This commit updates the policies for baremetal event policies to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.
Change-Id: I9543b0524f2e85eae0d4fd4331ea1ed9a66322d8
Changed permission defaults for changing the node owner of a node
and disabling cleaning to be system administrator based privilges.
This was review feedback in the very final review jam of the change,
which was agreed upon.
Change-Id: I5b0e609be1bfe90bbe76782e0544f7943b0c12a9
This commit updates the policies for baremetal allocation policies to
understand scope checking and account for a read-only role. This is part of a
broader series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Change-Id: I1cb3a7e885710c19f20df63b83beaa787ffa3bc3
This commit updates the policies for baremetal conductor policies to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.
Change-Id: I331f46092405ffd399ad45ba4ccb6dc7639051e5
This commit updates the policies for baremetal volume policies to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.
Change-Id: I361a6410f5825b2dc97b50586475a4fa8e0f0f1f
This commit updates the policies for baremetal utility policies to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.
Also adds duplicate Heartbeat and Lookup test classes with the middleware
scope enforcement enabled and enforced, to ensure that we do not adversely
impact these special API endpoints.
Change-Id: I89176b3adf1489e12493c62b908bf135c912e017
This commit updates the policies for baremetal passthru policies to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.
Change-Id: I31a258e0ce7db7e931e62f2a06e610857dabdd47
This commit updates the policies for baremetal drivers to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.
Change-Id: I7e2f205a5fbc186bfdaf2f5f58fb3b07abc9765d
This commit updates the policies for baremetal chassis to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.
Change-Id: I5ecb44a389b057519599c7b812f8c913db4f085a
This commit updates the policies for baremetal port groups to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: Ida3b341285e3f889311a44f615e0665a0736f6af
This commit updates the policies for baremetal ports to understand scope
checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I0ff52a5b667cffdb93e210f5ef32c1d38953d6ee
This commit updates the policies for baremetal nodes to understand
scope checking and account for a member or read-only role.
This is part of a broader series of changes across OpenStack
to provide a consistent RBAC experience and improve security.
This change also implements basic testing of the RBAC interface, and
modifies the testing test_acl.py file to *both* delineate the tests
to prevent yaml variable expansion collission as well as handle
deprecated ACL testing so we can track our way through the API
and disable deprecated tests from providing false errors.
A notable difference between the testing is that members in the
system role *have* rights under the system scope. Members accounts
may be services such as nova-compute running the nova.virt.ironic
driver.
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: Id8365f150f8f5828b99627e1f31b0bc30f3a28f2
This change adds support for utilising NVMe specific cleaning tools
on supported devices. This will remove the neccessity of using shred to
securely delete the contents of a NVMe drive and enable using nvme-cli
tools instead, improving cleaning performance and reducing wear on the device.
Story: 2008290
Task: 41168
Change-Id: I2f63db9b739e53699bd5f164b79640927bf757d7
When it is set to True, we try to write text data to a binary file,
which is not possible in Python 3. The issue has been "helpfully"
hidden by the fact that we use bytes in unit tests, as well as
by lack of CI coverage.
Change-Id: Ibbf90dcbcb36a5f7cf084a44a221c0c5c003b95a
The ironicclient CLI silently passes invalid JSON as a configdrive
blob, which fails much later with a confusing errors. Add an early
check in the API.
Change-Id: Ifa9993a9454fe036a600ca8b855397321d4fbc04
We are replacing all usages of the 'retrying' package with
'tenacity' as the author of retrying is not actively maintaining
the project.
Unit tests will be added/removed where applicable.
Tenacity [1] is a fork of retrying, but has improved the
interface and extensibility.
Our end goal here is removing the retrying package from our
requirements.
Tenacity provides the same functionality as retrying, but has the
following major differences to account for:
- Tenacity uses seconds rather than ms as retrying did.
- Tenacity has different kwargs for the decorator and
Retrying class itself.
- Tenacity has a different approach for retrying args by
using classes for its stop/wait/retry kwargs.
- By default tenacity raises a RetryError if a retried callable
times out; retrying raises the last exception from the callable.
Tenacity provides backwards compatibility here by offering
the 'reraise' kwarg.
- For retries that check a result, tenacity will raise if the retried
function raises, whereas retrying retried on all exceptions.
[1] https://github.com/jd/tenacity
Co-Authored-By: Dmitry Tantsur <dtantsur@protonmail.com>
Co-Authored-By: Riccardo Pittau <elfosardo@gmail.com>
Story: #1635390
Task: #10528
Change-Id: Ie5eb3ddc196505e8f58ed14de9952284598586fb
