Modify the placement API policies defaults and scope_type

Placement API policies have been modified to drop the system
scope (every policy is now project scoped), and their defaults
have been modified as well. Most of the policies now default to the
admin_or_service role, except reshape, which is service role only, and
project resource usage, which is allowed for the project reader and
admin-or-service roles.

Implement: policy-defaults-improvement
Change-Id: I806753e5b36a18be191a839256aaa84b511778f4
Ghanshyam Mann
2022-11-24 21:23:40 -06:00
parent ff8bee1fbc
commit 636d65e3ef
26 changed files with 1134 additions and 306 deletions


@ -24,7 +24,7 @@ BASE_PATH = '/resource_providers/{uuid}/aggregates'
rules = [
policy.DocumentedRuleDefault(
LIST,
base.SYSTEM_READER,
base.ADMIN_OR_SERVICE,
"List resource provider aggregates.",
[
{
@ -32,11 +32,11 @@ rules = [
'path': BASE_PATH
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
UPDATE,
base.SYSTEM_ADMIN,
base.ADMIN_OR_SERVICE,
"Update resource provider aggregates.",
[
{
@ -44,7 +44,7 @@ rules = [
'path': BASE_PATH
}
],
scope_types=['system'],
scope_types=['project'],
),
]


@ -27,7 +27,7 @@ ALLOC_DELETE = ALLOC_PREFIX % 'delete'
rules = [
policy.DocumentedRuleDefault(
name=ALLOC_MANAGE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Manage allocations.",
operations=[
{
@ -35,11 +35,11 @@ rules = [
'path': '/allocations'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=ALLOC_LIST,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="List allocations.",
operations=[
{
@ -47,11 +47,11 @@ rules = [
'path': '/allocations/{consumer_uuid}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=ALLOC_UPDATE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Update allocations.",
operations=[
{
@ -59,11 +59,11 @@ rules = [
'path': '/allocations/{consumer_uuid}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=ALLOC_DELETE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Delete allocations.",
operations=[
{
@ -71,11 +71,11 @@ rules = [
'path': '/allocations/{consumer_uuid}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=RP_ALLOC_LIST,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="List resource provider allocations.",
operations=[
{
@ -83,7 +83,7 @@ rules = [
'path': '/resource_providers/{uuid}/allocations'
}
],
scope_types=['system'],
scope_types=['project'],
),
]


@ -21,7 +21,7 @@ LIST = 'placement:allocation_candidates:list'
rules = [
policy.DocumentedRuleDefault(
name=LIST,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="List allocation candidates.",
operations=[
{
@ -29,7 +29,7 @@ rules = [
'path': '/allocation_candidates'
}
],
scope_types=['system'],
scope_types=['project'],
)
]


@ -32,44 +32,44 @@ DEPRECATED_ADMIN_POLICY = policy.DeprecatedRule(
# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the
# approach in oslo.policy and consume a new version. Until we have that done,
# let's continue using generic check strings.
SYSTEM_ADMIN = 'rule:system_admin_api'
SYSTEM_READER = 'rule:system_reader_api'
PROJECT_READER = 'rule:project_reader_api'
PROJECT_READER_OR_SYSTEM_READER = 'rule:system_or_project_reader'
ADMIN_OR_SERVICE = 'rule:admin_or_service_api'
SERVICE = 'rule:service_api'
ADMIN_OR_PROJECT_READER_OR_SERVICE = (
'rule:admin_or_project_reader_or_service_api')
rules = [
policy.RuleDefault(
"admin_api",
"role:admin",
description="Default rule for most placement APIs.",
scope_types=['system'],
deprecated_for_removal=True,
deprecated_reason=_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
scope_types=['project'],
),
policy.RuleDefault(
name="system_admin_api",
check_str='role:admin and system_scope:all',
description="Default rule for System Admin APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY
"service_api",
"role:service",
description="Default rule for service-to-service placement APIs.",
scope_types=['project'],
deprecated_rule=DEPRECATED_ADMIN_POLICY,
),
policy.RuleDefault(
name="system_reader_api",
check_str="role:reader and system_scope:all",
description="Default rule for System level read only APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY
"admin_or_service_api",
"role:admin or role:service",
description="Default rule for most placement APIs.",
scope_types=['project'],
deprecated_rule=DEPRECATED_ADMIN_POLICY,
),
policy.RuleDefault(
name="project_reader_api",
check_str="role:reader and project_id:%(project_id)s",
description="Default rule for Project level read only APIs.",
description="Default rule for Project level reader APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY
),
policy.RuleDefault(
name="system_or_project_reader",
check_str="rule:system_reader_api or rule:project_reader_api",
description="Default rule for System+Project read only APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY
"admin_or_project_reader_or_service_api",
"role:admin or rule:project_reader_api or role:service",
description="Default rule for project level reader APIs.",
scope_types=['project'],
deprecated_rule=DEPRECATED_ADMIN_POLICY,
),
]
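Review bot: `service_api` and `admin_or_service_api` both carry `deprecated_rule=DEPRECATED_ADMIN_POLICY`, and oslo.policy ORs a deprecated rule's check string into the new default until `[oslo_policy] enforce_new_defaults` is enabled. If that deprecated rule is still `role:admin` (its definition starts above this hunk and is not visible here), the reshape API guarded by `rule:service_api` remains reachable by any admin, not service-only as the commit message says. A comment on the rule would make this explicit, e.g. `# NOTE: service-only takes effect only with enforce_new_defaults=True; until then the deprecated admin check is OR-ed in.` Separately, `admin_or_project_reader_or_service_api` has almost the same description as `project_reader_api`; `description="Default rule for project level reader APIs that admin and service may also call."` would tell them apart in the generated policy docs.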


@ -27,7 +27,7 @@ BASE_PATH = '/resource_providers/{uuid}/inventories'
rules = [
policy.DocumentedRuleDefault(
name=LIST,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="List resource provider inventories.",
operations=[
{
@ -35,11 +35,11 @@ rules = [
'path': BASE_PATH
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=CREATE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Create one resource provider inventory.",
operations=[
{
@ -47,11 +47,11 @@ rules = [
'path': BASE_PATH
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=SHOW,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="Show resource provider inventory.",
operations=[
{
@ -59,11 +59,11 @@ rules = [
'path': BASE_PATH + '/{resource_class}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=UPDATE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Update resource provider inventory.",
operations=[
{
@ -75,11 +75,11 @@ rules = [
'path': BASE_PATH + '/{resource_class}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=DELETE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Delete resource provider inventory.",
operations=[
{
@ -91,7 +91,7 @@ rules = [
'path': BASE_PATH + '/{resource_class}'
}
],
scope_types=['system'],
scope_types=['project'],
),
]


@ -22,7 +22,7 @@ RESHAPE = PREFIX % 'reshape'
rules = [
policy.DocumentedRuleDefault(
RESHAPE,
base.SYSTEM_ADMIN,
base.SERVICE,
"Reshape Inventory and Allocations.",
[
{
@ -30,7 +30,7 @@ rules = [
'path': '/reshaper'
}
],
scope_types=['system'],
scope_types=['project'],
),
]


@ -26,7 +26,7 @@ DELETE = PREFIX % 'delete'
rules = [
policy.DocumentedRuleDefault(
name=LIST,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="List resource classes.",
operations=[
{
@ -34,11 +34,11 @@ rules = [
'path': '/resource_classes'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=CREATE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Create resource class.",
operations=[
{
@ -46,11 +46,11 @@ rules = [
'path': '/resource_classes'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=SHOW,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="Show resource class.",
operations=[
{
@ -58,11 +58,11 @@ rules = [
'path': '/resource_classes/{name}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=UPDATE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Update resource class.",
operations=[
{
@ -70,11 +70,11 @@ rules = [
'path': '/resource_classes/{name}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=DELETE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Delete resource class.",
operations=[
{
@ -82,7 +82,7 @@ rules = [
'path': '/resource_classes/{name}'
}
],
scope_types=['system'],
scope_types=['project'],
),
]


@ -26,7 +26,7 @@ DELETE = PREFIX % 'delete'
rules = [
policy.DocumentedRuleDefault(
name=LIST,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="List resource providers.",
operations=[
{
@ -34,11 +34,11 @@ rules = [
'path': '/resource_providers'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=CREATE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Create resource provider.",
operations=[
{
@ -46,11 +46,11 @@ rules = [
'path': '/resource_providers'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=SHOW,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="Show resource provider.",
operations=[
{
@ -58,11 +58,11 @@ rules = [
'path': '/resource_providers/{uuid}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=UPDATE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Update resource provider.",
operations=[
{
@ -70,11 +70,11 @@ rules = [
'path': '/resource_providers/{uuid}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=DELETE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Delete resource provider.",
operations=[
{
@ -82,7 +82,7 @@ rules = [
'path': '/resource_providers/{uuid}'
}
],
scope_types=['system'],
scope_types=['project'],
),
]


@ -30,7 +30,7 @@ TRAITS_DELETE = TRAITS_PREFIX % 'delete'
rules = [
policy.DocumentedRuleDefault(
name=TRAITS_LIST,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="List traits.",
operations=[
{
@ -38,11 +38,11 @@ rules = [
'path': '/traits'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=TRAITS_SHOW,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="Show trait.",
operations=[
{
@ -50,11 +50,11 @@ rules = [
'path': '/traits/{name}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=TRAITS_UPDATE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Update trait.",
operations=[
{
@ -62,11 +62,11 @@ rules = [
'path': '/traits/{name}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=TRAITS_DELETE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Delete trait.",
operations=[
{
@ -74,11 +74,11 @@ rules = [
'path': '/traits/{name}'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=RP_TRAIT_LIST,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="List resource provider traits.",
operations=[
{
@ -86,11 +86,11 @@ rules = [
'path': '/resource_providers/{uuid}/traits'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=RP_TRAIT_UPDATE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Update resource provider traits.",
operations=[
{
@ -98,11 +98,11 @@ rules = [
'path': '/resource_providers/{uuid}/traits'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=RP_TRAIT_DELETE,
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN_OR_SERVICE,
description="Delete resource provider traits.",
operations=[
{
@ -110,7 +110,7 @@ rules = [
'path': '/resource_providers/{uuid}/traits'
}
],
scope_types=['system'],
scope_types=['project'],
),
]


@ -22,7 +22,7 @@ TOTAL_USAGES = 'placement:usages'
rules = [
policy.DocumentedRuleDefault(
name=PROVIDER_USAGES,
check_str=base.SYSTEM_READER,
check_str=base.ADMIN_OR_SERVICE,
description="List resource provider usages.",
operations=[
{
@ -30,11 +30,14 @@ rules = [
'path': '/resource_providers/{uuid}/usages'
}
],
scope_types=['system'],
scope_types=['project'],
),
policy.DocumentedRuleDefault(
name=TOTAL_USAGES,
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
# NOTE(gmann): Admin in any project (legacy admin) can get usage of
# other project. Project member or reader roles can see usage of
# their project only.
check_str=base.ADMIN_OR_PROJECT_READER_OR_SERVICE,
description="List total resource usages for a given project.",
operations=[
{
@ -42,7 +45,7 @@ rules = [
'path': '/usages'
}
],
scope_types=['system', 'project'],
scope_types=['project'],
),
]
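Review bot: The cross-project reach described in the `NOTE(gmann)` comment on `TOTAL_USAGES` is recorded only in source; the rule's `description` still reads "for a given project", so an operator reading the generated policy sample will not learn that `role:admin` or `role:service` held in any project can read another project's usage. Consider `description="List total resource usages for a given project. Admin and service roles are not limited to their own project."`. The NOTE also says project member can see its own usage, while the check string only references `rule:project_reader_api` (`role:reader and project_id:%(project_id)s` in the base rules); that presumably relies on member implying reader in Keystone, which would be worth saying in the comment.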


@ -107,8 +107,16 @@ class APIFixture(fixture.GabbiFixture):
os.environ['RP_UUID'] = uuidutils.generate_uuid()
os.environ['RP_NAME'] = uuidutils.generate_uuid()
os.environ['RP_UUID1'] = uuidutils.generate_uuid()
os.environ['RP_NAME1'] = uuidutils.generate_uuid()
os.environ['RP_UUID2'] = uuidutils.generate_uuid()
os.environ['RP_NAME2'] = uuidutils.generate_uuid()
os.environ['CUSTOM_RES_CLASS'] = 'CUSTOM_IRON_NFV'
os.environ['CUSTOM_RES_CLASS1'] = 'CUSTOM_IRON_NFV1'
os.environ['CUSTOM_RES_CLASS2'] = 'CUSTOM_IRON_NFV2'
os.environ['PROJECT_ID'] = uuidutils.generate_uuid()
os.environ['ADMIN_PROJECT_ID'] = uuidutils.generate_uuid()
os.environ['SERVICE_PROJECT_ID'] = uuidutils.generate_uuid()
os.environ['USER_ID'] = uuidutils.generate_uuid()
os.environ['PROJECT_ID_ALT'] = uuidutils.generate_uuid()
os.environ['USER_ID_ALT'] = uuidutils.generate_uuid()


@ -110,11 +110,10 @@ tests:
response_json_paths:
$.aggregates.`len`: 2
- name: system reader can list aggregates
- name: system reader cannot list aggregates
GET: /resource_providers/$ENVIRON['RP_UUID']/aggregates
request_headers: *system_reader_headers
response_json_paths:
$.aggregates.`len`: 2
status: 403
- name: project admin can list aggregates
GET: /resource_providers/$ENVIRON['RP_UUID']/aggregates


@ -6,6 +6,22 @@ fixtures:
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &admin_project_id $ENVIRON['ADMIN_PROJECT_ID']
- &service_project_id $ENVIRON['SERVICE_PROJECT_ID']
- &admin_headers
x-auth-token: user
x-roles: admin
x-project-id: admin_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &service_headers
x-auth-token: user
x-roles: service
x-project-id: service_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
@ -46,14 +62,30 @@ vars:
tests:
- name: system admin can create new resource provider
- name: admin can create new resource provider
POST: /resource_providers
request_headers: *system_admin_headers
request_headers: *admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 200
- name: service can create new resource provider
POST: /resource_providers
request_headers: *service_headers
data:
name: $ENVIRON['RP_NAME1']
uuid: $ENVIRON['RP_UUID1']
status: 200
- name: project admin can create new resource provider
POST: /resource_providers
request_headers: *project_admin_headers
data:
name: $ENVIRON['RP_NAME2']
uuid: $ENVIRON['RP_UUID2']
status: 200
- name: system reader cannot update aggregates
PUT: /resource_providers/$ENVIRON['RP_UUID']/aggregates
request_headers: *system_reader_headers
@ -64,15 +96,35 @@ tests:
- *agg_2
status: 403
- name: project admin cannot update aggregates
PUT: /resource_providers/$ENVIRON['RP_UUID']/aggregates
- name: project admin can update aggregates
PUT: /resource_providers/$ENVIRON['RP_UUID2']/aggregates
request_headers: *project_admin_headers
data:
resource_provider_generation: 0
aggregates:
- *agg_1
- *agg_2
status: 403
status: 200
- name: admin can update aggregates
PUT: /resource_providers/$ENVIRON['RP_UUID']/aggregates
request_headers: *admin_headers
data:
resource_provider_generation: 0
aggregates:
- *agg_1
- *agg_2
status: 200
- name: service can update aggregates
PUT: /resource_providers/$ENVIRON['RP_UUID1']/aggregates
request_headers: *service_headers
data:
resource_provider_generation: 0
aggregates:
- *agg_1
- *agg_2
status: 200
- name: project member cannot update aggregates
PUT: /resource_providers/$ENVIRON['RP_UUID']/aggregates
@ -94,7 +146,7 @@ tests:
- *agg_2
status: 403
- name: system admin can update aggregates
- name: system admin cannot update aggregates
PUT: /resource_providers/$ENVIRON['RP_UUID']/aggregates
request_headers: *system_admin_headers
data:
@ -102,24 +154,35 @@ tests:
aggregates:
- *agg_1
- *agg_2
status: 200
status: 403
- name: system admin can list aggregates
- name: system admin cannot list aggregates
GET: /resource_providers/$ENVIRON['RP_UUID']/aggregates
request_headers: *system_admin_headers
response_json_paths:
$.aggregates.`len`: 2
status: 403
- name: system reader can list aggregates
- name: system reader cannot list aggregates
GET: /resource_providers/$ENVIRON['RP_UUID']/aggregates
request_headers: *system_reader_headers
status: 403
- name: admin can list aggregates
GET: /resource_providers/$ENVIRON['RP_UUID']/aggregates
request_headers: *admin_headers
response_json_paths:
$.aggregates.`len`: 2
- name: project admin cannot list aggregates
- name: service can list aggregates
GET: /resource_providers/$ENVIRON['RP_UUID']/aggregates
request_headers: *service_headers
response_json_paths:
$.aggregates.`len`: 2
- name: project admin can list aggregates
GET: /resource_providers/$ENVIRON['RP_UUID']/aggregates
request_headers: *project_admin_headers
status: 403
response_json_paths:
$.aggregates.`len`: 2
- name: project member cannot list aggregates
GET: /resource_providers/$ENVIRON['RP_UUID']/aggregates
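Review bot: `x-project-id: admin_project_id` in the new `admin_headers` (and `x-project-id: service_project_id` in `service_headers`) is a plain string, not a reference to the `&admin_project_id` / `&service_project_id` anchors defined just above it, so these requests send the literal text as the project id, not the generated UUID. The admin and service rules check only the role, so the cases still pass, but the anchors are unused in the lines shown and the headers do not model a real project-scoped token. `x-project-id: *admin_project_id` and `x-project-id: *service_project_id` would use the fixture values. The same two header blocks are repeated in the other test files of this commit that add `admin_headers` (allocation candidates, allocations, inventories).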


@ -47,10 +47,10 @@ tests:
request_headers: *system_admin_headers
status: 200
- name: system reader can get allocation candidates
- name: system reader cannot get allocation candidates
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
request_headers: *system_reader_headers
status: 200
status: 403
- name: project admin can get allocation candidates
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100


@ -4,6 +4,22 @@ fixtures:
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &admin_project_id $ENVIRON['ADMIN_PROJECT_ID']
- &service_project_id $ENVIRON['SERVICE_PROJECT_ID']
- &admin_headers
x-auth-token: user
x-roles: admin
x-project-id: admin_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &service_headers
x-auth-token: user
x-roles: service
x-project-id: service_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
@ -42,20 +58,30 @@ vars:
tests:
- name: system admin can get allocation candidates
- name: admin can get allocation candidates
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
request_headers: *admin_headers
status: 200
- name: service can get allocation candidates
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
request_headers: *service_headers
status: 200
- name: system admin cannot get allocation candidates
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
request_headers: *system_admin_headers
status: 200
status: 403
- name: system reader can get allocation candidates
- name: system reader cannot get allocation candidates
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
request_headers: *system_reader_headers
status: 200
status: 403
- name: project admin cannot get allocation candidates
- name: project admin can get allocation candidates
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
request_headers: *project_admin_headers
status: 403
status: 200
- name: project member cannot get allocation candidates
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100


@ -157,9 +157,10 @@ tests:
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_admin_headers
- name: system reader can list allocation
- name: system reader cannot list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_reader_headers
status: 403
- name: project admin can list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
@ -179,9 +180,10 @@ tests:
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *system_admin_headers
- name: system reader can list allocations for resource provider
- name: system reader cannot list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *system_reader_headers
status: 403
- name: project admin can list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations


@ -6,6 +6,26 @@ fixtures:
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &admin_project_id $ENVIRON['ADMIN_PROJECT_ID']
- &service_project_id $ENVIRON['SERVICE_PROJECT_ID']
- &admin_headers
x-auth-token: user
x-roles: admin
x-project-id: admin_project_id
accept: application/json
content-type: application/json
# We need 1.37 here because 1.38 required consumer_type which these
# allocations do not have.
openstack-api-version: placement 1.37
- &service_headers
x-auth-token: user
x-roles: service
x-project-id: service_project_id
accept: application/json
content-type: application/json
# We need 1.37 here because 1.38 required consumer_type which these
# allocations do not have.
openstack-api-version: placement 1.37
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
@ -56,17 +76,33 @@ vars:
tests:
- name: system admin can create resource provider
- name: admin can create resource provider
POST: /resource_providers
request_headers: *system_admin_headers
request_headers: *admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 200
- name: system admin can set inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
- name: service can create resource providers
POST: /resource_providers
request_headers: *service_headers
data:
name: $ENVIRON['RP_NAME1']
uuid: $ENVIRON['RP_UUID1']
status: 200
- name: project admin can create resource providers
POST: /resource_providers
request_headers: *project_admin_headers
data:
name: $ENVIRON['RP_NAME2']
uuid: $ENVIRON['RP_UUID2']
status: 200
- name: project admin can set inventories
PUT: /resource_providers/$ENVIRON['RP_UUID2']/inventories
request_headers: *project_admin_headers
data:
resource_provider_generation: 0
inventories:
@ -78,9 +114,37 @@ tests:
total: 96
status: 200
- name: project admin cannot update allocation
- name: service can set inventories
PUT: /resource_providers/$ENVIRON['RP_UUID1']/inventories
request_headers: *service_headers
data:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
min_unit: 10
max_unit: 1024
VCPU:
total: 96
status: 200
- name: admin can set inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *admin_headers
data:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
min_unit: 10
max_unit: 1024
VCPU:
total: 96
status: 200
- name: admin can update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_admin_headers
request_headers: *admin_headers
data:
allocations:
$ENVIRON['RP_UUID']:
@ -90,7 +154,35 @@ tests:
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 403
status: 204
- name: service can update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *service_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: 1
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 204
- name: project admin can update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_admin_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: 2
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 204
- name: project member cannot update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
@ -134,7 +226,7 @@ tests:
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 403
- name: system admin can update allocation
- name: system admin cannot update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_admin_headers
data:
@ -146,20 +238,29 @@ tests:
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 204
status: 403
- name: system admin can list allocation
- name: admin can list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *admin_headers
- name: service can list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *service_headers
- name: system admin cannot list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_admin_headers
status: 403
- name: system reader can list allocation
- name: system reader cannot list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_reader_headers
status: 403
- name: project admin cannot list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_admin_headers
status: 403
- name: project member cannot list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
@ -171,18 +272,27 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system admin can list allocations for resource provider
- name: admin can list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *admin_headers
- name: service can list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *service_headers
- name: system admin cannot list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *system_admin_headers
status: 403
- name: system reader can list allocations for resource provider
- name: system reader cannot list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *system_reader_headers
status: 403
- name: project admin cannot list allocations for resource provider
- name: project admin can list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *project_admin_headers
status: 403
- name: project member cannot list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
@ -209,20 +319,20 @@ tests:
DISK_GB: 40
status: 403
- name: project admin cannot manage allocations
- name: project admin can manage allocations
POST: /allocations
request_headers: *project_admin_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 1
b0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
$ENVIRON['RP_UUID2']:
resources:
VCPU: 8
DISK_GB: 40
status: 403
status: 204
- name: project member cannot manage allocations
POST: /allocations
@ -254,7 +364,7 @@ tests:
DISK_GB: 40
status: 403
- name: system admin can manage allocations
- name: system admin cannot manage allocations
POST: /allocations
request_headers: *system_admin_headers
data:
@ -267,12 +377,42 @@ tests:
resources:
VCPU: 8
DISK_GB: 40
status: 403
- name: admin can manage allocations
POST: /allocations
request_headers: *admin_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 3
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 8
DISK_GB: 40
status: 204
- name: project admin cannot delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
- name: service can manage allocations
POST: /allocations
request_headers: *service_headers
data:
c0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID1']:
resources:
VCPU: 8
DISK_GB: 40
status: 204
- name: project admin can delete allocations
DELETE: /allocations/b0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_admin_headers
status: 403
status: 204
- name: project member cannot delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
@ -289,7 +429,17 @@ tests:
request_headers: *system_reader_headers
status: 403
- name: system admin can delete allocations
- name: system admin cannot delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_admin_headers
status: 403
- name: admin can delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *admin_headers
status: 204
- name: service can delete allocations
DELETE: /allocations/c0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *service_headers
status: 204
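Review bot: The case `project admin cannot list allocation` (GET `/allocations/a0b15655-…` with `*project_admin_headers`) appears with its old name, while the neighbouring project-admin cases were renamed to "can" and the list-allocations policy now defaults to `admin_or_service`. The +/- markers are lost on this page, so it is not certain whether its `status: 403` line survives; if it was dropped, the test passes but its name now says the opposite of what it asserts and should become `- name: project admin can list allocation`. If the 403 is still expected, it would contradict the new default and the "project admin can update allocation" case earlier in the file. Misnamed allow/deny cases in a policy test suite are easy to misread during a later RBAC audit, so it is worth aligning name and expectation here.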


@ -93,12 +93,10 @@ tests:
$.resource_provider_generation: 0
$.inventories: {}
- name: system reader can list inventories
- name: system reader cannot list inventories
GET: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories
request_headers: *system_reader_headers
response_json_paths:
$.resource_provider_generation: 0
$.inventories: {}
status: 403
- name: project admin can list inventories
GET: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
@ -195,10 +193,10 @@ tests:
request_headers: *system_admin_headers
status: 200
- name: system reader can show inventory
- name: system reader cannot show inventory
GET: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories/DISK_GB
request_headers: *system_reader_headers
status: 200
status: 403
- name: project admin can show inventory
GET: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB


@ -4,6 +4,22 @@ fixtures:
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &admin_project_id $ENVIRON['ADMIN_PROJECT_ID']
- &service_project_id $ENVIRON['SERVICE_PROJECT_ID']
- &admin_headers
x-auth-token: user
x-roles: admin
x-project-id: admin_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &service_headers
x-auth-token: user
x-roles: service
x-project-id: service_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
@ -42,33 +58,62 @@ vars:
tests:
- name: system admin can create resource providers
- name: admin can create resource providers
POST: /resource_providers
request_headers: *system_admin_headers
request_headers: *admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 200
response_json_paths:
$.uuid: $ENVIRON['RP_UUID']
- name: system admin can list inventories
- name: service can create resource providers
POST: /resource_providers
request_headers: *service_headers
data:
name: $ENVIRON['RP_NAME1']
uuid: $ENVIRON['RP_UUID1']
status: 200
response_json_paths:
$.uuid: $ENVIRON['RP_UUID1']
- name: project admin can create resource providers
POST: /resource_providers
request_headers: *project_admin_headers
data:
name: $ENVIRON['RP_NAME2']
uuid: $ENVIRON['RP_UUID2']
status: 200
response_json_paths:
$.uuid: $ENVIRON['RP_UUID2']
- name: admin can list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
request_headers: *admin_headers
response_json_paths:
$.resource_provider_generation: 0
$.inventories: {}
- name: system reader can list inventories
- name: service can list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *service_headers
response_json_paths:
$.resource_provider_generation: 0
$.inventories: {}
- name: system reader cannot list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_reader_headers
status: 403
- name: project admin can list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_admin_headers
response_json_paths:
$.resource_provider_generation: 0
$.inventories: {}
- name: project admin cannot list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_admin_headers
status: 403
- name: project member cannot list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_member_headers
@ -79,8 +124,8 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: project admin cannot create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
- name: project admin can create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID2']/inventories
request_headers: *project_admin_headers
data:
resource_class: DISK_GB
@ -90,7 +135,9 @@ tests:
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
status: 201
response_headers:
location: $SCHEME://$NETLOC/resource_providers/$ENVIRON['RP_UUID2']/inventories/DISK_GB
- name: project member cannot create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
@ -131,9 +178,22 @@ tests:
allocation_ratio: 1.0
status: 403
- name: system admin can create an inventory
- name: system admin cannot create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: admin can create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *admin_headers
data:
resource_class: DISK_GB
total: 2048
@ -146,10 +206,25 @@ tests:
response_headers:
location: $SCHEME://$NETLOC/resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
- name: project admin cannot show inventory
- name: service can create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID1']/inventories
request_headers: *service_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 201
response_headers:
location: $SCHEME://$NETLOC/resource_providers/$ENVIRON['RP_UUID1']/inventories/DISK_GB
- name: project admin can show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *project_admin_headers
status: 403
status: 200
- name: project member cannot show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
@ -161,18 +236,28 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system reader can show inventory
- name: system reader cannot show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *system_reader_headers
status: 200
status: 403
- name: system admin can show inventory
- name: system admin cannot show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *system_admin_headers
status: 403
- name: admin can show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *admin_headers
status: 200
- name: project admin cannot update inventory
PUT: $LAST_URL
- name: service can show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *service_headers
status: 200
- name: project admin can update inventory
PUT: /resource_providers/$ENVIRON['RP_UUID2']/inventories/DISK_GB
request_headers: *project_admin_headers
data:
resource_provider_generation: 1
@ -182,7 +267,7 @@ tests:
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
status: 200
- name: project member cannot update inventory
PUT: $LAST_URL
@ -223,9 +308,22 @@ tests:
allocation_ratio: 1.0
status: 403
- name: system admin can update inventory
- name: system admin cannot update inventory
PUT: $LAST_URL
request_headers: *system_admin_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: admin can update inventory
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *admin_headers
data:
resource_provider_generation: 1
total: 2048
@ -236,8 +334,21 @@ tests:
allocation_ratio: 1.0
status: 200
- name: project admin cannot update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
- name: service can update inventory
PUT: /resource_providers/$ENVIRON['RP_UUID1']/inventories/DISK_GB
request_headers: *service_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 200
- name: project admin can update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID2']/inventories
request_headers: *project_admin_headers
data:
resource_provider_generation: 2
@ -251,7 +362,7 @@ tests:
allocation_ratio: 1.0
VCPU:
total: 8
status: 403
status: 200
- name: project member cannot update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
@ -304,9 +415,26 @@ tests:
total: 8
status: 403
- name: system admin can update all inventories
- name: system admin cannot update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 403
- name: admin can update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *admin_headers
data:
resource_provider_generation: 2
inventories:
@ -321,10 +449,27 @@ tests:
total: 8
status: 200
- name: project admin cannot delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
- name: service can update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID1']/inventories
request_headers: *service_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 200
- name: project admin can delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID2']/inventories/DISK_GB
request_headers: *project_admin_headers
status: 403
status: 204
- name: project member cannot delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
@ -341,15 +486,25 @@ tests:
request_headers: *system_reader_headers
status: 403
- name: system admin can delete a specific inventory
- name: system admin cannot delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *system_admin_headers
status: 403
- name: admin can delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *admin_headers
status: 204
- name: project admin cannot delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories
- name: service can delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID1']/inventories/DISK_GB
request_headers: *service_headers
status: 204
- name: project admin can delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID2']/inventories
request_headers: *project_admin_headers
status: 403
status: 204
- name: project member cannot delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories
@ -366,7 +521,17 @@ tests:
request_headers: *system_reader_headers
status: 403
- name: system admin can delete all inventory
- name: system admin cannot delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
status: 403
- name: admin can delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *admin_headers
status: 204
- name: service can delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID1']/inventories
request_headers: *service_headers
status: 204
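Review bot: The new `admin_headers` and `service_headers` blocks send the literal strings `admin_project_id` and `service_project_id` as `x-project-id`, so the `&admin_project_id` and `&service_project_id` anchors added just above them are never dereferenced in the lines shown. The expectations still pass, apparently because the new defaults match on role, but the two personas then carry a placeholder project instead of the fixture's value, which would mask a mistake in any check that compares project ids. I would write `x-project-id: *admin_project_id` and `x-project-id: *service_project_id`. The same two header blocks are repeated in the reshaper, resource class, resource provider and trait test files further down this page, and in the file after those.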


@ -4,6 +4,22 @@ fixtures:
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &admin_project_id $ENVIRON['ADMIN_PROJECT_ID']
- &service_project_id $ENVIRON['SERVICE_PROJECT_ID']
- &admin_headers
x-auth-token: user
x-roles: admin
x-project-id: admin_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &service_headers
x-auth-token: user
x-roles: service
x-project-id: service_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
@ -44,7 +60,7 @@ tests:
- name: create parent resource provider
POST: /resource_providers
request_headers: *system_admin_headers
request_headers: *admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
@ -52,7 +68,7 @@ tests:
- name: create inventory for the parent resource provider
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
request_headers: *admin_headers
data:
resource_class: DISK_GB
total: 2048
@ -65,7 +81,7 @@ tests:
- name: create a child provider
POST: /resource_providers
request_headers: *system_admin_headers
request_headers: *admin_headers
data:
uuid: 04914444-41ae-4ff3-ab56-ded01552cd1e
name: 636f2798-9599-4371-a3ed-e7b2128aef97
@ -148,9 +164,47 @@ tests:
allocations: {}
status: 403
- name: system admin can reshape
- name: system admin cannot reshape
POST: /reshaper
request_headers: *system_admin_headers
data:
inventories:
$ENVIRON['RP_UUID']:
resource_provider_generation: 1
inventories: {}
04914444-41ae-4ff3-ab56-ded01552cd1e:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
step_size: 10
min_unit: 10
max_unit: 1200
allocations: {}
status: 403
- name: admin cannot reshape
POST: /reshaper
request_headers: *admin_headers
data:
inventories:
$ENVIRON['RP_UUID']:
resource_provider_generation: 1
inventories: {}
04914444-41ae-4ff3-ab56-ded01552cd1e:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
step_size: 10
min_unit: 10
max_unit: 1200
allocations: {}
status: 403
- name: service can reshape
POST: /reshaper
request_headers: *service_headers
data:
inventories:
$ENVIRON['RP_UUID']:
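Review bot: `admin cannot reshape` is the only case in the hunks shown where the `admin_headers` persona is expected to receive 403, and nothing in the test says why. The commit message states that reshape is service role only, so a one-line comment above the test would keep a later reader from "correcting" it to 200: `# reshaper is limited to the service role; admin is denied on purpose`. The `service can reshape` test continues past the end of this hunk, so its expected status is not visible here.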


@ -4,6 +4,22 @@ fixtures:
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &admin_project_id $ENVIRON['ADMIN_PROJECT_ID']
- &service_project_id $ENVIRON['SERVICE_PROJECT_ID']
- &admin_headers
x-auth-token: user
x-roles: admin
x-project-id: admin_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &service_headers
x-auth-token: user
x-roles: service
x-project-id: service_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
@ -42,10 +58,11 @@ vars:
tests:
- name: project admin cannot list resource classes
- name: project admin can list resource classes
GET: /resource_classes
request_headers: *project_admin_headers
status: 403
response_json_paths:
$.resource_classes.`len`: 21 # Number of standard resource classes
- name: project member cannot list resource classes
GET: /resource_classes
@ -57,24 +74,54 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system reader can list resource classes
- name: system reader cannot list resource classes
GET: /resource_classes
request_headers: *system_reader_headers
response_json_paths:
$.resource_classes.`len`: 21 # Number of standard resource classes
status: 403
- name: system admin can list resource classes
- name: system admin cannot list resource classes
GET: /resource_classes
request_headers: *system_admin_headers
status: 403
- name: admin can list resource classes
GET: /resource_classes
request_headers: *admin_headers
response_json_paths:
$.resource_classes.`len`: 21 # Number of standard resource classes
- name: project admin cannot create resource classes
- name: service can list resource classes
GET: /resource_classes
request_headers: *service_headers
response_json_paths:
$.resource_classes.`len`: 21 # Number of standard resource classes
- name: admin can create resource classes
POST: /resource_classes
request_headers: *admin_headers
data:
name: CUSTOM_RES_CLASS_POLICY
status: 201
response_headers:
location: //resource_classes/CUSTOM_RES_CLASS_POLICY/
- name: service can create resource classes
POST: /resource_classes
request_headers: *service_headers
data:
name: CUSTOM_RES_CLASS_POLICY1
status: 201
response_headers:
location: //resource_classes/CUSTOM_RES_CLASS_POLICY1/
- name: project admin can create resource classes
POST: /resource_classes
request_headers: *project_admin_headers
data:
name: CUSTOM_RES_CLASS_POLICY
status: 403
name: CUSTOM_RES_CLASS_POLICY2
status: 201
response_headers:
location: //resource_classes/CUSTOM_RES_CLASS_POLICY2/
- name: project member cannot create resource classes
POST: /resource_classes
@ -97,19 +144,18 @@ tests:
name: CUSTOM_RES_CLASS_POLICY
status: 403
- name: system admin can create resource classes
- name: system admin cannot create resource classes
POST: /resource_classes
request_headers: *system_admin_headers
data:
name: CUSTOM_RES_CLASS_POLICY
status: 201
response_headers:
location: //resource_classes/CUSTOM_RES_CLASS_POLICY/
status: 403
- name: project admin cannot show resource class
- name: project admin can show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *project_admin_headers
status: 403
response_json_paths:
$.name: CUSTOM_RES_CLASS_POLICY
- name: project member cannot show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
@ -121,22 +167,42 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system reader can show resource class
- name: system reader cannot show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *system_reader_headers
response_json_paths:
$.name: CUSTOM_RES_CLASS_POLICY
status: 403
- name: system admin can show resource class
- name: system admin cannot show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *system_admin_headers
status: 403
- name: admin can show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *admin_headers
response_json_paths:
$.name: CUSTOM_RES_CLASS_POLICY
- name: project admin cannot update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
- name: service can show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *service_headers
response_json_paths:
$.name: CUSTOM_RES_CLASS_POLICY
- name: project admin can update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY2
request_headers: *project_admin_headers
status: 403
status: 201
- name: admin can update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *admin_headers
status: 201
- name: service can update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY1
request_headers: *service_headers
status: 201
- name: project member cannot update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
@ -156,13 +222,13 @@ tests:
- name: system admin cannot update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *system_admin_headers
status: 201
- name: project admin cannot delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_admin_headers
status: 403
- name: project admin can delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY2
request_headers: *project_admin_headers
status: 204
- name: project member cannot delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_member_headers
@ -181,4 +247,14 @@ tests:
- name: system admin cannot delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *system_admin_headers
status: 403
- name: admin can delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *admin_headers
status: 204
- name: service can delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY1
request_headers: *service_headers
status: 204


@ -48,11 +48,10 @@ tests:
response_json_paths:
$.resource_providers: []
- name: system reader can list resource providers
- name: system reader cannot list resource providers
GET: /resource_providers
request_headers: *system_reader_headers
response_json_paths:
$.resource_providers: []
status: 403
- name: project admin can list resource providers
GET: /resource_providers
@ -124,11 +123,10 @@ tests:
response_json_paths:
$.uuid: $ENVIRON['RP_UUID']
- name: system reader can show resource provider
- name: system reader cannot show resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *system_reader_headers
response_json_paths:
$.uuid: $ENVIRON['RP_UUID']
status: 403
- name: project admin can show resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']


@ -4,6 +4,22 @@ fixtures:
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &admin_project_id $ENVIRON['ADMIN_PROJECT_ID']
- &service_project_id $ENVIRON['SERVICE_PROJECT_ID']
- &admin_headers
x-auth-token: user
x-roles: admin
x-project-id: admin_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &service_headers
x-auth-token: user
x-roles: service
x-project-id: service_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
@ -42,22 +58,33 @@ vars:
tests:
- name: system admin can list resource providers
- name: admin can list resource providers
GET: /resource_providers
request_headers: *admin_headers
response_json_paths:
$.resource_providers: []
- name: service can list resource providers
GET: /resource_providers
request_headers: *service_headers
response_json_paths:
$.resource_providers: []
- name: system admin cannot list resource providers
GET: /resource_providers
request_headers: *system_admin_headers
response_json_paths:
$.resource_providers: []
status: 403
- name: system reader can list resource providers
- name: system reader cannot list resource providers
GET: /resource_providers
request_headers: *system_reader_headers
response_json_paths:
$.resource_providers: []
status: 403
- name: project admin cannot list resource providers
- name: project admin can list resource providers
GET: /resource_providers
request_headers: *project_admin_headers
status: 403
response_json_paths:
$.resource_providers: []
- name: project member cannot list resource providers
GET: /resource_providers
@ -69,9 +96,9 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system admin can create resource providers
- name: admin can create resource providers
POST: /resource_providers
request_headers: *system_admin_headers
request_headers: *admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
@ -79,6 +106,24 @@ tests:
response_json_paths:
$.uuid: $ENVIRON['RP_UUID']
- name: service can create resource providers
POST: /resource_providers
request_headers: *service_headers
data:
name: $ENVIRON['RP_NAME1']
uuid: $ENVIRON['RP_UUID1']
status: 200
response_json_paths:
$.uuid: $ENVIRON['RP_UUID1']
- name: system admin cannot create resource providers
POST: /resource_providers
request_headers: *system_admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 403
- name: system reader cannot create resource providers
POST: /resource_providers
request_headers: *system_reader_headers
@ -87,13 +132,15 @@ tests:
uuid: $ENVIRON['RP_UUID']
status: 403
- name: project admin cannot create resource providers
- name: project admin can create resource providers
POST: /resource_providers
request_headers: *project_admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 403
name: $ENVIRON['RP_NAME2']
uuid: $ENVIRON['RP_UUID2']
status: 200
response_json_paths:
$.uuid: $ENVIRON['RP_UUID2']
- name: project member cannot create resource providers
POST: /resource_providers
@ -111,22 +158,33 @@ tests:
uuid: $ENVIRON['RP_UUID']
status: 403
- name: system admin can show resource provider
- name: admin can show resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *admin_headers
response_json_paths:
$.uuid: $ENVIRON['RP_UUID']
- name: service can show resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *service_headers
response_json_paths:
$.uuid: $ENVIRON['RP_UUID']
- name: system admin cannot show resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *system_admin_headers
response_json_paths:
$.uuid: $ENVIRON['RP_UUID']
status: 403
- name: system reader can show resource provider
- name: system reader cannot show resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *system_reader_headers
response_json_paths:
$.uuid: $ENVIRON['RP_UUID']
status: 403
- name: project admin cannot show resource provider
- name: project admin can show resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *project_admin_headers
status: 403
response_json_paths:
$.uuid: $ENVIRON['RP_UUID']
- name: project member cannot show resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']
@ -138,9 +196,9 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system admin can update resource provider
- name: admin can update resource provider
PUT: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *system_admin_headers
request_headers: *admin_headers
data:
name: new name
status: 200
@ -148,6 +206,23 @@ tests:
$.name: new name
$.uuid: $ENVIRON['RP_UUID']
- name: service can update resource provider
PUT: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *service_headers
data:
name: new name2
status: 200
response_json_paths:
$.name: new name2
$.uuid: $ENVIRON['RP_UUID']
- name: system admin cannot update resource provider
PUT: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *system_admin_headers
data:
name: new name
status: 403
- name: system reader cannot update resource provider
PUT: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *system_reader_headers
@ -155,12 +230,15 @@ tests:
name: new name
status: 403
- name: project admin cannot update resource provider
- name: project admin can update resource provider
PUT: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *project_admin_headers
data:
name: new name
status: 403
name: new name3
status: 200
response_json_paths:
$.name: new name3
$.uuid: $ENVIRON['RP_UUID']
- name: project member cannot update resource provider
PUT: /resource_providers/$ENVIRON['RP_UUID']
@ -181,10 +259,10 @@ tests:
request_headers: *system_reader_headers
status: 403
- name: project admin cannot delete resource provider
DELETE: /resource_providers/$ENVIRON['RP_UUID']
- name: project admin can delete resource provider
DELETE: /resource_providers/$ENVIRON['RP_UUID2']
request_headers: *project_admin_headers
status: 403
status: 204
- name: project member cannot delete resource provider
DELETE: /resource_providers/$ENVIRON['RP_UUID']
@ -196,7 +274,17 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system admin can delete resource provider
- name: system admin cannot delete resource provider
DELETE: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *system_admin_headers
status: 403
- name: admin can delete resource provider
DELETE: /resource_providers/$ENVIRON['RP_UUID']
request_headers: *admin_headers
status: 204
- name: service can delete resource provider
DELETE: /resource_providers/$ENVIRON['RP_UUID1']
request_headers: *service_headers
status: 204
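Review bot: `project admin can update resource provider` renames `$ENVIRON['RP_UUID']`, the provider created with `admin_headers`, rather than the `RP_UUID2` provider that the project admin persona created itself, and `service can update resource provider` targets the same `RP_UUID`. Together with the expectations flipped from 403 to 200/204, the file now records that these personas may modify a provider created by a different persona (the `project_admin_headers` definition is outside the hunks, so its project is presumed to differ). If that is the intended reading of admin_or_service, a comment at the top of the `tests:` list would make it explicit, for example `# providers are not project-owned: admin on any project and service may manage all of them`. If it is not intended, the project admin update and show cases should target `RP_UUID2`, and the file lacks a case that expects 403 for a provider belonging to another project.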


@ -4,6 +4,22 @@ fixtures:
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &admin_project_id $ENVIRON['ADMIN_PROJECT_ID']
- &service_project_id $ENVIRON['SERVICE_PROJECT_ID']
- &admin_headers
x-auth-token: user
x-roles: admin
x-project-id: admin_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &service_headers
x-auth-token: user
x-roles: service
x-project-id: service_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
@ -42,10 +58,20 @@ vars:
tests:
- name: project admin cannot list traits
- name: admin can list traits
GET: /traits
request_headers: *admin_headers
status: 200
- name: service can list traits
GET: /traits
request_headers: *service_headers
status: 200
- name: project admin can list traits
GET: /traits
request_headers: *project_admin_headers
status: 403
status: 200
- name: project member cannot list traits
GET: /traits
@ -57,21 +83,31 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system reader can list traits
- name: system reader cannot list traits
GET: /traits
request_headers: *system_reader_headers
status: 200
status: 403
- name: system admin can list traits
- name: system admin cannot list traits
GET: /traits
request_headers: *system_admin_headers
status: 200
- name: project admin cannot create trait
PUT: /traits/CUSTOM_TRAIT_X
request_headers: *project_admin_headers
status: 403
- name: admin can create trait
PUT: /traits/CUSTOM_TRAIT_X
request_headers: *admin_headers
status: 201
- name: service can create trait
PUT: /traits/CUSTOM_TRAIT_X1
request_headers: *service_headers
status: 201
- name: project admin can create trait
PUT: /traits/CUSTOM_TRAIT_X2
request_headers: *project_admin_headers
status: 201
- name: project member cannot create trait
PUT: /traits/CUSTOM_TRAIT_X
request_headers: *project_member_headers
@ -87,15 +123,25 @@ tests:
request_headers: *system_reader_headers
status: 403
- name: system admin can create trait
- name: system admin cannot create trait
PUT: /traits/CUSTOM_TRAIT_X
request_headers: *system_admin_headers
status: 201
status: 403
- name: project admin cannot show trait
- name: admin can show trait
GET: /traits/CUSTOM_TRAIT_X
request_headers: *admin_headers
status: 204
- name: service can show trait
GET: /traits/CUSTOM_TRAIT_X
request_headers: *service_headers
status: 204
- name: project admin can show trait
GET: /traits/CUSTOM_TRAIT_X
request_headers: *project_admin_headers
status: 403
status: 204
- name: project member cannot show trait
GET: /traits/CUSTOM_TRAIT_X
@ -107,28 +153,54 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system reader can show trait
- name: system reader cannot show trait
GET: /traits/CUSTOM_TRAIT_X
request_headers: *system_reader_headers
status: 204
status: 403
- name: system admin can show trait
- name: system admin cannot show trait
GET: /traits/CUSTOM_TRAIT_X
request_headers: *system_admin_headers
status: 204
status: 403
- name: system admin can create resource provider
- name: admin can create resource provider
POST: /resource_providers
request_headers: *system_admin_headers
request_headers: *admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 200
- name: project admin cannot list resource provider traits
- name: service can create resource providers
POST: /resource_providers
request_headers: *service_headers
data:
name: $ENVIRON['RP_NAME1']
uuid: $ENVIRON['RP_UUID1']
status: 200
- name: project admin can create resource providers
POST: /resource_providers
request_headers: *project_admin_headers
data:
name: $ENVIRON['RP_NAME2']
uuid: $ENVIRON['RP_UUID2']
status: 200
- name: admin can list resource provider traits
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
request_headers: *admin_headers
status: 200
- name: service can list resource provider traits
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
request_headers: *service_headers
status: 200
- name: project admin can list resource provider traits
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
request_headers: *project_admin_headers
status: 403
status: 200
- name: project member cannot list resource provider traits
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
@ -140,23 +212,23 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system reader can list resource provider traits
- name: system reader cannot list resource provider traits
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
request_headers: *system_reader_headers
status: 200
status: 403
- name: system admin can list resource provider traits
- name: system admin cannot list resource provider traits
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
request_headers: *system_admin_headers
status: 200
- name: project admin cannot update resource provider traits
PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
request_headers: *project_admin_headers
status: 403
- name: project admin can update resource provider traits
PUT: /resource_providers/$ENVIRON['RP_UUID2']/traits
request_headers: *project_admin_headers
status: 200
data:
traits:
- CUSTOM_TRAIT_X
- CUSTOM_TRAIT_X2
resource_provider_generation: 0
- name: project member cannot update resource provider traits
@ -186,19 +258,37 @@ tests:
- CUSTOM_TRAIT_X
resource_provider_generation: 0
- name: system admin can update resource provider traits
- name: system admin cannot update resource provider traits
PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
request_headers: *system_admin_headers
status: 403
data:
traits:
- CUSTOM_TRAIT_X
resource_provider_generation: 0
- name: admin can update resource provider traits
PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
request_headers: *admin_headers
status: 200
data:
traits:
- CUSTOM_TRAIT_X
resource_provider_generation: 0
- name: project admin cannot delete resource provider traits
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
- name: service can update resource provider traits
PUT: /resource_providers/$ENVIRON['RP_UUID1']/traits
request_headers: *service_headers
status: 200
data:
traits:
- CUSTOM_TRAIT_X1
resource_provider_generation: 0
- name: project admin can delete resource provider traits
DELETE: /resource_providers/$ENVIRON['RP_UUID2']/traits
request_headers: *project_admin_headers
status: 403
status: 204
- name: project member cannot delete resource provider traits
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
@ -215,15 +305,25 @@ tests:
request_headers: *system_reader_headers
status: 403
- name: system admin can delete resource provider traits
- name: system admin cannot delete resource provider traits
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
request_headers: *system_admin_headers
status: 403
- name: admin can delete resource provider traits
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
request_headers: *admin_headers
status: 204
- name: project admin cannot delete trait
DELETE: /traits/CUSTOM_TRAIT_X
- name: service can delete resource provider traits
DELETE: /resource_providers/$ENVIRON['RP_UUID1']/traits
request_headers: *service_headers
status: 204
- name: project admin can delete trait
DELETE: /traits/CUSTOM_TRAIT_X2
request_headers: *project_admin_headers
status: 403
status: 204
- name: project member cannot delete trait
DELETE: /traits/CUSTOM_TRAIT_X
@ -243,4 +343,14 @@ tests:
- name: system admin cannot delete trait
DELETE: /traits/CUSTOM_TRAIT_X
request_headers: *system_admin_headers
status: 403
- name: admin can delete trait
DELETE: /traits/CUSTOM_TRAIT_X
request_headers: *admin_headers
status: 204
- name: service can delete trait
DELETE: /traits/CUSTOM_TRAIT_X1
request_headers: *service_headers
status: 204


@ -5,6 +5,22 @@ fixtures:
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &project_id_alt $ENVIRON['PROJECT_ID_ALT']
- &admin_project_id $ENVIRON['ADMIN_PROJECT_ID']
- &service_project_id $ENVIRON['SERVICE_PROJECT_ID']
- &admin_headers
x-auth-token: user
x-roles: admin
x-project-id: admin_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &service_headers
x-auth-token: user
x-roles: service
x-project-id: service_project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
@ -64,18 +80,34 @@ vars:
tests:
- name: system admin can create resource provider
- name: admin can create resource provider
POST: /resource_providers
request_headers: *system_admin_headers
request_headers: *admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 200
- name: project admin cannot list provider usage
- name: project admin can list provider usage
GET: /resource_providers/$ENVIRON['RP_UUID']/usages
request_headers: *project_admin_headers
status: 403
status: 200
response_json_paths:
usages: {}
- name: admin can list provider usage
GET: /resource_providers/$ENVIRON['RP_UUID']/usages
request_headers: *admin_headers
status: 200
response_json_paths:
usages: {}
- name: service can list provider usage
GET: /resource_providers/$ENVIRON['RP_UUID']/usages
request_headers: *service_headers
status: 200
response_json_paths:
usages: {}
- name: project member cannot list provider usage
GET: /resource_providers/$ENVIRON['RP_UUID']/usages
@ -87,19 +119,15 @@ tests:
request_headers: *project_reader_headers
status: 403
- name: system reader can list provider usage
- name: system reader cannot list provider usage
GET: /resource_providers/$ENVIRON['RP_UUID']/usages
request_headers: *system_reader_headers
status: 200
response_json_paths:
usages: {}
status: 403
- name: system admin can list provider usage
- name: system admin cannot list provider usage
GET: /resource_providers/$ENVIRON['RP_UUID']/usages
request_headers: *system_admin_headers
status: 200
response_json_paths:
usages: {}
status: 403
- name: project admin can get total usage for project
GET: /usages?project_id=$ENVIRON['PROJECT_ID']
@ -124,10 +152,22 @@ tests:
# Make sure users from other projects can't snoop around for usage on projects
# they have no business knowing about.
- name: project admin cannot get total usage for unauthorized project
- name: project member cannot get total usage for unauthorized project
GET: /usages?project_id=$ENVIRON['PROJECT_ID']
request_headers: *alt_project_member_headers
status: 403
- name: project reader cannot get total usage for unauthorized project
GET: /usages?project_id=$ENVIRON['PROJECT_ID']
request_headers: *alt_project_reader_headers
status: 403
# Admin in any project(legacy admin) will be able to get usage on other
# projects.
- name: admin can get total usage for other project
GET: /usages?project_id=$ENVIRON['PROJECT_ID']
request_headers: *alt_project_admin_headers
status: 403
status: 200
- name: project member cannot get total usage for unauthorized project
GET: /usages?project_id=$ENVIRON['PROJECT_ID']
@ -139,16 +179,26 @@ tests:
request_headers: *alt_project_reader_headers
status: 403
- name: system reader can get total usage for project
- name: admin can get total usage for project
GET: /usages?project_id=$ENVIRON['PROJECT_ID']
request_headers: *system_reader_headers
request_headers: *admin_headers
status: 200
response_json_paths:
usages: {}
- name: system admin can get total usage for project
- name: service can get total usage for project
GET: /usages?project_id=$ENVIRON['PROJECT_ID']
request_headers: *system_admin_headers
request_headers: *service_headers
status: 200
response_json_paths:
usages: {}
- name: system reader cannot get total usage for project
GET: /usages?project_id=$ENVIRON['PROJECT_ID']
request_headers: *system_reader_headers
status: 403
- name: system admin cannot get total usage for project
GET: /usages?project_id=$ENVIRON['PROJECT_ID']
request_headers: *system_admin_headers
status: 403
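Review bot: The new `admin_headers` and `service_headers` blocks in the first hunk set `x-project-id` to the bare strings `admin_project_id` and `service_project_id`, so the `&admin_project_id` and `&service_project_id` anchors added just above them are never dereferenced there. The requests are therefore sent with a literal placeholder as the project id rather than the value of `$ENVIRON['ADMIN_PROJECT_ID']` or `$ENVIRON['SERVICE_PROJECT_ID']`; the alias form would be `x-project-id: *admin_project_id` and `x-project-id: *service_project_id`. The role-only checks exercised in this file presumably pass either way, which is why the slip goes unnoticed, but any later rule that compares the token's project with the target project would be tested against a string that is not a real project. The other header blocks lie outside the visible hunk, so whether they use the alias form cannot be confirmed from here.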


@ -0,0 +1,38 @@
---
features:
- |
The Placement policies have been modified to drop the system scope. Every
API policy is scoped to project. This means that system scoped users
will get 403 permission denied error.
Currently, Placement supports the following default roles:
* ``admin`` (Legacy admin)
* ``service``
* ``project reader`` (for project resource usage)
For the details on what changed from the existing policy, please refer
to the `RBAC new guidelines`_. We have implemented phase-1 and phase-2
of the `RBAC new guidelines`_.
Currently, scope checks and new defaults are disabled by default. You can
enable them by switching the below config option in ``placement.conf``
file::
[oslo_policy]
enforce_new_defaults=True
enforce_scope=True
upgrade:
- |
All the placement policies have been dropped the system scope and they
are now project scoped only. The scope of policy is not overridable in
policy.yaml. If you have enabled the scope enforcement and using system
scope token to access placement APIs, you need to switch to the project
scope token. Enforce scope is not enabled by default but it will be enabled
by default in the future release. The old defaults are deprecated but
enforced by default which will be removed in the future release.
``placement:reshaper:reshape`` policy default has been changed to
``service`` role only.
.. _`RBAC new guidelines`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html