5380 Commits

Author SHA1 Message Date
Zuul
9b835f03d5 Merge "[NetApp] Implement security service update" 2021-03-17 04:19:37 +00:00
Goutham Pacha Ravi
6981031e31 Fix share server lookup
We were missing a join on the share network
subnets table to be able to effect a lookup
by share network ID.

Change-Id: Id121ba942c7840a7cd7574f08a524fd4dbe06f64
2021-03-16 10:41:07 -07:00
Zuul
e8810b2019 Merge "Fix traceback in scheduler-stats API" 2021-03-15 19:18:07 +00:00
Zuul
475eeafd8d Merge "Add security service update support to the container driver" 2021-03-15 14:03:31 +00:00
Douglas Viroel
ff91db3ece [NetApp] Implement security service update
This patch implements support for security service updates
for in use share networks. It works with all three security
service types. For 'active_directory' and 'kerberos', the 'domain'
attribute update isn't supported, since it might affect
user's access to all related shares.

Change-Id: I8556e4e2e05deb9b116eacbd5afe2f7c5d77b44b
Depends-On: I129a794dfd2d179fa2b9a2fed050459d6f00b0de
Depends-On: I5fef50a17bc72ba66a3a9d6f786742bcb5745d7b
Implements: bp netapp-security-service-update
Co-Authored-By: Carlos Eduardo <ces.eduardo98@gmail.com>
Signed-off-by: Douglas Viroel <viroel@gmail.com>
2021-03-15 09:12:36 -03:00
Zuul
ec9088a3d7 Merge "Add security service update for in-use share networks" 2021-03-15 03:17:55 +00:00
Zuul
cd47a84a1e Merge "Change RBAC for share group snapshots" 2021-03-12 22:54:46 +00:00
Zuul
6783160613 Merge "Implement secure RBAC for share snapshots" 2021-03-12 22:54:24 +00:00
Zuul
81ce53ca28 Merge "Implement secure RBAC for share snapshot locations" 2021-03-12 22:54:19 +00:00
Eduardo Santos
733d6218e6 Add security service update support to the container driver
This implementation adds the functionality to add/update security services
to in use share networks using the container driver. The container driver will
also try to set up security services while creating share servers. Currently, the
only supported security service type is LDAP.

Co-Authored-By: Carlos Eduardo <ces.eduardo98@gmail.com>
Partially Implements: bp add-security-service-in-use-share-networks
Depends-On: I129a794dfd2d179fa2b9a2fed050459d6f00b0de

Change-Id: Ifb8b9ebe6eb0661844c794ca1a32e35105652f72
2021-03-12 18:43:53 -03:00
debeltrami
2bc27c5678 Add security service update for in-use share networks
This patch implements the update of security service's association
with in-use share networks. The following changes were added:

 - New share network APIs: `share_network_security_service_update`
 and `share_network_reset_state`.

 - A new `status` attribute was added to share network model to
 identify when it's in a modification state, called 'network_change'.
 Other supported statuses that were added: 'active' and 'error'.

 - New 'security_service_update_support' property was added to both
 share server and share network models, to identify when these resources
 are able to process security service update for in-use share networks.

 - New driver interface was added to support update of security service's
 configuration of a given share server.

DocImpact
APIImpact
Partially Implements: bp add-security-service-in-use-share-networks

Co-Authored-By: Carlos Eduardo <ces.eduardo98@gmail.com>
Co-Authored-By: Douglas Viroel <viroel@gmail.com>
Co-Authored-By: Andre Beltrami <debeltrami@gmail.com>

Change-Id: I129a794dfd2d179fa2b9a2fed050459d6f00b0de
2021-03-12 18:37:45 -03:00
Zuul
34627bea89 Merge "Implement secure RBAC for shares" 2021-03-12 18:37:39 +00:00
Zuul
39dbe2cb0f Merge "Implement secure RBAC for share types" 2021-03-12 18:27:57 +00:00
Zuul
61fd02c931 Merge "Implement secure RBAC for share replicas" 2021-03-12 18:06:03 +00:00
Zuul
d41c737c3e Merge "Implement secure RBAC for share servers" 2021-03-12 16:30:44 +00:00
Zuul
0070c7cddf Merge "Implement secure RBAC for share snapshot instances" 2021-03-12 16:13:24 +00:00
Zuul
af245f2850 Merge "Implement secure RBAC for share snapshot instance export locations" 2021-03-12 15:04:31 +00:00
Goutham Pacha Ravi
4c81cc4cec [ci] Part 2: Temporarily set docs job to non-voting
We set the check job to non-voting, but the
sporadic failures are occurring in the gate
queue as well. Unfortunate as it is, we're
still unable to fix the root cause.

