issue
Block a user