Allow flavor creation for non admin projects

Heat's recent policy changes reduced the scope of context_is_admin to be super user privileged which affects Tacker for auto flavor creation. Handle devstack script changes to modify OS::Nova::Flavor rule to 'admin' role only in heat's policy.json. Modify manual installation guide to incorporate these additional steps. Co-Authored-By: Bharath Thiruveedula <bharath_ves@hotmail.com> Change-Id: I7aceb21cbfaa6c45efa5c815a9bf7a0a26babc77 Closes-Bug: #1595311
2016-06-22 13:48:22 -07:00 · 2016-06-22 13:48:22 -07:00 · 496f946ef3
parent ae9d314d71
commit 496f946ef3
5 changed files with 44 additions and 33 deletions
--- a/devstack/lib/tacker
+++ b/devstack/lib/tacker
@ -92,6 +92,8 @@ TACKER_NOVA_API_INSECURE=${TACKER_NOVA_API_INSECURE:-False}
 # Tell Tempest this project is present
 # TEMPEST_SERVICES+=,tacker

+HEAT_CONF_DIR=/etc/heat
+
 # Functions
 # ---------
 # Test if any Tacker services are enabled
@ -407,3 +409,9 @@ function tacker_register_default_vim {
    echo $default_vim_id
    iniset $TACKER_CONF nfvo_vim default_vim $DEFAULT_VIM_NAME
 }
+
+function modify_heat_flavor_policy_rule {
+    local policy_file=$HEAT_CONF_DIR/policy.json
+    # Allow non-admin projects with 'admin' roles to create flavors in Heat
+    sed -i 's/"resource_types:OS::Nova::Flavor": "rule:context_is_admin"/"resource_types:OS::Nova::Flavor": "role:admin"/' $policy_file
+}
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -30,6 +30,8 @@ if is_service_enabled tacker; then
        start_tacker_api
        echo_summary "Installing tacker horizon"
        tacker_horizon_install
+        echo_summary "Modifying Heat policy.json file"
+        modify_heat_flavor_policy_rule
        echo_summary "Setup initial tacker network"
        tacker_create_initial_network
        echo_summary "Upload OpenWrt image"
--- a/doc/source/install/manual_installation.rst
+++ b/doc/source/install/manual_installation.rst
@ -52,6 +52,14 @@ services after the below entry has been added.

 ..

+5). Modify heat's policy.json file under /etc/heat/policy.json file to allow
+ users in non-admin projects with 'admin' roles to create flavors.
+
+.. code-block:: ini
+
+   "resource_types:OS::Nova::Flavor": "role:admin"
+..
+
 Installing Tacker server
 ========================

--- a/tacker/tests/functional/base.py
+++ b/tacker/tests/functional/base.py
@ -17,9 +17,11 @@ import time
 from novaclient import client as nova_client
 from oslo_config import cfg
 from tempest_lib.tests import base
+import yaml

 from tacker.common.exceptions import TackerException
 from tacker.tests import constants
+from tacker.tests.utils import read_file
 from tacker import version

 from tackerclient.v1_0 import client as tacker_client
@ -32,22 +34,6 @@ class BaseTackerTest(base.TestCase):

    @classmethod
    def setUpClass(cls):
-        core_opts = [
-            cfg.StrOpt('username', default='tacker',
-                       help=('Username to use for tacker API requests')),
-            cfg.StrOpt('password', default = 'devstack',
-                       help=('Password to use for tacker API requests')),
-            cfg.StrOpt('project_name', default = 'service',
-                       help=('Project name to use for tacker API requests')),
-            cfg.StrOpt('auth_uri', default='http://127.0.0.1:5000',
-                       help=('The keystone auth URI')),
-        ]
-
-        keystone_authtoken = cfg.OptGroup(name='keystone_authtoken',
-                                          title='keystone options')
-        # Register the configuration options
-        cfg.CONF.register_opts(core_opts, group=keystone_authtoken)
-
        kwargs = {}

        cfg.CONF(args=['--config-file', '/etc/tacker/tacker.conf'],
@ -57,24 +43,27 @@ class BaseTackerTest(base.TestCase):

        cls.client = cls.tackerclient()

