Merge "Fix CVE-2016-7404"
This commit is contained in:
commit
ed173776ca
|
@ -204,6 +204,7 @@ function create_magnum_conf {
|
||||||
--os-identity-api-version 3 role add \
|
--os-identity-api-version 3 role add \
|
||||||
--user $trustee_domain_admin_id --domain $trustee_domain_id \
|
--user $trustee_domain_admin_id --domain $trustee_domain_id \
|
||||||
admin
|
admin
|
||||||
|
iniset $MAGNUM_CONF trust cluster_user_trust True
|
||||||
iniset $MAGNUM_CONF trust trustee_domain_name magnum
|
iniset $MAGNUM_CONF trust trustee_domain_name magnum
|
||||||
iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
|
iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
|
||||||
iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD
|
iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD
|
||||||
|
|
|
@ -4,35 +4,37 @@
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
"admin_api": "rule:context_is_admin",
|
"admin_api": "rule:context_is_admin",
|
||||||
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
|
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
|
||||||
|
"cluster_user": "user_id:%(trustee_user_id)s",
|
||||||
|
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
|
||||||
|
|
||||||
"bay:create": "rule:default",
|
"bay:create": "rule:deny_cluster_user",
|
||||||
"bay:delete": "rule:default",
|
"bay:delete": "rule:deny_cluster_user",
|
||||||
"bay:detail": "rule:default",
|
"bay:detail": "rule:deny_cluster_user",
|
||||||
"bay:get": "rule:default",
|
"bay:get": "rule:deny_cluster_user",
|
||||||
"bay:get_all": "rule:default",
|
"bay:get_all": "rule:deny_cluster_user",
|
||||||
"bay:update": "rule:default",
|
"bay:update": "rule:deny_cluster_user",
|
||||||
|
|
||||||
"baymodel:create": "rule:default",
|
"baymodel:create": "rule:deny_cluster_user",
|
||||||
"baymodel:delete": "rule:default",
|
"baymodel:delete": "rule:deny_cluster_user",
|
||||||
"baymodel:detail": "rule:default",
|
"baymodel:detail": "rule:deny_cluster_user",
|
||||||
"baymodel:get": "rule:default",
|
"baymodel:get": "rule:deny_cluster_user",
|
||||||
"baymodel:get_all": "rule:default",
|
"baymodel:get_all": "rule:deny_cluster_user",
|
||||||
"baymodel:update": "rule:default",
|
"baymodel:update": "rule:deny_cluster_user",
|
||||||
"baymodel:publish": "rule:admin_or_owner",
|
"baymodel:publish": "rule:admin_or_owner",
|
||||||
|
|
||||||
"cluster:create": "rule:default",
|
"cluster:create": "rule:deny_cluster_user",
|
||||||
"cluster:delete": "rule:default",
|
"cluster:delete": "rule:deny_cluster_user",
|
||||||
"cluster:detail": "rule:default",
|
"cluster:detail": "rule:deny_cluster_user",
|
||||||
"cluster:get": "rule:default",
|
"cluster:get": "rule:deny_cluster_user",
|
||||||
"cluster:get_all": "rule:default",
|
"cluster:get_all": "rule:deny_cluster_user",
|
||||||
"cluster:update": "rule:default",
|
"cluster:update": "rule:deny_cluster_user",
|
||||||
|
|
||||||
"clustertemplate:create": "rule:default",
|
"clustertemplate:create": "rule:deny_cluster_user",
|
||||||
"clustertemplate:delete": "rule:default",
|
"clustertemplate:delete": "rule:deny_cluster_user",
|
||||||
"clustertemplate:detail": "rule:default",
|
"clustertemplate:detail": "rule:deny_cluster_user",
|
||||||
"clustertemplate:get": "rule:default",
|
"clustertemplate:get": "rule:deny_cluster_user",
|
||||||
"clustertemplate:get_all": "rule:default",
|
"clustertemplate:get_all": "rule:deny_cluster_user",
|
||||||
"clustertemplate:update": "rule:default",
|
"clustertemplate:update": "rule:deny_cluster_user",
|
||||||
"clustertemplate:publish": "rule:admin_or_owner",
|
"clustertemplate:publish": "rule:admin_or_owner",
|
||||||
