Merge "Implement system scoped RBAC for conductor APIs"
This commit is contained in:
Zuul
Gerrit Code Review
commit
9c9c7c6b46
|
|
@ -1150,13 +1150,30 @@ volume_policies = [
|
|||
),
|
||||
]
|
||||
|
||||
|
||||
deprecated_conductor_get = policy.DeprecatedRule(
|
||||
name='baremetal:conductor:get',
|
||||
check_str='rule:is_admin or rule:is_observer'
|
||||
)
|
||||
deprecated_conductor_reason = """
|
||||
The baremetal conductor API is now aware of system scope and default
|
||||
roles.
|
||||
"""
|
||||
|
||||
conductor_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:conductor:get',
|
||||
'rule:is_admin or rule:is_observer',
|
||||
'Retrieve Conductor records',
|
||||
[{'path': '/conductors', 'method': 'GET'},
|
||||
{'path': '/conductors/{hostname}', 'method': 'GET'}]),
|
||||
name='baremetal:conductor:get',
|
||||
check_str=SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='Retrieve Conductor records',
|
||||
operations=[
|
||||
{'path': '/conductors', 'method': 'GET'},
|
||||
{'path': '/conductors/{hostname}', 'method': 'GET'}
|
||||
],
|
||||
deprecated_rule=deprecated_conductor_get,
|
||||
deprecated_reason=deprecated_conductor_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
]
|
||||
|
||||
allocation_policies = [
|
||||
|
|
|
|||
|
|
@ -1842,37 +1842,42 @@ conductors_get_admin:
|
|||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
conductors_get_member:
|
||||
path: '/v1/conductors'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
conductors_get_observer:
|
||||
path: '/v1/conductors'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
|
||||
deprecated: true
|
||||
|
||||
conductors_hostname_get_admin:
|
||||
path: '/v1/conductors/{conductor_ident}'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
conductors_hostname_get_member:
|
||||
path: '/v1/conductors/{conductor_ident}'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
conductors_hostname_get_observer:
|
||||
path: '/v1/conductors/{conductor_ident}'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
# Allocations - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations
|
||||
|
||||
|
|
|
|||
|
|
@ -1601,43 +1601,36 @@ conductors_get_admin:
|
|||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
conductors_get_member:
|
||||
path: '/v1/conductors'
|
||||
method: get
|
||||
headers: *scoped_member_headers
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
assert_status: 200
|
||||
|
||||
conductors_get_observer:
|
||||
path: '/v1/conductors'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
|
||||
conductors_hostname_get_admin:
|
||||
path: '/v1/conductors/{conductor_ident}'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
conductors_hostname_get_member:
|
||||
path: '/v1/conductors/{conductor_ident}'
|
||||
method: get
|
||||
headers: *scoped_member_headers
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
assert_status: 200
|
||||
|
||||
conductors_hostname_get_observer:
|
||||
path: '/v1/conductors/{conductor_ident}'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
# Allocations - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations
|
||||
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ features:
|
|||
The Baremetal API, provided by the ironic-api process, now supports use of
|
||||
``system`` scoped ``keystone`` authentication for the following endpoints:
|
||||
nodes, ports, portgroups, chassis, drivers, driver vendor passthru,
|
||||
volume targets, volume connectors
|
||||
volume targets, volume connectors, conductors
|
||||
upgrade:
|
||||
- |
|
||||
Deprecated policy rules are not expressed via a default policy file
|
||||
|
|
|
|||
Loading…
Reference in New Issue