openstack/tacker
Code Issues Proposed changes
Files
master
tacker/tacker/tests/unit/policies
History
Ghanshyam Mann ef79698632 Keep new RBAC disable by default & Gate fix for GLOBAL_VENV 
This commit squash the multiple changes:

Changes 1:
Keep new RBAC disable by default

oslo.policy has enabled the new RBAC config options
enforce_scope and enforce_new_defaults by default[1][2].

Tacker implemented the new RBAC in previous cycle with new
RBAC disable by default. To give more time to operator, let's
continue the same setting in this release also.

Also, there are many test modification is needed for the new
RBAC (using the new RBAC default role in tests)

Unit tests log a lot of policy warnings, suppressing those[3]
-https://fa3204066787dd37fd86-ea893277118f144d3b928cfbb4823c04.ssl.cf1.rackcdn.com/926089/1/check/openstack-tox-py311/9df6631/testr_results.html

As oslo.policy enable them by default, we override the setting
for the Tacker.

NOTE: there is no change in behaviour, tacker continue with the
old RBAC as default.

ref: https://review.opendev.org/c/openstack/requirements/+/925464

[1] https://review.opendev.org/c/openstack/oslo.policy/+/924283
[2] https://review.opendev.org/c/openstack/releases/+/925032

Change 2:
Co-Authored-By: Ayumu Ueha <ueha.ayumu@fujitsu.com>

This fixes the issues when "Set GLOBAL_VENV=true".

1: When running python in the subprocess on venv, the library import
   may fail to execute properly.
   This patch changes the command passed to subprocess from "python"
   to "sys.executable" [4].

2: Remove compute node from nodeset for kubernetes jobs because it is
   not used in kubernetes jobs and to save the resources.
   Also left "GLOBAL_VENV=false" on the jobs related kubernetes to avoid
   the issue of setup on kuryr-kubernetes.

[4] https://docs.python.org/3/library/sys.html#sys.executable

[3]
-----------
  File "/home/zuul/src/opendev.org/openstack/tacker/tacker/policy.py", line 209, in authorize
    result = _ENFORCER.authorize(action, target, credentials,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/zuul/src/opendev.org/openstack/tacker/.tox/py311/lib/python3.11/site-packages/oslo_policy/policy.py", line 1189, in authorize
    return self.enforce(
           ^^^^^^^^^^^^^
  File "/home/zuul/src/opendev.org/openstack/tacker/.tox/py311/lib/python3.11/site-packages/oslo_policy/policy.py", line 1093, in enforce
    raise exc(*args, **kwargs)
tacker.common.exceptions.PolicyNotAuthorized: Policy doesn't allow os_nfv_orchestration_api:vnf_instances:cancel to be performed.
-----------

Change-Id: I4f736660e3b1079883a7434847222f6a6589377f
2024-09-05 10:41:19 -07:00
..
__init__.py
Add testing framework for RBAC
2024-03-05 18:28:44 -08:00
base.py
Keep new RBAC disable by default & Gate fix for GLOBAL_VENV
2024-09-05 10:41:19 -07:00
test_vnf_lcm.py
Add new default roles in vnf-lcm API policies
2024-03-13 18:16:55 +00:00
test_vnf_package.py
Add new default roles in vnf-package API policies
2024-03-13 18:17:04 +00:00