The tests were not enabled earlier on, for endpoints that
are not going to be exposed to users, really. So this patch
just updates them so they are tested as expected.
Change-Id: If3c989d5bcf03de5704e30165747642134952f75
This patch adds project scoped access, as part of the work
to delineate system and project scope access.
Adds policies:
* baremetal:volume:list_all
* baremetal:volume:list
* baremetal:volume:view_target_properties
Change-Id: I898310b515195b7065a3b1c7998ef3f29f5e8747
The Redfish hardware type does not currently implement the RAID
hardware interface.
This patch implements the Redfish RAID interface, allowing operators
to specify the desired RAID configuration on Ironic Redfish nodes.
Story: 2003514
Task: 24789
Depends-On: https://review.opendev.org/c/openstack/sushy/+/774532
Change-Id: Icf5ca865e0c1e168b96659229df622698bea1503
This patch implements the project scoped rbac policies for a
system and project scoped deployment of ironic. Because of the
nature of Ports and Portgroups, along with the subcontroller
resources, this change was a little more invasive than was
originally anticipated. In that process, along with some
discussion in the #openstack-ironic IRC channel, that it
would be most security concious to respond only with 404s if
the user simply does not have access to the underlying node
object.
In essence, their view of the universe has been restricted as
they have less acess rights, and we appropriately enforce that.
Not expecting that, or not conciously being aware of that, can
quickly lead to confusion though. Possibly a day or more of
Julia's life as well, but it comes down to perceptions and
awareness.
Change-Id: I68c5f2bae76ca313ba77285747dc6b1bc8b623b9
* Adds additional policies:
* baremetal:node_get:last_error
* baremetal:node:get:reservation
* baremetal:node:get:driver_internal_info
* baremetal:node:get:driver_info
* baremetal:node:update:driver_info
* baremetal:node:update:properties
* baremetal:node:update:chassis_uuid
* baremetal:node:update:instance_uuid
* baremetal:node:update:lessee
* baremetal:node:update:driver_interfaces
* baremetal:node:update:network_data
* baremetal:node:update:conductor_group
* baremetal:node:update:name
* With new policies, responses of filtering and posted data is
performed. Testing has been added to the RBAC testing files
to align with this and the defaults where pertinant.
* Adds another variation of the common policy check method
which may be useful in the long term. This is too soon to
tell, but the overall purpose is to allow similar logic
patterns to the authorize behavior. This is because the
standard policies are, at present, also used to control
behavior of response, and node response sanitization needs
to be carefully navigated.
This change excludes linked resources such as /nodes/<uuid>/ports,
portgroups, volumes/[targets|connectors]. Those will be in later
changes, as the node itself is quite a bit.
Special note:
* The indicator endpoint code in the API appears to be broken
and given that should be fixed in a separate patch.
Change-Id: I2869bf21f761cfc543798cf1f7d97c5500cd3681
This change adds support for utilising NVMe specific cleaning tools
on supported devices. This will remove the neccessity of using shred to
securely delete the contents of a NVMe drive and enable using nvme-cli
tools instead, improving cleaning performance and reducing wear on the device.
(this specific change adds extra documentation to the earlier set of
patches implementing this).
Story: 2008290
Task: 41168
Change-Id: Ia6d34b31680967a0d14687e5a54d68a1f1644308
In order to reduce the load on the database backend, only lazy-load
a node's ports, portgroups, volume_connectors, and volume_targets.
With the power-sync as the main user, this change should reduce the
number of DB operations by two thirds roughly.
Change-Id: Id9a9a53156f7fd866d93569347a81e27c6f0673c
It is possible that an interface has both IPv4 and IPv6 addresses,
primarily when using SLAAC with OpenStack Neutron. When this is
the case, it is very likely that the first fixed IP would be a
SLAAC assigned port and the second IP is the IPv4 address.
In an environment where you are looking to boot via IPv4, no DHCPv6
infrastructure exists as IPv6 connectivity is provided via SLAAC,
you would not be able to use this network to boot off of.
This patch instead grabs all the fixed IP addresses, then inserts
the options that match the IP versions which are attached to the
interface, potentially resulting in both IPv4 and IPv6 options
being included (though the IPv6 ones would be largely omitted).
In environments where only IPv4 or IPv6 is in use on the port, it
will still only insert the options for those specific IP versions.
Story #2008660
Task #41933
Change-Id: I52e4ee022b17cb7f007534cb368136567b139a34
No longer explicit handle secure boot in PXE/iPXE derivatives since it's
now handled there.
Change-Id: I13b1d53578285b7171bfadb53bb2a7f69e7b53e3
Story: #2008270
Task: #41567
This patch proposes initial tests to perform validations in relation
to supporting project scope access in a deployment where system scope
is also delineated.
For now, these tests have been disabled with the exception of tests
whose scopes are unexpected to see project scope support.
* conductors
* drivers
* chassis
* deploy_templates
Change-Id: I29c2ea987464b5b210808d9ca806292b8ab2ddf4
One of the default role names in the RBAC model with system and
project scopes is reader. Reader replaces observer, and while this
was not done earlier to the tests in system scope was because it is
better to evolve the tests being able to run individual groups with
the same name as opposed to different names.
Change-Id: I57bab93adaf7e562c4c46febd612e1f27ea50bfa
This commit updates the policies for baremetal deploy template policies to
understand scope checking and account for a read-only role. This is part of a
broader series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Change-Id: I1d1d1bdae0171c44e122018a8a83b35dbb093c39
This commit updates the policies for baremetal event policies to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.
Change-Id: I9543b0524f2e85eae0d4fd4331ea1ed9a66322d8
