Commit Graph

12 Commits (master)

Author SHA1 Message Date
Joao Victor Portal 99eba3afb8 Implement access control for FM API
This commit implements the access control for all FM APIs. An incomplete
list of FM APIs can be found at
"". Unit
tests will be created in other task.

All access control rules can be overwritten through file
"/etc/fm/policy.yaml". Any change in file "/etc/fm/policy.yaml" is
automatically detected by policy engine and the rules are updated.

Differently from other APIs, which have as default rule to enforce that
all users using the API are present in either project "admin" or
"services", all read-only actions (GET requests) of FM API are allowed
for any user, so it only requires "reader" role (that is the lowest
role). Other actions require the user to have "admin" role and to be
present in either project "admin" or "services".

As all system users of StarlingX have "admin" role and are present in
either project "admin" or "services", the default rules for FM API
allows any system users to execute any action, so there should be no
regression with the change introduced here.

To test the access control of FM API, the following commands will be
fm alarm-list
fm alarm-show <uuid>
fm alarm-summary
fm alarm-delete <uuid>
fm event-list
fm event-show <uuid>
fm event-suppress --alarm_id <alarm_id>
fm event-suppress-list
fm event-unsuppress --alarm_id <alarm_id>
fm event-unsuppress-all
On test plan, these commands will be reffered as "test commands".

Note: there is one FM API that is not tested by the commands above,
that is the creation of alarms ("fm_api:alarm:create"). This API will
be tested indirectly by observing the system successfully creating
alarms in the deployed environment.

Test Plan:

PASS: Successfully deploy an AIO-SX using an Debian image with this
commit present. Successfully create, through openstack CLI, the users:
'testreader' with role 'reader' in project 'admin',
'adminsvc' with role 'admin' in project 'services' and
'otheradmin' with role 'admin' in project 'notadminproject'.
Create openrc files for all new users. Note: the other user that will be
used is the already existing 'admin' with role 'admin' in project
PASS: In the deployed AIO-SX, check the behavior of test commands
through different users: for "admin" and "adminsvc" users, all commands
are successful; for users "testreader" and "otheradmin", only the
commands "alarm-delete", "event-suppress", "event-unsuppress" and
"event-unsuppress-all" fail. Observe also that the system is able to
create alarms during its operation.
PASS: In the deployed AIO-SX, add the following lines in file
fm_api:alarm:create: role:admin
fm_api:alarm:delete: role:admin
fm_api:alarm:get: role:admin
fm_api:alarm:modify: role:admin
fm_api:event_log:get: role:admin
fm_api:event_suppression:get: role:admin
fm_api:event_suppression:modify: role:admin
and check that all test commands are successful through user
"otheradmin" and that all test commands fail through user "testreader".
Observe also that the system is able to create alarms during its
PASS: In the deployed AIO-SX, to assert that public API works without
authentication, execute the commands:
"curl -v http://<MGMT_IP>:18002/" and
"curl -v http://<MGMT_IP>:18002/v1/" and
verify that they are accepted and that the HTTP response is 200,
and execute the commands:
"curl -v http://<MGMT_IP>:18002/v1/alarms" and
"curl -v http://<MGMT_IP>:18002/v1/event_log" and
verify that they are rejected and that the HTTP response is 401.
PASS: In the deployed AIO-SX, check through Horizon interface that Fault
Management works correctly (showing alarms and events, allowing events
to be suppressed).
PASS: Repeat all tests above changing the deploy to AIO-DX using an
CentOS image.

Story: 2010149
Task: 46123

Signed-off-by: Joao Victor Portal <>
Change-Id: I3db6d0464d8d53c4dfbc761663be1712141b8b93
2022-08-26 10:54:39 -03:00
Erich Cordoba d235681165 Add missing Requires to fault components for opensuse
Some of the fault components rely on having all the dependencies
installed in the StarlingX ISO so having missing dependencies listed
in the spec files is not an issue. However, when we take those compo-
nents and run them in a non StarlingX installation these problems
started to arise.

This patch is the result of the analysis of all imports and a manual
execution of the fault components in opensuse. This is a summary of
the findings:

- fm-api: This component imports `fm_core` which is provided by
          `fm-common` but not listed in the dependencies. Same
          case for `six` module.
- fm-mgr: `fmManager` links to `libfmcommon` but is not listed in the
          requirements. Also, it expects to find the `/etc/fm/events.yaml`
          file which is provided by `fm-doc`.
- fm-rest-api: A set of imports that are missing. This component also
               depends on other StarlingX compoments.
- python-fmclient: Missing python imports.

