Test for correctly formed but invalid data when creating an Inventory.
This increases the coverage of the inventory handler from gabbi.
Race condition and ConcurrentUpdateDetected scenarios are not
covered as those are hard to cause from a gabbi test.
Change-Id: I603558c08d540aa53918252a0a9a050701456f5a
A case where a non-existent resource provider in an allocation PUT
request could raise a 400 was not covered. Now it is.
This still leave a ConcurrentUpdateDetected exception (which can
lead to 409) not covered. There's no simple way to cause such a
thing from a gabbi test.
Change-Id: I98243b679ba8101663d459cb9a76f7015078aff7
The same policy rule (os_compute_api:os-server-groups) is being used
for all actions (show, index, delete, create) for server_groups REST
APIs. It is thus impossible to provide different RBAC for specific
actions based on roles. To address this changes are made to have
separate policy rules for each of action.
It has been argued that index and show may not need separate policy
rules, but most other places in nova (and OpenStack in general) do
have separate policy rules for each action. This affords the ultimate
flexibility to deployers, who can obviously use the same rule if
that is what they want. One example where show and index may be
different is that if show is restricted based on some criteria, such
that a user is able to see some resources within the tenant but not
others, then list would need to be disallowed to prevent the user
from using list to see resources they cannot show.
Change-Id: Ica9e07f6e80257902b4a0cc44b65fd6bad008bba
Closes-Bug: #1636157
The pick_context_manager method will use a connection to a cell
database if one is present in the RequestContext, else it falls
back on the global main_context_manager in the DB API.
Currently, there are several places in our DB API code where
pick_context_manager isn't used because in a real scenario, each
cell is in a separate process where main_context_manager points
to its local database. This causes problems for testing though,
because we are unable to patch the DB API to simulate switching
between multiple 'main' databases in our functional tests because
of the global nature of main_context_manager.
This replaces all uses of main_context_manager with
pick_context_manager to:
1. Make switching between multiple databases able to work in
functional tests
2. Fix any possible cases where pick_context_manager is not
used for a DB API method that could be called from the
API using target_cell
Change-Id: I31e3170e0953cefbf49bfc84b29edab514c90cb5
/resource_providers/{uuid}/aggregates
GET for a list of aggregate uuids associated with this resource
provider
PUT to set the list of aggregate uuids associated with this this
provider
The API requests map directly to set_ and get_ aggregates on the
ResourceProvider object.
This is implemented as placement API microversion 1.1. To make that
easier a raise_404_if_not_version helper method is added to the
microversion module.
The new rest_api_version_history doc is updated to reflect this
new version.
Change-Id: I514c15c7d387cf25bf7986d07baccf0e7a785f46
Partially-Implements: blueprint generic-resource-pools-ocata
Add support for checking min_unit, max_unit and step_size when
making allocations to the placement API. When the constraints are
violated a new exception InvalidAllocationConstraintsViolated is
raised.
Change-Id: I18596a3c0f2b0049aaccd0f3e73aef90b684c4a8
Closes-Bug: #1623545
This is the initial set of docs for the placement API
service introduced in the Newton release.
We still have to flesh out the API reference in detail
but this gets us started.
The deployment steps are taken from how devstack does
this today.
Change-Id: Ic2436d92a7cefaeb1ae67ed878da968444f2f18d
* Removed leading space before asterisks in listings
which causes list to be wrapped in blockquote tag [0]
* Removed redundant empty lines in code
[0] http://docs.openstack.org/newton/config-reference/compute/config-options.html
Change-Id: I4c26650b08e1f89cd8a0ffa3a35c87e66873f0f5
Implements: blueprint centralize-config-options-ocata
The following warning appears in the unit test logs a number of times.
"UserWarning: This test uses methods that set internal oslo_db
state, but it does not claim to use the database. This will conflict
with the setup of tests that do use the database and cause failures
later."
Note that this warning is only emitted once per unit test worker, so new
offenders will show up in the logs each time you fix a test until they
are all gone.
This patch is intended to be merged after all the existing warnings are
addressed by other patches in this series:
https://review.openstack.org/#/q/topic:bug/1568414
Change-Id: I91909a356187bac70fa2fa920cebf3888410ae01
Closes-Bug: #1568414
Add informative messages to the 404 error response from
nova/objects/resource_provider.py
For the method _update_inventory_in_db() from resource_provider.py,
gabbi test validation is not added since it is not being used and
from the placement API you create an inventory but then call
set_inventory or add_inventory on a resource_provider.
Similar change, i.e. adding informative messages to 404 error can be
done for api tests from inventory.yaml and usage.yaml
It includes adding informative logging in code for 404 exceptions and
adding gabbi tests for those.
