starlingx/distcloud
Code Issues Proposed changes
9824f80d95
distcloud/distributedcloud/dcmanager/api/controllers/v1/sw_update_options.py
Joao Victor Portal 28a4b568b1 Implement access control for DC API 
This commit implements access control for DC API. The reference doc can
be found at
"https://docs.starlingx.io/api-ref/distcloud/api-ref-dcmanager-v1.html".
Unit tests and YAML file support will be done in other tasks.

The access control implementation for GET requests requires the user to
have "reader" role and to be present in either "admin" or "services"
project. For other requests, it requires the user to have "admin" role
and to be present in either "admin" or "services" project. Requests
using public API URLs require no credentials.

As all default system users of StarlingX have "admin" role and are
present in either project "admin" or "services", there should be no
regression with the change introduced here.

The implementation done here is a little bit different from the one done
for sysinv and FM APIs, because the routing of requests is not done when
"before()" method of Pecan hooks are called, so the controller is not
defined at this point.

To test the access control of DC API, the following commands are used
(long list of parameters is replaced by "<params>"):

dcmanager subcloud add <params>
dcmanager subcloud manage subcloud2
dcmanager subcloud list
dcmanager subcloud delete subcloud2
dcmanager subcloud-deploy upload <params>
dcmanager subcloud-deploy show
dcmanager alarm summary
dcmanager patch-strategy create
dcmanager patch-strategy show
dcmanager patch-strategy apply
dcmanager patch-strategy abort
dcmanager patch-strategy delete
dcmanager strategy-config update <params> subcloud1
dcmanager strategy-config list
dcmanager strategy-config delete subcloud1
dcmanager subcloud-group add --name group01
dcmanager subcloud-group update --description test group01
dcmanager subcloud-group list
dcmanager subcloud-group delete group01
dcmanager subcloud-backup create --subcloud subcloud1

On test plan, these commands are reffered as "test commands".

The access control is not implemented for "dcdbsync" and "dcorch"
servers. Also, it is also not implemented for action POST
"/v1.0/notifications" in dcmanager API server, as it it is only called
indirectly by sysinv controllers.

Test Plan:

PASS: Successfully deploy a Distributed Cloud (with 1 subcloud) using a
CentOS image with this commit present. Successfully create, through
openstack CLI, the users: 'testreader' with role 'reader' in project
'admin', 'adminsvc' with role 'admin' in project 'services' and
'otheradmin' with role 'admin' in project 'notadminproject'. Create
openrc files for all new users. Note: the other user used is the already
existing 'admin' with role 'admin' in project 'admin'.
PASS: In the deployed DC, check the behavior of test commands through
different users: for "admin" and "adminsvc" users, all commands are
successful; for "testreader" user, only the test commands ending with
"list" or "summary" (GET requests) are successful; for "otheradmin"
user, all commands fail.
PASS: In the deployed DC, to assert that public API works without
authentication, execute the command "curl -v http://<MGMT_IP>:8119/" and
verify that it is accepted and that the HTTP response is 200, and
execute the command "curl -v http://<MGMT_IP>:8119/v1.0/subclouds" and
verify that it is rejected and that the HTTP response is 401.
PASS: In the deployed DC, check through Horizon interface that DC
management works correctly with default admin user.

Story: 2010149
Task: 46287

Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: Icfe24fd62096c7bf0bbb1f97e819dee5aac675e4
2022-09-22 18:26:35 -03:00

