Some of the early test changes for the RBAC work have merged
which is awesome, but a couple minor follow-up items should be
addressed. They are so minor it doesn't really make sense to merge
in with one of the patches in the chain.
Change-Id: I85de4d953237f240c3c220f6a57169c633fb295f

This commit lays down some common personas we're trying to introduce
across OpenStack services. Later commits will use these personas in
ironic's existing policies.
This will help us improve the security posture of OpenStack as a whole
and provide a more consistent experience for operators and end users.
Change-Id: I2960d0f808949582dc964f4f5688a462d397de9e

In order for us to understand if we're starting to break
compatibility with scope changes, we need to at least have
some testing, some way, some place to provide insight.
Hopefully, this should provide that insight by running
the same API testing we run with by default.
Once we have fully defined the scoped authentication
use requirements, we can begin to build the new test
matrix, but this gives us a start.
Change-Id: Ie12e2665c97326142b564b23603647ec9d97052c

Testing every combination of role, endpoint and policy rule would
result in a huge test count, so to make testing the existing policy
rules complete and practical, the following guidelines are suggested:
- Only the default policy is tested, so inactive rules such as
is_node_owner, is_node_lessee are ignored.
- Each rule is tested completely on one endpoint which uses it.
- A rule (such as baremetal:node:list) which inherits a parent rule
(baremetal:node:get) is considered covered by the parent test.
- All endpoints need at least one test, but other endpoints which share
a fully tested rule only need one denied test which shows that they
are covered by some policy.
Also adds the initial pass of contributor documentation on how the
rbac testing works to try and express the mechanics and what to
expect to aid in reviewing/updating/editing the rules.
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I1cd88210e40e42f86464e6a817354620f5ab1d9c

This change adds a get_mac_addresses call to the ManagementInterface which will
be used by both out-of-band inspection and in-band inspection with
ironic-inspector. This will remove the necessity of manually defining MAC
addresses for nodes and/or enabling IPMI functionality on Redfish-based
systems.
Change-Id: I3debcd1f32a2627dafd8456ec73a71fc7c402ebb
Story: 2008038
Task: 40699

Generating a yaml file called policy.json.sample is a bit misleading
because the file is not valid json. This change fixes that, with the
intention that the user can copy policy.yaml.sample to
/etc/ironic/policy.yaml and make customizations.
Change-Id: Ie6d5c8c38d785005d2bf2dc8f9f7ac42c2e8f7fb

Adds methods to export and clear certificates on the node during node
provisioning. Also enables implementing clean/deploy steps for certificate
management through these APIs.
Change-Id: Idc86d7b78854e0618f62c7e4c1a88670dc4561b0
Story: #2008297
Task: #41182

This version of oslo.policy includes fixes that ensure the Enforcer only
modifies copies of the rules, making it safer in environments that run
tests in parallel where the Enforcer is configured differently.
Change-Id: I8d7a06558cbf073487707fc33219e43beb5fc043

Indicate that idrac-redfish-virtual-media must be used instead,
otherwise a confusing failure will happen.
Change-Id: I3b6ced6dcf03580903f5ea7237fc057f372999f9

If 'agent_url' has been cleared from internal_info
it indicates that the node has been powered off.
Change-Id: Idba486c98e1e92d35fca2e2d156866566acb9e40
Story: 2008583
Task: 41736

All capabilities, except for boot_mode, are read from instance_info.
This change makes instance_info.capabilities[boot_mode] work as well
and deprecates instance_info.deploy_boot_mode.
Note that the special handling of properties.capabilities[boot_mode]
is kept in this patch.
Change-Id: Ic2e7fd4c71b7a7bc2950d17f7e1bbdad73bbb8a7

instance_info is the input from an operator; we should not change it.
Use driver_internal_info instead.
Change-Id: I12b4bc0d4599ccf5ef6fdca91f54f4294b127f9d

For some (likely historical) reasons we only use it for PXE and iPXE,
but the same logic applies to any boot interface (since it depends
on how the management interface and the BMC work, not on the boot
method). This change moves its handling to conductor utils.
Change-Id: I948beb4053034d3c1b4c5b7c64100e41f6022739

In devstack/lib/ironic, IRONIC_DEPLOY_DRIVER is defined at line 341.
However, variables which use IRONIC_DEPLOY_DRIVER in their default value
(e.g. IRONIC_DEPLOY_RAMDISK, IRONIC_DEPLOY_KERNEL, IRONIC_DEPLOY_ISO
and IRONIC_EFIBOOT) are defined at lines 276-282.
This will cause a problem at lines 295-296:
if [[ "$IRONIC_BUILD_DEPLOY_RAMDISK" == "False" && \
! (-e "$IRONIC_DEPLOY_RAMDISK" && -e "$IRONIC_DEPLOY_KERNEL")
So, this commit moves the definition of IRONIC_DEPLOY_DRIVER before
its first use.
Change-Id: I74acb32714ce8830d4697fc796146b894aa7d8c9

Currently ilo5-based hardware does not support redfish-based
firmware update. This patch fixes the issue by
making the change to check whether sushy_task.messages
is present. It was also not calling prepare_ramdisk()
before rebooting the system to update the firmware, which
has been fixed in this patch.
Change-Id: I9d70fed0de1829973748c06a1342d7a7af0f93d4
Story: #2008403
Task: #41339