Implement system scoped RBAC for baremetal drivers

This commit updates the policies for baremetal drivers to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.

Change-Id: I7e2f205a5fbc186bfdaf2f5f58fb3b07abc9765d

ironic/common/policy.py

@@ -898,24 +898,62 @@ chassis_policies = [
     ),
 ]
 
+
+deprecated_driver_get = policy.DeprecatedRule(
+    name='baremetal:driver:get',
+    check_str='rule:is_admin or rule:is_observer'
+)
+deprecated_driver_get_properties = policy.DeprecatedRule(
+    name='baremetal:driver:get_properties',
+    check_str='rule:is_admin or rule:is_observer'
+)
+deprecated_driver_get_raid_properties = policy.DeprecatedRule(
+    name='baremetal:driver:get_raid_logical_disk_properties',
+    check_str='rule:is_admin or rule:is_observer'
+)
+deprecated_driver_reason = """
+The baremetal driver API is now aware of system scope and default roles.
+"""
+
 driver_policies = [
     policy.DocumentedRuleDefault(
-        'baremetal:driver:get',
-        'rule:is_admin or rule:is_observer',
-        'View list of available drivers',
-        [{'path': '/drivers', 'method': 'GET'},
-         {'path': '/drivers/{driver_name}', 'method': 'GET'}]),
+        name='baremetal:driver:get',
+        check_str=SYSTEM_READER,
+        scope_types=['system'],
+        description='View list of available drivers',
+        operations=[
+            {'path': '/drivers', 'method': 'GET'},
+            {'path': '/drivers/{driver_name}', 'method': 'GET'}
+        ],
+        deprecated_rule=deprecated_driver_get,
+        deprecated_reason=deprecated_driver_reason,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
     policy.DocumentedRuleDefault(
-        'baremetal:driver:get_properties',
-        'rule:is_admin or rule:is_observer',
-        'View driver-specific properties',
-        [{'path': '/drivers/{driver_name}/properties', 'method': 'GET'}]),
+        name='baremetal:driver:get_properties',
+        check_str=SYSTEM_READER,
+        scope_types=['system'],
+        description='View driver-specific properties',
+        operations=[
+            {'path': '/drivers/{driver_name}/properties', 'method': 'GET'}
+        ],
+        deprecated_rule=deprecated_driver_get_properties,
+        deprecated_reason=deprecated_driver_reason,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
     policy.DocumentedRuleDefault(
-        'baremetal:driver:get_raid_logical_disk_properties',
-        'rule:is_admin or rule:is_observer',
-        'View driver-specific RAID metadata',
-        [{'path': '/drivers/{driver_name}/raid/logical_disk_properties',
-          'method': 'GET'}]),
+        name='baremetal:driver:get_raid_logical_disk_properties',
+        check_str=SYSTEM_READER,
+        scope_types=['system'],
+        description='View driver-specific RAID metadata',
+        operations=[
+            {'path': '/drivers/{driver_name}/raid/logical_disk_properties',
+             'method': 'GET'}
+        ],
+        deprecated_rule=deprecated_driver_get_raid_properties,
+        deprecated_reason=deprecated_driver_reason,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
 ]
 
 vendor_passthru_policies = [

ironic/tests/unit/api/test_acl.py

@@ -220,7 +220,8 @@ class TestRBACModelBeforeScopesBase(TestACLBase):
             internal_info={'tenant_vif_port_id': fake_vif_port_id})
         fake_db_portgroup = db_utils.create_test_portgroup(
             node_id=fake_db_node['id'])
-        fake_db_chassis = db_utils.create_test_chassis()
+        fake_db_chassis = db_utils.create_test_chassis(
+            drivers=['fake-hardware', 'fake-driverz', 'fake-driver'])
         fake_db_deploy_template = db_utils.create_test_deploy_template()
         fake_db_conductor = db_utils.create_test_conductor()
         fake_db_volume_target = db_utils.create_test_volume_target(

ironic/tests/unit/api/test_rbac_legacy.yaml

@@ -1545,76 +1545,84 @@ drivers_get_admin:
   method: get
   headers: *admin_headers
   assert_status: 200
+  deprecated: true
 
 drivers_get_member:
   path: '/v1/drivers'
   method: get
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 drivers_get_observer:
   path: '/v1/drivers'
   method: get
   headers: *observer_headers
   assert_status: 200
+  deprecated: true
 
