openstack/ironic
Code Issues Proposed changes

Merge "Implement "system" scoped RBAC for ports"

Browse Source
This commit is contained in:
Zuul 2021-02-23 05:43:02 +00:00 committed by Gerrit Code Review
commit 2be3f75760
4 changed files with 133 additions and 62 deletions

126
ironic/common/policy.py

@ -653,44 +653,108 @@ node_policies = [
),
]
deprecated_port_get = policy.DeprecatedRule(
name='baremetal:port:get',
check_str='rule:is_admin or rule:is_observer'
)
deprecated_port_list = policy.DeprecatedRule(
name='baremetal:port:list',
check_str='rule:baremetal:port:get'
)
deprecated_port_list_all = policy.DeprecatedRule(
name='baremetal:port:list_all',
check_str='rule:baremetal:port:get'
)
deprecated_port_create = policy.DeprecatedRule(
name='baremetal:port:create',
check_str='rule:is_admin'
)
deprecated_port_delete = policy.DeprecatedRule(
name='baremetal:port:delete',
check_str='rule:is_admin'
)
deprecated_port_update = policy.DeprecatedRule(
name='baremetal:port:update',
check_str='rule:is_admin'
)
deprecated_port_reason = """
The baremetal port API is now aware of system scope and default roles.
"""
port_policies = [
policy.DocumentedRuleDefault(
'baremetal:port:get',
'rule:is_admin or rule:is_observer',
'Retrieve Port records',
[{'path': '/ports/{port_id}', 'method': 'GET'},
{'path': '/nodes/{node_ident}/ports', 'method': 'GET'},
{'path': '/nodes/{node_ident}/ports/detail', 'method': 'GET'},
{'path': '/portgroups/{portgroup_ident}/ports', 'method': 'GET'},
{'path': '/portgroups/{portgroup_ident}/ports/detail',
'method': 'GET'}]),
name='baremetal:port:get',
check_str=SYSTEM_READER,
scope_types=['system'],
description='Retrieve Port records',
operations=[
{'path': '/ports/{port_id}', 'method': 'GET'},
{'path': '/nodes/{node_ident}/ports', 'method': 'GET'},
{'path': '/nodes/{node_ident}/ports/detail', 'method': 'GET'},
{'path': '/portgroups/{portgroup_ident}/ports', 'method': 'GET'},
{'path': '/portgroups/{portgroup_ident}/ports/detail',
'method': 'GET'}
],
deprecated_rule=deprecated_port_get,
deprecated_reason=deprecated_port_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:port:list',
'rule:baremetal:port:get',
'Retrieve multiple Port records, filtered by owner',
[{'path': '/ports', 'method': 'GET'},
{'path': '/ports/detail', 'method': 'GET'}]),
name='baremetal:port:list',
check_str=SYSTEM_READER,
scope_types=['system'],
description='Retrieve multiple Port records, filtered by owner',
operations=[
{'path': '/ports', 'method': 'GET'},
{'path': '/ports/detail', 'method': 'GET'}
],
deprecated_rule=deprecated_port_list,
deprecated_reason=deprecated_port_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:port:list_all',
'rule:baremetal:port:get',
'Retrieve multiple Port records',
[{'path': '/ports', 'method': 'GET'},
{'path': '/ports/detail', 'method': 'GET'}]),
name='baremetal:port:list_all',
check_str=SYSTEM_READER,
scope_types=['system'],
description='Retrieve multiple Port records',
operations=[
{'path': '/ports', 'method': 'GET'},
{'path': '/ports/detail', 'method': 'GET'}
],
deprecated_rule=deprecated_port_list_all,
deprecated_reason=deprecated_port_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:port:create',
'rule:is_admin',
'Create Port records',
[{'path': '/ports', 'method': 'POST'}]),
name='baremetal:port:create',
check_str=SYSTEM_ADMIN,
scope_types=['system'],
description='Create Port records',
operations=[{'path': '/ports', 'method': 'POST'}],
deprecated_rule=deprecated_port_create,
deprecated_reason=deprecated_port_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:port:delete',
'rule:is_admin',
'Delete Port records',
[{'path': '/ports/{port_id}', 'method': 'DELETE'}]),
name='baremetal:port:delete',
check_str=SYSTEM_ADMIN,
scope_types=['system'],
description='Delete Port records',
operations=[{'path': '/ports/{port_id}', 'method': 'DELETE'}],
deprecated_rule=deprecated_port_delete,
deprecated_reason=deprecated_port_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:port:update',
'rule:is_admin',
'Update Port records',
[{'path': '/ports/{port_id}', 'method': 'PATCH'}]),
name='baremetal:port:update',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Update Port records',
operations=[{'path': '/ports/{port_id}', 'method': 'PATCH'}],
deprecated_rule=deprecated_port_update,
deprecated_reason=deprecated_port_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
]
portgroup_policies = [

