99eba3afb8
This commit implements the access control for all FM APIs. An incomplete list of FM APIs can be found at "https://docs.starlingx.io/api-ref/fault/api-ref-fm-v1-fault.html". Unit tests will be created in another task.

All access control rules can be overwritten through file "/etc/fm/policy.yaml". Any change in file "/etc/fm/policy.yaml" is automatically detected by the policy engine and the rules are updated.

Differently from other APIs, which have as default rule to enforce that all users using the API are present in either project "admin" or "services", all read-only actions (GET requests) of the FM API are allowed for any user, so they only require the "reader" role (that is the lowest role). Other actions require the user to have the "admin" role and to be present in either project "admin" or "services". As all system users of StarlingX have the "admin" role and are present in either project "admin" or "services", the default rules for the FM API allow any system user to execute any action, so there should be no regression with the change introduced here.

To test the access control of the FM API, the following commands will be used:

    fm alarm-list
    fm alarm-show <uuid>
    fm alarm-summary
    fm alarm-delete <uuid>
    fm event-list
    fm event-show <uuid>
    fm event-suppress --alarm_id <alarm_id>
    fm event-suppress-list
    fm event-unsuppress --alarm_id <alarm_id>
    fm event-unsuppress-all

In the test plan, these commands will be referred to as "test commands".

Note: there is one FM API that is not tested by the commands above, that is the creation of alarms ("fm_api:alarm:create"). This API will be tested indirectly by observing the system successfully creating alarms in the deployed environment.

Test Plan:

PASS: Successfully deploy an AIO-SX using a Debian image with this commit present. Successfully create, through the openstack CLI, the users: 'testreader' with role 'reader' in project 'admin', 'adminsvc' with role 'admin' in project 'services' and 'otheradmin' with role 'admin' in project 'notadminproject'. Create openrc files for all new users. Note: the other user that will be used is the already existing 'admin' with role 'admin' in project 'admin'.

PASS: In the deployed AIO-SX, check the behavior of the test commands through different users: for "admin" and "adminsvc" users, all commands are successful; for users "testreader" and "otheradmin", only the commands "alarm-delete", "event-suppress", "event-unsuppress" and "event-unsuppress-all" fail. Observe also that the system is able to create alarms during its operation.

PASS: In the deployed AIO-SX, add the following lines in file "/etc/fm/policy.yaml":

    fm_api:alarm:create: role:admin
    fm_api:alarm:delete: role:admin
    fm_api:alarm:get: role:admin
    fm_api:alarm:modify: role:admin
    fm_api:event_log:get: role:admin
    fm_api:event_suppression:get: role:admin
    fm_api:event_suppression:modify: role:admin

and check that all test commands are successful through user "otheradmin" and that all test commands fail through user "testreader". Observe also that the system is able to create alarms during its operation.

PASS: In the deployed AIO-SX, to assert that the public API works without authentication, execute the commands "curl -v http://<MGMT_IP>:18002/" and "curl -v http://<MGMT_IP>:18002/v1/" and verify that they are accepted and that the HTTP response is 200, and execute the commands "curl -v http://<MGMT_IP>:18002/v1/alarms" and "curl -v http://<MGMT_IP>:18002/v1/event_log" and verify that they are rejected and that the HTTP response is 401.

PASS: In the deployed AIO-SX, check through the Horizon interface that Fault Management works correctly (showing alarms and events, allowing events to be suppressed).

PASS: Repeat all tests above changing the deploy to AIO-DX using a CentOS image.

Story: 2010149
Task: 46123

Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I3db6d0464d8d53c4dfbc761663be1712141b8b93
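Added example, not part of this commit nor of the StarlingX or oslo.policy code: a small Python model of the policy rules the commit message describes, evaluated against the four test-plan users, so the expected pass/fail matrix of the test plan (defaults versus the "role:admin" override in /etc/fm/policy.yaml) can be reproduced offline. It assumes the policy engine exposes the caller's roles as `roles` and the project as `project_name`, that the project restriction is spelled `project_name:admin or project_name:services`, and that Keystone's implied roles give every "admin" user the "reader" role as well; the rule names are the ones listed in the commit message.

```python
"""Model of the FM API policy checks described in the commit message.

Added example, not StarlingX or oslo.policy code. It evaluates a small subset
of oslo.policy rule syntax ("role:X", "<key>:<value>", "and", "or" and
parentheses) against the four test-plan users, so the expected PASS/FAIL
matrix can be reproduced offline. Assumptions: the policy engine exposes the
caller's roles as `roles` and the project as `project_name`, and Keystone's
implied roles give every "admin" user the "reader" role as well.
"""

# Default rules as the commit describes them: GET actions need only the
# "reader" role; every other action needs "admin" in project "admin" or
# "services". The exact spelling of the project check is an assumption.
_WRITE = "role:admin and (project_name:admin or project_name:services)"
DEFAULT_RULES = {
    "fm_api:alarm:create": _WRITE,
    "fm_api:alarm:delete": _WRITE,
    "fm_api:alarm:get": "role:reader",
    "fm_api:alarm:modify": _WRITE,
    "fm_api:event_log:get": "role:reader",
    "fm_api:event_suppression:get": "role:reader",
    "fm_api:event_suppression:modify": _WRITE,
}

# The override the test plan writes into /etc/fm/policy.yaml.
OVERRIDE_RULES = {name: "role:admin" for name in DEFAULT_RULES}

# The four users from the test plan (constructed credentials; the role lists
# are already expanded the way Keystone's implied roles would expand them).
USERS = {
    "admin": {"roles": ["admin", "member", "reader"], "project_name": "admin"},
    "adminsvc": {"roles": ["admin", "member", "reader"],
                 "project_name": "services"},
    "testreader": {"roles": ["reader"], "project_name": "admin"},
    "otheradmin": {"roles": ["admin", "member", "reader"],
                   "project_name": "notadminproject"},
}


def _tokenize(rule):
    """Split a rule string into parentheses, operators and key:value checks."""
    return rule.replace("(", " ( ").replace(")", " ) ").split()


def _evaluate(tokens, creds):
    """Recursive-descent evaluation; 'and' binds tighter than 'or'."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        nonlocal pos
        value = parse_and()
        while peek() == "or":
            pos += 1
            rhs = parse_and()      # always consume the operand, no short-circuit
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while peek() == "and":
            pos += 1
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("unexpected end of rule")
        pos += 1
        if tok == "(":
            value = parse_or()
            if peek() != ")":
                raise ValueError("unbalanced parenthesis in rule")
            pos += 1
            return value
        key, sep, want = tok.partition(":")
        if not sep:
            raise ValueError("bad check: %r" % tok)
        if key == "role":
            return want in creds.get("roles", [])
        return creds.get(key) == want

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in rule")
    return result


def enforce(rules, action, creds):
    """True if `creds` may perform `action` under `rules` (KeyError if unknown)."""
    return _evaluate(_tokenize(rules[action]), creds)


def denied_actions(rules, user):
    """Sorted list of policy actions the named test-plan user is refused."""
    creds = USERS[user]
    return sorted(a for a in rules if not enforce(rules, a, creds))


if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("override", OVERRIDE_RULES)):
        for user in USERS:
            print(label, user, "denied:", denied_actions(rules, user) or "nothing")
```

Under the default rules the model denies "testreader" and "otheradmin" exactly the write actions (alarm create/delete/modify and event-suppression modify), which matches the four failing test commands; under the override, "otheradmin" is allowed everything and "testreader" nothing, as the test plan records.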