diff --git a/placement/policies/reshaper.py b/placement/policies/reshaper.py index e66951196..4ba3fb0e8 100644 --- a/placement/policies/reshaper.py +++ b/placement/policies/reshaper.py @@ -11,6 +11,7 @@ # under the License. +from oslo_log import versionutils from oslo_policy import policy from placement.policies import base @@ -19,10 +20,19 @@ from placement.policies import base PREFIX = 'placement:reshaper:%s' RESHAPE = PREFIX % 'reshape' +deprecated_reshape = policy.DeprecatedRule( + name=RESHAPE, + check_str=base.RULE_ADMIN_API, +) + +DEPRECATED_REASON = """ +The reshape API now supports scoped rule by default. +""" + rules = [ policy.DocumentedRuleDefault( RESHAPE, - base.RULE_ADMIN_API, + base.SYSTEM_ADMIN, "Reshape Inventory and Allocations.", [ { @@ -30,7 +40,11 @@ rules = [ 'path': '/reshaper' } ], - scope_types=['system']), + scope_types=['system'], + deprecated_rule=deprecated_reshape, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY, + ), ] diff --git a/placement/tests/functional/gabbits/reshaper-legacy-rbac.yaml b/placement/tests/functional/gabbits/reshaper-legacy-rbac.yaml new file mode 100644 index 000000000..022bf4c5b --- /dev/null +++ b/placement/tests/functional/gabbits/reshaper-legacy-rbac.yaml 
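Review bot: `DEPRECATED_REASON` in the second hunk of reshaper.py does not tell an operator what actually changes for them. Because the third hunk attaches `deprecated_rule=deprecated_reshape`, oslo.policy will normally keep honouring the old `base.RULE_ADMIN_API` check alongside `base.SYSTEM_ADMIN` until `[oslo_policy] enforce_new_defaults` is turned on, and `scope_types=['system']` only rejects project-scoped tokens once `enforce_scope` is on. Neither constant's definition is visible in this diff, so confirm the exact check strings in `base.py`. I would reword the reason along the lines of `The reshape API now defaults to a system-scoped admin check; the previous admin-role rule remains in effect until enforce_new_defaults is enabled.`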
@@ -0,0 +1,90 @@
+---
+fixtures:
+ - LegacyRBACPolicyFixture
+
+vars:
+ - &project_id $ENVIRON['PROJECT_ID']
+ - &project_admin_headers
+ x-auth-token: user
+ x-roles: admin,member,reader
+ x-project-id: *project_id
+ accept: application/json
+ content-type: application/json
+ openstack-api-version: placement latest
+ - &project_member_headers
+ x-auth-token: user
+ x-roles: member,reader
+ x-project-id: *project_id
+ accept: application/json
+ content-type: application/json
+ openstack-api-version: placement latest
+
+tests:
+
+- name: create parent resource provider
+ POST: /resource_providers
+ request_headers: *project_admin_headers
+ data:
+ name: $ENVIRON['RP_NAME']
+ uuid: $ENVIRON['RP_UUID']
+ status: 200
+
+- name: create inventory for the parent resource provider
+ POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
+ request_headers: *project_admin_headers
+ data:
+ resource_class: DISK_GB
+ total: 2048
+ reserved: 512
+ min_unit: 10
+ max_unit: 1024
+ step_size: 10
+ allocation_ratio: 1.0
+ status: 201
+
+- name: create a child provider
+ POST: /resource_providers
+ request_headers: *project_admin_headers
+ data:
+ uuid: 04914444-41ae-4ff3-ab56-ded01552cd1e
+ name: 636f2798-9599-4371-a3ed-e7b2128aef97
+ parent_provider_uuid: $ENVIRON['RP_UUID']
+ status: 200
+
+- name: project member cannot reshape
+ POST: /reshaper
+ request_headers: *project_member_headers
+ data:
+ inventories:
+ $ENVIRON['RP_UUID']:
+ resource_provider_generation: 1
+ inventories: []
+ 04914444-41ae-4ff3-ab56-ded01552cd1e:
+ resource_provider_generation: 0
+ inventories:
+ DISK_GB:
+ total: 2048
+ step_size: 10
+ min_unit: 10
+ max_unit: 1200
+ allocations: {}
+ status: 403
+
+- name: project admin can reshape
+ POST: /reshaper
+ request_headers: *project_admin_headers
+ data:
+ inventories:
+ $ENVIRON['RP_UUID']:
+ resource_provider_generation: 1
+ inventories: {}
+ 04914444-41ae-4ff3-ab56-ded01552cd1e:
+ resource_provider_generation: 0
+ inventories:
+ DISK_GB:
+ total: 2048
+ step_size: 10
+ min_unit: 10
+ max_unit: 1200
+ allocations: {}
+ status: 204
diff --git a/placement/tests/functional/gabbits/reshaper-secure-rbac.yaml b/placement/tests/functional/gabbits/reshaper-secure-rbac.yaml
new file mode 100644
index 000000000..e5b1da5b0
--- /dev/null
+++ b/placement/tests/functional/gabbits/reshaper-secure-rbac.yaml
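Review bot: The denied and allowed reshape requests in reshaper-legacy-rbac.yaml do not send the same body: `project member cannot reshape` posts `inventories: []` for the parent provider, while `project admin can reshape` posts `inventories: {}`. The `status: 403` assertion still pins the policy outcome, but a negative authorization test is easier to trust when the credentials are the only variable, so I would use `inventories: {}` in both. The same mismatch appears in reshaper-secure-rbac.yaml in the project reader, project member and system reader cases.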
@@ -0,0 +1,168 @@
+---
+fixtures:
+ - SecureRBACPolicyFixture
+
+vars:
+ - &project_id $ENVIRON['PROJECT_ID']
+ - &system_admin_headers
+ x-auth-token: user
+ x-roles: admin,member,reader
+ accept: application/json
+ content-type: application/json
+ openstack-api-version: placement latest
+ openstack-system-scope: all
+ - &system_reader_headers
+ x-auth-token: user
+ x-roles: reader
+ accept: application/json
+ content-type: application/json
+ openstack-api-version: placement latest
+ openstack-system-scope: all
+ - &project_admin_headers
+ x-auth-token: user
+ x-roles: admin,member,reader
+ x-project-id: *project_id
+ accept: application/json
+ content-type: application/json
+ openstack-api-version: placement latest
+ - &project_member_headers
+ x-auth-token: user
+ x-roles: member,reader
+ x-project-id: *project_id
+ accept: application/json
+ content-type: application/json
+ openstack-api-version: placement latest
+ - &project_reader_headers
+ x-auth-token: user
+ x-roles: reader
+ x-project-id: *project_id
+ accept: application/json
+ content-type: application/json
+ openstack-api-version: placement latest
+
+tests:
+
+- name: create parent resource provider
+ POST: /resource_providers
+ request_headers: *system_admin_headers
+ data:
+ name: $ENVIRON['RP_NAME']
+ uuid: $ENVIRON['RP_UUID']
+ status: 200
+
+- name: create inventory for the parent resource provider
+ POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
+ request_headers: *system_admin_headers
+ data:
+ resource_class: DISK_GB
+ total: 2048
+ reserved: 512
+ min_unit: 10
+ max_unit: 1024
+ step_size: 10
+ allocation_ratio: 1.0
+ status: 201
+
+- name: create a child provider
+ POST: /resource_providers
+ request_headers: *system_admin_headers
+ data:
+ uuid: 04914444-41ae-4ff3-ab56-ded01552cd1e
+ name: 636f2798-9599-4371-a3ed-e7b2128aef97
+ parent_provider_uuid: $ENVIRON['RP_UUID']
+ status: 200
+
+- name: project reader cannot reshape
+ POST: /reshaper
+ request_headers:
*project_reader_headers
+ data:
+ inventories:
+ $ENVIRON['RP_UUID']:
+ resource_provider_generation: 1
+ inventories: []
+ 04914444-41ae-4ff3-ab56-ded01552cd1e:
+ resource_provider_generation: 0
+ inventories:
+ DISK_GB:
+ total: 2048
+ step_size: 10
+ min_unit: 10
+ max_unit: 1200
+ allocations: {}
+ status: 403
+
+- name: project member cannot reshape
+ POST: /reshaper
+ request_headers: *project_member_headers
+ data:
+ inventories:
+ $ENVIRON['RP_UUID']:
+ resource_provider_generation: 1
+ inventories: []
+ 04914444-41ae-4ff3-ab56-ded01552cd1e:
+ resource_provider_generation: 0
+ inventories:
+ DISK_GB:
+ total: 2048
+ step_size: 10
+ min_unit: 10
+ max_unit: 1200
+ allocations: {}
+ status: 403
+
+- name: project admin cannot reshape
+ POST: /reshaper
+ request_headers: *project_admin_headers
+ data:
+ inventories:
+ $ENVIRON['RP_UUID']:
+ resource_provider_generation: 1
+ inventories: {}
+ 04914444-41ae-4ff3-ab56-ded01552cd1e:
+ resource_provider_generation: 0
+ inventories:
+ DISK_GB:
+ total: 2048
+ step_size: 10
+ min_unit: 10
+ max_unit: 1200
+ allocations: {}
+ status: 403
+
+- name: system reader cannot reshape
+ POST: /reshaper
+ request_headers: *system_reader_headers
+ data:
+ inventories:
+ $ENVIRON['RP_UUID']:
+ resource_provider_generation: 1
+ inventories: []
+ 04914444-41ae-4ff3-ab56-ded01552cd1e:
+ resource_provider_generation: 0
+ inventories:
+ DISK_GB:
+ total: 2048
+ step_size: 10
+ min_unit: 10
+ max_unit: 1200
+ allocations: {}
+ status: 403
+
+- name: system admin can reshape
+ POST: /reshaper
+ request_headers: *system_admin_headers
+ data:
+ inventories:
+ $ENVIRON['RP_UUID']:
+ resource_provider_generation: 1
+ inventories: {}
+ 04914444-41ae-4ff3-ab56-ded01552cd1e:
+ resource_provider_generation: 0
+ inventories:
+ DISK_GB:
+ total: 2048
+ step_size: 10
+ min_unit: 10
+ max_unit: 1200
+ allocations: {}
+ status: 204
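Review bot: The secure-RBAC matrix in reshaper-secure-rbac.yaml has no system-scoped member case. `vars` defines system admin and system reader headers but nothing combining `x-roles: member,reader` with `openstack-system-scope: all`, so the new `base.SYSTEM_ADMIN` default is never exercised against that persona. I would add a header anchor and a denial test placed before `system admin can reshape`, since that last case presumably changes the provider generations the earlier bodies rely on. The expected 403 assumes `SYSTEM_ADMIN` requires the admin role, which this diff does not show, and the indentation in the sketch below is reconstructed because the page lost it.

```yaml
# … unchanged: existing header anchors under vars …
  - &system_member_headers
    x-auth-token: user
    x-roles: member,reader
    accept: application/json
    content-type: application/json
    openstack-api-version: placement latest
    openstack-system-scope: all

# … unchanged: provider setup and the other "cannot reshape" cases …
- name: system member cannot reshape
  POST: /reshaper
  request_headers: *system_member_headers
  data:
    inventories:
      $ENVIRON['RP_UUID']:
        resource_provider_generation: 1
        inventories: {}
      04914444-41ae-4ff3-ab56-ded01552cd1e:
        resource_provider_generation: 0
        inventories:
          DISK_GB:
            total: 2048
            step_size: 10
            min_unit: 10
            max_unit: 1200
    allocations: {}
  status: 403
# … unchanged: system admin can reshape …
```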