248 lines
9.2 KiB
Python
Raw Blame History

# Copyright (c) 2017 Ericsson AB.
# Copyright (c) 2017-2022 Wind River Systems, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
from oslo_config import cfg
from oslo_log import log as logging
import pecan
from pecan import expose
from pecan import request
from dccommon import consts as dccommon_consts
from dcmanager.api.controllers import restcomm
from dcmanager.api.policies import sw_update_options as sw_update_options_policy
from dcmanager.api import policy
from dcmanager.common import exceptions
from dcmanager.common.i18n import _
from dcmanager.common import utils
from dcmanager.db import api as db_api
from dcmanager.rpc import client as rpc_client
CONF = cfg.CONF
LOG = logging.getLogger(__name__)
class SwUpdateOptionsController(object):
def __init__(self):
super(SwUpdateOptionsController, self).__init__()
self.rpc_client = rpc_client.ManagerClient()
@expose(generic=True, template='json')
def index(self):
# Route the request to specific methods with parameters
pass
@index.when(method='GET', template='json')
def get(self, subcloud_ref=None):
"""Get details about software update options.
:param subcloud: name or id of subcloud (optional)
"""
policy.authorize(sw_update_options_policy.POLICY_ROOT % "get", {},
restcomm.extract_credentials_for_policy())
context = restcomm.extract_context_from_environ()
if subcloud_ref is None:
# List of all subcloud options requested.
# Prepend the all clouds default options to the result.
result = dict()
result['sw-update-options'] = list()
default_sw_update_opts_dict = utils.get_sw_update_opts(
context)
result['sw-update-options'].append(default_sw_update_opts_dict)
subclouds = db_api.sw_update_opts_get_all_plus_subcloud_info(
context)
for subcloud, sw_update_opts in subclouds:
if sw_update_opts:
result['sw-update-options'].append(
db_api.sw_update_opts_w_name_db_model_to_dict(
sw_update_opts, subcloud.name))
return result
elif subcloud_ref == dccommon_consts.DEFAULT_REGION_NAME:
# Default options requested, guaranteed to succeed
return utils.get_sw_update_opts(context)
else:
# Specific subcloud options requested
if subcloud_ref.isdigit():
# Look up subcloud as an ID
try:
subcloud = db_api.subcloud_get(context, subcloud_ref)
except exceptions.SubcloudNotFound:
pecan.abort(404, _('Subcloud not found'))
else:
# Look up subcloud by name
try:
subcloud = db_api.subcloud_get_by_name(context,
subcloud_ref)
except exceptions.SubcloudNameNotFound:
pecan.abort(404, _('Subcloud not found'))
try:
return utils.get_sw_update_opts(
context, subcloud_id=subcloud.id)
except Exception as e:
pecan.abort(404, _('%s') % e)
@index.when(method='POST', template='json')
def post(self, subcloud_ref=None):
"""Update or create sw update options.
:param subcloud: name or id of subcloud (optional)
"""
# Note creating or updating subcloud specific options require
# setting all options.
policy.authorize(sw_update_options_policy.POLICY_ROOT % "update", {},
restcomm.extract_credentials_for_policy())
context = restcomm.extract_context_from_environ()
payload = eval(request.body)
if not payload:
pecan.abort(400, _('Body required'))
if subcloud_ref == dccommon_consts.DEFAULT_REGION_NAME:
# update default options
subcloud_name = dccommon_consts.SW_UPDATE_DEFAULT_TITLE
if db_api.sw_update_opts_default_get(context):
# entry already in db, update it.
try:
sw_update_opts_ref = db_api.sw_update_opts_default_update(
context,
payload['storage-apply-type'],
payload['worker-apply-type'],
payload['max-parallel-workers'],
payload['alarm-restriction-type'],
payload['default-instance-action'])
except Exception as e:
LOG.exception(e)
raise e
else:
# no entry in db, create one.
try:
sw_update_opts_ref = db_api.sw_update_opts_default_create(
context,
payload['storage-apply-type'],
payload['worker-apply-type'],
payload['max-parallel-workers'],
payload['alarm-restriction-type'],
payload['default-instance-action'])
except Exception as e:
LOG.exception(e)
raise e
else:
# update subcloud options
if subcloud_ref.isdigit():
# Look up subcloud as an ID
try:
subcloud = db_api.subcloud_get(context, subcloud_ref)
except exceptions.SubcloudNotFound:
pecan.abort(404, _('Subcloud not found'))
subcloud_name = subcloud.name
else:
# Look up subcloud by name
try:
subcloud = db_api.subcloud_get_by_name(context,
subcloud_ref)
except exceptions.SubcloudNameNotFound:
pecan.abort(404, _('Subcloud not found'))
subcloud_name = subcloud_ref
sw_update_opts = db_api.sw_update_opts_get(context,
subcloud.id)
if sw_update_opts is None:
sw_update_opts_ref = db_api.sw_update_opts_create(
context,
subcloud.id,
payload['storage-apply-type'],
payload['worker-apply-type'],
payload['max-parallel-workers'],
payload['alarm-restriction-type'],
payload['default-instance-action'])
else:
# a row is present in table, update
sw_update_opts_ref = db_api.sw_update_opts_update(
context,
subcloud.id,
payload['storage-apply-type'],
payload['worker-apply-type'],
payload['max-parallel-workers'],
payload['alarm-restriction-type'],
payload['default-instance-action'])
return db_api.sw_update_opts_w_name_db_model_to_dict(
sw_update_opts_ref, subcloud_name)
@index.when(method='delete', template='json')
def delete(self, subcloud_ref):
"""Delete the software update options."""
policy.authorize(sw_update_options_policy.POLICY_ROOT % "delete", {},
restcomm.extract_credentials_for_policy())
context = restcomm.extract_context_from_environ()
if subcloud_ref == dccommon_consts.DEFAULT_REGION_NAME:
# Delete defaults.
# Note by deleting these, the next get will repopulate with
# the global constants.
try:
db_api.sw_update_opts_default_destroy(context)
except Exception:
return
else:
if subcloud_ref.isdigit():
# Look up subcloud as an ID
try:
subcloud = db_api.subcloud_get(context, subcloud_ref)
except exceptions.SubcloudNotFound:
pecan.abort(404, _('Subcloud not found'))
else:
# Look up subcloud by name
try:
subcloud = db_api.subcloud_get_by_name(context,
subcloud_ref)
except exceptions.SubcloudNameNotFound:
pecan.abort(404, _('Subcloud not found'))
# Delete the subcloud specific options
if db_api.sw_update_opts_get(context, subcloud.id):
db_api.sw_update_opts_destroy(context, subcloud.id)
else:
pecan.abort(404, _('Subcloud patch options not found'))
View Git Blame Copy Permalink