Implement "system" scoped RBAC for the node endpoint

This commit updates the policies for baremetal nodes to understand
scope checking and account for a member or read-only role.

This is part of a broader series of changes across OpenStack
to provide a consistent RBAC experience and improve security.

This change also implements basic testing of the RBAC interface, and
modifies the testing test_acl.py file to *both* delineate the tests
to prevent yaml variable expansion collision as well as handle
deprecated ACL testing so we can track our way through the API
and disable deprecated tests from providing false errors.

A notable difference between the testing is that members in the
system role *have* rights under the system scope. Members accounts
may be services such as nova-compute running the nova.virt.ironic
driver.

Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: Id8365f150f8f5828b99627e1f31b0bc30f3a28f2
Lance Bragstad 2020-11-18 20:14:45 +00:00 committed by Julia Kreger
parent 8e458d89bf
commit b0d8d14065
5 changed files with 2872 additions and 165 deletions


@ -21,6 +21,7 @@ import sys
from oslo_concurrency import lockutils
from oslo_config import cfg
from oslo_log import log
from oslo_log import versionutils
from oslo_policy import opts
from oslo_policy import policy
@ -137,190 +138,519 @@ default_policies = [
# All of these may be overridden by configuration, but we can
# depend on their existence throughout the code.
deprecated_node_create = policy.DeprecatedRule(
name='baremetal:node:create',
check_str='rule:is_admin'
)
deprecated_node_get = policy.DeprecatedRule(
name='baremetal:node:get',
check_str='rule:is_admin or rule:is_observer'
)
deprecated_node_list = policy.DeprecatedRule(
name='baremetal:node:list',
check_str='rule:baremetal:node:get'
)
deprecated_node_list_all = policy.DeprecatedRule(
name='baremetal:node:list_all',
check_str='rule:baremetal:node:get'
)
deprecated_node_update = policy.DeprecatedRule(
name='baremetal:node:update',
check_str='rule:is_admin'
)
deprecated_node_update_extra = policy.DeprecatedRule(
name='baremetal:node:update_extra',
check_str='rule:baremetal:node:update'
)
deprecated_node_update_instance_info = policy.DeprecatedRule(
name='baremetal:node:update_instance_info',
check_str='rule:baremetal:node:update'
)
deprecated_node_update_owner_provisioned = policy.DeprecatedRule(
name='baremetal:node:update_owner_provisioned',
check_str='rule:is_admin'
)
deprecated_node_delete = policy.DeprecatedRule(
name='baremetal:node:delete',
check_str='rule:is_admin'
)
deprecated_node_validate = policy.DeprecatedRule(
name='baremetal:node:validate',
check_str='rule:is_admin'
)
deprecated_node_set_maintenance = policy.DeprecatedRule(
name='baremetal:node:set_maintenance',
check_str='rule:is_admin'
)
deprecated_node_clear_maintenance = policy.DeprecatedRule(
name='baremetal:node:clear_maintenance',
check_str='rule:is_admin'
)
deprecated_node_get_boot_device = policy.DeprecatedRule(
name='baremetal:node:get_boot_device',
check_str='rule:is_admin or rule:is_observer'
)
deprecated_node_set_boot_device = policy.DeprecatedRule(
name='baremetal:node:set_boot_device',
check_str='rule:is_admin'
)
deprecated_node_get_indicator_state = policy.DeprecatedRule(
name='baremetal:node:get_indicator_state',
check_str='rule:is_admin or rule:is_observer'
)
deprecated_node_set_indicator_state = policy.DeprecatedRule(
name='baremetal:node:set_indicator_state',
check_str='rule:is_admin'
)
deprecated_node_inject_nmi = policy.DeprecatedRule(
name='baremetal:node:inject_nmi',
check_str='rule:is_admin'
)
deprecated_node_get_states = policy.DeprecatedRule(
name='baremetal:node:get_states',
check_str='rule:is_admin or rule:is_observer'
)
deprecated_node_set_power_state = policy.DeprecatedRule(
name='baremetal:node:set_power_state',
check_str='rule:is_admin'
)
deprecated_node_set_provision_state = policy.DeprecatedRule(
name='baremetal:node:set_provision_state',
check_str='rule:is_admin'
)
deprecated_node_set_raid_state = policy.DeprecatedRule(
name='baremetal:node:set_raid_state',
check_str='rule:is_admin'
)
deprecated_node_get_console = policy.DeprecatedRule(
name='baremetal:node:get_console',
check_str='rule:is_admin'
)
deprecated_node_set_console_state = policy.DeprecatedRule(
name='baremetal:node:set_console_state',
check_str='rule:is_admin'
)
deprecated_node_vif_list = policy.DeprecatedRule(
name='baremetal:node:vif:list',
check_str='rule:is_admin'
)
deprecated_node_vif_attach = policy.DeprecatedRule(
name='baremetal:node:vif:attach',
check_str='rule:is_admin'
)
deprecated_node_vif_detach = policy.DeprecatedRule(
name='baremetal:node:vif:detach',
check_str='rule:is_admin'
)
deprecated_node_traits_list = policy.DeprecatedRule(
name='baremetal:node:traits:list',
check_str='rule:is_admin or rule:is_observer'
)
deprecated_node_traits_set = policy.DeprecatedRule(
name='baremetal:node:traits:set',
check_str='rule:is_admin'
)
deprecated_node_traits_delete = policy.DeprecatedRule(
name='baremetal:node:traits:delete',
check_str='rule:is_admin'
)
deprecated_node_bios_get = policy.DeprecatedRule(
name='baremetal:node:bios:get',
check_str='rule:is_admin or rule:is_observer'
)
deprecated_bios_disable_cleaning = policy.DeprecatedRule(
name='baremetal:node:disable_cleaning',
check_str='rule:baremetal:node:update',
)
deprecated_node_reason = """
The baremetal node API is now aware of system scope and default roles.
Capability to fallback to legacy admin project policy configuration
will be removed in the Xena release of Ironic.
"""
node_policies = [
policy.DocumentedRuleDefault(
'baremetal:node:create',
'rule:is_admin',
'Create Node records',
[{'path': '/nodes', 'method': 'POST'}]),
name='baremetal:node:create',
check_str=SYSTEM_ADMIN,
scope_types=['system'],
description='Create Node records',
operations=[{'path': '/nodes', 'method': 'POST'}],
deprecated_rule=deprecated_node_create,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:get',
'rule:is_admin or rule:is_observer',
'Retrieve a single Node record',
[{'path': '/nodes/{node_ident}', 'method': 'GET'}]),
name='baremetal:node:get',
check_str=SYSTEM_READER,
scope_types=['system'],
description='Retrieve a single Node record',
operations=[{'path': '/nodes/{node_ident}', 'method': 'GET'}],
deprecated_rule=deprecated_node_get,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:list',
'rule:baremetal:node:get',
'Retrieve multiple Node records, filtered by owner',
[{'path': '/nodes', 'method': 'GET'},
{'path': '/nodes/detail', 'method': 'GET'}]),
name='baremetal:node:list',
check_str=SYSTEM_READER,
scope_types=['system'],
description='Retrieve multiple Node records, filtered by owner',
operations=[{'path': '/nodes', 'method': 'GET'},
{'path': '/nodes/detail', 'method': 'GET'}],
deprecated_rule=deprecated_node_list,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:list_all',
'rule:baremetal:node:get',
'Retrieve multiple Node records',
[{'path': '/nodes', 'method': 'GET'},
{'path': '/nodes/detail', 'method': 'GET'}]),
name='baremetal:node:list_all',
check_str=SYSTEM_READER,
scope_types=['system'],
description='Retrieve multiple Node records',
operations=[{'path': '/nodes', 'method': 'GET'},
{'path': '/nodes/detail', 'method': 'GET'}],
deprecated_rule=deprecated_node_list_all,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:update',
'rule:is_admin',
'Update Node records',
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
name='baremetal:node:update',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Update Node records',
operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
deprecated_rule=deprecated_node_update,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
# TODO(TheJulia): Explicit RBAC testing needed for this.
policy.DocumentedRuleDefault(
'baremetal:node:update_extra',
'rule:baremetal:node:update',
'Update Node extra field',
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
name='baremetal:node:update_extra',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Update Node extra field',
operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
deprecated_rule=deprecated_node_update_extra,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
# TODO(TheJulia): Explicit RBAC testing needed for this.
policy.DocumentedRuleDefault(
'baremetal:node:update_instance_info',
'rule:baremetal:node:update',
'Update Node instance_info field',
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
name='baremetal:node:update_instance_info',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Update Node instance_info field',
operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
deprecated_rule=deprecated_node_update_instance_info,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
# TODO(TheJulia): Explicit RBAC testing needed for this.
policy.DocumentedRuleDefault(
'baremetal:node:update_owner_provisioned',
'rule:is_admin',
'Update Node owner even when Node is provisioned',
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
name='baremetal:node:update_owner_provisioned',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Update Node owner even when Node is provisioned',
operations=[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}],
deprecated_rule=deprecated_node_update_owner_provisioned,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
# TODO(TheJulia): Explicit RBAC testing needed for this... Maybe?
policy.DocumentedRuleDefault(
'baremetal:node:delete',
'rule:is_admin',
'Delete Node records',
[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}]),
name='baremetal:node:delete',
check_str=SYSTEM_ADMIN,
scope_types=['system'],
description='Delete Node records',
operations=[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}],
deprecated_rule=deprecated_node_delete,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:validate',
'rule:is_admin',
'Request active validation of Nodes',
[{'path': '/nodes/{node_ident}/validate', 'method': 'GET'}]),
name='baremetal:node:validate',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Request active validation of Nodes',
operations=[
{'path': '/nodes/{node_ident}/validate', 'method': 'GET'}
],
deprecated_rule=deprecated_node_validate,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:set_maintenance',
'rule:is_admin',
'Set maintenance flag, taking a Node out of service',
[{'path': '/nodes/{node_ident}/maintenance', 'method': 'PUT'}]),
name='baremetal:node:set_maintenance',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Set maintenance flag, taking a Node out of service',
operations=[
{'path': '/nodes/{node_ident}/maintenance', 'method': 'PUT'}
],
deprecated_rule=deprecated_node_set_maintenance,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:clear_maintenance',
'rule:is_admin',
'Clear maintenance flag, placing the Node into service again',
[{'path': '/nodes/{node_ident}/maintenance', 'method': 'DELETE'}]),
name='baremetal:node:clear_maintenance',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description=(
'Clear maintenance flag, placing the Node into service again'
),
operations=[
{'path': '/nodes/{node_ident}/maintenance', 'method': 'DELETE'}
],
deprecated_rule=deprecated_node_clear_maintenance,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
# NOTE(TheJulia): This should liekly be deprecated and be replaced with
# a cached object.
policy.DocumentedRuleDefault(
name='baremetal:node:get_boot_device',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Retrieve Node boot device metadata',
operations=[
{'path': '/nodes/{node_ident}/management/boot_device',
'method': 'GET'},
{'path': '/nodes/{node_ident}/management/boot_device/supported',
'method': 'GET'}
],
deprecated_rule=deprecated_node_get_boot_device,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name='baremetal:node:set_boot_device',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Change Node boot device',
operations=[
{'path': '/nodes/{node_ident}/management/boot_device',
'method': 'PUT'}
],
deprecated_rule=deprecated_node_set_maintenance,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:get_boot_device',
'rule:is_admin or rule:is_observer',
'Retrieve Node boot device metadata',
[{'path': '/nodes/{node_ident}/management/boot_device',
'method': 'GET'},
{'path': '/nodes/{node_ident}/management/boot_device/supported',
'method': 'GET'}]),
name='baremetal:node:get_indicator_state',
check_str=SYSTEM_READER,
scope_types=['system'],
description='Retrieve Node indicators and their states',
operations=[
{'path': '/nodes/{node_ident}/management/indicators/'
'{component}/{indicator}',
'method': 'GET'},
{'path': '/nodes/{node_ident}/management/indicators',
'method': 'GET'}
],
deprecated_rule=deprecated_node_get_indicator_state,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:set_boot_device',
'rule:is_admin',
'Change Node boot device',
[{'path': '/nodes/{node_ident}/management/boot_device',
'method': 'PUT'}]),
name='baremetal:node:set_indicator_state',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Change Node indicator state',
operations=[
{'path': '/nodes/{node_ident}/management/indicators/'
'{component}/{indicator}',
'method': 'PUT'}
],
deprecated_rule=deprecated_node_set_indicator_state,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:get_indicator_state',
'rule:is_admin or rule:is_observer',
'Retrieve Node indicators and their states',
[{'path': '/nodes/{node_ident}/management/indicators/'
'{component}/{indicator}',
'method': 'GET'},
{'path': '/nodes/{node_ident}/management/indicators',
'method': 'GET'}]),
policy.DocumentedRuleDefault(
'baremetal:node:set_indicator_state',
'rule:is_admin',
'Change Node indicator state',
[{'path': '/nodes/{node_ident}/management/indicators/'
'{component}/{indicator}',
'method': 'PUT'}]),
name='baremetal:node:inject_nmi',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Inject NMI for a node',
operations=[
{'path': '/nodes/{node_ident}/management/inject_nmi',
'method': 'PUT'}
],
deprecated_rule=deprecated_node_inject_nmi,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:inject_nmi',
'rule:is_admin',
'Inject NMI for a node',
[{'path': '/nodes/{node_ident}/management/inject_nmi',
'method': 'PUT'}]),
name='baremetal:node:get_states',
check_str=SYSTEM_READER,
scope_types=['system'],
description='View Node power and provision state',
operations=[{'path': '/nodes/{node_ident}/states', 'method': 'GET'}],
deprecated_rule=deprecated_node_get_states,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name='baremetal:node:set_power_state',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Change Node power status',
operations=[
{'path': '/nodes/{node_ident}/states/power', 'method': 'PUT'}
],
deprecated_rule=deprecated_node_set_power_state,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name='baremetal:node:set_provision_state',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Change Node provision status',
operations=[
{'path': '/nodes/{node_ident}/states/provision', 'method': 'PUT'}
],
deprecated_rule=deprecated_node_set_provision_state,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name='baremetal:node:set_raid_state',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Change Node RAID status',
operations=[
{'path': '/nodes/{node_ident}/states/raid', 'method': 'PUT'}
],
deprecated_rule=deprecated_node_set_raid_state,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name='baremetal:node:get_console',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Get Node console connection information',
operations=[
{'path': '/nodes/{node_ident}/states/console', 'method': 'GET'}
],
deprecated_rule=deprecated_node_get_console,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name='baremetal:node:set_console_state',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Change Node console status',
operations=[
{'path': '/nodes/{node_ident}/states/console', 'method': 'PUT'}
],
deprecated_rule=deprecated_node_set_console_state,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:get_states',
'rule:is_admin or rule:is_observer',
'View Node power and provision state',
[{'path': '/nodes/{node_ident}/states', 'method': 'GET'}]),
name='baremetal:node:vif:list',
check_str=SYSTEM_READER,
scope_types=['system'],
description='List VIFs attached to node',
operations=[{'path': '/nodes/{node_ident}/vifs', 'method': 'GET'}],
deprecated_rule=deprecated_node_vif_list,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:set_power_state',
'rule:is_admin',
'Change Node power status',
[{'path': '/nodes/{node_ident}/states/power', 'method': 'PUT'}]),
name='baremetal:node:vif:attach',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Attach a VIF to a node',
operations=[{'path': '/nodes/{node_ident}/vifs', 'method': 'POST'}],
deprecated_rule=deprecated_node_vif_attach,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:set_provision_state',
'rule:is_admin',
'Change Node provision status',
[{'path': '/nodes/{node_ident}/states/provision', 'method': 'PUT'}]),
policy.DocumentedRuleDefault(
'baremetal:node:set_raid_state',
'rule:is_admin',
'Change Node RAID status',
[{'path': '/nodes/{node_ident}/states/raid', 'method': 'PUT'}]),
policy.DocumentedRuleDefault(
'baremetal:node:get_console',
'rule:is_admin',
'Get Node console connection information',
[{'path': '/nodes/{node_ident}/states/console', 'method': 'GET'}]),
policy.DocumentedRuleDefault(
'baremetal:node:set_console_state',
'rule:is_admin',
'Change Node console status',
[{'path': '/nodes/{node_ident}/states/console', 'method': 'PUT'}]),
name='baremetal:node:vif:detach',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Detach a VIF from a node',
operations=[
{'path': '/nodes/{node_ident}/vifs/{node_vif_ident}',
'method': 'DELETE'}
],
deprecated_rule=deprecated_node_vif_detach,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:vif:list',
'rule:is_admin',
'List VIFs attached to node',
[{'path': '/nodes/{node_ident}/vifs', 'method': 'GET'}]),
name='baremetal:node:traits:list',
check_str=SYSTEM_READER,
scope_types=['system'],
description='List node traits',
operations=[{'path': '/nodes/{node_ident}/traits', 'method': 'GET'}],
deprecated_rule=deprecated_node_traits_list,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:vif:attach',
'rule:is_admin',
'Attach a VIF to a node',
[{'path': '/nodes/{node_ident}/vifs', 'method': 'POST'}]),
name='baremetal:node:traits:set',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Add a trait to, or replace all traits of, a node',
operations=[
{'path': '/nodes/{node_ident}/traits', 'method': 'PUT'},
{'path': '/nodes/{node_ident}/traits/{trait}', 'method': 'PUT'}
],
deprecated_rule=deprecated_node_traits_set,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:vif:detach',
'rule:is_admin',
'Detach a VIF from a node',
[{'path': '/nodes/{node_ident}/vifs/{node_vif_ident}',
'method': 'DELETE'}]),
name='baremetal:node:traits:delete',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Remove one or all traits from a node',
operations=[
{'path': '/nodes/{node_ident}/traits', 'method': 'DELETE'},
{'path': '/nodes/{node_ident}/traits/{trait}',
'method': 'DELETE'}
],
deprecated_rule=deprecated_node_traits_delete,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:traits:list',
'rule:is_admin or rule:is_observer',
'List node traits',
[{'path': '/nodes/{node_ident}/traits', 'method': 'GET'}]),
name='baremetal:node:bios:get',
check_str=SYSTEM_READER,
scope_types=['system'],
description='Retrieve Node BIOS information',
operations=[
{'path': '/nodes/{node_ident}/bios', 'method': 'GET'},
{'path': '/nodes/{node_ident}/bios/{setting}', 'method': 'GET'}
],
deprecated_rule=deprecated_node_bios_get,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:node:traits:set',
'rule:is_admin',
'Add a trait to, or replace all traits of, a node',
[{'path': '/nodes/{node_ident}/traits', 'method': 'PUT'},
{'path': '/nodes/{node_ident}/traits/{trait}', 'method': 'PUT'}]),
policy.DocumentedRuleDefault(
'baremetal:node:traits:delete',
'rule:is_admin',
'Remove one or all traits from a node',
[{'path': '/nodes/{node_ident}/traits', 'method': 'DELETE'},
{'path': '/nodes/{node_ident}/traits/{trait}',
'method': 'DELETE'}]),
policy.DocumentedRuleDefault(
'baremetal:node:bios:get',
'rule:is_admin or rule:is_observer',
'Retrieve Node BIOS information',
[{'path': '/nodes/{node_ident}/bios', 'method': 'GET'},
{'path': '/nodes/{node_ident}/bios/{setting}', 'method': 'GET'}]),
policy.DocumentedRuleDefault(
'baremetal:node:disable_cleaning',
'rule:baremetal:node:update',
'Disable Node disk cleaning',
[{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
name='baremetal:node:disable_cleaning',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Disable Node disk cleaning',
operations=[
{'path': '/nodes/{node_ident}', 'method': 'PATCH'}
],
deprecated_rule=deprecated_bios_disable_cleaning,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
]
port_policies = [
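Review bot: `baremetal:node:set_boot_device` is wired to `deprecated_rule=deprecated_node_set_maintenance`, while the `deprecated_node_set_boot_device` rule defined earlier in this hunk is never referenced; as far as I understand oslo.policy's deprecation fallback, an operator override of the legacy `baremetal:node:set_maintenance` rule would then also govern boot-device changes and a legacy override of `baremetal:node:set_boot_device` would be ignored. The line should read `deprecated_rule=deprecated_node_set_boot_device,`. While here, `baremetal:node:update_owner_provisioned` moves from `rule:is_admin` to `SYSTEM_MEMBER` whereas create and delete stay at `SYSTEM_ADMIN`, and `baremetal:node:get_boot_device` moves from `is_admin or is_observer` to `SYSTEM_MEMBER`, dropping read-only access; if both are intentional a one-line comment on each saying so would save the next reviewer the same question. The `liekly` typo in the get_boot_device NOTE could be fixed in the same pass; `node_policies` closes inside the hunk but the module's other policy lists continue outside it.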


@ -55,6 +55,7 @@ class TestACLBase(base.BaseApiTest):
self.mock_random_topic = rtopic.start()
self.mock_random_topic.side_effect = exception.TemporaryFailure
self.addCleanup(rtopic.stop)
self._set_test_config()
def _make_app(self):
cfg.CONF.set_override('auth_strategy', 'keystone')
@ -64,6 +65,10 @@ class TestACLBase(base.BaseApiTest):
def _create_test_data(self):
pass
@abc.abstractmethod
def _set_test_config(self):
pass
def _check_skip(self, **kwargs):
if kwargs.get('skip_reason'):
self.skipTest(kwargs.get('skip_reason'))
@ -74,7 +79,8 @@ class TestACLBase(base.BaseApiTest):
def _test_request(self, path, params=None, headers=None, method='get',
body=None, assert_status=None,
assert_dict_contains=None,
assert_list_length=None):
assert_list_length=None,
deprecated=None):
path = path.format(**self.format_data)
self.mock_auth.side_effect = self._fake_process_request
@ -91,7 +97,6 @@ class TestACLBase(base.BaseApiTest):
if headers:
for k, v in headers.items():
rheaders[k] = v.format(**self.format_data)
if method == 'get':
response = self.get_json(
path,
@ -138,9 +143,20 @@ class TestACLBase(base.BaseApiTest):
else:
assert False, 'Unimplemented test method: %s' % method
if assert_status:
if not (bool(deprecated)
and ('403' in response.status or '500' in response.status)
and cfg.CONF.oslo_policy.enforce_scope
and cfg.CONF.oslo_policy.enforce_new_defaults):
# NOTE(TheJulia): Everything, once migrated, should
# return a 403.
self.assertEqual(assert_status, response.status_int)
else:
self.assertTrue(
'403' in response.status or '500' in response.status)
# We can't check the contents of the response if there is no
# response.
return
if not bool(deprecated):
self.assertIsNotNone(assert_status,
'Tests must include an assert_status')
@ -182,7 +198,7 @@ class TestRBACBasic(TestACLBase):
@ddt.ddt
class TestRBACModelBeforeScopes(TestACLBase):
class TestRBACModelBeforeScopesBase(TestACLBase):
def _create_test_data(self):
allocated_node_id = 31
@ -241,6 +257,17 @@ class TestRBACModelBeforeScopes(TestACLBase):
'volume_connector_ident': fake_db_volume_connector['uuid'],
})
@ddt.ddt
class TestRBACModelBeforeScopes(TestRBACModelBeforeScopesBase):
def _set_test_config(self):
# NOTE(TheJulia): Sets default test conditions, in the event
# oslo_policy defaults change.
cfg.CONF.set_override('enforce_scope', False, group='oslo_policy')
cfg.CONF.set_override('enforce_new_defaults', False,
group='oslo_policy')
@ddt.file_data('test_rbac_legacy.yaml')
@ddt.unpack
def test_rbac_legacy(self, **kwargs):
@ -250,15 +277,35 @@ class TestRBACModelBeforeScopes(TestACLBase):
@ddt.ddt
class TestRBACScoped(TestRBACModelBeforeScopes):
"""Test Scoped ACL access using our existing access policy."""
def setUp(self):
super(TestRBACScoped, self).setUp()
"""Test Scoped RBAC access using our existing access policy."""
def _set_test_config(self):
# NOTE(TheJulia): This test class is as like a canary.
# The operational intent is for it to kind of provide
# a safety net as we're changing policy rules so we can
# incremently disable the ones we *know* will no longer work
# while we also enable the new ones in another test class with
# the appropriate scope friendly chagnges. In other words, two
# test changes will be needed for each which should also reduce
# risk of accidential policy changes. It may just be Julia being
# super risk-adverse, just let her roll with it and we will delete
# this class later.
# NOTE(TheJulia): This test class runs with test_rbac_legacy.yaml!
cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
cfg.CONF.set_override('enforce_new_defaults', True,
group='oslo_policy')
# NOTE(TheJulia): The purpose of this class is to execute the legacy
# RBAC tests with the new configuration, which forces us to
# explicity mark each test as a deprecated test later on. That
# functionality will be added in a later patch when needed,
@ddt.file_data('test_rbac_legacy.yaml')
def test_scoped_canary(self, **kwargs):
self._check_skip(**kwargs)
self._test_request(**kwargs)
@ddt.ddt
class TestRBACScopedRequests(TestRBACModelBeforeScopesBase):
@ddt.file_data('test_rbac_system_scoped.yaml')
@ddt.unpack
def test_system_scoped(self, **kwargs):
self._check_skip(**kwargs)
self._test_request(**kwargs)
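Review bot: In `_test_request`, the new deprecated-test branch treats a 500 the same as a 403 (`'403' in response.status or '500' in response.status`), so an unhandled exception in the policy or scope-enforcement path passes as a correct denial even though a server error is not an authorization outcome and should fail the test. Since `response.status_int` is already used on the following line, the assertion can be tightened to `self.assertEqual(403, response.status_int)` and the `'500' in response.status` clause dropped from the enclosing condition, which also avoids the substring match on the status text. Separately, `TestRBACScopedRequests` does not override `_set_test_config`, so unlike its two sibling classes it inherits the abstract `pass` and presumably runs with whatever `enforce_scope`/`enforce_new_defaults` values are in effect outside this hunk; setting both explicitly to True there would make the system-scoped expectations independent of library defaults. `_test_request` starts before and continues past this hunk.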


@ -46,6 +46,7 @@ nodes_post_admin:
name: node
driver: fake-driverz
assert_status: 503
deprecated: true
nodes_post_member:
path: '/v1/nodes'
@ -53,6 +54,7 @@ nodes_post_member:
headers: *member_headers
body: *node_post_body
assert_status: 403
deprecated: true
nodes_post_observer:
path: '/v1/nodes'
@ -60,6 +62,7 @@ nodes_post_observer:
headers: *observer_headers
body: *node_post_body
assert_status: 403
deprecated: true
nodes_get_node_admin:
path: '/v1/nodes/{node_ident}'
@ -69,12 +72,14 @@ nodes_get_node_admin:
uuid: '{node_ident}'
driver: 'fake-driverz'
assert_status: 200
deprecated: true
nodes_get_node_member:
path: '/v1/nodes/{node_ident}'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_get_node_observer:
path: '/v1/nodes/{node_ident}'
@ -84,6 +89,7 @@ nodes_get_node_observer:
uuid: '{node_ident}'
driver: 'fake-driverz'
assert_status: 200
deprecated: true
nodes_get_node_other_admin:
path: '/v1/nodes/{node_ident}'
@ -94,6 +100,7 @@ nodes_get_node_other_admin:
# This just represents the *current* state, not what the world should be
# in the end.
assert_status: 200
deprecated: true
nodes_get_admin:
path: '/v1/nodes'
@ -102,6 +109,7 @@ nodes_get_admin:
assert_list_length:
nodes: 2
assert_status: 200
deprecated: true
nodes_get_other_admin:
path: '/v1/nodes'
@ -110,42 +118,49 @@ nodes_get_other_admin:
assert_list_length:
nodes: 2
assert_status: 200
deprecated: true
nodes_detail_get_admin:
path: '/v1/nodes/detail'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_detail_get_member:
path: '/v1/nodes/detail'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_detail_get_observer:
path: '/v1/nodes/detail'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
nodes_node_ident_get_admin:
path: '/v1/nodes/{node_ident}'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_node_ident_get_member:
path: '/v1/nodes/{node_ident}'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_node_ident_get_observer:
path: '/v1/nodes/{node_ident}'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
nodes_node_ident_patch_admin:
path: '/v1/nodes/{node_ident}'
@ -156,6 +171,7 @@ nodes_node_ident_patch_admin:
path: /extra
value: {'test': 'testing'}
assert_status: 503
deprecated: true
nodes_node_ident_patch_member:
path: '/v1/nodes/{node_ident}'
@ -163,6 +179,7 @@ nodes_node_ident_patch_member:
headers: *member_headers
body: *extra_patch
assert_status: 403
deprecated: true
nodes_node_ident_patch_observer:
path: '/v1/nodes/{node_ident}'
@ -170,24 +187,28 @@ nodes_node_ident_patch_observer:
headers: *observer_headers
body: *extra_patch
assert_status: 403
deprecated: true
nodes_node_ident_delete_admin:
path: '/v1/nodes/{node_ident}'
method: delete
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_node_ident_delete_member:
path: '/v1/nodes/{node_ident}'
method: delete
headers: *member_headers
assert_status: 403
deprecated: true
nodes_node_ident_delete_observer:
path: '/v1/nodes/{node_ident}'
method: delete
headers: *observer_headers
assert_status: 403
deprecated: true
# Node Management - https://docs.openstack.org/api-ref/baremetal/?expanded=#node-management-nodes
@ -196,54 +217,63 @@ nodes_validate_get_admin:
method: get
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_validate_get_member:
path: '/v1/nodes/{node_ident}/validate'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_validate_get_observer:
path: '/v1/nodes/{node_ident}/validate'
method: get
headers: *observer_headers
assert_status: 403
deprecated: true
nodes_maintenance_put_admin:
path: '/v1/nodes/{node_ident}/maintenance'
method: put
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_maintenance_put_member:
path: '/v1/nodes/{node_ident}/maintenance'
method: put
headers: *member_headers
assert_status: 403
deprecated: true
nodes_maintenance_put_observer:
path: '/v1/nodes/{node_ident}/maintenance'
method: put
headers: *observer_headers
assert_status: 403
deprecated: true
nodes_maintenance_delete_admin:
path: '/v1/nodes/{node_ident}/maintenance'
method: delete
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_maintenance_delete_member:
path: '/v1/nodes/{node_ident}/maintenance'
method: delete
headers: *member_headers
assert_status: 403
deprecated: true
nodes_maintenance_delete_observer:
path: '/v1/nodes/{node_ident}/maintenance'
method: delete
headers: *observer_headers
assert_status: 403
deprecated: true
nodes_management_boot_device_put_admin:
path: '/v1/nodes/{node_ident}/management/boot_device'
@ -252,6 +282,7 @@ nodes_management_boot_device_put_admin:
body: &boot_device_body
boot_device: pxe
assert_status: 503
deprecated: true
nodes_management_boot_device_put_member:
path: '/v1/nodes/{node_ident}/management/boot_device'
@ -259,6 +290,7 @@ nodes_management_boot_device_put_member:
headers: *member_headers
body: *boot_device_body
assert_status: 403
deprecated: true
nodes_management_boot_device_put_observer:
path: '/v1/nodes/{node_ident}/management/boot_device'
@ -266,42 +298,49 @@ nodes_management_boot_device_put_observer:
headers: *observer_headers
body: *boot_device_body
assert_status: 403
deprecated: true
nodes_management_boot_device_get_admin:
path: '/v1/nodes/{node_ident}/management/boot_device'
method: get
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_management_boot_device_get_member:
path: '/v1/nodes/{node_ident}/management/boot_device'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_management_boot_device_get_observer:
path: '/v1/nodes/{node_ident}/management/boot_device'
method: get
headers: *observer_headers
assert_status: 503
deprecated: true
nodes_management_boot_device_supported_get_admin:
path: '/v1/nodes/{node_ident}/management/boot_device/supported'
method: get
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_management_boot_device_supported_get_member:
path: '/v1/nodes/{node_ident}/management/boot_device/supported'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_management_boot_device_supported_get_observer:
path: '/v1/nodes/{node_ident}/management/boot_device/supported'
method: get
headers: *observer_headers
assert_status: 503
deprecated: true
nodes_management_inject_nmi_put_admin:
path: '/v1/nodes/{node_ident}/management/inject_nmi'
@ -309,6 +348,7 @@ nodes_management_inject_nmi_put_admin:
headers: *admin_headers
body: {}
assert_status: 503
deprecated: true
nodes_management_inject_nmi_put_member:
path: '/v1/nodes/{node_ident}/management/inject_nmi'
@ -316,6 +356,7 @@ nodes_management_inject_nmi_put_member:
headers: *member_headers
body: {}
assert_status: 403
deprecated: true
nodes_management_inject_nmi_put_observer:
path: '/v1/nodes/{node_ident}/management/inject_nmi'
@ -323,25 +364,28 @@ nodes_management_inject_nmi_put_observer:
headers: *observer_headers
body: {}
assert_status: 403
deprecated: true
nodes_states_get_admin:
path: '/v1/nodes/{node_ident}/states'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_states_get_member:
path: '/v1/nodes/{node_ident}/states'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_states_get_observer:
path: '/v1/nodes/{node_ident}/states'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
nodes_states_power_put_admin:
path: '/v1/nodes/{node_ident}/states/power'
@ -350,6 +394,7 @@ nodes_states_power_put_admin:
body: &power_body
target: "power on"
assert_status: 503
deprecated: true
nodes_states_power_put_member:
path: '/v1/nodes/{node_ident}/states/power'
@ -357,6 +402,7 @@ nodes_states_power_put_member:
headers: *member_headers
body: *power_body
assert_status: 403
deprecated: true
nodes_states_power_put_observer:
path: '/v1/nodes/{node_ident}/states/power'
@ -364,6 +410,7 @@ nodes_states_power_put_observer:
headers: *observer_headers
body: *power_body
assert_status: 403
deprecated: true
nodes_states_provision_put_admin:
path: '/v1/nodes/{node_ident}/states/provision'
@ -372,6 +419,7 @@ nodes_states_provision_put_admin:
body: &provision_body
target: deploy
assert_status: 503
deprecated: true
nodes_states_provision_put_member:
path: '/v1/nodes/{node_ident}/states/provision'
@ -379,6 +427,7 @@ nodes_states_provision_put_member:
headers: *member_headers
body: *provision_body
assert_status: 403
deprecated: true
nodes_states_provision_put_observer:
path: '/v1/nodes/{node_ident}/states/provision'
@ -386,6 +435,7 @@ nodes_states_provision_put_observer:
headers: *observer_headers
body: *provision_body
assert_status: 403
deprecated: true
nodes_states_raid_put_admin:
path: '/v1/nodes/{node_ident}/states/raid'
@ -398,6 +448,7 @@ nodes_states_raid_put_admin:
is_root_volume: true
raid_level: 1
assert_status: 503
deprecated: true
nodes_states_raid_put_member:
path: '/v1/nodes/{node_ident}/states/raid'
@ -405,6 +456,7 @@ nodes_states_raid_put_member:
headers: *member_headers
body: *raid_body
assert_status: 403
deprecated: true
nodes_states_raid_put_observer:
path: '/v1/nodes/{node_ident}/states/raid'
@ -412,24 +464,28 @@ nodes_states_raid_put_observer:
headers: *observer_headers
body: *raid_body
assert_status: 403
deprecated: true
nodes_states_console_get_admin:
path: '/v1/nodes/{node_ident}/states/console'
method: get
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_states_console_get_member:
path: '/v1/nodes/{node_ident}/states/console'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_states_console_get_admin:
path: '/v1/nodes/{node_ident}/states/console'
method: get
headers: *observer_headers
assert_status: 403
deprecated: true
nodes_states_console_put_admin:
path: '/v1/nodes/{node_ident}/states/console'
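Review bot: The mapping key `nodes_states_console_get_admin:` is defined twice in this hunk — first with `*admin_headers` and `assert_status: 503`, then again a few entries later with `*observer_headers` and `assert_status: 403`. A YAML loader such as PyYAML keeps only the last value for a duplicate key, so the admin console-get case is silently discarded and never executed, and the observer case runs under a misleading name. Rename the second entry to `nodes_states_console_get_observer:` so it follows the `_admin` / `_member` / `_observer` pattern every other endpoint in this file uses and both cases are actually exercised. The duplicate predates this commit, but since the hunk is already being touched to add `deprecated: true`, the one-line fix belongs here; the enclosing file section starts outside this view.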
@ -438,6 +494,7 @@ nodes_states_console_put_admin:
body: &console_body_put
enabled: true
assert_status: 503
deprecated: true
nodes_states_console_put_member:
path: '/v1/nodes/{node_ident}/states/console'
@ -445,6 +502,7 @@ nodes_states_console_put_member:
headers: *member_headers
body: *console_body_put
assert_status: 403
deprecated: true
nodes_states_console_put_observer:
path: '/v1/nodes/{node_ident}/states/console'
@ -452,8 +510,9 @@ nodes_states_console_put_observer:
headers: *observer_headers
body: *console_body_put
assert_status: 403
deprecated: true
# Node Traits - https://docs.openstack.org/api-ref/baremetal/?expanded=#node-vendor-passthru-nodes
# Node Vendor Passthrough - https://docs.openstack.org/api-ref/baremetal/?expanded=#node-vendor-passthru-nodes
# Calls conductor upon the get as a task is required.
nodes_vendor_passthru_methods_get_admin:
@ -553,18 +612,21 @@ nodes_traits_get_admin:
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_traits_get_member:
path: '/v1/nodes/{node_ident}/traits'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_traits_get_observer:
path: '/v1/nodes/{node_ident}/traits'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
nodes_traits_put_admin:
path: '/v1/nodes/{node_ident}/traits'
@ -575,6 +637,7 @@ nodes_traits_put_admin:
traits:
- CUSTOM_TRAIT1
- HW_CPU_X86_VMX
deprecated: true
nodes_traits_put_member:
path: '/v1/nodes/{node_ident}/traits'
@ -582,6 +645,7 @@ nodes_traits_put_member:
headers: *member_headers
assert_status: 403
body: *traits_body
deprecated: true
nodes_traits_put_observer:
path: '/v1/nodes/{node_ident}/traits'
@ -589,60 +653,70 @@ nodes_traits_put_observer:
headers: *observer_headers
assert_status: 403
body: *traits_body
deprecated: true
nodes_traits_delete_admin:
path: '/v1/nodes/{node_ident}/traits/{trait}'
method: delete
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_traits_delete_member:
path: '/v1/nodes/{node_ident}/traits/{trait}'
method: delete
headers: *member_headers
assert_status: 403
deprecated: true
nodes_traits_delete_observer:
path: '/v1/nodes/{node_ident}/traits/{trait}'
method: delete
headers: *observer_headers
assert_status: 403
deprecated: true
nodes_traits_trait_put_admin:
path: '/v1/nodes/{node_ident}/traits/CUSTOM_TRAIT2'
method: put
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_traits_trait_put_member:
path: '/v1/nodes/{node_ident}/traits/CUSTOM_TRAIT2'
method: put
headers: *member_headers
assert_status: 403
deprecated: true
nodes_traits_trait_put_observer:
path: '/v1/nodes/{node_ident}/traits/CUSTOM_TRAIT2'
method: put
headers: *observer_headers
assert_status: 403
deprecated: true
nodes_traits_trait_delete_admin:
path: '/v1/nodes/{node_ident}/traits/{trait}'
method: delete
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_traits_trait_delete_member:
path: '/v1/nodes/{node_ident}/traits/{trait}'
method: delete
headers: *member_headers
assert_status: 403
deprecated: true
nodes_traits_trait_delete_observer:
path: '/v1/nodes/{node_ident}/traits/{trait}'
method: delete
headers: *observer_headers
assert_status: 403
deprecated: true
# VIFS - https://docs.openstack.org/api-ref/baremetal/#vifs-virtual-interfaces-of-nodes
# TODO(TheJulia): VIFS will need fairly exhaustive testing given the use path.
@ -655,18 +729,21 @@ nodes_vifs_get_admin:
method: get
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_vifs_get_member:
path: '/v1/nodes/{node_ident}/vifs'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_vifs_get_observer:
path: '/v1/nodes/{node_ident}/vifs'
method: get
headers: *observer_headers
assert_status: 403
deprecated: true
nodes_vifs_post_admin:
path: '/v1/nodes/{node_ident}/vifs'
@ -675,6 +752,7 @@ nodes_vifs_post_admin:
assert_status: 503
body: &vif_body
id: ee21d58f-5de2-4956-85ff-33935ea1ca00
deprecated: true
nodes_vifs_post_member:
path: '/v1/nodes/{node_ident}/vifs'
@ -682,6 +760,7 @@ nodes_vifs_post_member:
headers: *member_headers
assert_status: 403
body: *vif_body
deprecated: true
nodes_vifs_post_observer:
path: '/v1/nodes/{node_ident}/vifs'
@ -689,6 +768,7 @@ nodes_vifs_post_observer:
headers: *observer_headers
assert_status: 403
body: *vif_body
deprecated: true
# This calls the conductor, hence not status 403.
nodes_vifs_node_vif_ident_delete_admin:
@ -696,18 +776,21 @@ nodes_vifs_node_vif_ident_delete_admin:
method: delete
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_vifs_node_vif_ident_delete_member:
path: '/v1/nodes/{node_ident}/vifs/{vif_ident}'
method: delete
headers: *member_headers
assert_status: 403
deprecated: true
nodes_vifs_node_vif_ident_delete_observer:
path: '/v1/nodes/{node_ident}/vifs/{vif_ident}'
method: delete
headers: *observer_headers
assert_status: 403
deprecated: true
# Indicators - https://docs.openstack.org/api-ref/baremetal/#indicators-management
@ -716,18 +799,21 @@ nodes_management_indicators_get_admin:
method: get
headers: *admin_headers
assert_status: 503
deprecated: true
nodes_management_indicators_get_member:
path: '/v1/nodes/{node_ident}/management/indicators'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_management_indicators_get_observer:
path: '/v1/nodes/{node_ident}/management/indicators'
method: get
headers: *observer_headers
assert_status: 503
deprecated: true
nodes_management_indicators_component_get_allow:
path: '/v1/nodes/{node_ident}/management/indicators/{component}'
@ -1578,36 +1664,42 @@ nodes_bios_get_admin:
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_bios_get_member:
path: '/v1/nodes/{node_ident}/bios'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_bios_get_observer:
path: '/v1/nodes/{node_ident}/bios'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
nodes_bios_bios_setting_get_admin:
path: '/v1/nodes/{node_ident}/bios/{bios_setting}'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_bios_bios_setting_get_member:
path: '/v1/nodes/{node_ident}/bios/{bios_setting}'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_bios_bios_setting_get_observer:
path: '/v1/nodes/{node_ident}/bios/{bios_setting}'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
# Conductors - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations



@ -0,0 +1,29 @@
---
features:
- |
The Baremetal API, provided by the ironic-api process, now supports use of
``system`` scoped ``keystone`` authentication for the node endpoint.
upgrade:
- |
Deprecated policy rules are not expressed via a default policy file
generation from the source code. The generated default policy file
indicates the new default policies with notes on the deprecation
to which ``oslo.policy`` falls back to, until the
``[oslo_policy]enforce_scope`` and ``[oslo_policy]enforce_new_defaults``
have been set to ``True``.
Please see the `Victoria policy configuration <https://docs.openstack.org/ironic/victoria/configuration/policy.html>`_
documentation to reference prior policy configuration.
- |
Operators are encouraged to move to ``system`` scope based authentication
by setting ``[oslo_policy]enforce_scope`` and
``[oslo_policy]enforce_new_defaults``. This requires a migration from
using an ``admin project`` with the ``baremetal_admin`` and
``baremetal_observer``. System wide administrators using ``system``
scoped ``admin`` and ``reader`` accounts superceed the deprecated
model.
deprecations:
- |
Use of an ``admin project`` with ironic is deprecated. With this the
custom roles, ``baremetal_admin`` and ``baremetal_observer`` are also
deprecated. Please migrate to using a ``system`` scoped account with the
``admin`` and ``reader`` roles, respectively.