openstack
/
placement
Code Issues Proposed changes

Merge "Implement secure RBAC for allocations"

This commit is contained in:
Zuul 2021-02-03 18:39:00 +00:00 committed by Gerrit Code Review
parent d67116a56c b8e648f13a
commit ca3dcb008d
3 changed files with 631 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
placement/policies/allocation.py
View File

@ -11,6 +11,7 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -24,66 +25,107 @@ ALLOC_MANAGE = ALLOC_PREFIX % 'manage'
ALLOC_UPDATE = ALLOC_PREFIX % 'update'
ALLOC_DELETE = ALLOC_PREFIX % 'delete'
DEPRECATED_REASON = """
The allocation API now supports read-only roles by default.
"""
deprecated_manage_allocations = policy.DeprecatedRule(
name=ALLOC_MANAGE,
check_str=base.RULE_ADMIN_API
)
deprecated_list_allocation = policy.DeprecatedRule(
name=ALLOC_LIST,
check_str=base.RULE_ADMIN_API
)
deprecated_update_allocation = policy.DeprecatedRule(
name=ALLOC_UPDATE,
check_str=base.RULE_ADMIN_API
)
deprecated_delete_allocation = policy.DeprecatedRule(
name=ALLOC_DELETE,
check_str=base.RULE_ADMIN_API
)
deprecated_list_resource_provider_allocations = policy.DeprecatedRule(
name=RP_ALLOC_LIST,
check_str=base.RULE_ADMIN_API,
)
rules = [
policy.DocumentedRuleDefault(
ALLOC_MANAGE,
base.RULE_ADMIN_API,
"Manage allocations.",
[
name=ALLOC_MANAGE,
check_str=base.SYSTEM_ADMIN,
description="Manage allocations.",
operations=[
{
'method': 'POST',
'path': '/allocations'
}
],
scope_types=['system'],
deprecated_rule=deprecated_manage_allocations,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
ALLOC_LIST,
base.RULE_ADMIN_API,
"List allocations.",
[
name=ALLOC_LIST,
check_str=base.SYSTEM_READER,
description="List allocations.",
operations=[
{
'method': 'GET',
'path': '/allocations/{consumer_uuid}'
}
],
scope_types=['system']
scope_types=['system'],
deprecated_rule=deprecated_list_allocation,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
ALLOC_UPDATE,
base.RULE_ADMIN_API,
"Update allocations.",
[
name=ALLOC_UPDATE,
check_str=base.SYSTEM_ADMIN,
description="Update allocations.",
operations=[
{
'method': 'PUT',
'path': '/allocations/{consumer_uuid}'
}
],
scope_types=['system'],
deprecated_rule=deprecated_update_allocation,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
ALLOC_DELETE,
base.RULE_ADMIN_API,
"Delete allocations.",
[
name=ALLOC_DELETE,
check_str=base.SYSTEM_ADMIN,
description="Delete allocations.",
operations=[
{
'method': 'DELETE',
'path': '/allocations/{consumer_uuid}'
}
],
scope_types=['system'],
deprecated_rule=deprecated_delete_allocation,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
RP_ALLOC_LIST,
base.RULE_ADMIN_API,
"List resource provider allocations.",
[
name=RP_ALLOC_LIST,
check_str=base.SYSTEM_READER,
description="List resource provider allocations.",
operations=[
{
'method': 'GET',
'path': '/resource_providers/{uuid}/allocations'
}
],
scope_types=['system'],
deprecated_rule=deprecated_list_resource_provider_allocations,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
]

283
placement/tests/functional/gabbits/allocations-legacy-rbac.yaml Normal file
View File