This can be done in follow up patch.
Change-Id: If53f84ac5f7521e9926b97bdcce3cf77ec5b4ffd
Closes-Bug: #1634115
In order to facilitate a future extraction of the placement service
we want to record the association between a resource provider and an
arbitrary aggregate uuid in its own table.
A PlacementAggregate model is joined from ResourceProvider via
ResourceProviderAggregate. Note that this structure is used so we can
join on ids instead of strings (the uuids). A direct mapping between
ResourceProvider uuid and Aggregate uuid was mooted earlier in the year
but was determined to be suboptimal.
The name 'placement_aggregates' is used as the least problematic of
several choices after discussion amongst several parties.
The data will be used by the forthcoming get_ and set_aggregates
methods on the ResourceProvider object.
Change-Id: Id0355cb022f68e962af306ff04cf724d22b68d19
Partially-Implements: blueprint generic-resource-pools-ocata
With the update to oslotest 2.11.0, we're missing testscenarios
now in the unit test environment[1], so depend on it.
1: https://review.openstack.org/#/c/385274/
Change-Id: I57da89ade9eb3fcf920ec6d333db7577ee3ef138
A number of tests in test_compute_mgr.py patch the event reporter to
prevent database poison warnings but otherwise don't assert on the event
reporter behaviour. Replace those individual mocks with a fixture that
stubs out the event reporter in the test setUp.
Change-Id: I57233259065d887b38a79850a05177fcbbdfb8c3
Related-Bug: #1568414
The ResourceProvider.set_inventory() method was not raising NotFound
when an Inventory object in the supplied InventoryList object was using
a resource class that did not exist in the resource class cache. This
patch fixes that by having the string_from_id() and id_from_string()
methods of the resource class cache raise ResourceClassNotFound instead
of returning None. We raise specific ResourceClassNotFound and
InventoryWithResourceClassNotFound exception subclasses to differentiate
in the inventory API handler between an unknown resource class and a
known resource class that doesn't exist in a given resource provider's
inventory.
We return a 400 Not Found when InventoryWithResourceClassNotFound is
raised on updating a single inventory, but return a 409 Conflict when
InventoryWithResourceClassNotFound is raised on updating a set of
inventory records since in the latter scenario, it represents a race
condition that frankly should not occur.
Change-Id: I350b02dcdbaa9d30d885cd085f60daa6b53a7745
Prior to Ib563b0ea the passphrase used by CryptsetupEncryptor and
LuksEncryptor had any leading zeros per hexadecimal digit removed, for
example 0x04 or 04 would turn into 0x4 or 4. As a result any volume
encrypted prior to the release of Newton used a modified passphrase that
was different to that stored by the key manager being used in the
environment.
To correct this for LuksEncryptor volumes permission denied errors are
now caught when attempting to open a volume. A second attempt to open
the volume is then made using a mangled passphrase. If successful the
correct passphrase is then added to the volume before the mangled
passphrase is finally removed. This workaround can be removed in a
future release once it is safe to assume that all LuksEncryptor volumes
have had any mangled passphrases replaced in this way.
This isn't possible for CryptsetupEncryptor volumes as the plain mode
used by cryptsetup does not provide a way for adding and removing keys.
As such on a permission denied error a second attempt is made to open
the volume using a mangled passphrase. Unlike the above workaround this
cannot be removed in a future release.
Change-Id: I7096463c5eba951dd6322ee6965435e877ca0371
Partial-bug: #1633518
This sets up a basic framework for policy checking in the placement API
and replaces the current admin check.
There are some limitations here based on oslo.policy limitations. It
turns out that policy rule defaults can only be registered if a policy
file is also used. Since we don't have immediate plans for a placement
policy file the issue is avoided by loading the necessary rule when
policy.Enforcer is initialized. There is also no support for generating
policy files using the oslopolicy CLI scripts. This can all be addressed
later when we determine a path for separating placement policy from Nova
or merging it together.
Although there is an existing nova.policy the changes for placement
policy are implemented in nova.api.openstack.placement.policy to
ease any later extraction that may happen. This is straightforward
because the placement policy code doesn't use any code from
nova.policy.
Co-Authored-By: Chris Dent <cdent@anticdent.org>
Change-Id: Ia62158e0eed50a34114718ee724b038f577c7e87
Partially-Implements: bp placement-api-policy-authz
The build_requests.instance column is a serialized
instance object, and the instances.user_data column
is MediumText, so the build_requests.instance column
itself needs to be at least MediumText in size for MySQL.
Change-Id: I7d65df37c02750593037744543ad15e5bc64e913
Closes-Bug: #1635446