|
|
||||||
"quotas:get": "rule:default",
|
"quotas:get": "rule:default",
|
||||||
|
@ -41,9 +43,9 @@
|
||||||
"quotas:update": "rule:admin_api",
|
"quotas:update": "rule:admin_api",
|
||||||
"quotas:delete": "rule:admin_api",
|
"quotas:delete": "rule:admin_api",
|
||||||
|
|
||||||
"certificate:create": "rule:admin_or_user",
|
|
||||||
"certificate:get": "rule:admin_or_user",
|
|
||||||
"certificate:rotate_ca": "rule:admin_or_owner",
|
"certificate:rotate_ca": "rule:admin_or_owner",
|
||||||
|
"certificate:create": "rule:admin_or_user or rule:cluster_user",
|
||||||
|
"certificate:get": "rule:admin_or_user or rule:cluster_user",
|
||||||
|
|
||||||
"magnum-service:get_all": "rule:admin_api",
|
"magnum-service:get_all": "rule:admin_api",
|
||||||
"stats:get_all": "rule:admin_or_owner"
|
"stats:get_all": "rule:admin_or_owner"
|
||||||
|
|
|
@ -204,6 +204,7 @@ class KeystoneClientV3(object):
|
||||||
project=trustor_project_id,
|
project=trustor_project_id,
|
||||||
trustee_user=trustee_user,
|
trustee_user=trustee_user,
|
||||||
impersonation=True,
|
impersonation=True,
|
||||||
|
delegation_depth=0,
|
||||||
role_names=roles)
|
role_names=roles)
|
||||||
except Exception:
|
except Exception:
|
||||||
LOG.exception(_LE('Failed to create trust'))
|
LOG.exception(_LE('Failed to create trust'))
|
||||||
|
|
|
@ -20,6 +20,8 @@ from oslo_config import cfg
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
import pecan
|
import pecan
|
||||||
|
|
||||||
|
from magnum.common import clients
|
||||||
|
from magnum.common import context
|
||||||
from magnum.common import exception
|
from magnum.common import exception
|
||||||
|
|
||||||
|
|
||||||
|
@ -92,10 +94,20 @@ def enforce(context, rule=None, target=None,
|
||||||
if target is None:
|
if target is None:
|
||||||
target = {'project_id': context.project_id,
|
target = {'project_id': context.project_id,
|
||||||
'user_id': context.user_id}
|
'user_id': context.user_id}
|
||||||
|
add_policy_attributes(target)
|
||||||
return enforcer.enforce(rule, target, credentials,
|
return enforcer.enforce(rule, target, credentials,
|
||||||
do_raise=do_raise, exc=exc, *args, **kwargs)
|
do_raise=do_raise, exc=exc, *args, **kwargs)
|
||||||
|
|
||||||
|
|
||||||
|
def add_policy_attributes(target):
|
||||||
|
"""Adds extra information for policy enforcement to raw target object"""
|
||||||
|
admin_context = context.make_admin_context()
|
||||||
|
admin_osc = clients.OpenStackClients(admin_context)
|
||||||
|
trustee_domain_id = admin_osc.keystone().trustee_domain_id
|
||||||
|
target['trustee_domain_id'] = trustee_domain_id
|
||||||
|
return target
|
||||||
|
|
||||||
|
|
||||||
def enforce_wsgi(api_name, act=None):
|
def enforce_wsgi(api_name, act=None):
|
||||||
"""This is a decorator to simplify wsgi action policy rule check.
|
"""This is a decorator to simplify wsgi action policy rule check.
|
||||||
|
|
||||||
|
|
|
@ -22,15 +22,20 @@ LOG = logging.getLogger(__name__)
|
||||||
def create_trustee_and_trust(osc, cluster):
|
def create_trustee_and_trust(osc, cluster):
|
||||||
try:
|
try:
|
||||||
password = utils.generate_password(length=18)
|
password = utils.generate_password(length=18)
|
||||||
|
|
||||||
trustee = osc.keystone().create_trustee(
|
trustee = osc.keystone().create_trustee(
|
||||||
cluster.uuid,
|
"%s_%s" % (cluster.uuid, cluster.project_id),
|
||||||
password,
|
password,
|
||||||
)
|
)
|
||||||
|
|
||||||
cluster.trustee_username = trustee.name
|
cluster.trustee_username = trustee.name
|
||||||
cluster.trustee_user_id = trustee.id
|
cluster.trustee_user_id = trustee.id
|
||||||
cluster.trustee_password = password
