13858 Commits

Author SHA1 Message Date
Vishakha Agarwal
c903848043 Migrate keystone-dsvm-grenade-multinode job to Ubuntu Bionic
We migrated the zuulv3 job to Bionic during the Dec/Jan months.
 - http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000837.html
 - https://etherpad.openstack.org/p/devstack-bionic
But that effort does not move all gate jobs to Bionic, as a
large number of jobs are still legacy jobs. All the legacy jobs still
use Xenial as nodeset.

As per the decided runtime for Stein, we need to test everything on OpenStack
CI/CD on Bionic - https://governance.openstack.org/tc/reference/runtimes/stein.html

The patch below moves the legacy base jobs to Bionic, which will move the derived jobs
automatically to Bionic. These jobs are modified with a branch variant so that they will use
the Bionic node from Stein onwards and Xenial for all other stable branches
until stable/rocky.
- https://review.openstack.org/#/c/639096

This commit removes the overridden nodeset in keystone-dsvm-grenade-multinode
job so that it will start using the nodeset defined in parent job.

More Details:
- https://etherpad.openstack.org/p/legacy-job-bionic
- http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003614.html

Co-Authored-By: Ghanshyam Mann <gmann@ghanshyammann.com>

Depends-On: https://review.openstack.org/#/c/639096
Change-Id: I9ea9a5e9f56c3bd050dc0a3217dda96c06e823e0
2019-03-13 03:09:12 +00:00
Zuul
2c7bb275f9 Merge "Add hint for order of keys during distribution" 2019-03-12 21:35:12 +00:00
Colleen Murphy
f0c2e798f7 Remove publish-loci post job
The publishing credentials for this job are misconfigured in Zuul and
result in the whole post pipeline failing, which causes tarballs not to
be updated on tarballs.openstack.org[1]. Remove the misconfigured job to
get the post pipeline working again.

[1] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-release.2019-03-11

Change-Id: I4d94a433ba32bce7ee926cdde487eeec980c6b8b
2019-03-11 16:45:38 +01:00
Pavlo Shchelokovskyy
261eeaa19b Add hint for order of keys during distribution
If the new primary key is not the first to be distributed after fernet
key rotation, there may be a small time window during the key
distribution when tokens issued by the node where fernet rotation was
performed can not be validated on the node where keys are being
distributed to.

Change-Id: I34b5cadd12815ee95c71d8c163504390a9e5e343
Closes-Bug: #1816927
2019-03-11 13:18:24 +00:00
Zuul
1a83263e25 Merge "Add driver support for app cred access rules" 2019-03-11 06:00:29 +00:00
Zuul
c9a039480b Merge "Add SQL migrations for app cred access rules" 2019-03-11 06:00:26 +00:00
Zuul
30e6a7f1f1 Merge "Add a permissive mode for access rules config" 2019-03-11 05:39:50 +00:00
Zuul
06855d0db1 Merge "Add manager for access rules config" 2019-03-11 05:37:01 +00:00
Zuul
ed45883380 Merge "Add JSON driver for access rules config" 2019-03-07 09:43:33 +00:00
Zuul
e8d9791c6e Merge "Drop py35 jobs" 2019-03-06 09:54:26 +00:00
Zuul
6e3f1f6e46 Merge "[api-ref] add domain level limit support" 2019-03-05 20:02:52 +00:00
Zuul
60622cc37b Merge "Release note for domain level limit" 2019-03-05 20:02:50 +00:00
Zuul
03f375e36e Merge "Update project depth check" 2019-03-05 20:02:48 +00:00
Zuul
7498e20e22 Merge "Add domain level support for strict-two-level-model" 2019-03-05 20:02:45 +00:00
Vishakha Agarwal
a022e27307 Drop py35 jobs
Python 3.5 was the target runtime for the Rocky release.
The current target py3 runtime for Stein is Python 3.6,
so there is no reason to keep testing against the older
version.

https://governance.openstack.org/tc/reference/runtimes/stein.html#python-runtime-for-stein

Change-Id: I618c0d263d4c0f497aef59f24215b60169948ea9
2019-03-05 10:56:57 +05:30
Zuul
e6e3857ffc Merge "Switch federation check jobs to opensuse" 2019-03-05 03:00:30 +00:00
Lance Bragstad
c83fcbc42a Remove service policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default service behavior by
removing them.

