openstack/monasca-api
Code Issues Proposed changes

Change default authorized role

Browse Source 
monasca-user role is more sufficient then admin role.

Story: 2001895
Task: 14380
Change-Id: I16091dbd631a5e94d08598a23eeb3bdf97cf0a92
This commit is contained in:
Adrian Czarnecki
2018-04-23 12:30:03 +02:00
parent 9ebde65af9
commit 2e078cdd87
4 changed files with 30 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
devstack/files/monasca-api/api-config.yml
View File

@@ -123,7 +123,7 @@ middleware:
connPoolMinIdleTime: 600000 connPoolMinIdleTime: 600000
connRetryTimes: 2 connRetryTimes: 2
connRetryInterval: 50 connRetryInterval: 50
defaultAuthorizedRoles: [user, domainuser, domainadmin, monasca-user, admin] defaultAuthorizedRoles: [monasca-user]
readOnlyAuthorizedRoles: [monasca-read-only-user] readOnlyAuthorizedRoles: [monasca-read-only-user]
agentAuthorizedRoles: [monasca-agent] agentAuthorizedRoles: [monasca-agent]
delegateAuthorizedRole: admin delegateAuthorizedRole: admin

2
devstack/plugin.sh
View File

@@ -841,7 +841,7 @@ function configure_monasca_api_python {
iniset "$MONASCA_API_CONF" keystone_authtoken identity_uri "http://$SERVICE_HOST:35357" iniset "$MONASCA_API_CONF" keystone_authtoken identity_uri "http://$SERVICE_HOST:35357"
iniset "$MONASCA_API_CONF" keystone_authtoken auth_uri "http://$SERVICE_HOST:5000" iniset "$MONASCA_API_CONF" keystone_authtoken auth_uri "http://$SERVICE_HOST:5000"
iniset "$MONASCA_API_CONF" security default_authorized_roles "user, domainuser, domainadmin, monasca-user" iniset "$MONASCA_API_CONF" security default_authorized_roles "monasca-user"
iniset "$MONASCA_API_CONF" security agent_authorized_roles "monasca-agent" iniset "$MONASCA_API_CONF" security agent_authorized_roles "monasca-agent"
iniset "$MONASCA_API_CONF" security read_only_authorized_roles "monasca-read-only-user" iniset "$MONASCA_API_CONF" security read_only_authorized_roles "monasca-read-only-user"
iniset "$MONASCA_API_CONF" security delegate_authorized_roles "admin" iniset "$MONASCA_API_CONF" security delegate_authorized_roles "admin"

2
monasca_api/conf/security.py
View File

@@ -17,7 +17,7 @@
from oslo_config import cfg from oslo_config import cfg
security_opts = [ security_opts = [
cfg.ListOpt('default_authorized_roles', default=['admin'], cfg.ListOpt('default_authorized_roles', default=['monasca-user'],
help=''' help='''
Roles that are allowed full access to the API Roles that are allowed full access to the API
'''), '''),

