This commit implements the access control for all FM APIs. An incomplete
list of FM APIs can be found at
"https://docs.starlingx.io/api-ref/fault/api-ref-fm-v1-fault.html". Unit
tests will be created in other task.
All access control rules can be overwritten through file
"/etc/fm/policy.yaml". Any change in file "/etc/fm/policy.yaml" is
automatically detected by policy engine and the rules are updated.
Differently from other APIs, which have as default rule to enforce that
all users using the API are present in either project "admin" or
"services", all read-only actions (GET requests) of FM API are allowed
for any user, so it only requires "reader" role (that is the lowest
role). Other actions require the user to have "admin" role and to be
present in either project "admin" or "services".
As all system users of StarlingX have "admin" role and are present in
either project "admin" or "services", the default rules for FM API
allows any system users to execute any action, so there should be no
regression with the change introduced here.
To test the access control of FM API, the following commands will be
used:
fm alarm-list
fm alarm-show <uuid>
fm alarm-summary
fm alarm-delete <uuid>
fm event-list
fm event-show <uuid>
fm event-suppress --alarm_id <alarm_id>
fm event-suppress-list
fm event-unsuppress --alarm_id <alarm_id>
fm event-unsuppress-all
On test plan, these commands will be reffered as "test commands".
Note: there is one FM API that is not tested by the commands above,
that is the creation of alarms ("fm_api:alarm:create"). This API will
be tested indirectly by observing the system successfully creating
alarms in the deployed environment.
Test Plan:
PASS: Successfully deploy an AIO-SX using an Debian image with this
commit present. Successfully create, through openstack CLI, the users:
'testreader' with role 'reader' in project 'admin',
'adminsvc' with role 'admin' in project 'services' and
'otheradmin' with role 'admin' in project 'notadminproject'.
Create openrc files for all new users. Note: the other user that will be
used is the already existing 'admin' with role 'admin' in project
'admin'.
PASS: In the deployed AIO-SX, check the behavior of test commands
through different users: for "admin" and "adminsvc" users, all commands
are successful; for users "testreader" and "otheradmin", only the
commands "alarm-delete", "event-suppress", "event-unsuppress" and
"event-unsuppress-all" fail. Observe also that the system is able to
create alarms during its operation.
PASS: In the deployed AIO-SX, add the following lines in file
"/etc/fm/policy.yaml":
fm_api:alarm:create: role:admin
fm_api:alarm:delete: role:admin
fm_api:alarm:get: role:admin
fm_api:alarm:modify: role:admin
fm_api:event_log:get: role:admin
fm_api:event_suppression:get: role:admin
fm_api:event_suppression:modify: role:admin
and check that all test commands are successful through user
"otheradmin" and that all test commands fail through user "testreader".
Observe also that the system is able to create alarms during its
operation.
PASS: In the deployed AIO-SX, to assert that public API works without
authentication, execute the commands:
"curl -v http://<MGMT_IP>:18002/" and
"curl -v http://<MGMT_IP>:18002/v1/" and
verify that they are accepted and that the HTTP response is 200,
and execute the commands:
"curl -v http://<MGMT_IP>:18002/v1/alarms" and
"curl -v http://<MGMT_IP>:18002/v1/event_log" and
verify that they are rejected and that the HTTP response is 401.
PASS: In the deployed AIO-SX, check through Horizon interface that Fault
Management works correctly (showing alarms and events, allowing events
to be suppressed).
PASS: Repeat all tests above changing the deploy to AIO-DX using an
CentOS image.
Story: 2010149
Task: 46123
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I3db6d0464d8d53c4dfbc761663be1712141b8b93
99eba3afb8