Implement "system" scoped RBAC for the node endpoint
This commit updates the policies for baremetal nodes to understand scope checking and account for a member or read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. This change also implements basic testing of the RBAC interface, and modifies the testing test_acl.py file to *both* delineate the tests to prevent yaml variable expansion collision as well as handle deprecated ACL testing so we can track our way through the API and disable deprecated tests from providing false errors. A notable difference between the testing is that members in the system role *have* rights under the system scope. Member accounts may be services such as nova-compute running the nova.virt.ironic driver. Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com> Change-Id: Id8365f150f8f5828b99627e1f31b0bc30f3a28f2
parent
8e458d89bf
commit
b0d8d14065
|
@ -21,6 +21,7 @@ import sys
|
|||
from oslo_concurrency import lockutils
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import opts
|
||||
from oslo_policy import policy
|
||||
|
||||
|
@ -137,190 +138,519 @@ default_policies = [
|
|||
# All of these may be overridden by configuration, but we can
|
||||
# depend on their existence throughout the code.
|
||||
|
||||
deprecated_node_create = policy.DeprecatedRule(
|
||||
name='baremetal:node:create',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_get = policy.DeprecatedRule(
|
||||
name='baremetal:node:get',
|
||||
check_str='rule:is_admin or rule:is_observer'
|
||||
)
|
||||
deprecated_node_list = policy.DeprecatedRule(
|
||||
name='baremetal:node:list',
|
||||
check_str='rule:baremetal:node:get'
|
||||
)
|
||||
deprecated_node_list_all = policy.DeprecatedRule(
|
||||
name='baremetal:node:list_all',
|
||||
check_str='rule:baremetal:node:get'
|
||||
)
|
||||
deprecated_node_update = policy.DeprecatedRule(
|
||||
name='baremetal:node:update',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_update_extra = policy.DeprecatedRule(
|
||||
name='baremetal:node:update_extra',
|
||||
check_str='rule:baremetal:node:update'
|
||||
)
|
||||
deprecated_node_update_instance_info = policy.DeprecatedRule(
|
||||
name='baremetal:node:update_instance_info',
|
||||
check_str='rule:baremetal:node:update'
|
||||
)
|
||||
deprecated_node_update_owner_provisioned = policy.DeprecatedRule(
|
||||
name='baremetal:node:update_owner_provisioned',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_delete = policy.DeprecatedRule(
|
||||
name='baremetal:node:delete',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_validate = policy.DeprecatedRule(
|
||||
name='baremetal:node:validate',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_set_maintenance = policy.DeprecatedRule(
|
||||
name='baremetal:node:set_maintenance',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_clear_maintenance = policy.DeprecatedRule(
|
||||
name='baremetal:node:clear_maintenance',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_get_boot_device = policy.DeprecatedRule(
|
||||
name='baremetal:node:get_boot_device',
|
||||
check_str='rule:is_admin or rule:is_observer'
|
||||
)
|
||||
deprecated_node_set_boot_device = policy.DeprecatedRule(
|
||||
name='baremetal:node:set_boot_device',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_get_indicator_state = policy.DeprecatedRule(
|
||||
name='baremetal:node:get_indicator_state',
|
||||
check_str='rule:is_admin or rule:is_observer'
|
||||
)
|
||||
deprecated_node_set_indicator_state = policy.DeprecatedRule(
|
||||
name='baremetal:node:set_indicator_state',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_inject_nmi = policy.DeprecatedRule(
|
||||
name='baremetal:node:inject_nmi',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_get_states = policy.DeprecatedRule(
|
||||
name='baremetal:node:get_states',
|
||||
check_str='rule:is_admin or rule:is_observer'
|
||||
)
|
||||
deprecated_node_set_power_state = policy.DeprecatedRule(
|
||||
name='baremetal:node:set_power_state',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_set_provision_state = policy.DeprecatedRule(
|
||||
name='baremetal:node:set_provision_state',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_set_raid_state = policy.DeprecatedRule(
|
||||
name='baremetal:node:set_raid_state',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_get_console = policy.DeprecatedRule(
|
||||
name='baremetal:node:get_console',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_set_console_state = policy.DeprecatedRule(
|
||||
name='baremetal:node:set_console_state',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_vif_list = policy.DeprecatedRule(
|
||||
name='baremetal:node:vif:list',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_vif_attach = policy.DeprecatedRule(
|
||||
name='baremetal:node:vif:attach',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_vif_detach = policy.DeprecatedRule(
|
||||
name='baremetal:node:vif:detach',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_traits_list = policy.DeprecatedRule(
|
||||
name='baremetal:node:traits:list',
|
||||
check_str='rule:is_admin or rule:is_observer'
|
||||
)
|
||||
deprecated_node_traits_set = policy.DeprecatedRule(
|
||||
name='baremetal:node:traits:set',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_traits_delete = policy.DeprecatedRule(
|
||||
name='baremetal:node:traits:delete',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_node_bios_get = policy.DeprecatedRule(
|
||||
name='baremetal:node:bios:get',
|
||||
check_str='rule:is_admin or rule:is_observer'
|
||||
)
|
||||
deprecated_bios_disable_cleaning = policy.DeprecatedRule(
|
||||
name='baremetal:node:disable_cleaning',
|
||||
check_str='rule:baremetal:node:update',
|
||||
)
|
||||
deprecated_node_reason = """
|
||||
The baremetal node API is now aware of system scope and default roles.
|
||||
Capability to fallback to legacy admin project policy configuration
|
||||
will be removed in the Xena release of Ironic.
|
||||
"""
|
||||
|
||||
|
||||
node_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:create',
|
||||
'rule:is_admin',
|
||||
'Create Node records',
|
||||
[{'path': '/nodes', 'method': 'POST'}]),
|
||||
name='baremetal:node:create',
|
||||
check_str=SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Create Node records',
|
||||
operations=[{'path': '/nodes', 'method': 'POST'}],
|
||||
deprecated_rule=deprecated_node_create,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:get',
|
||||
'rule:is_admin or rule:is_observer',
|
||||
'Retrieve a single Node record',
|
||||
[{'path': '/nodes/{node_ident}', 'method': 'GET'}]),
|
||||
name='baremetal:node:get',
|
||||
check_str=SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='Retrieve a single Node record',
|
||||
operations=[{'path': '/nodes/{node_ident}', 'method': 'GET'}],
|
||||
deprecated_rule=deprecated_node_get,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:list',
|
||||
'rule:baremetal:node:get',
|
||||
'Retrieve multiple Node records, filtered by owner',
|
||||
[{'path': '/nodes', 'method': 'GET'},
|
||||
{'path': '/nodes/detail', 'method': 'GET'}]),
|
||||
name='baremetal:node:list',
|
||||
check_str=SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='Retrieve multiple Node records, filtered by owner',
|
||||
operations=[{'path': '/nodes', 'method': 'GET'},
|
||||
{'path': '/nodes/detail', 'method': 'GET'}],
|
||||
deprecated_rule=deprecated_node_list,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:list_all',
|
||||
'rule:baremetal:node:get',
|
||||
'Retrieve multiple Node records',
|
||||
[{'path': '/nodes', 'method': 'GET'},
|
||||
{'path': '/nodes/detail', 'method': 'GET'}]),
|
||||
name='baremetal:node:list_all',
|
||||
check_str=SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='Retrieve multiple Node records',
|
||||
operations=[{'path': '/nodes', 'method': 'GET'},
|
||||
{'path': '/nodes/detail', 'method': 'GET'}],
|
||||
deprecated_rule=deprecated_node_list_all,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:update',
|
||||
'rule:is_admin',
|
||||
'Update Node records',
|
||||
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
|
||||
name='baremetal:node:update',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Update Node records',
|
||||
operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
|
||||
deprecated_rule=deprecated_node_update,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
# TODO(TheJulia): Explicit RBAC testing needed for this.
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:update_extra',
|
||||
'rule:baremetal:node:update',
|
||||
'Update Node extra field',
|
||||
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
|
||||
name='baremetal:node:update_extra',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Update Node extra field',
|
||||
operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
|
||||
deprecated_rule=deprecated_node_update_extra,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
# TODO(TheJulia): Explicit RBAC testing needed for this.
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:update_instance_info',
|
||||
'rule:baremetal:node:update',
|
||||
'Update Node instance_info field',
|
||||
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
|
||||
name='baremetal:node:update_instance_info',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Update Node instance_info field',
|
||||
operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
|
||||
deprecated_rule=deprecated_node_update_instance_info,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
# TODO(TheJulia): Explicit RBAC testing needed for this.
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:update_owner_provisioned',
|
||||
'rule:is_admin',
|
||||
'Update Node owner even when Node is provisioned',
|
||||
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
|
||||
name='baremetal:node:update_owner_provisioned',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Update Node owner even when Node is provisioned',
|
||||
operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
|
||||
deprecated_rule=deprecated_node_update_owner_provisioned,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
# TODO(TheJulia): Explicit RBAC testing needed for this... Maybe?
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:delete',
|
||||
'rule:is_admin',
|
||||
'Delete Node records',
|
||||
[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}]),
|
||||
name='baremetal:node:delete',
|
||||
check_str=SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Delete Node records',
|
||||
operations=[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}],
|
||||
deprecated_rule=deprecated_node_delete,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:validate',
|
||||
'rule:is_admin',
|
||||
'Request active validation of Nodes',
|
||||
[{'path': '/nodes/{node_ident}/validate', 'method': 'GET'}]),
|
||||
name='baremetal:node:validate',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Request active validation of Nodes',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/validate', 'method': 'GET'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_validate,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:set_maintenance',
|
||||
'rule:is_admin',
|
||||
'Set maintenance flag, taking a Node out of service',
|
||||
[{'path': '/nodes/{node_ident}/maintenance', 'method': 'PUT'}]),
|
||||
name='baremetal:node:set_maintenance',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Set maintenance flag, taking a Node out of service',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/maintenance', 'method': 'PUT'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_set_maintenance,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:clear_maintenance',
|
||||
'rule:is_admin',
|
||||
'Clear maintenance flag, placing the Node into service again',
|
||||
[{'path': '/nodes/{node_ident}/maintenance', 'method': 'DELETE'}]),
|
||||
name='baremetal:node:clear_maintenance',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description=(
|
||||
'Clear maintenance flag, placing the Node into service again'
|
||||
),
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/maintenance', 'method': 'DELETE'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_clear_maintenance,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
|
||||
# NOTE(TheJulia): This should liekly be deprecated and be replaced with
|
||||
# a cached object.
|
||||
policy.DocumentedRuleDefault(
|
||||
name='baremetal:node:get_boot_device',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Retrieve Node boot device metadata',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/management/boot_device',
|
||||
'method': 'GET'},
|
||||
{'path': '/nodes/{node_ident}/management/boot_device/supported',
|
||||
'method': 'GET'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_get_boot_device,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='baremetal:node:set_boot_device',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Change Node boot device',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/management/boot_device',
|
||||
'method': 'PUT'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_set_maintenance,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:get_boot_device',
|
||||
'rule:is_admin or rule:is_observer',
|
||||
'Retrieve Node boot device metadata',
|
||||
[{'path': '/nodes/{node_ident}/management/boot_device',
|
||||
'method': 'GET'},
|
||||
{'path': '/nodes/{node_ident}/management/boot_device/supported',
|
||||
'method': 'GET'}]),
|
||||
name='baremetal:node:get_indicator_state',
|
||||
check_str=SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='Retrieve Node indicators and their states',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/management/indicators/'
|
||||
'{component}/{indicator}',
|
||||
'method': 'GET'},
|
||||
{'path': '/nodes/{node_ident}/management/indicators',
|
||||
'method': 'GET'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_get_indicator_state,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:set_boot_device',
|
||||
'rule:is_admin',
|
||||
'Change Node boot device',
|
||||
[{'path': '/nodes/{node_ident}/management/boot_device',
|
||||
'method': 'PUT'}]),
|
||||
name='baremetal:node:set_indicator_state',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Change Node indicator state',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/management/indicators/'
|
||||
'{component}/{indicator}',
|
||||
'method': 'PUT'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_set_indicator_state,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:get_indicator_state',
|
||||
'rule:is_admin or rule:is_observer',
|
||||
'Retrieve Node indicators and their states',
|
||||
[{'path': '/nodes/{node_ident}/management/indicators/'
|
||||
'{component}/{indicator}',
|
||||
'method': 'GET'},
|
||||
{'path': '/nodes/{node_ident}/management/indicators',
|
||||
'method': 'GET'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:set_indicator_state',
|
||||
'rule:is_admin',
|
||||
'Change Node indicator state',
|
||||
[{'path': '/nodes/{node_ident}/management/indicators/'
|
||||
'{component}/{indicator}',
|
||||
'method': 'PUT'}]),
|
||||
name='baremetal:node:inject_nmi',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Inject NMI for a node',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/management/inject_nmi',
|
||||
'method': 'PUT'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_inject_nmi,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:inject_nmi',
|
||||
'rule:is_admin',
|
||||
'Inject NMI for a node',
|
||||
[{'path': '/nodes/{node_ident}/management/inject_nmi',
|
||||
'method': 'PUT'}]),
|
||||
name='baremetal:node:get_states',
|
||||
check_str=SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='View Node power and provision state',
|
||||
operations=[{'path': '/nodes/{node_ident}/states', 'method': 'GET'}],
|
||||
deprecated_rule=deprecated_node_get_states,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='baremetal:node:set_power_state',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Change Node power status',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/states/power', 'method': 'PUT'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_set_power_state,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='baremetal:node:set_provision_state',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Change Node provision status',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/states/provision', 'method': 'PUT'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_set_provision_state,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='baremetal:node:set_raid_state',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Change Node RAID status',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/states/raid', 'method': 'PUT'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_set_raid_state,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='baremetal:node:get_console',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Get Node console connection information',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/states/console', 'method': 'GET'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_get_console,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='baremetal:node:set_console_state',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Change Node console status',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/states/console', 'method': 'PUT'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_set_console_state,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:get_states',
|
||||
'rule:is_admin or rule:is_observer',
|
||||
'View Node power and provision state',
|
||||
[{'path': '/nodes/{node_ident}/states', 'method': 'GET'}]),
|
||||
name='baremetal:node:vif:list',
|
||||
check_str=SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='List VIFs attached to node',
|
||||
operations=[{'path': '/nodes/{node_ident}/vifs', 'method': 'GET'}],
|
||||
deprecated_rule=deprecated_node_vif_list,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:set_power_state',
|
||||
'rule:is_admin',
|
||||
'Change Node power status',
|
||||
[{'path': '/nodes/{node_ident}/states/power', 'method': 'PUT'}]),
|
||||
name='baremetal:node:vif:attach',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Attach a VIF to a node',
|
||||
operations=[{'path': '/nodes/{node_ident}/vifs', 'method': 'POST'}],
|
||||
deprecated_rule=deprecated_node_vif_attach,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:set_provision_state',
|
||||
'rule:is_admin',
|
||||
'Change Node provision status',
|
||||
[{'path': '/nodes/{node_ident}/states/provision', 'method': 'PUT'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:set_raid_state',
|
||||
'rule:is_admin',
|
||||
'Change Node RAID status',
|
||||
[{'path': '/nodes/{node_ident}/states/raid', 'method': 'PUT'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:get_console',
|
||||
'rule:is_admin',
|
||||
'Get Node console connection information',
|
||||
[{'path': '/nodes/{node_ident}/states/console', 'method': 'GET'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:set_console_state',
|
||||
'rule:is_admin',
|
||||
'Change Node console status',
|
||||
[{'path': '/nodes/{node_ident}/states/console', 'method': 'PUT'}]),
|
||||
name='baremetal:node:vif:detach',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Detach a VIF from a node',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/vifs/{node_vif_ident}',
|
||||
'method': 'DELETE'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_vif_detach,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:vif:list',
|
||||
'rule:is_admin',
|
||||
'List VIFs attached to node',
|
||||
[{'path': '/nodes/{node_ident}/vifs', 'method': 'GET'}]),
|
||||
name='baremetal:node:traits:list',
|
||||
check_str=SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='List node traits',
|
||||
operations=[{'path': '/nodes/{node_ident}/traits', 'method': 'GET'}],
|
||||
deprecated_rule=deprecated_node_traits_list,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:vif:attach',
|
||||
'rule:is_admin',
|
||||
'Attach a VIF to a node',
|
||||
[{'path': '/nodes/{node_ident}/vifs', 'method': 'POST'}]),
|
||||
name='baremetal:node:traits:set',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Add a trait to, or replace all traits of, a node',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/traits', 'method': 'PUT'},
|
||||
{'path': '/nodes/{node_ident}/traits/{trait}', 'method': 'PUT'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_traits_set,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:vif:detach',
|
||||
'rule:is_admin',
|
||||
'Detach a VIF from a node',
|
||||
[{'path': '/nodes/{node_ident}/vifs/{node_vif_ident}',
|
||||
'method': 'DELETE'}]),
|
||||
name='baremetal:node:traits:delete',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Remove one or all traits from a node',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/traits', 'method': 'DELETE'},
|
||||
{'path': '/nodes/{node_ident}/traits/{trait}',
|
||||
'method': 'DELETE'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_traits_delete,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:traits:list',
|
||||
'rule:is_admin or rule:is_observer',
|
||||
'List node traits',
|
||||
[{'path': '/nodes/{node_ident}/traits', 'method': 'GET'}]),
|
||||
name='baremetal:node:bios:get',
|
||||
check_str=SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='Retrieve Node BIOS information',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}/bios', 'method': 'GET'},
|
||||
{'path': '/nodes/{node_ident}/bios/{setting}', 'method': 'GET'}
|
||||
],
|
||||
deprecated_rule=deprecated_node_bios_get,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:traits:set',
|
||||
'rule:is_admin',
|
||||
'Add a trait to, or replace all traits of, a node',
|
||||
[{'path': '/nodes/{node_ident}/traits', 'method': 'PUT'},
|
||||
{'path': '/nodes/{node_ident}/traits/{trait}', 'method': 'PUT'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:traits:delete',
|
||||
'rule:is_admin',
|
||||
'Remove one or all traits from a node',
|
||||
[{'path': '/nodes/{node_ident}/traits', 'method': 'DELETE'},
|
||||
{'path': '/nodes/{node_ident}/traits/{trait}',
|
||||
'method': 'DELETE'}]),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:bios:get',
|
||||
'rule:is_admin or rule:is_observer',
|
||||
'Retrieve Node BIOS information',
|
||||
[{'path': '/nodes/{node_ident}/bios', 'method': 'GET'},
|
||||
{'path': '/nodes/{node_ident}/bios/{setting}', 'method': 'GET'}]),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:node:disable_cleaning',
|
||||
'rule:baremetal:node:update',
|
||||
'Disable Node disk cleaning',
|
||||
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
|
||||
name='baremetal:node:disable_cleaning',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Disable Node disk cleaning',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}', 'method': 'PATCH'}
|
||||
],
|
||||
deprecated_rule=deprecated_bios_disable_cleaning,
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
]
|
||||
|
||||
port_policies = [
|
||||
|
|
|
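Review bot: The new `baremetal:node:set_boot_device` rule is wired to the wrong legacy rule — its `deprecated_rule=deprecated_node_set_maintenance` line (directly after the `operations` list for the `/management/boot_device` PUT) should read `deprecated_rule=deprecated_node_set_boot_device,`, and the `deprecated_node_set_boot_device` DeprecatedRule defined earlier in the hunk is otherwise never referenced. The two evaluate identically today only because both legacy check strings are `rule:is_admin`, so no test will catch it, but an operator override of `baremetal:node:set_boot_device` in policy.yaml would not be honoured by the fallback and the deprecation warning would name the wrong rule. Separately, `baremetal:node:update_owner_provisioned` moves from `rule:is_admin` to `SYSTEM_MEMBER`, which lets the member-level service accounts the description mentions reassign ownership of a node that is already provisioned; `create` and `delete` in the same hunk stayed at `SYSTEM_ADMIN`, so it is worth confirming that ownership transfer was meant to be relaxed rather than kept admin-only. The `TODO(TheJulia)` above that rule already asks for explicit RBAC testing; a member-scoped negative test would pin whichever answer is intended.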
@ -55,6 +55,7 @@ class TestACLBase(base.BaseApiTest):
|
|||
self.mock_random_topic = rtopic.start()
|
||||
self.mock_random_topic.side_effect = exception.TemporaryFailure
|
||||
self.addCleanup(rtopic.stop)
|
||||
self._set_test_config()
|
||||
|
||||
def _make_app(self):
|
||||
cfg.CONF.set_override('auth_strategy', 'keystone')
|
||||
|
@ -64,6 +65,10 @@ class TestACLBase(base.BaseApiTest):
|
|||
def _create_test_data(self):
|
||||
pass
|
||||
|
||||
@abc.abstractmethod
|
||||
def _set_test_config(self):
|
||||
pass
|
||||
|
||||
def _check_skip(self, **kwargs):
|
||||
if kwargs.get('skip_reason'):
|
||||
self.skipTest(kwargs.get('skip_reason'))
|
||||
|
@ -74,7 +79,8 @@ class TestACLBase(base.BaseApiTest):
|
|||
def _test_request(self, path, params=None, headers=None, method='get',
|
||||
body=None, assert_status=None,
|
||||
assert_dict_contains=None,
|
||||
assert_list_length=None):
|
||||
assert_list_length=None,
|
||||
deprecated=None):
|
||||
path = path.format(**self.format_data)
|
||||
self.mock_auth.side_effect = self._fake_process_request
|
||||
|
||||
|
@ -91,7 +97,6 @@ class TestACLBase(base.BaseApiTest):
|
|||
if headers:
|
||||
for k, v in headers.items():
|
||||
rheaders[k] = v.format(**self.format_data)
|
||||
|
||||
if method == 'get':
|
||||
response = self.get_json(
|
||||
path,
|
||||
|
@ -138,9 +143,20 @@ class TestACLBase(base.BaseApiTest):
|
|||
else:
|
||||
assert False, 'Unimplemented test method: %s' % method
|
||||
|
||||
if assert_status:
|
||||
if not (bool(deprecated)
|
||||
and ('403' in response.status or '500' in response.status)
|
||||
and cfg.CONF.oslo_policy.enforce_scope
|
||||
and cfg.CONF.oslo_policy.enforce_new_defaults):
|
||||
# NOTE(TheJulia): Everything, once migrated, should
|
||||
# return a 403.
|
||||
self.assertEqual(assert_status, response.status_int)
|
||||
else:
|
||||
self.assertTrue(
|
||||
'403' in response.status or '500' in response.status)
|
||||
# We can't check the contents of the response if there is no
|
||||
# response.
|
||||
return
|
||||
if not bool(deprecated):
|
||||
self.assertIsNotNone(assert_status,
|
||||
'Tests must include an assert_status')
|
||||
|
||||
|
@ -182,7 +198,7 @@ class TestRBACBasic(TestACLBase):
|
|||
|
||||
|
||||
@ddt.ddt
|
||||
class TestRBACModelBeforeScopes(TestACLBase):
|
||||
class TestRBACModelBeforeScopesBase(TestACLBase):
|
||||
|
||||
def _create_test_data(self):
|
||||
allocated_node_id = 31
|
||||
|
@ -241,6 +257,17 @@ class TestRBACModelBeforeScopes(TestACLBase):
|
|||
'volume_connector_ident': fake_db_volume_connector['uuid'],
|
||||
})
|
||||
|
||||
|
||||
@ddt.ddt
|
||||
class TestRBACModelBeforeScopes(TestRBACModelBeforeScopesBase):
|
||||
|
||||
def _set_test_config(self):
|
||||
# NOTE(TheJulia): Sets default test conditions, in the event
|
||||
# oslo_policy defaults change.
|
||||
cfg.CONF.set_override('enforce_scope', False, group='oslo_policy')
|
||||
cfg.CONF.set_override('enforce_new_defaults', False,
|
||||
group='oslo_policy')
|
||||
|
||||
@ddt.file_data('test_rbac_legacy.yaml')
|
||||
@ddt.unpack
|
||||
def test_rbac_legacy(self, **kwargs):
|
||||
|
@ -250,15 +277,35 @@ class TestRBACModelBeforeScopes(TestACLBase):
|
|||
|
||||
@ddt.ddt
|
||||
class TestRBACScoped(TestRBACModelBeforeScopes):
|
||||
"""Test Scoped ACL access using our existing access policy."""
|
||||
|
||||
def setUp(self):
|
||||
super(TestRBACScoped, self).setUp()
|
||||
"""Test Scoped RBAC access using our existing access policy."""
|
||||
|
||||
def _set_test_config(self):
|
||||
# NOTE(TheJulia): This test class is as like a canary.
|
||||
# The operational intent is for it to kind of provide
|
||||
# a safety net as we're changing policy rules so we can
|
||||
# incremently disable the ones we *know* will no longer work
|
||||
# while we also enable the new ones in another test class with
|
||||
# the appropriate scope friendly chagnges. In other words, two
|
||||
# test changes will be needed for each which should also reduce
|
||||
# risk of accidential policy changes. It may just be Julia being
|
||||
# super risk-adverse, just let her roll with it and we will delete
|
||||
# this class later.
|
||||
# NOTE(TheJulia): This test class runs with test_rbac_legacy.yaml!
|
||||
cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
|
||||
cfg.CONF.set_override('enforce_new_defaults', True,
|
||||
group='oslo_policy')
|
||||
# NOTE(TheJulia): The purpose of this class is to execute the legacy
|
||||
# RBAC tests with the new configuration, which forces us to
|
||||
# explicity mark each test as a deprecated test later on. That
|
||||
# functionality will be added in a later patch when needed,
|
||||
|
||||
@ddt.file_data('test_rbac_legacy.yaml')
|
||||
def test_scoped_canary(self, **kwargs):
|
||||
self._check_skip(**kwargs)
|
||||
self._test_request(**kwargs)
|
||||
|
||||
|
||||
@ddt.ddt
|
||||
class TestRBACScopedRequests(TestRBACModelBeforeScopesBase):
|
||||
|
||||
@ddt.file_data('test_rbac_system_scoped.yaml')
|
||||
@ddt.unpack
|
||||
def test_system_scoped(self, **kwargs):
|
||||
self._check_skip(**kwargs)
|
||||
self._test_request(**kwargs)
|
||||
|
|
|
@ -46,6 +46,7 @@ nodes_post_admin:
|
|||
name: node
|
||||
driver: fake-driverz
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_post_member:
|
||||
path: '/v1/nodes'
|
||||
|
@ -53,6 +54,7 @@ nodes_post_member:
|
|||
headers: *member_headers
|
||||
body: *node_post_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_post_observer:
|
||||
path: '/v1/nodes'
|
||||
|
@ -60,6 +62,7 @@ nodes_post_observer:
|
|||
headers: *observer_headers
|
||||
body: *node_post_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_get_node_admin:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
|
@ -69,12 +72,14 @@ nodes_get_node_admin:
|
|||
uuid: '{node_ident}'
|
||||
driver: 'fake-driverz'
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_get_node_member:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_get_node_observer:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
|
@ -84,6 +89,7 @@ nodes_get_node_observer:
|
|||
uuid: '{node_ident}'
|
||||
driver: 'fake-driverz'
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_get_node_other_admin:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
|
@ -94,6 +100,7 @@ nodes_get_node_other_admin:
|
|||
# This just represents the *current* state, not what the world should be
|
||||
# in the end.
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_get_admin:
|
||||
path: '/v1/nodes'
|
||||
|
@ -102,6 +109,7 @@ nodes_get_admin:
|
|||
assert_list_length:
|
||||
nodes: 2
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_get_other_admin:
|
||||
path: '/v1/nodes'
|
||||
|
@ -110,42 +118,49 @@ nodes_get_other_admin:
|
|||
assert_list_length:
|
||||
nodes: 2
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_detail_get_admin:
|
||||
path: '/v1/nodes/detail'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_detail_get_member:
|
||||
path: '/v1/nodes/detail'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_detail_get_observer:
|
||||
path: '/v1/nodes/detail'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_node_ident_get_admin:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_node_ident_get_member:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_node_ident_get_observer:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_node_ident_patch_admin:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
|
@ -156,6 +171,7 @@ nodes_node_ident_patch_admin:
|
|||
path: /extra
|
||||
value: {'test': 'testing'}
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_node_ident_patch_member:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
|
@ -163,6 +179,7 @@ nodes_node_ident_patch_member:
|
|||
headers: *member_headers
|
||||
body: *extra_patch
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_node_ident_patch_observer:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
|
@ -170,24 +187,28 @@ nodes_node_ident_patch_observer:
|
|||
headers: *observer_headers
|
||||
body: *extra_patch
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_node_ident_delete_admin:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
method: delete
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_node_ident_delete_member:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
method: delete
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_node_ident_delete_observer:
|
||||
path: '/v1/nodes/{node_ident}'
|
||||
method: delete
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
# Node Management - https://docs.openstack.org/api-ref/baremetal/?expanded=#node-management-nodes
|
||||
|
||||
|
@ -196,54 +217,63 @@ nodes_validate_get_admin:
|
|||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_validate_get_member:
|
||||
path: '/v1/nodes/{node_ident}/validate'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_validate_get_observer:
|
||||
path: '/v1/nodes/{node_ident}/validate'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_maintenance_put_admin:
|
||||
path: '/v1/nodes/{node_ident}/maintenance'
|
||||
method: put
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_maintenance_put_member:
|
||||
path: '/v1/nodes/{node_ident}/maintenance'
|
||||
method: put
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_maintenance_put_observer:
|
||||
path: '/v1/nodes/{node_ident}/maintenance'
|
||||
method: put
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_maintenance_delete_admin:
|
||||
path: '/v1/nodes/{node_ident}/maintenance'
|
||||
method: delete
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_maintenance_delete_member:
|
||||
path: '/v1/nodes/{node_ident}/maintenance'
|
||||
method: delete
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_maintenance_delete_observer:
|
||||
path: '/v1/nodes/{node_ident}/maintenance'
|
||||
method: delete
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_management_boot_device_put_admin:
|
||||
path: '/v1/nodes/{node_ident}/management/boot_device'
|
||||
|
@ -252,6 +282,7 @@ nodes_management_boot_device_put_admin:
|
|||
body: &boot_device_body
|
||||
boot_device: pxe
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_management_boot_device_put_member:
|
||||
path: '/v1/nodes/{node_ident}/management/boot_device'
|
||||
|
@ -259,6 +290,7 @@ nodes_management_boot_device_put_member:
|
|||
headers: *member_headers
|
||||
body: *boot_device_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_management_boot_device_put_observer:
|
||||
path: '/v1/nodes/{node_ident}/management/boot_device'
|
||||
|
@ -266,42 +298,49 @@ nodes_management_boot_device_put_observer:
|
|||
headers: *observer_headers
|
||||
body: *boot_device_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_management_boot_device_get_admin:
|
||||
path: '/v1/nodes/{node_ident}/management/boot_device'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_management_boot_device_get_member:
|
||||
path: '/v1/nodes/{node_ident}/management/boot_device'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_management_boot_device_get_observer:
|
||||
path: '/v1/nodes/{node_ident}/management/boot_device'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_management_boot_device_supported_get_admin:
|
||||
path: '/v1/nodes/{node_ident}/management/boot_device/supported'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_management_boot_device_supported_get_member:
|
||||
path: '/v1/nodes/{node_ident}/management/boot_device/supported'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_management_boot_device_supported_get_observer:
|
||||
path: '/v1/nodes/{node_ident}/management/boot_device/supported'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_management_inject_nmi_put_admin:
|
||||
path: '/v1/nodes/{node_ident}/management/inject_nmi'
|
||||
|
@ -309,6 +348,7 @@ nodes_management_inject_nmi_put_admin:
|
|||
headers: *admin_headers
|
||||
body: {}
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_management_inject_nmi_put_member:
|
||||
path: '/v1/nodes/{node_ident}/management/inject_nmi'
|
||||
|
@ -316,6 +356,7 @@ nodes_management_inject_nmi_put_member:
|
|||
headers: *member_headers
|
||||
body: {}
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_management_inject_nmi_put_observer:
|
||||
path: '/v1/nodes/{node_ident}/management/inject_nmi'
|
||||
|
@ -323,25 +364,28 @@ nodes_management_inject_nmi_put_observer:
|
|||
headers: *observer_headers
|
||||
body: {}
|
||||
assert_status: 403
|
||||
|
||||
deprecated: true
|
||||
|
||||
nodes_states_get_admin:
|
||||
path: '/v1/nodes/{node_ident}/states'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_states_get_member:
|
||||
path: '/v1/nodes/{node_ident}/states'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_states_get_observer:
|
||||
path: '/v1/nodes/{node_ident}/states'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_states_power_put_admin:
|
||||
path: '/v1/nodes/{node_ident}/states/power'
|
||||
|
@ -350,6 +394,7 @@ nodes_states_power_put_admin:
|
|||
body: &power_body
|
||||
target: "power on"
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_states_power_put_member:
|
||||
path: '/v1/nodes/{node_ident}/states/power'
|
||||
|
@ -357,6 +402,7 @@ nodes_states_power_put_member:
|
|||
headers: *member_headers
|
||||
body: *power_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_states_power_put_observer:
|
||||
path: '/v1/nodes/{node_ident}/states/power'
|
||||
|
@ -364,6 +410,7 @@ nodes_states_power_put_observer:
|
|||
headers: *observer_headers
|
||||
body: *power_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_states_provision_put_admin:
|
||||
path: '/v1/nodes/{node_ident}/states/provision'
|
||||
|
@ -372,6 +419,7 @@ nodes_states_provision_put_admin:
|
|||
body: &provision_body
|
||||
target: deploy
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_states_provision_put_member:
|
||||
path: '/v1/nodes/{node_ident}/states/provision'
|
||||
|
@ -379,6 +427,7 @@ nodes_states_provision_put_member:
|
|||
headers: *member_headers
|
||||
body: *provision_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_states_provision_put_observer:
|
||||
path: '/v1/nodes/{node_ident}/states/provision'
|
||||
|
@ -386,6 +435,7 @@ nodes_states_provision_put_observer:
|
|||
headers: *observer_headers
|
||||
body: *provision_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_states_raid_put_admin:
|
||||
path: '/v1/nodes/{node_ident}/states/raid'
|
||||
|
@ -398,6 +448,7 @@ nodes_states_raid_put_admin:
|
|||
is_root_volume: true
|
||||
raid_level: 1
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_states_raid_put_member:
|
||||
path: '/v1/nodes/{node_ident}/states/raid'
|
||||
|
@ -405,6 +456,7 @@ nodes_states_raid_put_member:
|
|||
headers: *member_headers
|
||||
body: *raid_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_states_raid_put_observer:
|
||||
path: '/v1/nodes/{node_ident}/states/raid'
|
||||
|
@ -412,24 +464,28 @@ nodes_states_raid_put_observer:
|
|||
headers: *observer_headers
|
||||
body: *raid_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_states_console_get_admin:
|
||||
path: '/v1/nodes/{node_ident}/states/console'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_states_console_get_member:
|
||||
path: '/v1/nodes/{node_ident}/states/console'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_states_console_get_admin:
|
||||
path: '/v1/nodes/{node_ident}/states/console'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_states_console_put_admin:
|
||||
path: '/v1/nodes/{node_ident}/states/console'
|
||||
|
@ -438,6 +494,7 @@ nodes_states_console_put_admin:
|
|||
body: &console_body_put
|
||||
enabled: true
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_states_console_put_member:
|
||||
path: '/v1/nodes/{node_ident}/states/console'
|
||||
|
@ -445,6 +502,7 @@ nodes_states_console_put_member:
|
|||
headers: *member_headers
|
||||
body: *console_body_put
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_states_console_put_observer:
|
||||
path: '/v1/nodes/{node_ident}/states/console'
|
||||
|
@ -452,8 +510,9 @@ nodes_states_console_put_observer:
|
|||
headers: *observer_headers
|
||||
body: *console_body_put
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
# Node Traits - https://docs.openstack.org/api-ref/baremetal/?expanded=#node-vendor-passthru-nodes
|
||||
# Node Vendor Passthrough - https://docs.openstack.org/api-ref/baremetal/?expanded=#node-vendor-passthru-nodes
|
||||
|
||||
# Calls conductor upon the get as a task is required.
|
||||
nodes_vendor_passthru_methods_get_admin:
|
||||
|
@ -553,18 +612,21 @@ nodes_traits_get_admin:
|
|||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_get_member:
|
||||
path: '/v1/nodes/{node_ident}/traits'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_get_observer:
|
||||
path: '/v1/nodes/{node_ident}/traits'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_put_admin:
|
||||
path: '/v1/nodes/{node_ident}/traits'
|
||||
|
@ -575,6 +637,7 @@ nodes_traits_put_admin:
|
|||
traits:
|
||||
- CUSTOM_TRAIT1
|
||||
- HW_CPU_X86_VMX
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_put_member:
|
||||
path: '/v1/nodes/{node_ident}/traits'
|
||||
|
@ -582,6 +645,7 @@ nodes_traits_put_member:
|
|||
headers: *member_headers
|
||||
assert_status: 403
|
||||
body: *traits_body
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_put_observer:
|
||||
path: '/v1/nodes/{node_ident}/traits'
|
||||
|
@ -589,60 +653,70 @@ nodes_traits_put_observer:
|
|||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
body: *traits_body
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_delete_admin:
|
||||
path: '/v1/nodes/{node_ident}/traits/{trait}'
|
||||
method: delete
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_delete_member:
|
||||
path: '/v1/nodes/{node_ident}/traits/{trait}'
|
||||
method: delete
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_delete_observer:
|
||||
path: '/v1/nodes/{node_ident}/traits/{trait}'
|
||||
method: delete
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_trait_put_admin:
|
||||
path: '/v1/nodes/{node_ident}/traits/CUSTOM_TRAIT2'
|
||||
method: put
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_trait_put_member:
|
||||
path: '/v1/nodes/{node_ident}/traits/CUSTOM_TRAIT2'
|
||||
method: put
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_trait_put_observer:
|
||||
path: '/v1/nodes/{node_ident}/traits/CUSTOM_TRAIT2'
|
||||
method: put
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_trait_delete_admin:
|
||||
path: '/v1/nodes/{node_ident}/traits/{trait}'
|
||||
method: delete
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_trait_delete_member:
|
||||
path: '/v1/nodes/{node_ident}/traits/{trait}'
|
||||
method: delete
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_traits_trait_delete_observer:
|
||||
path: '/v1/nodes/{node_ident}/traits/{trait}'
|
||||
method: delete
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
# VIFS - https://docs.openstack.org/api-ref/baremetal/#vifs-virtual-interfaces-of-nodes
|
||||
# TODO(TheJulia): VIFS will need fairly exhaustive testing given the use path.
|
||||
|
@ -655,18 +729,21 @@ nodes_vifs_get_admin:
|
|||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_vifs_get_member:
|
||||
path: '/v1/nodes/{node_ident}/vifs'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_vifs_get_observer:
|
||||
path: '/v1/nodes/{node_ident}/vifs'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_vifs_post_admin:
|
||||
path: '/v1/nodes/{node_ident}/vifs'
|
||||
|
@ -675,6 +752,7 @@ nodes_vifs_post_admin:
|
|||
assert_status: 503
|
||||
body: &vif_body
|
||||
id: ee21d58f-5de2-4956-85ff-33935ea1ca00
|
||||
deprecated: true
|
||||
|
||||
nodes_vifs_post_member:
|
||||
path: '/v1/nodes/{node_ident}/vifs'
|
||||
|
@ -682,6 +760,7 @@ nodes_vifs_post_member:
|
|||
headers: *member_headers
|
||||
assert_status: 403
|
||||
body: *vif_body
|
||||
deprecated: true
|
||||
|
||||
nodes_vifs_post_observer:
|
||||
path: '/v1/nodes/{node_ident}/vifs'
|
||||
|
@ -689,6 +768,7 @@ nodes_vifs_post_observer:
|
|||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
body: *vif_body
|
||||
deprecated: true
|
||||
|
||||
# This calls the conductor, hence not status 403.
|
||||
nodes_vifs_node_vif_ident_delete_admin:
|
||||
|
@ -696,18 +776,21 @@ nodes_vifs_node_vif_ident_delete_admin:
|
|||
method: delete
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_vifs_node_vif_ident_delete_member:
|
||||
path: '/v1/nodes/{node_ident}/vifs/{vif_ident}'
|
||||
method: delete
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_vifs_node_vif_ident_delete_observer:
|
||||
path: '/v1/nodes/{node_ident}/vifs/{vif_ident}'
|
||||
method: delete
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
# Indicators - https://docs.openstack.org/api-ref/baremetal/#indicators-management
|
||||
|
||||
|
@ -716,18 +799,21 @@ nodes_management_indicators_get_admin:
|
|||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_management_indicators_get_member:
|
||||
path: '/v1/nodes/{node_ident}/management/indicators'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_management_indicators_get_observer:
|
||||
path: '/v1/nodes/{node_ident}/management/indicators'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 503
|
||||
deprecated: true
|
||||
|
||||
nodes_management_indicators_component_get_allow:
|
||||
path: '/v1/nodes/{node_ident}/management/indicators/{component}'
|
||||
|
@ -1578,36 +1664,42 @@ nodes_bios_get_admin:
|
|||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_bios_get_member:
|
||||
path: '/v1/nodes/{node_ident}/bios'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_bios_get_observer:
|
||||
path: '/v1/nodes/{node_ident}/bios'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_bios_bios_setting_get_admin:
|
||||
path: '/v1/nodes/{node_ident}/bios/{bios_setting}'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
nodes_bios_bios_setting_get_member:
|
||||
path: '/v1/nodes/{node_ident}/bios/{bios_setting}'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
nodes_bios_bios_setting_get_observer:
|
||||
path: '/v1/nodes/{node_ident}/bios/{bios_setting}'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
# Conductors - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations
|
||||
|
||||
|
|
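Review bot: The console GET entry that uses `*observer_headers` and asserts 403 is keyed `nodes_states_console_get_admin:`, the same key as the admin entry a few lines above it (admin headers, assert_status 503); with PyYAML's default loader the last definition wins, so the admin console GET case is silently dropped from the ddt run and the observer case executes under the admin name. Rename the second entry to `nodes_states_console_get_observer:` so both roles keep coverage, and consider loading these fixtures with a duplicate-key-rejecting constructor in the test base so a lost policy test fails loudly instead of vanishing. Separately, the `# Node Traits` comment introduced before the vendor passthru block points at the `#node-vendor-passthru-nodes` anchor rather than the traits section of the API reference.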
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The Baremetal API, provided by the ironic-api process, now supports use of
|
||||
``system`` scoped ``keystone`` authentication for the node endpoint.
|
||||
upgrade:
|
||||
- |
|
||||
Deprecated policy rules are not expressed via a default policy file
|
||||
generation from the source code. The generated default policy file
|
||||
indicates the new default policies with notes on the deprecation
|
||||
to which ``oslo.policy`` falls back to, until the
|
||||
``[oslo_policy]enforce_scope`` and ``[oslo_policy]enforce_new_defaults``
|
||||
have been set to ``True``.
|
||||
Please see the `Victoria policy configuration <https://docs.openstack.org/ironic/victoria/configuration/policy.html>`_
|
||||
documentation to reference prior policy configuration.
|
||||
- |
|
||||
Operators are encouraged to move to ``system`` scope based authentication
|
||||
by setting ``[oslo_policy]enforce_scope`` and
|
||||
``[oslo_policy]enforce_new_defaults``. This requires a migration from
|
||||
using an ``admin project`` with the ``baremetal_admin`` and
|
||||
``baremetal_observer``. System wide administrators using ``system``
|
||||
scoped ``admin`` and ``reader`` accounts superceed the deprecated
|
||||
model.
|
||||
deprecations:
|
||||
- |
|
||||
Use of an ``admin project`` with ironic is deprecated. With this the
|
||||
custom roles, ``baremetal_admin`` and ``baremetal_observer`` are also
|
||||
deprecated. Please migrate to using a ``system`` scoped account with the
|
||||
``admin`` and ``reader`` roles, respectively.
|