+    @classmethod
+    def get_credentials(cls):
+        vim_params = yaml.load(read_file('local-vim.yaml'))
+        vim_params['auth_url'] += '/v2.0'
+        return vim_params
+
    @classmethod
    def tackerclient(cls):
-        username = cfg.CONF.keystone_authtoken.username
-        password = cfg.CONF.keystone_authtoken.password
-        tenant_name = cfg.CONF.keystone_authtoken.project_name
-        auth_uri = cfg.CONF.keystone_authtoken.auth_uri + '/v2.0'
-        return tacker_client.Client(username=username, password=password,
-                                    tenant_name=tenant_name,
-                                    auth_url=auth_uri)
+        vim_params = cls.get_credentials()
+        return tacker_client.Client(username=vim_params['username'],
+                                    password=vim_params['password'],
+                                    tenant_name=vim_params['project_name'],
+                                    auth_url=vim_params['auth_url'])

    @classmethod
    def novaclient(cls):
-        username = 'nfv_user'
-        password = 'devstack'
-        tenant_name = 'nfv'
-        auth_uri = cfg.CONF.keystone_authtoken.auth_uri + '/v2.0'
-        return nova_client.Client('2', username, password, tenant_name,
-                                  auth_uri)
+        vim_params = cls.get_credentials()
+        return nova_client.Client('2', vim_params['username'],
+                                  vim_params['password'],
+                                  vim_params['project_name'],
+                                  vim_params['auth_url'])

    @classmethod
    def wait_until_vnf_status(cls, vnf_id, target_status, timeout,
--- a/tacker/tests/functional/vnfm/test_tosca_vnf.py
+++ b/tacker/tests/functional/vnfm/test_tosca_vnf.py
@ -68,17 +68,19 @@ class VnfTestToscaCreate(base.BaseTackerTest):
 class VnfTestToscaCreateFlavorCreation(base.BaseTackerTest):
    def test_create_delete_vnf_tosca_no_monitoring(self):
        data = dict()
+        vnfd_name = 'tosca_vnfd_with_auto_flavor'
        data['tosca'] = read_file('sample-tosca-vnfd-flavor.yaml')
        toscal = data['tosca']
-        tosca_arg = {'vnfd': {'attributes': {'vnfd': toscal}}}
+        tosca_arg = {'vnfd': {'name': vnfd_name, 'attributes': {'vnfd':
+                                                                toscal}}}

        # Create vnfd with tosca template
        vnfd_instance = self.client.create_vnfd(body=tosca_arg)
        self.assertIsNotNone(vnfd_instance)

        # Create vnf with vnfd_id
+        vnf_name = 'tosca_vnf_with_auto_flavor'
        vnfd_id = vnfd_instance['vnfd']['id']
-        vnf_name = 'test_tosca_vnf_with_cirros_no_monitoring'
        vnf_arg = {'vnf': {'vnfd_id': vnfd_id, 'name': vnf_name}}
        vnf_instance = self.client.create_vnf(body=vnf_arg)

@ -121,9 +123,11 @@ class VnfTestToscaCreateFlavorCreation(base.BaseTackerTest):
 class VnfTestToscaCreateImageCreation(base.BaseTackerTest):
    def test_create_delete_vnf_tosca_no_monitoring(self):
        data = dict()
+        vnfd_name = 'tosca_vnfd_with_auto_image'
        data['tosca'] = read_file('sample-tosca-vnfd-image.yaml')
        toscal = data['tosca']
-        tosca_arg = {'vnfd': {'attributes': {'vnfd': toscal}}}
+        tosca_arg = {'vnfd': {'name': vnfd_name, 'attributes': {'vnfd':
+                                                                toscal}}}

        # Create vnfd with tosca template
        vnfd_instance = self.client.create_vnfd(body=tosca_arg)
@ -131,7 +135,7 @@ class VnfTestToscaCreateImageCreation(base.BaseTackerTest):

        # Create vnf with vnfd_id
        vnfd_id = vnfd_instance['vnfd']['id']
-        vnf_name = 'test_tosca_vnf_with_cirros_no_monitoring'
+        vnf_name = 'tosca_vnf_with_auto_image'
        vnf_arg = {'vnf': {'vnfd_id': vnfd_id, 'name': vnf_name}}
        vnf_instance = self.client.create_vnf(body=vnf_arg)