Change-Id: I5a70441ee493ef6f5a5db1957000ee1134e3e5df
Partial-Bug: #1918707
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-11 23:25:25 -08:00
Zuul
0a2ae6ff51 Merge "Add config option to set per_share_size_limit." 2021-03-12 05:07:37 +00:00
Zuul
c730272f22 Merge "Implement secure RBAC for share type extra spec" 2021-03-12 03:15:51 +00:00
Zuul
e83517b662 Merge "Add share server limits" 2021-03-12 02:59:45 +00:00
Zuul
367a7be1ee Merge "[NetApp] Add support for FPolicy native mode" 2021-03-11 22:14:23 +00:00
Goutham Pacha Ravi
470ecda876 [ci] Temporarily set docs job to non-voting
We're seeing sporadic failures of this job and
the rate of failures is increasing in the past
couple of days. Since we're at feature freeze and
the doc is being built fine, we decided to set
this job to non-voting and investigate the failure
while allowing feature patches to merge.

Partial-Bug: #1918707
Change-Id: I2233f951f87e38d82d7963a57695e9cf84cbf558
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-11 09:21:49 -08:00
Douglas Viroel
0b04d8d671 [NetApp] Add support for FPolicy native mode
This patch adds support for automated creation of FPolicy policies
and association to a share. The FPolicy configuration can be added using
the extra-specs 'netapp:fpolicy_extensions_to_include',
'netapp:fpolicy_extensions_to_exclude' and 'netapp:fpolicy_file_operations'.

Change-Id: I661de95bfb6f8e68b3a8c58663bb6055e9b809f6
Implements: bp netapp-fpolicy-support
Signed-off-by: Douglas Viroel <viroel@gmail.com>
2021-03-11 10:46:51 -03:00
Zuul
1515701df0 Merge "[NetApp] Fix security service configuration for LDAP servers" 2021-03-11 12:48:58 +00:00
Zuul
a9c6ed03eb Merge "Clean up some policy code" 2021-03-11 02:53:26 +00:00
Lance Bragstad
f1ed7c3c72 Implement secure RBAC for shares
This commit updates the policies for
shares to understand scope checking and
account for a read-only role. This is
part of a broader series of changes
across OpenStack to provide a consistent
RBAC experience and improve security.

Change-Id: I6d947fa5f51f6a462f0ce5b1f4b3c00d3a10b024
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-10 17:15:17 -08:00
Lance Bragstad
fcd559f24d Implement secure RBAC for share replicas
This commit updates the policies for share
replicas to understand scope checking and
account for a read-only role. This is part
of a broader series of changes across
OpenStack to provide a consistent RBAC
experience and improve security.

Change-Id: I1656585bf66ad17468e5d2cfef039fc90b6dec50
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-10 15:46:09 -08:00
Goutham Pacha Ravi
9243d994b0 Change RBAC for share group snapshots
Allow project administrators to force
delete and reset status on share group
snapshots by default since that delegation
may be desirable in the cloud and it
does not violate tenancy.

Change-Id: Ib9b9b306be9073c4cea9b2d190d3325f29c7bd3f
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-10 12:33:20 -08:00
Lance Bragstad
ce55a993c8 Implement secure RBAC for share snapshots
This commit updates the policies for share
snapshots to understand scope checking and
account for a read-only role. This is part
of a broader series of changes across
OpenStack to provide a consistent RBAC experience
and improve security.

Change-Id: I8d9702c587aa6716310be2ff7f11e370616e2d3b
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-10 12:29:40 -08:00
Douglas Viroel
8943e57ee6 [NetApp] Fix security service configuration for LDAP servers
This patch fixes some issues with LDAP client configuration on
ONTAP SVMs. With ldap security service, users should be able to
configure an LDAP client that can be used for authentication and
name mapping. The name service switch order remains: ldap,files.
Issues fixed:
- The driver now identifies when the user provides an Active Directory
  domain or a Linux/Unix LDAP server IP and sets the correct schema.
- LDAP configuration parameter `servers` was replaced by `ldap-servers`
  in ONTAP 9.2, and now accepts host names too.
- Fix DNS configuration for LDAP security service
- Users can now specify a base search DN for LDAP queries, which can be
  mandatory for Unix/Linux servers, using the security service `ou`
  parameter.

