openstack/tacker
Code Issues Proposed changes

Merge "Keep new RBAC disable by default & Gate fix for GLOBAL_VENV"

Browse Source
This commit is contained in:
Zuul 2024-09-06 04:33:16 +00:00 committed by Gerrit Code Review
commit 7be3fdf2a7
9 changed files with 39 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
.zuul.yaml
View File

@ -33,7 +33,7 @@
- compute2 - compute2
- nodeset: - nodeset:
name: openstack-k8s-4-nodes-jammy name: openstack-k8s-3-nodes-jammy
nodes: nodes:
- name: controller - name: controller
label: ubuntu-jammy label: ubuntu-jammy
@ -41,18 +41,11 @@
label: ubuntu-jammy label: ubuntu-jammy
- name: controller-k8s - name: controller-k8s
label: ubuntu-jammy label: ubuntu-jammy
- name: compute1
label: ubuntu-jammy
groups: groups:
- name: compute
nodes:
- controller-k8s
- compute1
- name: subnode - name: subnode
nodes: nodes:
- controller-tacker - controller-tacker
- controller-k8s - controller-k8s
- compute1
- name: switch - name: switch
nodes: nodes:
- controller - controller
@ -60,7 +53,6 @@
nodes: nodes:
- controller-tacker - controller-tacker
- controller-k8s - controller-k8s
- compute1
- job: - job:
name: tacker-functional-devstack-multinode-sol-parent name: tacker-functional-devstack-multinode-sol-parent
@ -105,8 +97,6 @@
OVN_L3_CREATE_PUBLIC_NETWORK: true OVN_L3_CREATE_PUBLIC_NETWORK: true
OVN_DBS_LOG_LEVEL: dbg OVN_DBS_LOG_LEVEL: dbg
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
# TODO(ueha): Remove this workarround if the Zuul jobs succeed with GROBAL_VENV=true
GLOBAL_VENV: false
test_matrix_configs: [neutron] test_matrix_configs: [neutron]
zuul_work_dir: src/opendev.org/openstack/tacker zuul_work_dir: src/opendev.org/openstack/tacker
host-vars: host-vars:
@ -218,8 +208,6 @@
L2_AGENT_EXTENSIONS: qos L2_AGENT_EXTENSIONS: qos
ENABLE_CHASSIS_AS_GW: false ENABLE_CHASSIS_AS_GW: false
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
# TODO(ueha): Remove this workarround if the Zuul jobs succeed with GROBAL_VENV=true
GLOBAL_VENV: false
devstack_services: devstack_services:
# To override the parent job's definitions. # To override the parent job's definitions.
tls-proxy: false tls-proxy: false
@ -404,7 +392,7 @@
description: | description: |
Abstraction multinodes job for SOL devstack-based kubernetes functional Abstraction multinodes job for SOL devstack-based kubernetes functional
tests tests
nodeset: openstack-k8s-4-nodes-jammy nodeset: openstack-k8s-3-nodes-jammy
pre-run: playbooks/devstack/pre.yaml pre-run: playbooks/devstack/pre.yaml
run: playbooks/devstack/run.yaml run: playbooks/devstack/run.yaml
post-run: playbooks/devstack/post.yaml post-run: playbooks/devstack/post.yaml
@ -543,7 +531,7 @@
USE_PYTHON3: true USE_PYTHON3: true
ENABLE_CHASSIS_AS_GW: false ENABLE_CHASSIS_AS_GW: false
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
# TODO(ueha): Remove this workarround if the Zuul jobs succeed with GROBAL_VENV=true # TODO(ueha): Remove this workarround if the Zuul jobs succeed with GLOBAL_VENV=true
GLOBAL_VENV: false GLOBAL_VENV: false
devstack_services: devstack_services:
dstat: false dstat: false
@ -583,7 +571,7 @@
OVN_L3_CREATE_PUBLIC_NETWORK: true OVN_L3_CREATE_PUBLIC_NETWORK: true
OVN_DBS_LOG_LEVEL: dbg OVN_DBS_LOG_LEVEL: dbg
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
# TODO(ueha): Remove this workarround if the Zuul jobs succeed with GROBAL_VENV=true # TODO(ueha): Remove this workarround if the Zuul jobs succeed with GLOBAL_VENV=true
GLOBAL_VENV: false GLOBAL_VENV: false
devstack_local_conf: devstack_local_conf:
post-config: post-config:

2
requirements.txt
View File

@ -27,7 +27,7 @@ oslo.db>=5.0.0 # Apache-2.0
oslo.log>=3.36.0 # Apache-2.0 oslo.log>=3.36.0 # Apache-2.0
oslo.messaging>=14.2.0 # Apache-2.0 oslo.messaging>=14.2.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0 oslo.middleware>=3.31.0 # Apache-2.0
oslo.policy>=3.6.0 # Apache-2.0 oslo.policy>=3.11.0 # Apache-2.0
oslo.privsep>=2.4.0 # Apache-2.0 oslo.privsep>=2.4.0 # Apache-2.0
oslo.reports>=1.18.0 # Apache-2.0 oslo.reports>=1.18.0 # Apache-2.0
oslo.rootwrap>=5.8.0 # Apache-2.0 oslo.rootwrap>=5.8.0 # Apache-2.0