|
cluster.trustee_password = password
|
||||||
trust = osc.keystone().create_trust(trustee.id)
|
|
||||||
|
trust = osc.keystone().create_trust(
|
||||||
|
cluster.trustee_user_id)
|
||||||
cluster.trust_id = trust.id
|
cluster.trust_id = trust.id
|
||||||
|
|
||||||
except Exception:
|
except Exception:
|
||||||
LOG.exception(
|
LOG.exception(
|
||||||
_LE('Failed to create trustee and trust for Cluster: %s'),
|
_LE('Failed to create trustee and trust for Cluster: %s'),
|
||||||
|
@ -41,9 +46,11 @@ def create_trustee_and_trust(osc, cluster):
|
||||||
|
|
||||||
def delete_trustee_and_trust(osc, context, cluster):
|
def delete_trustee_and_trust(osc, context, cluster):
|
||||||
try:
|
try:
|
||||||
|
kst = osc.keystone()
|
||||||
|
|
||||||
# The cluster which is upgraded from Liberty doesn't have trust_id
|
# The cluster which is upgraded from Liberty doesn't have trust_id
|
||||||
if cluster.trust_id:
|
if cluster.trust_id:
|
||||||
osc.keystone().delete_trust(context, cluster)
|
kst.delete_trust(context, cluster)
|
||||||
except Exception:
|
except Exception:
|
||||||
# Exceptions are already logged by keystone().delete_trust
|
# Exceptions are already logged by keystone().delete_trust
|
||||||
pass
|
pass
|
||||||
|
|
|
@ -18,6 +18,17 @@ trust_group = cfg.OptGroup(name='trust',
|
||||||
title='Trustee options for the magnum services')
|
title='Trustee options for the magnum services')
|
||||||
|
|
||||||
trust_opts = [
|
trust_opts = [
|
||||||
|
cfg.BoolOpt('cluster_user_trust',
|
||||||
|
default=False,
|
||||||
|
help=_('This setting controls whether to assign a trust to'
|
||||||
|
' the cluster user or not. You will need to set it to'
|
||||||
|
' True for clusters with volume_driver=cinder or'
|
||||||
|
' registry_enabled=true in the underlying cluster'
|
||||||
|
' template to work. This is a potential security risk'
|
||||||
|
' since the trust gives instances OpenStack API access'
|
||||||
|
" to the cluster's project. Note that this setting"
|
||||||
|
' does not affect per-cluster trusts assigned to the'
|
||||||
|
'Magnum service user.')),
|
||||||
cfg.StrOpt('trustee_domain_id',
|
cfg.StrOpt('trustee_domain_id',
|
||||||
help=_('Id of the domain to create trustee for clusters')),
|
help=_('Id of the domain to create trustee for clusters')),
|
||||||
cfg.StrOpt('trustee_domain_name',
|
cfg.StrOpt('trustee_domain_name',
|
||||||
|
|
|
@ -26,6 +26,8 @@ from sqlalchemy.orm.exc import MultipleResultsFound
|
||||||
from sqlalchemy.orm.exc import NoResultFound
|
from sqlalchemy.orm.exc import NoResultFound
|
||||||
from sqlalchemy.sql import func
|
from sqlalchemy.sql import func
|
||||||
|
|
||||||
|
from magnum.common import clients
|
||||||
|
from magnum.common import context as request_context
|
||||||
from magnum.common import exception
|
from magnum.common import exception
|
||||||
import magnum.conf
|
import magnum.conf
|
||||||
from magnum.db import api
|
from magnum.db import api
|
||||||
|
@ -122,8 +124,21 @@ class Connection(api.Connection):
|
||||||
if context.is_admin and context.all_tenants:
|
if context.is_admin and context.all_tenants:
|
||||||
return query
|
return query
|
||||||
|
|
||||||
if context.project_id:
|
admin_context = request_context.make_admin_context(all_tenants=True)
|
||||||
|
osc = clients.OpenStackClients(admin_context)
|
||||||
|
kst = osc.keystone()
|
||||||
|
|
||||||
|
# User in a regular project (not in the trustee domain)
|
||||||
|
if context.project_id and context.domain_id != kst.trustee_domain_id:
|
||||||
query = query.filter_by(project_id=context.project_id)
|
query = query.filter_by(project_id=context.project_id)