@ -0,0 +1,283 @@
---
# Test the CRUD operations on /resource_providers/{uuid}/aggregates* using a
# system administrator context.
fixtures:
- LegacyRBACPolicyFixture
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &system_reader_headers
x-auth-token: user
x-roles: reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &project_admin_headers
x-auth-token: user
x-roles: admin,member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_member_headers
x-auth-token: user
x-roles: member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_reader_headers
x-auth-token: user
x-roles: reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &agg_1 f918801a-5e54-4bee-9095-09a9d0c786b8
- &agg_2 a893eb5c-e2a0-4251-ab26-f71d3b0cfc0b
tests:
- name: system admin can create resource provider
POST: /resource_providers
request_headers: *system_admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 200
- name: system admin can set inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
data:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
min_unit: 10
max_unit: 1024
VCPU:
total: 96
status: 200
- name: project admin can update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_admin_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 204
- name: project admin can delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_admin_headers
status: 204
- name: project member cannot update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_member_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 403
- name: project reader cannot update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_reader_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 403
- name: system reader cannot update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_reader_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 403
- name: system admin can update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_admin_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 204
- name: system admin can list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_admin_headers
- name: system reader can list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_reader_headers
- name: project admin can list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_admin_headers
- name: project member cannot list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_member_headers
status: 403
- name: project reader cannot list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_reader_headers
status: 403
- name: system admin can list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *system_admin_headers
- name: system reader can list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *system_reader_headers
- name: project admin can list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *project_admin_headers
- name: project member cannot list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *project_member_headers
status: 403
- name: project reader cannot list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *project_reader_headers
status: 403
- name: system reader cannot manage allocations
POST: /allocations
request_headers: *system_reader_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 1
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 8
DISK_GB: 40
status: 403
- name: project member cannot manage allocations
POST: /allocations
request_headers: *project_member_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 1
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 8
DISK_GB: 40
status: 403
- name: project reader cannot manage allocations
POST: /allocations
request_headers: *project_reader_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 1
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 8
DISK_GB: 40
status: 403
- name: project admin can manage allocations
POST: /allocations
request_headers: *project_admin_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 1
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 4
DISK_GB: 20
status: 204
- name: system admin can manage allocations
POST: /allocations
request_headers: *system_admin_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 2
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 8
DISK_GB: 40
status: 204
- name: project member cannot delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_member_headers
status: 403
- name: project reader cannot delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_reader_headers
status: 403
- name: system reader cannot delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_reader_headers
status: 403
- name: system admin can delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_admin_headers
status: 204

285
placement/tests/functional/gabbits/allocations-secure-rbac.yaml Normal file
View File

@ -0,0 +1,285 @@
---
# Test the CRUD operations on /resource_providers/{uuid}/aggregates* using a
# system administrator context.
fixtures:
- SecureRBACPolicyFixture
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &system_reader_headers
x-auth-token: user
x-roles: reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &project_admin_headers
x-auth-token: user
x-roles: admin,member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_member_headers
x-auth-token: user
x-roles: member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_reader_headers
x-auth-token: user
x-roles: reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &agg_1 f918801a-5e54-4bee-9095-09a9d0c786b8
- &agg_2 a893eb5c-e2a0-4251-ab26-f71d3b0cfc0b
tests:
- name: system admin can create resource provider
POST: /resource_providers
request_headers: *system_admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 200
- name: system admin can set inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
data:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
min_unit: 10
max_unit: 1024
VCPU:
total: 96
status: 200
- name: project admin cannot update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_admin_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 403
- name: project member cannot update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_member_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 403
- name: project reader cannot update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_reader_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 403
- name: system reader cannot update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_reader_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 403
- name: system admin can update allocation
PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_admin_headers
data:
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 1
DISK_GB: 20
consumer_generation: null
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
status: 204
- name: system admin can list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_admin_headers
- name: system reader can list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_reader_headers
- name: project admin cannot list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_admin_headers
status: 403
- name: project member cannot list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_member_headers
status: 403
- name: project reader cannot list allocation
GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_reader_headers
status: 403
- name: system admin can list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *system_admin_headers
- name: system reader can list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *system_reader_headers
- name: project admin cannot list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *project_admin_headers
status: 403
- name: project member cannot list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *project_member_headers
status: 403
- name: project reader cannot list allocations for resource provider
GET: /resource_providers/$ENVIRON['RP_UUID']/allocations
request_headers: *project_reader_headers
status: 403
- name: system reader cannot manage allocations
POST: /allocations
request_headers: *system_reader_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 1
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 8
DISK_GB: 40
status: 403
- name: project admin cannot manage allocations
POST: /allocations
request_headers: *project_admin_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 1
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 8
DISK_GB: 40
status: 403
- name: project member cannot manage allocations
POST: /allocations
request_headers: *project_member_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 1
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 8
DISK_GB: 40
status: 403
- name: project reader cannot manage allocations
POST: /allocations
request_headers: *project_reader_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 1
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 8
DISK_GB: 40
status: 403
- name: system admin can manage allocations
POST: /allocations
request_headers: *system_admin_headers
data:
a0b15655-273a-4b3d-9792-2e579b7d5ad9:
consumer_generation: 1
project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70
allocations:
$ENVIRON['RP_UUID']:
resources:
VCPU: 8
DISK_GB: 40
status: 204
- name: project admin cannot delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_admin_headers
status: 403
- name: project member cannot delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_member_headers
status: 403
- name: project reader cannot delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *project_reader_headers
status: 403
- name: system reader cannot delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_reader_headers
status: 403
- name: system admin can delete allocations
DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9
request_headers: *system_admin_headers
status: 204