Change-Id: Ifa2282481ee3fc544c1d50ac8e8972b0d3a5332e
Closes-Bug: 1804462
2019-03-04 15:39:27 +00:00
Colleen Murphy
f475783f14 Switch federation check jobs to opensuse
Ubuntu Xenial is nearing its end of life, so it's not ideal to keep
testing on it and the QA team is driving an effort to move everyone away
from it[1]. However, our non-voting federation jobs rely on the
Shibboleth service provider Apache module, which does not work on Ubuntu
Bionic[2]. Since the keystone devstack plugin now has support for CentOS
and openSUSE, let's transition away from Ubuntu for this testing.

The reason to choose openSUSE rather than CentOS is that the Shibboleth
service provider package for CentOS relies on an external repository and
is not included in either the base CentOS distro or EPEL. The
shibboleth-sp package for openSUSE is included in the base distro
packages.

[1] http://lists.openstack.org/pipermail/openstack-discuss/2019-February/003129.html
[2] https://bugs.launchpad.net/ubuntu/+source/shibboleth-sp2/+bug/1776489

Change-Id: I89a8af9c45ff513c854c048880854990a6d12278
2019-03-04 11:37:59 +01:00
Colleen Murphy
e8aa678a2b Add driver support for app cred access rules
Change-Id: Iff51313de8b2dc8c71efa901d4eab5ab417234d3
2019-03-03 18:33:49 +01:00
Colleen Murphy
182524d971 Add SQL migrations for app cred access rules
Change-Id: Ic49e5b32073633d6dad469073931d808843d82bd
2019-03-03 18:33:49 +01:00
Colleen Murphy
02540b7de6 Add a permissive mode for access rules config
In the case that operators want to allow users to have unrestricted
ability to create access rules for application credentials, add a config
option to allow them to not have to create access rules config files.

bp whitelist-extension-for-app-creds

Change-Id: I10939b83cd6e72f0205f0191c7df9bca2cef8483
2019-03-03 18:33:49 +01:00
Colleen Murphy
e1d31eda34 Add manager for access rules config
Expose the access rules config driver as a manager. The unit tests are
light because the main functionality is tested for the driver directly.

bp whitelist-extension-for-app-creds

Change-Id: I8988dadfe5f82d9b9d6563246b692add8ea4f22f
2019-03-03 18:33:49 +01:00
Colleen Murphy
f028ca4edd Add JSON driver for access rules config
The access rules config driver will read a JSON file that represents
rules for accessing service APIs. This is to support application
credential access rules, which will be checked against the configured
rules upon creation. The name for this new API is borrowed from Istio's
near identical concept[1].

[1] https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1/#AccessRule

bp whitelist-extension-for-app-creds

Change-Id: If8b9c1e9df55874052dfd9b99fbcea6e06c1ca35
2019-03-03 18:33:11 +01:00
Zuul
7076d704ab Merge "Remove protocol policies from v3cloudsample.json" 2019-03-02 03:03:45 +00:00
Zuul
a7030824f5 Merge "Add role assignment test coverage for system admin" 2019-03-01 23:20:01 +00:00
Zuul
1c9add5881 Merge "Add role assignment test coverage for system members" 2019-03-01 23:19:59 +00:00
Zuul
38e71cbf9b Merge "Reorganize role assignment tests for system users" 2019-03-01 23:19:57 +00:00
Zuul
bf7ca0bc7d Merge "Implement system reader for role_assignments" 2019-03-01 22:29:54 +00:00
Zuul
60ae125107 Merge "Remove endpoint policies from policy.v3cloudsample.json" 2019-03-01 21:29:45 +00:00
Zuul
a0f31d14bb Merge "Add domain level limit support - API" 2019-03-01 12:28:18 +00:00
Lance Bragstad
24b8db9e06 Remove protocol policies from v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default protocol
behavior by removing them.

Related-Bug: 1806762
Closes-Bug: 1804518
Change-Id: Ia839555d8211596213311c4246135cdae4f46ab2
2019-02-28 16:24:56 +00:00
Lance Bragstad
537c6769eb Add tests for project users interacting with services
This commit introduces some tests that show how project users
are expected to behave with the services API. A subsequent patch
will clean up the now obsolete policies in the
policy.v3cloudsample.json file.