|
||||||
|
# Match project ID component in trustee user's user name against
|
||||||
|
# cluster's project_id to associate per-cluster trustee users who have
|
||||||
|
# no project information with the project their clusters/cluster models
|
||||||
|
# reside in. This is equivalent to the project filtering above.
|
||||||
|
elif context.domain_id == kst.trustee_domain_id:
|
||||||
|
user_name = kst.client.users.get(context.user_id).name
|
||||||
|
user_project = user_name.split('_', 2)[1]
|
||||||
|
query = query.filter_by(project_id=user_project)
|
||||||
else:
|
else:
|
||||||
query = query.filter_by(user_id=context.user_id)
|
query = query.filter_by(user_id=context.user_id)
|
||||||
|
|
||||||
|
|
|
@ -49,11 +49,6 @@ auth_json=$(cat << EOF
|
||||||
"password": "$TRUSTEE_PASSWORD"
|
"password": "$TRUSTEE_PASSWORD"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"scope": {
|
|
||||||
"OS-TRUST:trust": {
|
|
||||||
"id": "$TRUST_ID"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -75,11 +75,6 @@ auth_json=$(cat << EOF
|
||||||
"password": "$TRUSTEE_PASSWORD"
|
"password": "$TRUSTEE_PASSWORD"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"scope": {
|
|
||||||
"OS-TRUST:trust": {
|
|
||||||
"id": "$TRUST_ID"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/sysconfig/heat-params
|
- path: /etc/sysconfig/heat-params
|
||||||
owner: "root:root"
|
owner: "root:root"
|
||||||
permissions: "0644"
|
permissions: "0600"
|
||||||
content: |
|
content: |
|
||||||
KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
|
KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
|
||||||
KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
|
KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
|
||||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/sysconfig/heat-params
|
- path: /etc/sysconfig/heat-params
|
||||||
owner: "root:root"
|
owner: "root:root"
|
||||||
permissions: "0644"
|
permissions: "0600"
|
||||||
content: |
|
content: |
|
||||||
KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
|
KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
|
||||||
KUBE_MASTER_IP="$KUBE_MASTER_IP"
|
KUBE_MASTER_IP="$KUBE_MASTER_IP"
|
||||||
|
|
|
@ -150,11 +150,6 @@ def get_user_token(config):
|
||||||
"password": "%(trustee_password)s"
|
"password": "%(trustee_password)s"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"scope": {
|
|
||||||
"OS-TRUST:trust": {
|
|
||||||
"id": "%(trust_id)s"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -162,7 +157,6 @@ def get_user_token(config):
|
||||||
params = {
|
params = {
|
||||||
'trustee_user_id': config['TRUSTEE_USER_ID'],
|
'trustee_user_id': config['TRUSTEE_USER_ID'],
|
||||||
'trustee_password': config['TRUSTEE_PASSWORD'],
|
'trustee_password': config['TRUSTEE_PASSWORD'],
|
||||||
'trust_id': config['TRUST_ID']
|
|
||||||
}
|
}
|
||||||
creds = creds_str % params
|
creds = creds_str % params
|
||||||
headers = {'Content-Type': 'application/json'}
|
headers = {'Content-Type': 'application/json'}
|
||||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/sysconfig/heat-params
|
- path: /etc/sysconfig/heat-params
|
||||||
owner: "root:root"
|
owner: "root:root"
|
||||||
permissions: "0644"
|
permissions: "0600"
|
||||||
content: |
|
content: |
|
||||||
WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
|
WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
|
||||||
WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"
|
WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"
|
||||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/sysconfig/heat-params
|
- path: /etc/sysconfig/heat-params
|
||||||
owner: "root:root"
|
owner: "root:root"
|
||||||
permissions: "0644"
|
permissions: "0600"
|
||||||
content: |
|
content: |
|
||||||
WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
|
WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
|
||||||
WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"
|
WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"
|
||||||
|
|
|
@ -21,6 +21,7 @@ import six
|
||||||
from magnum.common import clients
|
from magnum.common import clients
|
||||||
from magnum.common import exception
|
from magnum.common import exception
|
||||||
import magnum.conf
|
import magnum.conf
|
||||||
|
from magnum.i18n import _LE
|
||||||
from magnum.i18n import _LW
|
from magnum.i18n import _LW
|
||||||
|
|
||||||
from requests import exceptions as req_exceptions
|
from requests import exceptions as req_exceptions
|
||||||
|
@ -245,7 +246,20 @@ class BaseTemplateDefinition(TemplateDefinition):