Closes-Bug: #1916534
Change-Id: Ieaa53abbe50e7b708e508c132dfc4bb36b71a4f5
Signed-off-by: Douglas Viroel <viroel@gmail.com>
2021-03-10 16:00:46 -03:00
Zuul
fbb8e6b510 Merge "Implement secure RBAC for share group type specs" 2021-03-10 02:12:05 +00:00
Zuul
e979cb529c Merge "Implement secure RBAC for share instances" 2021-03-10 01:03:45 +00:00
Zuul
b0bba79b52 Merge "Implement secure RBAC for share instance export location" 2021-03-10 00:58:15 +00:00
Zuul
f4837fe95a Merge "Implement secure RBAC for share networks" 2021-03-10 00:58:10 +00:00
Zuul
ca9b6d2333 Merge "Implement secure RBAC for share network subnets" 2021-03-10 00:58:06 +00:00
Zuul
c39995df6f Merge "Implement secure RBAC for share replica locations" 2021-03-10 00:49:55 +00:00
Zuul
44008289ef Merge "Implement secure RBAC for share groups" 2021-03-09 19:04:08 +00:00
Zuul
374d754f2c Merge "Implement secure RBAC for share group types" 2021-03-09 17:44:10 +00:00
Zuul
8523d323e7 Merge "Adding Zadara Manila driver" 2021-03-09 17:44:03 +00:00
Lance Bragstad
904089f308 Implement secure RBAC for share type extra spec
This commit updates the policies for share type extra spec to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.

Change-Id: Ib2f71bdbe22f092016df25a7118abf3337f8cb8d
2021-03-09 17:23:52 +00:00
Lance Bragstad
3388e9aeec Implement secure RBAC for share snapshot instances
This commit updates the policies for share snapshot instances to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.

Change-Id: I6ec289e82d8f37ea7e832476345a3cac42662280
2021-03-09 17:22:44 +00:00
Zuul
217438084b Merge "Implement secure RBAC for group snapshots" 2021-03-09 17:17:20 +00:00
kpdev
0045293942 Add config option to set per_share_size_limit.
This feature allows admin to set share size limit for a project.
The defaults will either come from the default values
set in the quota configuration option or via manila.conf
if the user has configured default values for quotas there.

The quota_per_share_gigabytes defaults to -1["No Limit"] always
unless changed in manila.conf by admin.

Closes-Bug: #1811943

Change-Id: Ida126c8c419b8bf4d2a194f061a0809d52b47ab8
2021-03-09 11:58:17 +01:00
Lance Bragstad
81cbc2395b Implement secure RBAC for share group type specs
This commit updates the policies for share group type specs to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.

Change-Id: Ie1b72459ae060693badb6fe864454836a4ff1300
2021-03-09 03:36:11 +00:00
Lance Bragstad
3ecad318bd Implement secure RBAC for share network subnets
This commit updates the policies for share network subnets to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.

Change-Id: I2c90a40a7950be0463c3bc1bcf0b2d41cb6aeaa7
2021-03-09 00:53:00 +00:00
Lance Bragstad
19d182c429 Implement secure RBAC for share networks
This commit updates the policies for share networks to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.

Change-Id: Ie5e87c73e97d4a464ec91db8fba1c5d3e9abfff5
2021-03-09 00:52:33 +00:00
silvacarloss
2fb871cb89 Add share server limits
Add two new capabilities to manila. It is possible to set limits
to share server size and share instances in a share server by
setting `max_share_server_size` and `max_shares_per_share_server`
in a backend stanza.

Change-Id: I3170478d3aa2d09cb2adc32233dc57bc59029a56
Partially-Implements: bp new-share-server-limits
DocImpact
2021-03-08 21:35:06 -03:00
Lance Bragstad
a7eb825721 Implement secure RBAC for share group types
This commit updates the policies for
share group types to understand scope
checking and account for a read-only role.
This is part of a broader series of
changes across OpenStack to provide a
consistent RBAC experience and improve
security.

Also fix the HTTP method in the policy
doc for this API.

Change-Id: I8b95e1e70f74052e5bd4af1ba29842420bafd0b2
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-08 16:18:55 -08:00
Lance Bragstad
18d96c1426 Implement secure RBAC for share groups
This commit updates the policies for share groups
to understand scope checking and account for a
read-only role. This is part of a broader series
of changes across OpenStack to provide a
consistent RBAC experience and improve security.

Change-Id: I71d63179131c5dbe75a2de7339fa4df70243e83f
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-08 15:50:22 -08:00