41
monasca_api/tests/test_alarms.py
View File

@@ -189,7 +189,7 @@ class TestAlarmsStateHistory(AlarmTestBase):
response = self.simulate_request( response = self.simulate_request(
u'/v2.0/alarms/%s/state-history/' % ALARM_HISTORY[u"alarm_id"], u'/v2.0/alarms/%s/state-history/' % ALARM_HISTORY[u"alarm_id"],
headers={ headers={
'X-Roles': 'admin', 'X-Roles': CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID, 'X-Tenant-Id': TENANT_ID,
}) })
@@ -241,7 +241,9 @@ class TestAlarmDefinition(AlarmTestBase):
} }
response = self.simulate_request("/v2.0/alarm-definitions/", response = self.simulate_request("/v2.0/alarm-definitions/",
headers={'X-Roles': 'admin', 'X-Tenant-Id': TENANT_ID}, headers={'X-Roles':
CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID},
method="POST", method="POST",
body=json.dumps(alarm_def)) body=json.dumps(alarm_def))
@@ -297,7 +299,9 @@ class TestAlarmDefinition(AlarmTestBase):
alarm_def[u'expression'] = expression alarm_def[u'expression'] = expression
expected_data[u'expression'] = expression expected_data[u'expression'] = expression
response = self.simulate_request("/v2.0/alarm-definitions/", response = self.simulate_request("/v2.0/alarm-definitions/",
headers={'X-Roles': 'admin', 'X-Tenant-Id': TENANT_ID}, headers={'X-Roles':
CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID},
method="POST", method="POST",
body=json.dumps(alarm_def)) body=json.dumps(alarm_def))
@@ -321,7 +325,8 @@ class TestAlarmDefinition(AlarmTestBase):
for expression in bad_expressions: for expression in bad_expressions:
alarm_def[u'expression'] = expression alarm_def[u'expression'] = expression
self.simulate_request("/v2.0/alarm-definitions/", self.simulate_request("/v2.0/alarm-definitions/",
headers={'X-Roles': 'admin', 'X-Tenant-Id': TENANT_ID}, headers={'X-Roles': CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID},
method="POST", method="POST",
body=json.dumps(alarm_def)) body=json.dumps(alarm_def))
@@ -400,7 +405,9 @@ class TestAlarmDefinition(AlarmTestBase):
} }
result = self.simulate_request("/v2.0/alarm-definitions/%s" % expected_def[u'id'], result = self.simulate_request("/v2.0/alarm-definitions/%s" % expected_def[u'id'],
headers={'X-Roles': 'admin', 'X-Tenant-Id': TENANT_ID}, headers={'X-Roles':
CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID},
method="PUT", method="PUT",
body=json.dumps(alarm_def)) body=json.dumps(alarm_def))
@@ -416,7 +423,7 @@ class TestAlarmDefinition(AlarmTestBase):
self.simulate_request( self.simulate_request(
"/v2.0/alarm-definitions/", "/v2.0/alarm-definitions/",
headers={ headers={
'X-Roles': 'admin', 'X-Roles': CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID}, 'X-Tenant-Id': TENANT_ID},
method="PATCH", method="PATCH",
body=json.dumps(alarm_def)) body=json.dumps(alarm_def))
@@ -431,7 +438,7 @@ class TestAlarmDefinition(AlarmTestBase):
self.simulate_request( self.simulate_request(
"/v2.0/alarm-definitions/", "/v2.0/alarm-definitions/",
headers={ headers={
'X-Roles': 'admin', 'X-Roles': CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID}, 'X-Tenant-Id': TENANT_ID},
method="PUT", method="PUT",
body=json.dumps(alarm_def)) body=json.dumps(alarm_def))
@@ -443,7 +450,7 @@ class TestAlarmDefinition(AlarmTestBase):
self.simulate_request( self.simulate_request(
"/v2.0/alarm-definitions/", "/v2.0/alarm-definitions/",
headers={ headers={
'X-Roles': 'admin', 'X-Roles': CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID}, 'X-Tenant-Id': TENANT_ID},
method="DELETE") method="DELETE")
@@ -519,7 +526,9 @@ class TestAlarmDefinition(AlarmTestBase):
} }
result = self.simulate_request("/v2.0/alarm-definitions/%s" % expected_def[u'id'], result = self.simulate_request("/v2.0/alarm-definitions/%s" % expected_def[u'id'],
headers={'X-Roles': 'admin', 'X-Tenant-Id': TENANT_ID}, headers={'X-Roles':
CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID},
method="PATCH", method="PATCH",
body=json.dumps(alarm_def)) body=json.dumps(alarm_def))
@@ -629,7 +638,9 @@ class TestAlarmDefinition(AlarmTestBase):
} }
result = self.simulate_request("/v2.0/alarm-definitions/%s" % expected_def[u'id'], result = self.simulate_request("/v2.0/alarm-definitions/%s" % expected_def[u'id'],
headers={'X-Roles': 'admin', 'X-Tenant-Id': TENANT_ID}, headers={'X-Roles':
CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID},
method="PUT", method="PUT",
body=json.dumps(alarm_def)) body=json.dumps(alarm_def))
@@ -641,7 +652,9 @@ class TestAlarmDefinition(AlarmTestBase):
del alarm_def[key] del alarm_def[key]
self.simulate_request("/v2.0/alarm-definitions/%s" % expected_def[u'id'], self.simulate_request("/v2.0/alarm-definitions/%s" % expected_def[u'id'],
headers={'X-Roles': 'admin', 'X-Tenant-Id': TENANT_ID}, headers={'X-Roles':
CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID},
method="PUT", method="PUT",
body=json.dumps(alarm_def)) body=json.dumps(alarm_def))
self.assertEqual(self.srmock.status, "422 Unprocessable Entity", self.assertEqual(self.srmock.status, "422 Unprocessable Entity",
@@ -683,7 +696,7 @@ class TestAlarmDefinition(AlarmTestBase):
response = self.simulate_request( response = self.simulate_request(
'/v2.0/alarm-definitions/%s' % (expected_data[u'id']), '/v2.0/alarm-definitions/%s' % (expected_data[u'id']),
headers={ headers={
'X-Roles': 'admin', 'X-Roles': CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID, 'X-Tenant-Id': TENANT_ID,
}) })
@@ -722,7 +735,7 @@ class TestAlarmDefinition(AlarmTestBase):
response = self.simulate_request( response = self.simulate_request(
'/v2.0/alarm-definitions/%s' % (expected_data[u'id']), '/v2.0/alarm-definitions/%s' % (expected_data[u'id']),
headers={ headers={
'X-Roles': 'admin', 'X-Roles': CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID, 'X-Tenant-Id': TENANT_ID,
}) })
@@ -760,7 +773,7 @@ class TestAlarmDefinition(AlarmTestBase):
response = self.simulate_request( response = self.simulate_request(
'/v2.0/alarm-definitions/%s' % (expected_data[u'id']), '/v2.0/alarm-definitions/%s' % (expected_data[u'id']),
headers={ headers={
'X-Roles': 'admin', 'X-Roles': CONF.security.default_authorized_roles[0],
'X-Tenant-Id': TENANT_ID, 'X-Tenant-Id': TENANT_ID,
} }
) )