|
||||||
extra_params['trustee_user_id'] = cluster.trustee_user_id
|
extra_params['trustee_user_id'] = cluster.trustee_user_id
|
||||||
extra_params['trustee_username'] = cluster.trustee_username
|
extra_params['trustee_username'] = cluster.trustee_username
|
||||||
extra_params['trustee_password'] = cluster.trustee_password
|
extra_params['trustee_password'] = cluster.trustee_password
|
||||||
extra_params['trust_id'] = cluster.trust_id
|
|
||||||
|
# Only pass trust ID into the template when it is needed.
|
||||||
|
if (cluster_template.volume_driver == 'rexray' or
|
||||||
|
cluster_template.registry_enabled):
|
||||||
|
if CONF.trust.cluster_user_trust:
|
||||||
|
extra_params['trust_id'] = cluster.trust_id
|
||||||
|
else:
|
||||||
|
missing_setting = ('trust/cluster_user_trust = True')
|
||||||
|
msg = _LE('This cluster can only be created with %s in '
|
||||||
|
'magnum.conf')
|
||||||
|
raise exception.ConfigInvalid(msg % missing_setting)
|
||||||
|
else:
|
||||||
|
extra_params['trust_id'] = ""
|
||||||
|
|
||||||
extra_params['auth_url'] = context.auth_url
|
extra_params['auth_url'] = context.auth_url
|
||||||
|
|
||||||
return super(BaseTemplateDefinition,
|
return super(BaseTemplateDefinition,
|
||||||
|
|
|
@ -63,11 +63,6 @@ write_files:
|
||||||
"password": "$TRUSTEE_PASSWORD"
|
"password": "$TRUSTEE_PASSWORD"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"scope": {
|
|
||||||
"OS-TRUST:trust": {
|
|
||||||
"id": "$TRUST_ID"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -90,11 +90,6 @@ write_files:
|
||||||
"password": "$TRUSTEE_PASSWORD"
|
"password": "$TRUSTEE_PASSWORD"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"scope": {
|
|
||||||
"OS-TRUST:trust": {
|
|
||||||
"id": "$TRUST_ID"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/sysconfig/heat-params
|
- path: /etc/sysconfig/heat-params
|
||||||
owner: "root:root"
|
owner: "root:root"
|
||||||
permissions: "0644"
|
permissions: "0600"
|
||||||
content: |
|
content: |
|
||||||
KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
|
KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
|
||||||
KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
|
KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
|
||||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/sysconfig/heat-params
|
- path: /etc/sysconfig/heat-params
|
||||||
owner: "root:root"
|
owner: "root:root"
|
||||||
permissions: "0644"
|
permissions: "0600"
|
||||||
content: |
|
content: |
|
||||||
KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
|
KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
|
||||||
KUBE_MASTER_IP="$KUBE_MASTER_IP"
|
KUBE_MASTER_IP="$KUBE_MASTER_IP"
|
||||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/sysconfig/heat-params
|
- path: /etc/sysconfig/heat-params
|
||||||
owner: "root:root"
|
owner: "root:root"
|
||||||
permissions: "0644"
|
permissions: "0600"
|
||||||
content: |
|
content: |
|
||||||
MESOS_MASTERS_IPS="$MESOS_MASTERS_IPS"
|
MESOS_MASTERS_IPS="$MESOS_MASTERS_IPS"
|
||||||
EXECUTOR_REGISTRATION_TIMEOUT="$EXECUTOR_REGISTRATION_TIMEOUT"
|
EXECUTOR_REGISTRATION_TIMEOUT="$EXECUTOR_REGISTRATION_TIMEOUT"
|
||||||
|
|
|
@ -26,6 +26,7 @@ import pecan
|
||||||
import testscenarios
|
import testscenarios
|
||||||
|
|
||||||
from magnum.common import context as magnum_context
|
from magnum.common import context as magnum_context
|
||||||
|
from magnum.common import keystone as magnum_keystone
|
||||||
from magnum.objects import base as objects_base
|
from magnum.objects import base as objects_base
|
||||||
from magnum.tests import conf_fixture
|
from magnum.tests import conf_fixture
|
||||||
from magnum.tests import fake_notifier
|
from magnum.tests import fake_notifier
|
||||||
|
@ -63,11 +64,18 @@ class TestCase(base.BaseTestCase):
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
trustee_domain_id = '12345678-9012-3456-7890-123456789abc'
|
||||||
|
|
||||||
self.context = magnum_context.RequestContext(
|
self.context = magnum_context.RequestContext(
|
||||||
auth_token_info=token_info,
|
auth_token_info=token_info,
|
||||||
project_id='fake_project',
|
project_id='fake_project',
|
||||||
user_id='fake_user')
|
user_id='fake_user')
|
||||||
|
|
||||||
|
self.global_mocks = {}
|
||||||
|
|
||||||
|
self.keystone_client = magnum_keystone.KeystoneClientV3(self.context)
|
||||||
|
|
||||||
self.policy = self.useFixture(policy_fixture.PolicyFixture())
|
self.policy = self.useFixture(policy_fixture.PolicyFixture())
|
||||||
|
|
||||||
