12 Commits (master)

Author SHA1 Message Date
Joao Victor Portal 99eba3afb8 Implement access control for FM API
This commit implements the access control for all FM APIs. An incomplete
list of FM APIs can be found at
"https://docs.starlingx.io/api-ref/fault/api-ref-fm-v1-fault.html". Unit
tests will be created in another task.

All access control rules can be overwritten through file
"/etc/fm/policy.yaml". Any change in file "/etc/fm/policy.yaml" is
automatically detected by policy engine and the rules are updated.

Differently from other APIs, which have as default rule to enforce that
all users using the API are present in either project "admin" or
"services", all read-only actions (GET requests) of FM API are allowed
for any user, so it only requires "reader" role (that is the lowest
role). Other actions require the user to have "admin" role and to be
present in either project "admin" or "services".

As all system users of StarlingX have "admin" role and are present in
either project "admin" or "services", the default rules for FM API
allow any system user to execute any action, so there should be no
regression with the change introduced here.

To test the access control of FM API, the following commands will be
used:
    fm alarm-list
    fm alarm-show <uuid>
    fm alarm-summary
    fm alarm-delete <uuid>
    fm event-list
    fm event-show <uuid>
    fm event-suppress --alarm_id <alarm_id>
    fm event-suppress-list
    fm event-unsuppress --alarm_id <alarm_id>
    fm event-unsuppress-all
In the test plan, these commands will be referred to as "test commands".

Note: there is one FM API that is not tested by the commands above,
that is the creation of alarms ("fm_api:alarm:create"). This API will
be tested indirectly by observing the system successfully creating
alarms in the deployed environment.

Test Plan:

PASS: Successfully deploy an AIO-SX using a Debian image with this
commit present. Successfully create, through openstack CLI, the users:
'testreader' with role 'reader' in project 'admin',
'adminsvc' with role 'admin' in project 'services' and
'otheradmin' with role 'admin' in project 'notadminproject'.
Create openrc files for all new users. Note: the other user that will be
used is the already existing 'admin' with role 'admin' in project
'admin'.
PASS: In the deployed AIO-SX, check the behavior of test commands
through different users: for "admin" and "adminsvc" users, all commands
are successful; for users "testreader" and "otheradmin", only the
commands "alarm-delete", "event-suppress", "event-unsuppress" and
"event-unsuppress-all" fail. Observe also that the system is able to
create alarms during its operation.
PASS: In the deployed AIO-SX, add the following lines in file
"/etc/fm/policy.yaml":
    fm_api:alarm:create: role:admin
    fm_api:alarm:delete: role:admin
    fm_api:alarm:get: role:admin
    fm_api:alarm:modify: role:admin
    fm_api:event_log:get: role:admin
    fm_api:event_suppression:get: role:admin
    fm_api:event_suppression:modify: role:admin
and check that all test commands are successful through user
"otheradmin" and that all test commands fail through user "testreader".
Observe also that the system is able to create alarms during its
operation.
PASS: In the deployed AIO-SX, to assert that public API works without
authentication, execute the commands:
"curl -v http://<MGMT_IP>:18002/" and
"curl -v http://<MGMT_IP>:18002/v1/" and
verify that they are accepted and that the HTTP response is 200,
and execute the commands:
"curl -v http://<MGMT_IP>:18002/v1/alarms" and
"curl -v http://<MGMT_IP>:18002/v1/event_log" and
verify that they are rejected and that the HTTP response is 401.
PASS: In the deployed AIO-SX, check through Horizon interface that Fault
Management works correctly (showing alarms and events, allowing events
to be suppressed).
PASS: Repeat all tests above changing the deploy to AIO-DX using a
CentOS image.

Story: 2010149
Task: 46123

Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I3db6d0464d8d53c4dfbc761663be1712141b8b93
2022-08-26 10:54:39 -03:00
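
The default rules and the "/etc/fm/policy.yaml" override described in the commit above, modelled as an added example (not code from the StarlingX project). The rule strings, the admin-implies-reader role implication, the command-to-action mapping and the small evaluator are assumptions made for illustration.

```python
# Constructed model of the access rules described in the commit message.
# Rule strings, role implication and command-to-action mapping are assumptions.
READER = "role:reader"
ADMIN = ("role:admin and project_name:admin"
         " or role:admin and project_name:services")
DEFAULT_RULES = {
    "fm_api:alarm:create": ADMIN, "fm_api:alarm:delete": ADMIN,
    "fm_api:alarm:get": READER, "fm_api:alarm:modify": ADMIN,
    "fm_api:event_log:get": READER,
    "fm_api:event_suppression:get": READER,
    "fm_api:event_suppression:modify": ADMIN,
}
# The policy.yaml override from the test plan: every action is "role:admin".
ADMIN_ONLY = {action: "role:admin" for action in DEFAULT_RULES}
IMPLIED = {"admin": {"admin", "reader"}, "reader": {"reader"}}  # assumed
USERS = {  # users created in the test plan
    "admin": {"role": "admin", "project_name": "admin"},
    "adminsvc": {"role": "admin", "project_name": "services"},
    "otheradmin": {"role": "admin", "project_name": "notadminproject"},
    "testreader": {"role": "reader", "project_name": "admin"},
}
COMMANDS = {  # assumed mapping of the test commands to policy actions
    "alarm-list": "fm_api:alarm:get", "alarm-show": "fm_api:alarm:get",
    "alarm-summary": "fm_api:alarm:get", "alarm-delete": "fm_api:alarm:delete",
    "event-list": "fm_api:event_log:get", "event-show": "fm_api:event_log:get",
    "event-suppress-list": "fm_api:event_suppression:get",
    "event-suppress": "fm_api:event_suppression:modify",
    "event-unsuppress": "fm_api:event_suppression:modify",
    "event-unsuppress-all": "fm_api:event_suppression:modify",
}

def matches(check, creds):
    """Evaluate one 'kind:value' check against a user's credentials."""
    kind, _, value = check.partition(":")
    if kind == "role":
        return value in IMPLIED[creds["role"]]
    return creds.get(kind) == value

def allowed(rule, creds):
    """Evaluate an 'or' of 'and' clauses; parentheses are not supported here."""
    return any(all(matches(c, creds) for c in clause.split(" and "))
               for clause in rule.split(" or "))

def denied(user, overrides=None):
    """Return the test commands the given user would be refused."""
    rules = {**DEFAULT_RULES, **(overrides or {})}
    return sorted(cmd for cmd, action in COMMANDS.items()
                  if not allowed(rules[action], USERS[user]))
```

Comparing `denied("otheradmin")` with `denied("otheradmin", ADMIN_ONLY)` shows that the override drops the project restriction: an "admin" in any project gains the modifying actions, while "reader" users lose read access.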
Erich Cordoba d235681165 Add missing Requires to fault components for opensuse
Some of the fault components rely on having all the dependencies
installed in the StarlingX ISO so having missing dependencies listed
in the spec files is not an issue. However, when we take those components
and run them in a non StarlingX installation these problems
started to arise.

This patch is the result of the analysis of all imports and a manual
execution of the fault components in opensuse. This is a summary of
the findings:

- fm-api: This component imports `fm_core` which is provided by
          `fm-common` but not listed in the dependencies. Same
          case for `six` module.
- fm-mgr: `fmManager` links to `libfmcommon` but is not listed in the
          requirements. Also, it expects to find the `/etc/fm/events.yaml`
          file which is provided by `fm-doc`.
- fm-rest-api: A set of imports that are missing. This component also
               depends on other StarlingX components.
- python-fmclient: Missing python imports.

Story: 2006684
Task: 36971

Change-Id: I6719ab8a8d9a35d105be1c6f7dac57b855da543e
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
2019-10-08 18:24:30 -05:00
Zuul fb8dc46a59 Merge "Adding %fdupes macro to python-fmclient and fm-rest-api in opensuse" 2019-10-08 13:43:05 +00:00
Erich Cordoba 4e6ed39d61 Adding %fdupes macro to python-fmclient and fm-rest-api in opensuse
The rpmlint tool complains about having duplicated files in these
two packages. The %fdupes macro helps to remove these duplicated
files and thus pass rpmlint checks.

Story: 2006508
Task: 36867

Change-Id: I031352e06c74da65dc62b9a6c51dbb87371432d1
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
2019-10-01 11:43:25 -05:00
Erich Cordoba 61d9addb2c Delete _service files from git.
These files are part of OBS infrastructure and shouldn't be part of
this repository.

Story: 2006508
Task: 36862

Change-Id: I8cc056a49a888352d8dbb03b2a55e86549e6a45a
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
2019-09-30 13:27:21 -05:00
Zuul c0c901620a Merge "Adding rpmlintrc files for opensuse building" 2019-09-30 15:51:07 +00:00
Erich Cordoba 6da9811491 Set version to 1.0.0 in opensuse specfiles
All opensuse versions are being standardized with the same format,
this requires that all components will change from 1.0 to 1.0.0.

Story: 2006508
Task: 36811

Change-Id: I301759895e4ed816633daa6595d5f60f2f1d59c7
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
2019-09-25 15:35:15 -05:00
Erich Cordoba c9755220c3 Adding rpmlintrc files for opensuse building
The rpmlintrc files help to configure the behavior of the rpm linter
executed by the opensuse build system. This patch adds the rpmlintrc
files that were defined in the opensuse build system.

Story: 2006508
Task: 36799

Change-Id: If75264e809bb78bbcff1dd474b1a5fc1819ac193
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
2019-09-25 06:16:04 -05:00
Erich Cordoba 6f0ec9c4fc Change %autosetup for opensuse specfiles
As the tarballs are now created by the _service definition in the
opensuse build system, it requires now to include the specfiles
within the tarballs. This means that the `-n` option needs to be
set for `%autosetup`.

Story: 2006508
Task: 36780

Change-Id: Ib89a440d4911200ead2a3a35d731564e86b0b447
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
2019-09-24 15:17:28 -05:00
Erich Cordoba 79b32861f0 Change tarball extension from xz to gz in opensuse specfiles.
In the opensuse build system (OBS) the `_service` files are being
standardized to generate tarballs with gz compression. The fault's
specfiles were created before this decision, therefore an update
in the extension is required.

Story: 2006508
Task: 36670

Change-Id: I96cb185a9a0e089e4f8e184e8fdeaa709f77915e
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
2019-09-17 17:30:00 -05:00
Saul Wold 91af45019b Tox: add tox job and requirements to improve specfiles
This is a tox job to scan the RPM specfiles and do some
initial sanity checks and use the OpenDev Spec-Cleaner tool, this
is not a 'linter' per-se, but will output a diff of recommended
changes for the specfile.

Initially disable cleaning our default CentOS specfiles since we
know they need work, we can enable this later.

This uses the speclint script in starlingx/integ as proposed
by the Depends-On.

The recommended guideline for openSUSE is located here:
https://en.opensuse.org/openSUSE:Specfile_guidelines

Fix up fm-rest-api opensuse specfile

Depends-On: https://review.opendev.org/664995
Change-Id: I46da780a667569a9dccedd551d955c983e9601cd
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2019-07-16 13:15:24 -07:00
Saul Wold 59aa18cf57 Add openSUSE spec files
This commit adds the RPM specfile that supports openSUSE, these
include the _service file which creates the tarball, the changes
files and specfile itself.

These are all built via the OpenBuildService (OBS) and can be
found here:

https://build.opensuse.org/project/show/Cloud:StarlingX:2.0

Change-Id: I676aae8cb9554eab2740232fd0dd77e0ed876506
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2019-06-20 15:53:29 -07:00