30
ironic/tests/unit/api/test_rbac_legacy.yaml

@ -997,18 +997,21 @@ ports_get_admin:
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
ports_get_member:
path: '/v1/ports'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
ports_get_observer:
path: '/v1/ports'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
# NOTE(TheJulia): Returns 400 when the conductor calls are
# mocked indicating node lookup failed, which means the access
@ -1021,6 +1024,7 @@ ports_post_admin:
body: &port_body
node_uuid: 68a552fb-dcd2-43bf-9302-e4c93287be16
address: 00:01:02:03:04:05
deprecated: true
ports_post_member:
path: '/v1/ports'
@ -1028,6 +1032,7 @@ ports_post_member:
headers: *member_headers
assert_status: 403
body: *port_body
deprecated: true
ports_post_observer:
path: '/v1/ports'
@ -1035,42 +1040,49 @@ ports_post_observer:
headers: *observer_headers
assert_status: 403
body: *port_body
deprecated: true
ports_detail_get_admin:
path: '/v1/ports/detail'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
ports_detail_get_member:
path: '/v1/ports/detail'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
ports_detail_get_observer:
path: '/v1/ports/detail'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
ports_port_id_get_admin:
path: '/v1/ports/{port_ident}'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
ports_port_id_get_member:
path: '/v1/ports/{port_ident}'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
ports_port_id_get_observer:
path: '/v1/ports/{port_ident}'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
ports_port_id_patch_admin:
path: '/v1/ports/{port_ident}'
@ -1081,6 +1093,7 @@ ports_port_id_patch_admin:
- op: replace
path: /extra
value: {'test': 'testing'}
deprecated: true
ports_port_id_patch_member:
path: '/v1/ports/{port_ident}'
@ -1088,6 +1101,7 @@ ports_port_id_patch_member:
headers: *member_headers
assert_status: 403
body: *port_patch_body
deprecated: true
ports_port_id_patch_observer:
path: '/v1/ports/{port_ident}'
@ -1095,24 +1109,28 @@ ports_port_id_patch_observer:
headers: *observer_headers
assert_status: 403
body: *port_patch_body
deprecated: true
ports_port_id_delete_admin:
path: '/v1/ports/{port_ident}'
method: delete
headers: *admin_headers
assert_status: 503
deprecated: true
ports_port_id_delete_member:
path: '/v1/ports/{port_ident}'
method: delete
headers: *member_headers
assert_status: 403
deprecated: true
ports_port_id_delete_observer:
path: '/v1/ports/{port_ident}'
method: delete
headers: *observer_headers
assert_status: 403
deprecated: true
# Ports by node - https://docs.openstack.org/api-ref/baremetal/#listing-ports-by-node-nodes-ports
@ -1121,36 +1139,42 @@ nodes_ports_get_admin:
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_ports_get_member:
path: '/v1/nodes/{node_ident}/ports'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_ports_get_observer:
path: '/v1/nodes/{node_ident}/ports'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
nodes_ports_detail_get_admin:
path: '/v1/nodes/{node_ident}/ports/detail'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_ports_detail_get_member:
path: '/v1/nodes/{node_ident}/ports/detail'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_ports_detail_get_observer:
path: '/v1/nodes/{node_ident}/ports/detail'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
# Ports by portgroup - https://docs.openstack.org/api-ref/baremetal/#listing-ports-by-portgroup-portgroup-ports
@ -1159,36 +1183,42 @@ portgroups_ports_get_admin:
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
portgroups_ports_get_member:
path: '/v1/portgroups/{portgroup_ident}/ports'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
portgroups_ports_get_observer:
path: '/v1/portgroups/{portgroup_ident}/ports'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
portgroups_ports_detail_get_admin:
path: '/v1/portgroups/{portgroup_ident}/ports/detail'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
portgroups_ports_detail_get_member:
path: '/v1/portgroups/{portgroup_ident}/ports/detail'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
portgroups_ports_detail_get_observer:
path: '/v1/portgroups/{portgroup_ident}/ports/detail'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
# Volume(s) - https://docs.openstack.org/api-ref/baremetal/#volume-volume