self.useFixture(fixtures.MockPatchObject(
|
self.useFixture(fixtures.MockPatchObject(
|
||||||
|
@ -89,9 +97,22 @@ class TestCase(base.BaseTestCase):
|
||||||
|
|
||||||
p = mock.patch.object(magnum_context, 'make_context',
|
p = mock.patch.object(magnum_context, 'make_context',
|
||||||
side_effect=make_context)
|
side_effect=make_context)
|
||||||
|
|
||||||
|
self.global_mocks['magnum.common.context.make_context'] = p
|
||||||
|
|
||||||
|
q = mock.patch.object(magnum_keystone.KeystoneClientV3,
|
||||||
|
'trustee_domain_id',
|
||||||
|
return_value=trustee_domain_id)
|
||||||
|
|
||||||
|
self.global_mocks[
|
||||||
|
'magnum.common.keystone.KeystoneClientV3.trustee_domain_id'] = q
|
||||||
|
|
||||||
self.mock_make_context = p.start()
|
self.mock_make_context = p.start()
|
||||||
self.addCleanup(p.stop)
|
self.addCleanup(p.stop)
|
||||||
|
|
||||||
|
self.mock_make_trustee_domain_id = q.start()
|
||||||
|
self.addCleanup(q.stop)
|
||||||
|
|
||||||
self.useFixture(conf_fixture.ConfFixture())
|
self.useFixture(conf_fixture.ConfFixture())
|
||||||
self.useFixture(fixtures.NestedTempfile())
|
self.useFixture(fixtures.NestedTempfile())
|
||||||
|
|
||||||
|
@ -104,6 +125,12 @@ class TestCase(base.BaseTestCase):
|
||||||
|
|
||||||
self.addCleanup(reset_pecan)
|
self.addCleanup(reset_pecan)
|
||||||
|
|
||||||
|
def start_global(self, name):
|
||||||
|
self.global_mocks[name].start()
|
||||||
|
|
||||||
|
def stop_global(self, name):
|
||||||
|
self.global_mocks[name].stop()
|
||||||
|
|
||||||
def _restore_obj_registry(self):
|
def _restore_obj_registry(self):
|
||||||
objects_base.MagnumObjectRegistry._registry._obj_classes \
|
objects_base.MagnumObjectRegistry._registry._obj_classes \
|
||||||
= self._base_test_obj_backup
|
= self._base_test_obj_backup
|
||||||
|
|
|
@ -55,6 +55,19 @@ class KeystoneClientTest(base.TestCase):
|
||||||
admin_tenant_name='service',
|
admin_tenant_name='service',
|
||||||
group=ksconf.CFG_LEGACY_GROUP)
|
group=ksconf.CFG_LEGACY_GROUP)
|
||||||
|
|
||||||
|
# Disable global mocking for trustee_domain_id
|
||||||
|
self.stop_global(
|
||||||
|
'magnum.common.keystone.KeystoneClientV3.trustee_domain_id')
|
||||||
|
|
||||||
|
def tearDown(self):
|
||||||
|
# Re-enable global mocking for trustee_domain_id. We need this because
|
||||||
|
# mock blows up when trying to stop an already stopped patch (which it
|
||||||
|
# will do due to the addCleanup() in base.TestCase).
|
||||||
|
self.start_global(
|
||||||
|
'magnum.common.keystone.KeystoneClientV3.trustee_domain_id')
|
||||||
|
|
||||||
|
super(KeystoneClientTest, self).tearDown()
|
||||||
|
|
||||||
def test_client_with_password(self, mock_ks):
|
def test_client_with_password(self, mock_ks):
|
||||||
self.ctx.is_admin = True
|
self.ctx.is_admin = True
|
||||||
ks_client = keystone.KeystoneClientV3(self.ctx)
|
ks_client = keystone.KeystoneClientV3(self.ctx)
|
||||||
|
@ -136,6 +149,7 @@ class KeystoneClientTest(base.TestCase):
|
||||||
ks_client.create_trust(trustee_user='888888')
|
ks_client.create_trust(trustee_user='888888')
|
||||||
|
|
||||||
mock_ks.return_value.trusts.create.assert_called_once_with(
|
mock_ks.return_value.trusts.create.assert_called_once_with(
|
||||||
|
delegation_depth=0,
|
||||||
trustor_user='123456', project='654321',
|
trustor_user='123456', project='654321',
|
||||||
trustee_user='888888', role_names=['role1', 'role2'],
|
trustee_user='888888', role_names=['role1', 'role2'],
|
||||||
impersonation=True)
|
impersonation=True)
|
||||||
|
@ -152,6 +166,7 @@ class KeystoneClientTest(base.TestCase):
|
||||||
ks_client.create_trust(trustee_user='888888')
|
ks_client.create_trust(trustee_user='888888')
|
||||||
|
|
||||||
mock_ks.return_value.trusts.create.assert_called_once_with(
|
mock_ks.return_value.trusts.create.assert_called_once_with(
|
||||||
|
delegation_depth=0,
|
||||||
trustor_user='123456', project='654321',
|
trustor_user='123456', project='654321',
|
||||||
trustee_user='888888', role_names=['role3'],
|
trustee_user='888888', role_names=['role3'],
|
||||||
impersonation=True)
|
impersonation=True)
|
||||||
|
|
|
@ -37,6 +37,7 @@ class TrustManagerTestCase(base.BaseTestCase):
|
||||||
mock_generate_password.return_value = mock_password
|
mock_generate_password.return_value = mock_password
|
||||||
mock_cluster = mock.MagicMock()
|
mock_cluster = mock.MagicMock()
|
||||||
mock_cluster.uuid = 'mock_cluster_uuid'
|
mock_cluster.uuid = 'mock_cluster_uuid'
|
||||||
|
mock_cluster.project_id = 'mock_cluster_project_id'
|
||||||