25
tacker/policy.py
View File

@ -38,11 +38,17 @@ LOG = logging.getLogger(__name__)
_ENFORCER = None _ENFORCER = None
ADMIN_CTX_POLICY = 'context_is_admin' ADMIN_CTX_POLICY = 'context_is_admin'
# TODO(gmann): Remove setting the default value of config policy_file # TODO(gmann): Remove setting the default value of config options:
# once oslo_policy change the default value to 'policy.yaml'. # - 'policy_file' once oslo_policy change their default value to what is
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 # overridden here.
# - 'enforce_scope', and 'enforce_new_defaults' once cinder is ready with the
# new RBAC (oslo_policy enable them by default)
DEFAULT_POLICY_FILE = 'policy.yaml' DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE) opts.set_defaults(
cfg.CONF,
DEFAULT_POLICY_FILE,
enforce_scope=False,
enforce_new_defaults=False)
def reset(): def reset():
@ -52,12 +58,21 @@ def reset():
_ENFORCER = None _ENFORCER = None
def init(conf=cfg.CONF, policy_file=None): def init(conf=cfg.CONF, policy_file=None, suppress_deprecation_warnings=False):
"""Init an instance of the Enforcer class.""" """Init an instance of the Enforcer class."""
global _ENFORCER global _ENFORCER
if not _ENFORCER: if not _ENFORCER:
_ENFORCER = policy.Enforcer(conf, policy_file=policy_file) _ENFORCER = policy.Enforcer(conf, policy_file=policy_file)
# NOTE(gmann): Explicitly disable the warnings for policies
# changing their default check_str. During policy-defaults-refresh
# work, all the policy defaults have been changed and warning for
# each policy started filling the logs limit for various tool.
# Once we move to new defaults only world then we can enable these
# warning again.
_ENFORCER.suppress_default_change_warnings = True
if suppress_deprecation_warnings:
_ENFORCER.suppress_deprecation_warnings = True
register_rules(_ENFORCER) register_rules(_ENFORCER)
_ENFORCER.load_rules() _ENFORCER.load_rules()

3
tacker/sol_refactored/conductor/vnflcm_driver_v2.py
View File

@ -16,6 +16,7 @@
import os import os
import pickle import pickle
import subprocess import subprocess
import sys
from oslo_log import log as logging from oslo_log import log as logging
from oslo_utils import uuidutils from oslo_utils import uuidutils
@ -119,7 +120,7 @@ class VnfLcmDriverV2(object):
# script is relative path to Definitions/xxx.yaml # script is relative path to Definitions/xxx.yaml
script_path = os.path.join(tmp_csar_dir, "Definitions", script) script_path = os.path.join(tmp_csar_dir, "Definitions", script)
out = subprocess.run(["python3", script_path], out = subprocess.run([sys.executable, script_path],
input=pickle.dumps(script_dict), input=pickle.dumps(script_dict),
stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout=subprocess.PIPE, stderr=subprocess.PIPE)

5
tacker/sol_refactored/infra_drivers/openstack/openstack.py
View File

@ -19,6 +19,7 @@ import os
import pickle import pickle
import re import re
import subprocess import subprocess
import sys
import yaml import yaml
from dateutil import parser from dateutil import parser
@ -672,7 +673,7 @@ class Openstack(object):
tmp_csar_dir = vnfd.make_tmp_csar_dir() tmp_csar_dir = vnfd.make_tmp_csar_dir()
script_path = os.path.join(tmp_csar_dir, script) script_path = os.path.join(tmp_csar_dir, script)
out = subprocess.run(["python3", script_path], out = subprocess.run([sys.executable, script_path],
input=pickle.dumps(vnfc_param), input=pickle.dumps(vnfc_param),
stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout=subprocess.PIPE, stderr=subprocess.PIPE)
vnfd.remove_tmp_csar_dir(tmp_csar_dir) vnfd.remove_tmp_csar_dir(tmp_csar_dir)
@ -889,7 +890,7 @@ class Openstack(object):
script_path = os.path.join( script_path = os.path.join(
os.path.dirname(__file__), "userdata_main.py") os.path.dirname(__file__), "userdata_main.py")
out = subprocess.run(["python3", script_path], out = subprocess.run([sys.executable, script_path],
input=pickle.dumps(script_dict), input=pickle.dumps(script_dict),
stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout=subprocess.PIPE, stderr=subprocess.PIPE)