36
ironic/tests/unit/api/test_rbac_system_scoped.yaml

@ -931,21 +931,18 @@ ports_get_admin:
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
ports_get_member:
path: '/v1/ports'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
ports_get_observer:
path: '/v1/ports'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
# NOTE(TheJulia): Returns 400 when the conductor calls are
# mocked indicating node lookup failed, which means the access
@ -958,7 +955,6 @@ ports_post_admin:
body: &port_body
node_uuid: 68a552fb-dcd2-43bf-9302-e4c93287be16
address: 00:01:02:03:04:05
skip_reason: not updated for scope testing
ports_post_member:
path: '/v1/ports'
@ -966,7 +962,6 @@ ports_post_member:
headers: *scoped_member_headers
assert_status: 403
body: *port_body
skip_reason: not updated for scope testing
ports_post_observer:
path: '/v1/ports'
@ -974,49 +969,42 @@ ports_post_observer:
headers: *observer_headers
assert_status: 403
body: *port_body
skip_reason: not updated for scope testing
ports_detail_get_admin:
path: '/v1/ports/detail'
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
ports_detail_get_member:
path: '/v1/ports/detail'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
ports_detail_get_observer:
path: '/v1/ports/detail'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
ports_port_id_get_admin:
path: '/v1/ports/{port_ident}'
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
ports_port_id_get_member:
path: '/v1/ports/{port_ident}'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
ports_port_id_get_observer:
path: '/v1/ports/{port_ident}'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
# NOTE(TheJulia): Returns 500 without the ability to update
# the conductor.
@ -1029,15 +1017,13 @@ ports_port_id_patch_admin:
- op: replace
path: /extra
value: {'test': 'testing'}
skip_reason: not updated for scope testing
ports_port_id_patch_member:
path: '/v1/ports/{port_ident}'
method: patch
headers: *scoped_member_headers
assert_status: 403
assert_status: 503
body: *port_patch_body
skip_reason: not updated for scope testing
ports_port_id_patch_observer:
path: '/v1/ports/{port_ident}'
@ -1045,7 +1031,6 @@ ports_port_id_patch_observer:
headers: *observer_headers
assert_status: 403
body: *port_patch_body
skip_reason: not updated for scope testing
# NOTE(TheJulia): This call attempts to use the conductor which
# is not possible and thus not status of 403.
@ -1054,21 +1039,18 @@ ports_port_id_delete_admin:
method: delete
headers: *admin_headers
assert_status: 503
skip_reason: not updated for scope testing
ports_port_id_delete_member:
path: '/v1/ports/{port_ident}'
method: delete
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
ports_port_id_delete_observer:
path: '/v1/ports/{port_ident}'
method: delete
headers: *observer_headers
assert_status: 403
skip_reason: not updated for scope testing
# Ports by node - https://docs.openstack.org/api-ref/baremetal/#listing-ports-by-node-nodes-ports
@ -1077,42 +1059,36 @@ nodes_ports_get_admin:
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
nodes_ports_get_member:
path: '/v1/nodes/{node_ident}/ports'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
nodes_ports_get_observer:
path: '/v1/nodes/{node_ident}/ports'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
nodes_ports_detail_get_admin:
path: '/v1/nodes/{node_ident}/ports/detail'
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
nodes_ports_detail_get_member:
path: '/v1/nodes/{node_ident}/ports/detail'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
nodes_ports_detail_get_observer:
path: '/v1/nodes/{node_ident}/ports/detail'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
# Ports by portgroup - https://docs.openstack.org/api-ref/baremetal/#listing-ports-by-portgroup-portgroup-ports

3
releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml

@ -2,7 +2,8 @@
features:
- |
The Baremetal API, provided by the ironic-api process, now supports use of
``system`` scoped ``keystone`` authentication for the node endpoint.
``system`` scoped ``keystone`` authentication for the nodes and ports
endpoints.
upgrade:
- |
Deprecated policy rules are not expressed via a default policy file