mock_keystone = mock.MagicMock()
|
mock_keystone = mock.MagicMock()
|
||||||
mock_trustee = mock.MagicMock()
|
mock_trustee = mock.MagicMock()
|
||||||
mock_trustee.id = 'mock_trustee_id'
|
mock_trustee.id = 'mock_trustee_id'
|
||||||
|
@ -52,7 +53,7 @@ class TrustManagerTestCase(base.BaseTestCase):
|
||||||
trust_manager.create_trustee_and_trust(self.osc, mock_cluster)
|
trust_manager.create_trustee_and_trust(self.osc, mock_cluster)
|
||||||
|
|
||||||
mock_keystone.create_trustee.assert_called_once_with(
|
mock_keystone.create_trustee.assert_called_once_with(
|
||||||
mock_cluster.uuid,
|
'%s_%s' % (mock_cluster.uuid, mock_cluster.project_id),
|
||||||
mock_password,
|
mock_password,
|
||||||
)
|
)
|
||||||
mock_keystone.create_trust.assert_called_once_with(
|
mock_keystone.create_trust.assert_called_once_with(
|
||||||
|
|
|
@ -181,6 +181,11 @@ class TestHandler(db_base.DbTestCase):
|
||||||
mock_poller.poll_and_check.return_value = loopingcall.LoopingCallDone()
|
mock_poller.poll_and_check.return_value = loopingcall.LoopingCallDone()
|
||||||
mock_heat_poller_class.return_value = mock_poller
|
mock_heat_poller_class.return_value = mock_poller
|
||||||
osc = mock.sentinel.osc
|
osc = mock.sentinel.osc
|
||||||
|
|
||||||
|
def return_keystone():
|
||||||
|
return self.keystone_client
|
||||||
|
|
||||||
|
osc.keystone = return_keystone
|
||||||
mock_openstack_client_class.return_value = osc
|
mock_openstack_client_class.return_value = osc
|
||||||
mock_dr = mock.MagicMock()
|
mock_dr = mock.MagicMock()
|
||||||
mock_driver.return_value = mock_dr
|
mock_driver.return_value = mock_dr
|
||||||
|
|
|
@ -194,7 +194,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
||||||
'trustee_username': 'fake_trustee',
|
'trustee_username': 'fake_trustee',
|
||||||
'trustee_password': 'fake_trustee_password',
|
'trustee_password': 'fake_trustee_password',
|
||||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': '',
|
||||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||||
'insecure_registry_url': '10.0.0.1:5000',
|
'insecure_registry_url': '10.0.0.1:5000',
|
||||||
'kube_version': 'fake-version',
|
'kube_version': 'fake-version',
|
||||||
|
@ -236,6 +236,10 @@ class TestClusterConductorWithK8s(base.TestCase):
|
||||||
'RegionOne',
|
'RegionOne',
|
||||||
group='docker_registry')
|
group='docker_registry')
|
||||||
|
|
||||||
|
CONF.set_override('cluster_user_trust',
|
||||||
|
True,
|
||||||
|
group='trust')
|
||||||
|
|
||||||
(template_path,
|
(template_path,
|
||||||
definition,
|
definition,
|
||||||
env_files) = mock_driver()._extract_template_definition(self.context,
|
env_files) = mock_driver()._extract_template_definition(self.context,
|
||||||
|
@ -350,7 +354,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
||||||
'ssh_key_name': 'keypair_id',
|
'ssh_key_name': 'keypair_id',
|
||||||
'tenant_name': 'fake_tenant',
|
'tenant_name': 'fake_tenant',
|
||||||
'tls_disabled': False,
|
'tls_disabled': False,
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': '',
|
||||||
'trustee_domain_id': 'trustee_domain_id',
|
'trustee_domain_id': 'trustee_domain_id',
|
||||||
'trustee_password': 'fake_trustee_password',
|
'trustee_password': 'fake_trustee_password',
|
||||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||||
|
@ -421,7 +425,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
||||||
'trustee_username': 'fake_trustee',
|
'trustee_username': 'fake_trustee',
|
||||||
'trustee_password': 'fake_trustee_password',
|
'trustee_password': 'fake_trustee_password',
|
||||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': '',
|
||||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||||
'cluster_uuid': self.cluster_dict['uuid'],
|
'cluster_uuid': self.cluster_dict['uuid'],
|
||||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||||
|
@ -488,7 +492,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
||||||
'trustee_username': 'fake_trustee',
|
'trustee_username': 'fake_trustee',
|
||||||
'trustee_password': 'fake_trustee_password',
|
'trustee_password': 'fake_trustee_password',
|
||||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': '',
|
||||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||||
'cluster_uuid': self.cluster_dict['uuid'],
|
'cluster_uuid': self.cluster_dict['uuid'],
|
||||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||||
|
@ -686,7 +690,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
||||||
'trustee_username': 'fake_trustee',
|
'trustee_username': 'fake_trustee',
|
||||||