-# TODO(TheJulia): This is presently returning a 404,
-# except it should not be. :\
 drivers_driver_name_get_admin:
   path: '/v1/drivers/{driver_name}'
   method: get
   headers: *admin_headers
   assert_status: 404
+  deprecated: true
 
 drivers_driver_name_get_member:
   path: '/v1/drivers/{driver_name}'
   method: get
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
-# TODO(TheJulia): This is presently returning a 404,
-# except it should not be. :\
 drivers_driver_name_get_observer:
   path: '/v1/drivers/{driver_name}'
   method: get
   headers: *observer_headers
   assert_status: 404
+  deprecated: true
 
 drivers_properties_get_admin:
   path: '/v1/drivers/{driver_name}/properties'
   method: get
   headers: *admin_headers
   assert_status: 404
+  deprecated: true
 
 drivers_properties_get_member:
   path: '/v1/drivers/{driver_name}/properties'
   method: get
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 drivers_properties_get_observer:
   path: '/v1/drivers/{driver_name}/properties'
   method: get
   headers: *observer_headers
   assert_status: 404
+  deprecated: true
 
 drivers_raid_logical_disk_properties_get_admin:
   path: '/v1/drivers/{driver_name}/raid/logical_disk_properties'
   method: get
   headers: *admin_headers
   assert_status: 404
+  deprecated: true
 
 drivers_raid_logical_disk_properties_get_member:
   path: '/v1/drivers/{driver_name}/raid/logical_disk_properties'
   method: get
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 drivers_raid_logical_disk_properties_get_observer:
   path: '/v1/drivers/{driver_name}/raid/logical_disk_properties'
   method: get
   headers: *observer_headers
   assert_status: 404
+  deprecated: true
 
 # Driver vendor passthru - https://docs.openstack.org/api-ref/baremetal/#driver-vendor-passthru-drivers
 

ironic/tests/unit/api/test_rbac_system_scoped.yaml

@@ -1449,88 +1449,72 @@ drivers_get_admin:
   method: get
   headers: *admin_headers
   assert_status: 200
-  skip_reason: not updated for scope testing
 
 drivers_get_member:
   path: '/v1/drivers'
   method: get
   headers: *scoped_member_headers
-  assert_status: 403
-  skip_reason: not updated for scope testing
+  assert_status: 200
 
 drivers_get_observer:
   path: '/v1/drivers'
   method: get
   headers: *observer_headers
   assert_status: 200
-  skip_reason: not updated for scope testing
 
-# TODO(TheJulia): This is presently returning a 404,
-# except it should not be. :\
 drivers_driver_name_get_admin:
   path: '/v1/drivers/{driver_name}'
   method: get
   headers: *admin_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 drivers_driver_name_get_member:
   path: '/v1/drivers/{driver_name}'
   method: get
   headers: *scoped_member_headers
-  assert_status: 403
-  skip_reason: not updated for scope testing
+  assert_status: 404
 
-# TODO(TheJulia): This is presently returning a 404,
-# except it should not be. :\
 drivers_driver_name_get_observer:
   path: '/v1/drivers/{driver_name}'
   method: get
   headers: *observer_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 drivers_properties_get_admin:
   path: '/v1/drivers/{driver_name}/properties'
   method: get
   headers: *admin_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 drivers_properties_get_member:
   path: '/v1/drivers/{driver_name}/properties'
   method: get
   headers: *scoped_member_headers
-  assert_status: 403
-  skip_reason: not updated for scope testing
+  assert_status: 404
 
 drivers_properties_get_observer:
   path: '/v1/drivers/{driver_name}/properties'
   method: get
   headers: *observer_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 drivers_raid_logical_disk_properties_get_admin:
   path: '/v1/drivers/{driver_name}/raid/logical_disk_properties'
   method: get
   headers: *admin_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 drivers_raid_logical_disk_properties_get_member:
   path: '/v1/drivers/{driver_name}/raid/logical_disk_properties'
   method: get
   headers: *scoped_member_headers
-  assert_status: 403
-  skip_reason: not updated for scope testing
+  assert_status: 404
 
 drivers_raid_logical_disk_properties_get_observer:
   path: '/v1/drivers/{driver_name}/raid/logical_disk_properties'
   method: get
   headers: *observer_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 # Driver vendor passthru - https://docs.openstack.org/api-ref/baremetal/#driver-vendor-passthru-drivers
 

releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml

@@ -3,7 +3,7 @@ features:
   - |
     The Baremetal API, provided by the ironic-api process, now supports use of
     ``system`` scoped ``keystone`` authentication for the following endpoints:
-    nodes, ports, portgroups, chassis
+    nodes, ports, portgroups, chassis, drivers
 upgrade:
   - |
     Deprecated policy rules are not expressed via a default policy file