Story: 2006684
Task: 36971

Change-Id: I6719ab8a8d9a35d105be1c6f7dac57b855da543e
Signed-off-by: Erich Cordoba <>
2019-10-08 18:24:30 -05:00
Zuul fb8dc46a59 Merge "Adding %fdupes macro to python-fmclient and fm-rest-api in opensuse" 2019-10-08 13:43:05 +00:00
Erich Cordoba 4e6ed39d61 Adding %fdupes macro to python-fmclient and fm-rest-api in opensuse
The rpmlint tool complains about having duplicated files in these
two packages. The %fdupes macro helps to remove these duplicated
files and thus pass rpmlint checks.

Story: 2006508
Task: 36867

Change-Id: I031352e06c74da65dc62b9a6c51dbb87371432d1
Signed-off-by: Erich Cordoba <>
2019-10-01 11:43:25 -05:00
Erich Cordoba 61d9addb2c Delete _service files from git.
These files are part of OBS infrastructure and shouldn't be part of
this repository.

Story: 2006508
Task: 36862

Change-Id: I8cc056a49a888352d8dbb03b2a55e86549e6a45a
Signed-off-by: Erich Cordoba <>
2019-09-30 13:27:21 -05:00
Zuul c0c901620a Merge "Adding rpmlintrc files for opensuse building" 2019-09-30 15:51:07 +00:00
Erich Cordoba 6da9811491 Set version to 1.0.0 in opensuse specfiles
All opensuse version are being standardize with the same format,
this requires that all components will change from 1.0 to 1.0.0.

Story: 2006508
Task: 36811

Change-Id: I301759895e4ed816633daa6595d5f60f2f1d59c7
Signed-off-by: Erich Cordoba <>
2019-09-25 15:35:15 -05:00
Erich Cordoba c9755220c3 Adding rpmlintrc files for opensuse building
The rpmlintrc files helps to configure the behavior of the rpm linter
executed by the opensuse build system. This patch adds the rpmlintrc
files that were defined in the opensuse build system.

Story: 2006508
Task: 36799

Change-Id: If75264e809bb78bbcff1dd474b1a5fc1819ac193
Signed-off-by: Erich Cordoba <>
2019-09-25 06:16:04 -05:00
Erich Cordoba 6f0ec9c4fc Change %autosetup for opensuse specfiles
As the tarballs are now created by the _service definition in the
opensuse build system, it requires now to include the specfiles
within the tarballs. This means that the `-n` option needs to be
set for `%autosetup`.

Story: 2006508
Task: 36780

Change-Id: Ib89a440d4911200ead2a3a35d731564e86b0b447
Signed-off-by: Erich Cordoba <>
2019-09-24 15:17:28 -05:00
Erich Cordoba 79b32861f0 Change tarball extension from xz to gz in opensuse specfiles.
In the opensuse build system (OBS) the `_service` files are being
standardized to generate tarballs with gz compression. The fault's
specfiles were created before this decision, therefore an update
in the extension is required.

Story: 2006508
Task: 36670

Change-Id: I96cb185a9a0e089e4f8e184e8fdeaa709f77915e
Signed-off-by: Erich Cordoba <>
2019-09-17 17:30:00 -05:00
Saul Wold 91af45019b Tox: add tox job and requirements to improve specfiles
This is a tox job to scan the RPM specfiles and do some
initial sanity checks and use the OpenDev Spec-Cleaner tool, this
is not a 'linter' per-se, but will output a diff of recommended
changes for the specfile.

Initial disable cleaning our default CentOS specfiles since we
know they need work, we can enable this later.

This uses the speclint script in starlingx/integ a proposed
by the Depends-On.

The recommended guildline for openSUSE is located here:

Fix up fm-rest-api opensuse specfile

Change-Id: I46da780a667569a9dccedd551d955c983e9601cd
Signed-off-by: Saul Wold <>
2019-07-16 13:15:24 -07:00
Saul Wold 59aa18cf57 Add openSUSE spec files
This commit adds the RPM specfile that supports openSUSE, these
include the _service file which creates the tarball, the changes
files and specfile itself.

These are all built via the OpenBuildService (OBS) and can be
found here:

Change-Id: I676aae8cb9554eab2740232fd0dd77e0ed876506
Signed-off-by: Saul Wold <>
2019-06-20 15:53:29 -07:00