9aee309999
This commit does two different changes: it changes the policy engine to oslo_policy and restricts access to the sysinv API to users of projects 'admin' or 'services'.

The deprecated policy engine is the one present in the file "sysinv/sysinv/sysinv/sysinv/openstack/common/policy.py" (780 lines). This file is no longer used by this repository and was not deleted because it is used by other repositories, like starlingx/update. The library oslo_policy is used in its place. In fact, the deprecated engine seems to be an ancient version of oslo_policy. The library oslo_policy changed the default format of configuration files from JSON to YAML, so the configuration files named "policy.json" were changed to "policy.yaml". The file that initializes and wraps oslo_policy ("sysinv/sysinv/sysinv/sysinv/common/policy.py") contains the minimal implementation to use this library.

Before this commit, access to the sysinv API was restricted to users with role "admin" or "administrator" from any project. This commit restricts access to users with role "admin" of projects "admin" or "services". This change should not cause problems, because role "administrator" doesn't exist and because all users from StarlingX are from projects "admin" or "services". This change is needed to avoid access from admin users of other projects.

To test custom policy rules set in the file "/etc/sysinv/policy.yaml", the Service Parameter API actions create/apply/modify/delete/get (commands "system service-parameter-[add/apply/modify/delete/list]") will be used. To test the default policy for sysinv API commands, the command to change the system description (PATCH "/v1/isystems", command "system modify --description='test'") will be used. In the test plan, these commands will be referred to as "test commands". Any change in the file "/etc/sysinv/policy.yaml" is detected by the policy engine and the rules are updated.

Test Plan:

PASS: Successfully deploy an AIO-SX using a Debian image with this commit present. Successfully create, through the openstack CLI, the users: 'testreader' with role 'reader' in project 'admin', 'adminsvc' with role 'admin' in project 'services' and 'otheradmin' with role 'admin' in project 'notadminproject'. Create openrc files for all new users. Note: the other user that will be used is the already existing 'admin' with role 'admin' in project 'admin'.

PASS: In the deployed AIO-SX, check the behavior of the test commands through different users: for "admin" and "adminsvc" users, all commands are successful; for user "testreader", only the "service-parameter-list" command is successful; and for user "otheradmin", no command is successful.

PASS: In the deployed AIO-SX, add the following lines in the file "/etc/sysinv/policy.yaml":

    config_api:service_parameter:add: role:reader
    config_api:service_parameter:apply: role:reader
    config_api:service_parameter:delete: role:reader
    config_api:service_parameter:get: role:reader
    config_api:service_parameter:modify: role:reader

and check the behavior of the test commands through different users: for "admin" and "adminsvc" users, all commands are successful; for users "testreader" and "otheradmin", all commands are successful except the change in the system description ("system modify --description='test'").

PASS: In the deployed AIO-SX, to assert that the public API works without authentication, execute the commands "curl -v http://<MGMT_IP>:6385/v1/" and "curl -v http://<MGMT_IP>:6385/v1/isystems/mgmtvlan" and verify that they are accepted and that the HTTP response is 200, and execute the commands "curl -v http://<MGMT_IP>:6385/v1/isystems/" and "curl -v http://<MGMT_IP>:6385/v1/service_parameter" and verify that they are rejected and that the HTTP response is 401.

PASS: Repeat all tests above changing the deploy to AIO-DX using a CentOS image.

PASS: Successfully execute Debian AIO-SX daily regression and sanity tests using an image containing this change.

Story: 2010149
Task: 45984
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: Id7aa387e154afb1441a8484b076cdc97f2fc46cb
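The access matrix the test plan above checks, worked through as an added example that is not sysinv's code and does not use the oslo_policy library: a small evaluator for the `role:`, `project_name:` and `rule:` check-string syntax, the policy.yaml override lines from the test plan, and the four test users. The default rule strings, the action name used for the system-description change (`config_api:isystems:modify`, which falls through to the `default` rule), and the assumption that an admin user's token also carries the implied `member` and `reader` roles are assumptions made for this example; they were chosen so that the computed results match the expected results of the test plan.

```python
import re

# Tokens of the check-string syntax this toy evaluator understands:
# parentheses, and/or/not, and "kind:value" checks such as role:admin.
TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|[A-Za-z_]+:[^\s()]+")


def evaluate(expr, creds, rules):
    """role:X -> X in creds['roles']; rule:NAME -> evaluate rules[NAME]
    (False if undefined); any other attr:value -> creds[attr] == value."""
    tokens = TOKEN_RE.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of check string: %r" % expr)
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()  # always parsed, so the token stream stays in sync
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return value
        kind, _, value = tok.partition(":")
        if kind == "role":
            return value in creds.get("roles", [])
        if kind == "rule":
            return evaluate(rules[value], creds, rules) if value in rules else False
        return str(creds.get(kind)) == value

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return bool(result)


def load_policy_yaml(text, rules):
    """Merge flat 'action: check string' lines (the policy.yaml shape used in
    the test plan) into a copy of the default rules, overriding them."""
    merged = dict(rules)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition(": ")
            if not sep:
                raise ValueError("not a 'key: value' line: %r" % line)
            merged[key.strip()] = value.strip()
    return merged


# Assumed defaults (not sysinv's real policy): admin role in project admin
# or services; readers of those projects may only read service parameters.
DEFAULT_RULES = {
    "admin_or_services_project": "project_name:admin or project_name:services",
    "admin_or_services": "role:admin and rule:admin_or_services_project",
    "reader_of_admin_or_services": "role:reader and rule:admin_or_services_project",
    "default": "rule:admin_or_services",
    "config_api:service_parameter:add": "rule:admin_or_services",
    "config_api:service_parameter:apply": "rule:admin_or_services",
    "config_api:service_parameter:delete": "rule:admin_or_services",
    "config_api:service_parameter:modify": "rule:admin_or_services",
    "config_api:service_parameter:get": "rule:admin_or_services or rule:reader_of_admin_or_services",
}

# The override lines from the test plan, as written to /etc/sysinv/policy.yaml.
CUSTOM_POLICY_YAML = """
config_api:service_parameter:add: role:reader
config_api:service_parameter:apply: role:reader
config_api:service_parameter:delete: role:reader
config_api:service_parameter:get: role:reader
config_api:service_parameter:modify: role:reader
"""

# Constructed credentials for the test-plan users. Assumption: an admin token
# also lists the implied member and reader roles, which is why an admin user
# passes a plain role:reader check.
ADMIN_ROLES = ["admin", "member", "reader"]
USERS = {
    "admin": {"roles": ADMIN_ROLES, "project_name": "admin"},
    "adminsvc": {"roles": ADMIN_ROLES, "project_name": "services"},
    "testreader": {"roles": ["reader"], "project_name": "admin"},
    "otheradmin": {"roles": ADMIN_ROLES, "project_name": "notadminproject"},
}

# Test commands mapped to policy actions; the isystems action is hypothetical.
ACTIONS = {
    "system service-parameter-add": "config_api:service_parameter:add",
    "system service-parameter-apply": "config_api:service_parameter:apply",
    "system service-parameter-modify": "config_api:service_parameter:modify",
    "system service-parameter-delete": "config_api:service_parameter:delete",
    "system service-parameter-list": "config_api:service_parameter:get",
    "system modify --description='test'": "config_api:isystems:modify",
}


def allowed_commands(rules, user):
    """Test commands that `user` may run under `rules`; unknown actions fall
    back to the 'default' rule, as oslo_policy does."""
    creds = USERS[user]
    return [cmd for cmd, action in ACTIONS.items()
            if evaluate(rules.get(action, rules["default"]), creds, rules)]


if __name__ == "__main__":
    custom = load_policy_yaml(CUSTOM_POLICY_YAML, DEFAULT_RULES)
    for user in USERS:
        print("default  %-10s %s" % (user, allowed_commands(DEFAULT_RULES, user)))
        print("custom   %-10s %s" % (user, allowed_commands(custom, user)))
```

Running it prints the per-user command lists for both rule sets; the project restriction lives only in the default rules, so the `role:reader` overrides from the test plan open the service-parameter actions to every reader regardless of project, while the system-description change still falls through to the `default` rule.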