Merge "Keep new RBAC disable by default & Gate fix for GLOBAL_VENV"
commit
7be3fdf2a7
20
.zuul.yaml
20
.zuul.yaml
@ -33,7 +33,7 @@
|
||||
- compute2
|
||||
|
||||
- nodeset:
|
||||
name: openstack-k8s-4-nodes-jammy
|
||||
name: openstack-k8s-3-nodes-jammy
|
||||
nodes:
|
||||
- name: controller
|
||||
label: ubuntu-jammy
|
||||
@ -41,18 +41,11 @@
|
||||
label: ubuntu-jammy
|
||||
- name: controller-k8s
|
||||
label: ubuntu-jammy
|
||||
- name: compute1
|
||||
label: ubuntu-jammy
|
||||
groups:
|
||||
- name: compute
|
||||
nodes:
|
||||
- controller-k8s
|
||||
- compute1
|
||||
- name: subnode
|
||||
nodes:
|
||||
- controller-tacker
|
||||
- controller-k8s
|
||||
- compute1
|
||||
- name: switch
|
||||
nodes:
|
||||
- controller
|
||||
@ -60,7 +53,6 @@
|
||||
nodes:
|
||||
- controller-tacker
|
||||
- controller-k8s
|
||||
- compute1
|
||||
|
||||
- job:
|
||||
name: tacker-functional-devstack-multinode-sol-parent
|
||||
@ -105,8 +97,6 @@
|
||||
OVN_L3_CREATE_PUBLIC_NETWORK: true
|
||||
OVN_DBS_LOG_LEVEL: dbg
|
||||
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
|
||||
# TODO(ueha): Remove this workarround if the Zuul jobs succeed with GROBAL_VENV=true
|
||||
GLOBAL_VENV: false
|
||||
test_matrix_configs: [neutron]
|
||||
zuul_work_dir: src/opendev.org/openstack/tacker
|
||||
host-vars:
|
||||
@ -218,8 +208,6 @@
|
||||
L2_AGENT_EXTENSIONS: qos
|
||||
ENABLE_CHASSIS_AS_GW: false
|
||||
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
|
||||
# TODO(ueha): Remove this workarround if the Zuul jobs succeed with GROBAL_VENV=true
|
||||
GLOBAL_VENV: false
|
||||
devstack_services:
|
||||
# To override the parent job's definitions.
|
||||
tls-proxy: false
|
||||
@ -404,7 +392,7 @@
|
||||
description: |
|
||||
Abstraction multinodes job for SOL devstack-based kubernetes functional
|
||||
tests
|
||||
nodeset: openstack-k8s-4-nodes-jammy
|
||||
nodeset: openstack-k8s-3-nodes-jammy
|
||||
pre-run: playbooks/devstack/pre.yaml
|
||||
run: playbooks/devstack/run.yaml
|
||||
post-run: playbooks/devstack/post.yaml
|
||||
@ -543,7 +531,7 @@
|
||||
USE_PYTHON3: true
|
||||
ENABLE_CHASSIS_AS_GW: false
|
||||
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
|
||||
# TODO(ueha): Remove this workarround if the Zuul jobs succeed with GROBAL_VENV=true
|
||||
# TODO(ueha): Remove this workarround if the Zuul jobs succeed with GLOBAL_VENV=true
|
||||
GLOBAL_VENV: false
|
||||
devstack_services:
|
||||
dstat: false
|
||||
@ -583,7 +571,7 @@
|
||||
OVN_L3_CREATE_PUBLIC_NETWORK: true
|
||||
OVN_DBS_LOG_LEVEL: dbg
|
||||
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
|
||||
# TODO(ueha): Remove this workarround if the Zuul jobs succeed with GROBAL_VENV=true
|
||||
# TODO(ueha): Remove this workarround if the Zuul jobs succeed with GLOBAL_VENV=true
|
||||
GLOBAL_VENV: false
|
||||
devstack_local_conf:
|
||||
post-config:
|
||||
|
@ -27,7 +27,7 @@ oslo.db>=5.0.0 # Apache-2.0
|
||||
oslo.log>=3.36.0 # Apache-2.0
|
||||
oslo.messaging>=14.2.0 # Apache-2.0
|
||||
oslo.middleware>=3.31.0 # Apache-2.0
|
||||
oslo.policy>=3.6.0 # Apache-2.0
|
||||
oslo.policy>=3.11.0 # Apache-2.0
|
||||
oslo.privsep>=2.4.0 # Apache-2.0
|
||||
oslo.reports>=1.18.0 # Apache-2.0
|
||||
oslo.rootwrap>=5.8.0 # Apache-2.0
|
||||
|
@ -38,11 +38,17 @@ LOG = logging.getLogger(__name__)
|
||||
_ENFORCER = None
|
||||
ADMIN_CTX_POLICY = 'context_is_admin'
|
||||
|
||||
# TODO(gmann): Remove setting the default value of config policy_file
|
||||
# once oslo_policy change the default value to 'policy.yaml'.
|
||||
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||
# TODO(gmann): Remove setting the default value of config options:
|
||||
# - 'policy_file' once oslo_policy change their default value to what is
|
||||
# overridden here.
|
||||
# - 'enforce_scope', and 'enforce_new_defaults' once cinder is ready with the
|
||||
# new RBAC (oslo_policy enable them by default)
|
||||
DEFAULT_POLICY_FILE = 'policy.yaml'
|
||||
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
|
||||
opts.set_defaults(
|
||||
cfg.CONF,
|
||||
DEFAULT_POLICY_FILE,
|
||||
enforce_scope=False,
|
||||
enforce_new_defaults=False)
|
||||
|
||||
|
||||
def reset():
|
||||
@ -52,12 +58,21 @@ def reset():
|
||||
_ENFORCER = None
|
||||
|
||||
|
||||
def init(conf=cfg.CONF, policy_file=None):
|
||||
def init(conf=cfg.CONF, policy_file=None, suppress_deprecation_warnings=False):
|
||||
"""Init an instance of the Enforcer class."""
|
||||
|
||||
global _ENFORCER
|
||||
if not _ENFORCER:
|
||||
_ENFORCER = policy.Enforcer(conf, policy_file=policy_file)
|
||||
# NOTE(gmann): Explicitly disable the warnings for policies
|
||||
# changing their default check_str. During policy-defaults-refresh
|
||||
# work, all the policy defaults have been changed and warning for
|
||||
# each policy started filling the logs limit for various tool.
|
||||
# Once we move to new defaults only world then we can enable these
|
||||
# warning again.
|
||||
_ENFORCER.suppress_default_change_warnings = True
|
||||
if suppress_deprecation_warnings:
|
||||
_ENFORCER.suppress_deprecation_warnings = True
|
||||
register_rules(_ENFORCER)
|
||||
_ENFORCER.load_rules()
|
||||
|
||||
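Review bot: The TODO above `opts.set_defaults(...)` says the `enforce_scope` and `enforce_new_defaults` overrides can be dropped "once cinder is ready with the new RBAC", which reads as carried over from another project; in this module it should name tacker, e.g. `# - 'enforce_scope', and 'enforce_new_defaults' once tacker is ready with the`. These two defaults decide whether token scope is checked and whether the deprecated default rules are still honoured, so the comment should also say that operators can still enable both through the `[oslo_policy]` options. In `init()`, `suppress_default_change_warnings` is set to True unconditionally, so a deployment left on the legacy defaults gets no log signal that the check strings changed; a release note covering both settings would close that gap. The end of `init()` is not visible in this hunk.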
|
@ -16,6 +16,7 @@
|
||||
import os
|
||||
import pickle
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
from oslo_log import log as logging
|
||||
from oslo_utils import uuidutils
|
||||
@ -119,7 +120,7 @@ class VnfLcmDriverV2(object):
|
||||
# script is relative path to Definitions/xxx.yaml
|
||||
script_path = os.path.join(tmp_csar_dir, "Definitions", script)
|
||||
|
||||
out = subprocess.run(["python3", script_path],
|
||||
out = subprocess.run([sys.executable, script_path],
|
||||
input=pickle.dumps(script_dict),
|
||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
|
||||
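Review bot: `script_path` comes from `os.path.join(tmp_csar_dir, "Definitions", script)` and is handed straight to `subprocess.run`, and nothing in this hunk shows that the result is confined to the extracted package directory; `os.path.join` drops the prefix when `script` is absolute and does not collapse `..`. Resolving the path first and refusing anything outside `tmp_csar_dir` (for example by checking that `os.path.realpath(script_path)` starts with `os.path.realpath(tmp_csar_dir) + os.sep`) would make the boundary explicit; whether `script` is validated earlier in the method is not visible here. The same applies to `os.path.join(tmp_csar_dir, script)` in the `Openstack` hunk at -672. With `sys.executable` the package script now runs inside the service's own virtualenv, which deserves a one-line comment next to the call. The enclosing method starts and ends outside the hunk.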
|
@ -19,6 +19,7 @@ import os
|
||||
import pickle
|
||||
import re
|
||||
import subprocess
|
||||
import sys
|
||||
import yaml
|
||||
|
||||
from dateutil import parser
|
||||
@ -672,7 +673,7 @@ class Openstack(object):
|
||||
|
||||
tmp_csar_dir = vnfd.make_tmp_csar_dir()
|
||||
script_path = os.path.join(tmp_csar_dir, script)
|
||||
out = subprocess.run(["python3", script_path],
|
||||
out = subprocess.run([sys.executable, script_path],
|
||||
input=pickle.dumps(vnfc_param),
|
||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
vnfd.remove_tmp_csar_dir(tmp_csar_dir)
|
||||
@ -889,7 +890,7 @@ class Openstack(object):
|
||||
script_path = os.path.join(
|
||||
os.path.dirname(__file__), "userdata_main.py")
|
||||
|
||||
out = subprocess.run(["python3", script_path],
|
||||
out = subprocess.run([sys.executable, script_path],
|
||||
input=pickle.dumps(script_dict),
|
||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
|
||||
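Review bot: The `subprocess.run([sys.executable, script_path], ...)` calls in both hunks of this file have no `timeout=`, so a script that never exits blocks the calling worker indefinitely. In the -672 hunk that also means `vnfd.remove_tmp_csar_dir(tmp_csar_dir)` is never reached, and it is skipped as well if `subprocess.run` raises, since the cleanup is not in a `finally`. I would pass a timeout taken from configuration and move the removal into `try: ... finally: vnfd.remove_tmp_csar_dir(tmp_csar_dir)`. Both enclosing methods start and end outside the hunks.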
|
@ -156,7 +156,7 @@ class BaseTestCase(testtools.TestCase):
|
||||
cfg.CONF.set_override('state_path', self.temp_dir)
|
||||
|
||||
self.setup_config()
|
||||
policy.init()
|
||||
policy.init(suppress_deprecation_warnings=True)
|
||||
self.addCleanup(policy.reset)
|
||||
self.addCleanup(mock.patch.stopall)
|
||||
self.addCleanup(CONF.reset)
|
||||
|
@ -1049,7 +1049,7 @@ class JSONV2TestCase(APIv2TestBase, testlib_api.WebTestCase):
|
||||
def test_get_keystone_strip_admin_only_attribute(self):
|
||||
tenant_id = _uuid()
|
||||
# Inject rule in policy engine
|
||||
policy.init()
|
||||
policy.init(suppress_deprecation_warnings=True)
|
||||
common_policy._rules['get_network:name'] = common_policy.parse_rule(
|
||||
"rule:admin_only")
|
||||
res = self._test_get(tenant_id, tenant_id, 200)
|
||||
|
@ -46,7 +46,7 @@ class BasePolicyTest(base.TestCase):
|
||||
# policy and initialize again so that rule will be re-loaded
|
||||
# considering the enforce_new_defaults new value.
|
||||
policy.reset()
|
||||
policy.init()
|
||||
policy.init(suppress_deprecation_warnings=True)
|
||||
self.addCleanup(policy.reset)
|
||||
|
||||
self.admin_project_id = uuids.admin_project_id
|
||||
|
@ -54,14 +54,14 @@ class PolicyFileTestCase(base.BaseTestCase):
|
||||
action = "example:test"
|
||||
with open(tmpfilename, "w") as policyfile:
|
||||
policyfile.write("""{"example:test": ""}""")
|
||||
policy.init()
|
||||
policy.init(suppress_deprecation_warnings=True)
|
||||
policy.enforce(self.context, action, self.target)
|
||||
with open(tmpfilename, "w") as policyfile:
|
||||
policyfile.write("""{"example:test": "!"}""")
|
||||
# NOTE(vish): reset stored policy cache so we don't have to
|
||||
# sleep(1)
|
||||
policy._POLICY_CACHE = {}
|
||||
policy.init()
|
||||
policy.init(suppress_deprecation_warnings=True)
|
||||
self.assertRaises(exceptions.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
@ -76,7 +76,7 @@ class PolicyTestCase(base.BaseTestCase):
|
||||
policy.reset()
|
||||
self.addCleanup(policy.reset)
|
||||
# NOTE(vish): preload rules to circumvent reloading from file
|
||||
policy.init()
|
||||
policy.init(suppress_deprecation_warnings=True)
|
||||
rules = {
|
||||
"true": '@',
|
||||
"example:allowed": '@',
|
||||
@ -178,7 +178,7 @@ class DefaultPolicyTestCase(base.BaseTestCase):
|
||||
super(DefaultPolicyTestCase, self).setUp()
|
||||
self.skipTest("Not ready yet")
|
||||
policy.reset()
|
||||
policy.init()
|
||||
policy.init(suppress_deprecation_warnings=True)
|
||||
self.addCleanup(policy.reset)
|
||||
|
||||
self.rules = {
|
||||
@ -228,7 +228,7 @@ class TackerPolicyTestCase(base.BaseTestCase):
|
||||
super(TackerPolicyTestCase, self).setUp()
|
||||
self.skipTest("Not ready yet")
|
||||
policy.reset()
|
||||
policy.init()
|
||||
policy.init(suppress_deprecation_warnings=True)
|
||||
self.addCleanup(policy.reset)
|
||||
self.admin_only_legacy = "role:admin"
|
||||
self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s"
|
||||
@ -477,7 +477,7 @@ class TackerPolicyTestCase(base.BaseTestCase):
|
||||
# Trigger a policy with rule admin_or_owner
|
||||
action = "create_network"
|
||||
target = {'tenant_id': 'fake'}
|
||||
policy.init()
|
||||
policy.init(suppress_deprecation_warnings=True)
|
||||
self.assertRaises(exceptions.PolicyCheckError,
|
||||
policy.enforce,
|
||||
self.context, action, target)
|
||||
|