'trustee_password': 'fake_trustee_password',
|
'trustee_password': 'fake_trustee_password',
|
||||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': '',
|
||||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||||
'insecure_registry_url': '10.0.0.1:5000',
|
'insecure_registry_url': '10.0.0.1:5000',
|
||||||
'kube_version': 'fake-version',
|
'kube_version': 'fake-version',
|
||||||
|
|
|
@ -37,6 +37,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
||||||
'http_proxy': 'http_proxy',
|
'http_proxy': 'http_proxy',
|
||||||
'https_proxy': 'https_proxy',
|
'https_proxy': 'https_proxy',
|
||||||
'no_proxy': 'no_proxy',
|
'no_proxy': 'no_proxy',
|
||||||
|
'registry_enabled': False,
|
||||||
'server_type': 'vm',
|
'server_type': 'vm',
|
||||||
'volume_driver': 'volume_driver',
|
'volume_driver': 'volume_driver',
|
||||||
'labels': {'rexray_preempt': 'False',
|
'labels': {'rexray_preempt': 'False',
|
||||||
|
@ -117,7 +118,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
||||||
'trustee_username': 'fake_trustee',
|
'trustee_username': 'fake_trustee',
|
||||||
'trustee_password': 'fake_trustee_password',
|
'trustee_password': 'fake_trustee_password',
|
||||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': '',
|
||||||
'volume_driver': 'volume_driver',
|
'volume_driver': 'volume_driver',
|
||||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||||
'region_name': self.mock_osc.cinder_region_name.return_value,
|
'region_name': self.mock_osc.cinder_region_name.return_value,
|
||||||
|
@ -171,7 +172,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
||||||
'trustee_username': 'fake_trustee',
|
'trustee_username': 'fake_trustee',
|
||||||
'trustee_password': 'fake_trustee_password',
|
'trustee_password': 'fake_trustee_password',
|
||||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': '',
|
||||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||||
'region_name': self.mock_osc.cinder_region_name.return_value,
|
'region_name': self.mock_osc.cinder_region_name.return_value,
|
||||||
'username': 'mesos_user',
|
'username': 'mesos_user',
|
||||||
|
@ -227,7 +228,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
||||||
'trustee_username': 'fake_trustee',
|
'trustee_username': 'fake_trustee',
|
||||||
'trustee_password': 'fake_trustee_password',
|
'trustee_password': 'fake_trustee_password',
|
||||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': '',
|
||||||
'volume_driver': 'volume_driver',
|
'volume_driver': 'volume_driver',
|
||||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||||
'region_name': self.mock_osc.cinder_region_name.return_value,
|
'region_name': self.mock_osc.cinder_region_name.return_value,
|
||||||
|
@ -285,7 +286,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
||||||
'trustee_username': 'fake_trustee',
|
'trustee_username': 'fake_trustee',
|
||||||
'trustee_password': 'fake_trustee_password',
|
'trustee_password': 'fake_trustee_password',
|
||||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': '',
|
||||||
'volume_driver': 'volume_driver',
|
'volume_driver': 'volume_driver',
|
||||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||||
'region_name': self.mock_osc.cinder_region_name.return_value,
|
'region_name': self.mock_osc.cinder_region_name.return_value,
|
||||||
|
|
|
@ -74,6 +74,12 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||||
'coe_version': 'fake-version'
|
'coe_version': 'fake-version'
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# We need this due to volume_driver=rexray
|
||||||
|
CONF.set_override('cluster_user_trust',
|
||||||
|
True,
|
||||||
|
group='trust')
|
||||||
|
|
||||||
osc_patcher = mock.patch('magnum.common.clients.OpenStackClients')
|
osc_patcher = mock.patch('magnum.common.clients.OpenStackClients')
|
||||||
self.mock_osc_class = osc_patcher.start()
|
self.mock_osc_class = osc_patcher.start()
|
||||||
self.addCleanup(osc_patcher.stop)
|
self.addCleanup(osc_patcher.stop)
|
||||||
|
@ -280,7 +286,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
||||||
'trustee_username': 'fake_trustee',
|
'trustee_username': 'fake_trustee',
|
||||||
'trustee_password': 'fake_trustee_password',
|
'trustee_password': 'fake_trustee_password',
|
||||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
'trust_id': '',
|
||||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||||
'swarm_version': 'fake-version',
|
'swarm_version': 'fake-version',
|
||||||
'swarm_strategy': u'spread',
|
'swarm_strategy': u'spread',
|
||||||
|
|
Loading…
Reference in New Issue