This commit updates the policies for baremetal passthru policies to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.
Change-Id: I31a258e0ce7db7e931e62f2a06e610857dabdd47
This commit updates the policies for baremetal drivers to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.
Change-Id: I7e2f205a5fbc186bfdaf2f5f58fb3b07abc9765d
This commit updates the policies for baremetal chassis to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.
Change-Id: I5ecb44a389b057519599c7b812f8c913db4f085a
This commit updates the policies for baremetal port groups to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: Ida3b341285e3f889311a44f615e0665a0736f6af
This commit updates the policies for baremetal ports to understand scope
checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I0ff52a5b667cffdb93e210f5ef32c1d38953d6ee
This commit updates the policies for baremetal nodes to understand
scope checking and account for a member or read-only role.
This is part of a broader series of changes across OpenStack
to provide a consistent RBAC experience and improve security.
This change also implements basic testing of the RBAC interface, and
modifies the testing test_acl.py file to *both* delineate the tests
to prevent yaml variable expansion collision as well as handle
deprecated ACL testing so we can track our way through the API
and disable deprecated tests from providing false errors.
A notable difference between the testing is that members in the
system role *have* rights under the system scope. Members accounts
may be services such as nova-compute running the nova.virt.ironic
driver.
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: Id8365f150f8f5828b99627e1f31b0bc30f3a28f2
This change adds support for utilising NVMe specific cleaning tools
on supported devices. This will remove the necessity of using shred to
securely delete the contents of an NVMe drive and enable using nvme-cli
tools instead, improving cleaning performance and reducing wear on the device.
Story: 2008290
Task: 41168
Change-Id: I2f63db9b739e53699bd5f164b79640927bf757d7
When it is set to True, we try to write text data to a binary file,
which is not possible in Python 3. The issue has been "helpfully"
hidden by the fact that we use bytes in unit tests, as well as
by lack of CI coverage.
Change-Id: Ibbf90dcbcb36a5f7cf084a44a221c0c5c003b95a
The ironicclient CLI silently passes invalid JSON as a configdrive
blob, which fails much later with confusing errors. Add an early
check in the API.
Change-Id: Ifa9993a9454fe036a600ca8b855397321d4fbc04
We are replacing all usages of the 'retrying' package with
'tenacity' as the author of retrying is not actively maintaining
the project.
Unit tests will be added/removed where applicable.
Tenacity [1] is a fork of retrying, but has improved the
interface and extensibility.
Our end goal here is removing the retrying package from our
requirements.
Tenacity provides the same functionality as retrying, but has the
following major differences to account for:
- Tenacity uses seconds rather than ms as retrying did.
- Tenacity has different kwargs for the decorator and
Retrying class itself.
- Tenacity has a different approach for retrying args by
using classes for its stop/wait/retry kwargs.
- By default tenacity raises a RetryError if a retried callable
times out; retrying raises the last exception from the callable.
Tenacity provides backwards compatibility here by offering
the 'reraise' kwarg.
- For retries that check a result, tenacity will raise if the retried
function raises, whereas retrying retried on all exceptions.
[1] https://github.com/jd/tenacity
Co-Authored-By: Dmitry Tantsur <dtantsur@protonmail.com>
Co-Authored-By: Riccardo Pittau <elfosardo@gmail.com>
Story: #1635390
Task: #10528
Change-Id: Ie5eb3ddc196505e8f58ed14de9952284598586fb
Some of the early test changes for the RBAC work have merged
which is awesome, but a couple minor follow-up items should be
addressed. They are so minor it doesn't really make sense to merge
in with one of the patches in the chain.
Change-Id: I85de4d953237f240c3c220f6a57169c633fb295f
This commit lays down some common personas we're trying to introduce
across OpenStack services. Later commits will use these personas in
ironic's existing policies.
This will help us improve the security posture of OpenStack as a whole
and provide a more consistent experience for operators and end users.
Change-Id: I2960d0f808949582dc964f4f5688a462d397de9e
In order for us to understand if we're starting to break
compatibility with scope changes, we need to at least have
some testing, some way, some place to provide insight.
Hopefully, this should provide that insight by running
the same API testing we run with by default.
Once we have fully defined the scoped authentication
use requirements, we can begin to build the new test
matrix, but this gives us a start.
Change-Id: Ie12e2665c97326142b564b23603647ec9d97052c
Testing every combination of role, endpoint and policy rule would
result in a huge test count, so to make testing the existing policy
rules complete and practical, the following guidelines are suggested:
- Only the default policy is tested, so inactive rules such as
is_node_owner, is_node_lessee are ignored.
- Each rule is tested completely on one endpoint which uses it.
- A rule (such as baremetal:node:list) which inherits a parent rule
(baremetal:node:get) is considered covered by the parent test.
- All endpoints need at least one test, but other endpoints which share
a fully tested rule only need one denied test which shows that they
are covered by some policy.
Also adds the initial pass of contributor documentation on how the
rbac testing works to try and express the mechanics and what to
expect to aid in reviewing/updating/editing the rules.
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I1cd88210e40e42f86464e6a817354620f5ab1d9c
This change adds get_mac_addresses call to the ManagementInterface which will
be used by both out-of-band inspection and in-band inspection with
ironic-inspector. This will remove the necessity of manually defining MAC
addresses for nodes and/or enabling IPMI functionality on Redfish-based
systems.
Change-Id: I3debcd1f32a2627dafd8456ec73a71fc7c402ebb
Story: 2008038
Task: 40699
Generating a yaml file called policy.json.sample is a bit misleading
because the file is not valid json, this change fixes that, with the
intention that the user can copy policy.yaml.sample to
/etc/ironic/policy.yaml and make customizations.
Change-Id: Ie6d5c8c38d785005d2bf2dc8f9f7ac42c2e8f7fb
Adds methods to export and clear certificates on the node during node
provisioning. Also enables implementing clean/deploy steps for certificate
management through these APIs.
Change-Id: Idc86d7b78854e0618f62c7e4c1a88670dc4561b0
Story: #2008297
Task: #41182