Change-Id: Ib05e5bf96c992aa498d3812aea5e80dbe1a56377
Related-Bug: 1804462
2019-02-28 15:02:34 +00:00
Zuul
169bf3e677 Merge "Add shibboleth config to log output" 2019-02-28 13:17:39 +00:00
Zuul
fc9a82f011 Merge "Implement system admin role in groups API" 2019-02-28 13:16:31 +00:00
Zuul
fbfc863fb6 Merge "Implement system member test coverage for groups" 2019-02-28 13:08:10 +00:00
Zuul
4bb6a62eba Merge "Implement system reader role for groups" 2019-02-28 13:08:08 +00:00
Zuul
a28a8520de Merge "Add tests for project users interacting with protocols" 2019-02-28 05:45:18 +00:00
Zuul
6ebec7a049 Merge "Add tests for domain users interacting with protocols" 2019-02-28 05:45:16 +00:00
Zuul
7e1d8ee6d2 Merge "Implement system admin role in protocol API" 2019-02-28 05:45:14 +00:00
Zuul
4141c99542 Merge "Add protocol tests for system member role" 2019-02-28 04:50:20 +00:00
Zuul
a0091f6a09 Merge "Remove role policies from policy.v3cloudsample.json" 2019-02-28 03:46:50 +00:00
Zuul
00780232c6 Merge "Add tests for project users interacting with roles" 2019-02-28 03:46:48 +00:00
Zuul
9cd43a2e6d Merge "Add tests for domain users interacting with roles" 2019-02-28 03:30:25 +00:00
Zuul
9f10f08045 Merge "Update protocol policies for system reader" 2019-02-28 01:59:23 +00:00
Zuul
73684876c9 Merge "Remove domain policies from policy.v3cloudsample.json" 2019-02-27 22:00:59 +00:00
Lance Bragstad
6d756ad612 Remove role policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default role behavior by
removing them.

Note that these changes are slightly different from the
policy.v3cloudsample.json role policies, hence the removed tests. In
policy.v3cloudsample.json, domain users were allowed to get and list
global roles. So were project users. This behavior is changing because
global roles are considered global resources of the deployment, and
they should be managed by system users. Domain users should be able to
add and remove domain specific roles, which will come in a subsequent
series of patches. This approach is being taken because it is a safer
default for a system level resource (global roles) and still allows
the same functionality for domain users through domain-specific roles.

Change-Id: Iddaa59024a1dcefd4d791b95413602865888c1ff
Closes-Bug: 1806713
2019-02-27 21:57:17 +00:00
Lance Bragstad
512f0b4f7b Add tests for project users interacting with roles
This commit introduces test coverage that explicitly shows how
project users are expected to behave with global role resources. A
subsequent patch will clean up the now obsolete policies in the
policy.v3cloudsample.json policy file.

Change-Id: Id0dc3022ab294e73aeaa87e130bea4809f8c982b
Partial-Bug: 1806713
2019-02-27 21:56:15 +00:00
Lance Bragstad
31eecfb2a4 Add tests for domain users interacting with roles
This commit adds explicit tests that show how domain users
are expected to behave with global roles. A subsequent patch
will do the same for project users.

Note that these changes are slightly different from the
policy.v3cloudsample.json role policies. In policy.v3cloudsample.json,
domain users were allowed to get and list global roles. So were
project users. This behavior is changing because global roles are
considered global resources of the deployment, and they should be
managed by system users. Domain users should be able to add and remove
domain specific roles, which will come in a subsequent series of
patches. This approach is being taken because it is a safer default
for a system level resource (roles) and still allows the same
functionality for domain users through domain-specific roles.

Change-Id: Ia1a7adf4431042ecea1b41e3c589c55112183ab5
Partial-Bug: 1806713
Partial-Bug: 1805400
2019-02-27 21:56:15 +00:00
Zuul
66fa3bbf0a Merge "Update role policies for system admin" 2019-02-27 18:42:42 +00:00
Zuul
a4fa5bac5d Merge "Add tests for domain users interacting with services" 2019-02-27 18:33:44 +00:00