2
tacker/tests/base.py
View File

@ -156,7 +156,7 @@ class BaseTestCase(testtools.TestCase):
cfg.CONF.set_override('state_path', self.temp_dir) cfg.CONF.set_override('state_path', self.temp_dir)
self.setup_config() self.setup_config()
policy.init() policy.init(suppress_deprecation_warnings=True)
self.addCleanup(policy.reset) self.addCleanup(policy.reset)
self.addCleanup(mock.patch.stopall) self.addCleanup(mock.patch.stopall)
self.addCleanup(CONF.reset) self.addCleanup(CONF.reset)

2
tacker/tests/unit/api/v2/test_api_v2.py
View File

@ -1049,7 +1049,7 @@ class JSONV2TestCase(APIv2TestBase, testlib_api.WebTestCase):
def test_get_keystone_strip_admin_only_attribute(self): def test_get_keystone_strip_admin_only_attribute(self):
tenant_id = _uuid() tenant_id = _uuid()
# Inject rule in policy engine # Inject rule in policy engine
policy.init() policy.init(suppress_deprecation_warnings=True)
common_policy._rules['get_network:name'] = common_policy.parse_rule( common_policy._rules['get_network:name'] = common_policy.parse_rule(
"rule:admin_only") "rule:admin_only")
res = self._test_get(tenant_id, tenant_id, 200) res = self._test_get(tenant_id, tenant_id, 200)

2
tacker/tests/unit/policies/base.py
View File

@ -46,7 +46,7 @@ class BasePolicyTest(base.TestCase):
# policy and initialize again so that rule will be re-loaded # policy and initialize again so that rule will be re-loaded
# considering the enforce_new_defaults new value. # considering the enforce_new_defaults new value.
policy.reset() policy.reset()
policy.init() policy.init(suppress_deprecation_warnings=True)
self.addCleanup(policy.reset) self.addCleanup(policy.reset)
self.admin_project_id = uuids.admin_project_id self.admin_project_id = uuids.admin_project_id

12
tacker/tests/unit/test_policy.py
View File

@ -54,14 +54,14 @@ class PolicyFileTestCase(base.BaseTestCase):
action = "example:test" action = "example:test"
with open(tmpfilename, "w") as policyfile: with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": ""}""") policyfile.write("""{"example:test": ""}""")
policy.init() policy.init(suppress_deprecation_warnings=True)
policy.enforce(self.context, action, self.target) policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile: with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": "!"}""") policyfile.write("""{"example:test": "!"}""")
# NOTE(vish): reset stored policy cache so we don't have to # NOTE(vish): reset stored policy cache so we don't have to
# sleep(1) # sleep(1)
policy._POLICY_CACHE = {} policy._POLICY_CACHE = {}
policy.init() policy.init(suppress_deprecation_warnings=True)
self.assertRaises(exceptions.PolicyNotAuthorized, self.assertRaises(exceptions.PolicyNotAuthorized,
policy.enforce, policy.enforce,
self.context, self.context,
@ -76,7 +76,7 @@ class PolicyTestCase(base.BaseTestCase):
policy.reset() policy.reset()
self.addCleanup(policy.reset) self.addCleanup(policy.reset)
# NOTE(vish): preload rules to circumvent reloading from file # NOTE(vish): preload rules to circumvent reloading from file
policy.init() policy.init(suppress_deprecation_warnings=True)
rules = { rules = {
"true": '@', "true": '@',
"example:allowed": '@', "example:allowed": '@',
@ -178,7 +178,7 @@ class DefaultPolicyTestCase(base.BaseTestCase):
super(DefaultPolicyTestCase, self).setUp() super(DefaultPolicyTestCase, self).setUp()
self.skipTest("Not ready yet") self.skipTest("Not ready yet")
policy.reset() policy.reset()
policy.init() policy.init(suppress_deprecation_warnings=True)
self.addCleanup(policy.reset) self.addCleanup(policy.reset)
self.rules = { self.rules = {
@ -228,7 +228,7 @@ class TackerPolicyTestCase(base.BaseTestCase):
super(TackerPolicyTestCase, self).setUp() super(TackerPolicyTestCase, self).setUp()
self.skipTest("Not ready yet") self.skipTest("Not ready yet")
policy.reset() policy.reset()
policy.init() policy.init(suppress_deprecation_warnings=True)
self.addCleanup(policy.reset) self.addCleanup(policy.reset)
self.admin_only_legacy = "role:admin" self.admin_only_legacy = "role:admin"
self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s" self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s"
@ -477,7 +477,7 @@ class TackerPolicyTestCase(base.BaseTestCase):
# Trigger a policy with rule admin_or_owner # Trigger a policy with rule admin_or_owner
action = "create_network" action = "create_network"
target = {'tenant_id': 'fake'} target = {'tenant_id': 'fake'}
policy.init() policy.init(suppress_deprecation_warnings=True)
self.assertRaises(exceptions.PolicyCheckError, self.assertRaises(exceptions.PolicyCheckError,
policy.enforce, policy.enforce,
self.context, action, target) self.context, action, target)