From eb59b2614dd0f50b0febac682a2d698802e14bac Mon Sep 17 00:00:00 2001
From: Boxiang Zhu
Date: Wed, 17 Aug 2022 13:21:35 +0800
Subject: [PATCH] fix: Remove invalid panko policy

1. remove invalid panko policy
2. remove install panko from post_install.sh
3. update policy

Change-Id: Icb23e4ff34ff47952294f711ddabd36cc9df706e
---
 skyline_apiserver/policy/manager/ironic.py | 52 ++++++++++-----------
 skyline_apiserver/policy/manager/neutron.py | 28 +++++++++++
 skyline_apiserver/policy/manager/nova.py | 7 +++
 skyline_apiserver/policy/manager/panko.py | 35 --------------
 tools/post_install.sh | 9 ----
 5 files changed, 61 insertions(+), 70 deletions(-)
 delete mode 100644 skyline_apiserver/policy/manager/panko.py

diff --git a/skyline_apiserver/policy/manager/ironic.py b/skyline_apiserver/policy/manager/ironic.py
index 5527de1..7c4b25d 100644
--- a/skyline_apiserver/policy/manager/ironic.py
+++ b/skyline_apiserver/policy/manager/ironic.py
@@ -92,28 +92,28 @@ list_rules = (
 base.APIRule(
 name="baremetal:node:get:last_error",
 check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
- description="Governs if the node last_error field is masked from APIclients with insufficent privileges.",
+ description="Governs if the node last_error field is masked from API clients with insufficient privileges.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:get:reservation",
 check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
- description="Governs if the node reservation field is masked from APIclients with insufficent privileges.",
+ description="Governs if the node reservation field is masked from API clients with insufficient privileges.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:get:driver_internal_info",
 check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
- description="Governs if the node driver_internal_info field is masked from API clients with insufficent privileges.",
+ description="Governs if the node driver_internal_info field is masked from API clients with insufficient privileges.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:get:driver_info",
 check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
- description="Governs if the driver_info field is masked from APIclients with insufficent privileges.",
+ description="Governs if the driver_info field is masked from API clients with insufficient privileges.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
 ),
@@ -161,7 +161,7 @@ list_rules = (
 ),
 base.APIRule(
 name="baremetal:node:update:driver_interfaces",
- check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Governs if node driver and driver interfaces field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
@@ -210,7 +210,7 @@ list_rules = (
 ),
 base.APIRule(
 name="baremetal:node:update_instance_info",
- check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
 description="Update Node instance_info field",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
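Review bot: Every `check_str` changed in this hunk and in the ironic hunks that follow (`@@ -231`, `@@ -280`, `@@ -315`, `@@ -350`, `@@ -371`, `@@ -427`, `@@ -455` and `@@ -588`) widens a project-scoped rule by appending `(role:manager and project_id:%(node.owner)s)` or the `node.lessee` equivalent, which is a grant of additional privilege rather than the bug fix the subject line describes, and neither the commit message ("update policy") nor the module records where the new strings come from. These strings presumably mirror a newer ironic release's policy defaults; a header comment such as `# Rules synced from ironic's default policy (upstream release: <UPSTREAM_RELEASE>)` would let the next maintainer re-diff against that source instead of re-deriving which role grants are intentional. Landing the role:manager widening in its own commit, separate from the panko removal and the description typo fixes, would also make the privilege change reviewable on its own. The `list_rules` tuple starts and ends outside the hunk.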
@@ -231,35 +231,35 @@ list_rules = (
 ),
 base.APIRule(
 name="baremetal:node:validate",
- check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
 description="Request active validation of Nodes",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}],
 ),
 base.APIRule(
 name="baremetal:node:set_maintenance",
- check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
 description="Set maintenance flag, taking a Node out of service",
 scope_types=["system", "project"],
 operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}],
 ),
 base.APIRule(
 name="baremetal:node:clear_maintenance",
- check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
 description="Clear maintenance flag, placing the Node into service again",
 scope_types=["system", "project"],
 operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}],
 ),
 base.APIRule(
 name="baremetal:node:get_boot_device",
- check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Retrieve Node boot device metadata",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}],
 ),
 base.APIRule(
 name="baremetal:node:set_boot_device",
- check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Change Node boot device",
 scope_types=["system", "project"],
 operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}],
@@ -280,7 +280,7 @@ list_rules = (
 ),
 base.APIRule(
 name="baremetal:node:inject_nmi",
- check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Inject NMI for a node",
 scope_types=["system", "project"],
 operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}],
@@ -315,7 +315,7 @@ list_rules = (
 ),
 base.APIRule(
 name="baremetal:node:set_provision_state",
- check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
 description="Change Node provision status",
 scope_types=["system", "project"],
 operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}],
@@ -350,14 +350,14 @@ list_rules = (
 ),
 base.APIRule(
 name="baremetal:node:vif:attach",
- check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
 description="Attach a VIF to a node",
 scope_types=["system", "project"],
 operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}],
 ),
 base.APIRule(
 name="baremetal:node:vif:detach",
- check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
 description="Detach a VIF from a node",
 scope_types=["system", "project"],
 operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}],
@@ -371,14 +371,14 @@ list_rules = (
 ),
 base.APIRule(
 name="baremetal:node:traits:set",
- check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Add a trait to, or replace all traits of, a node",
 scope_types=["system", "project"],
 operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}],
 ),
 base.APIRule(
 name="baremetal:node:traits:delete",
- check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Remove one or all traits from a node",
 scope_types=["system", "project"],
 operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}],
@@ -427,21 +427,21 @@ list_rules = (
 ),
 base.APIRule(
 name="baremetal:port:create",
- check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Create Port records",
 scope_types=["system", "project"],
 operations=[{"method": "POST", "path": "/ports"}],
 ),
 base.APIRule(
 name="baremetal:port:delete",
- check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Delete Port records",
 scope_types=["system", "project"],
 operations=[{"method": "DELETE", "path": "/ports/{port_id}"}],
 ),
 base.APIRule(
 name="baremetal:port:update",
- check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Update Port records",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/ports/{port_id}"}],
@@ -455,21 +455,21 @@ list_rules = (
 ),
 base.APIRule(
 name="baremetal:portgroup:create",
- check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Create Portgroup records",
 scope_types=["system", "project"],
 operations=[{"method": "POST", "path": "/portgroups"}],
 ),
 base.APIRule(
 name="baremetal:portgroup:delete",
- check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Delete Portgroup records",
 scope_types=["system", "project"],
 operations=[{"method": "DELETE", "path": "/portgroups/{portgroup_ident}"}],
 ),
 base.APIRule(
 name="baremetal:portgroup:update",
- check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
 description="Update Portgroup records",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}],
@@ -588,21 +588,21 @@ list_rules = (
 ),
 base.APIRule(
 name="baremetal:volume:create",
- check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
 description="Create Volume connector and target records",
 scope_types=["system", "project"],
 operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}],
 ),
 base.APIRule(
 name="baremetal:volume:delete",
- check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
 description="Delete Volume connector and target records",
 scope_types=["system", "project"],
 operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}],
 ),
 base.APIRule(
 name="baremetal:volume:update",
- check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
 description="Update Volume connector and target records",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}],
diff --git a/skyline_apiserver/policy/manager/neutron.py b/skyline_apiserver/policy/manager/neutron.py
index 0b24ed9..fde5438 100644
--- a/skyline_apiserver/policy/manager/neutron.py
+++ b/skyline_apiserver/policy/manager/neutron.py
@@ -1104,6 +1104,34 @@ list_rules = (
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}"}],
 ),
+ base.APIRule(
+ name="get_policy_packet_rate_limit_rule",
+ check_str=("role:reader and project_id:%(project_id)s"),
+ description="Get a QoS packet rate limit rule",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules"}, {"method": "GET", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
+ ),
+ base.APIRule(
+ name="create_policy_packet_rate_limit_rule",
+ check_str=("role:admin and project_id:%(project_id)s"),
+ description="Create a QoS packet rate limit rule",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules"}],
+ ),
+ base.APIRule(
+ name="update_policy_packet_rate_limit_rule",
+ check_str=("role:admin and project_id:%(project_id)s"),
+ description="Update a QoS packet rate limit rule",
+ scope_types=["project"],
+ operations=[{"method": "PUT", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
+ ),
+ base.APIRule(
+ name="delete_policy_packet_rate_limit_rule",
+ check_str=("role:admin and project_id:%(project_id)s"),
+ description="Delete a QoS packet rate limit rule",
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
+ ),
 base.APIRule(
 name="get_policy_dscp_marking_rule",
 check_str=("role:reader and project_id:%(project_id)s"),
diff --git a/skyline_apiserver/policy/manager/nova.py b/skyline_apiserver/policy/manager/nova.py
index 340d73d..933a749 100644
--- a/skyline_apiserver/policy/manager/nova.py
+++ b/skyline_apiserver/policy/manager/nova.py
@@ -1229,6 +1229,13 @@ list_rules = (
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}],
 ),
+ base.APIRule(
+ name="os_compute_api:os-shelve:unshelve_to_host",
+ check_str=("rule:project_admin_api"),
+ description="Unshelve (restore) shelve offloaded server to a specific host",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}],
+ ),
 base.APIRule(
 name="os_compute_api:os-shelve:shelve_offload",
 check_str=("rule:project_admin_api"),
diff --git a/skyline_apiserver/policy/manager/panko.py b/skyline_apiserver/policy/manager/panko.py
deleted file mode 100644
index 14fdd81..0000000
--- a/skyline_apiserver/policy/manager/panko.py
+++ /dev/null
@@ -1,35 +0,0 @@
-# flake8: noqa
-# fmt: off
-
-from . import base
-
-list_rules = (
- base.Rule(
- name="context_is_admin",
- check_str=("role:admin"),
- description="No description",
- ),
- base.APIRule(
- name="segregation",
- check_str=("role:admin and system_scope:all"),
- description="Return the user and project the requestshould be limited to",
- scope_types=["system"],
- operations=[{"method": "GET", "path": "/v2/events"}, {"method": "GET", "path": "/v2/events/{message_id}"}],
- ),
- base.APIRule(
- name="telemetry:events:index",
- check_str=(""),
- description="Return all events matching the query filters.",
- scope_types=["system", "project"],
- operations=[{"method": "GET", "path": "/v2/events"}],
- ),
- base.APIRule(
- name="telemetry:events:show",
- check_str=(""),
- description="Return a single event with the given message id.",
- scope_types=["system", "project"],
- operations=[{"method": "GET", "path": "/v2/events/{message_id}"}],
- ),
-)
-
-__all__ = ("list_rules",)
diff --git a/tools/post_install.sh b/tools/post_install.sh
index 1e4bfc3..9444052 100755
--- a/tools/post_install.sh
+++ b/tools/post_install.sh
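Review bot: The new `os_compute_api:os-shelve:unshelve_to_host` rule declares exactly the same operation as the `os_compute_api:os-shelve:unshelve` rule directly above it (`POST /servers/{server_id}/action (unshelve)`), so any consumer of this table that keys on method and path cannot tell the two rules apart, and nothing in the table says what does distinguish them. Presumably nova selects this rule from the request body (an unshelve that names a target host) rather than from the route; a comment on the new entry such as `# Same route as "unshelve"; presumably selected by nova when the request body names a host -- confirm against nova's policy docs` would make that explicit for the next maintainer. The `list_rules` tuple starts and ends outside the hunk.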
@@ -2,10 +2,6 @@
 set -ex
-# Some projects have been DEPRECATED.
-# panko: https://opendev.org/openstack/panko
-INSTALL_DEPRECATED_PROJECTS="panko"
-
 INSTALL_PROJECTS="keystone \
 placement \
 nova \
@@ -27,8 +23,3 @@ for project in ${INSTALL_PROJECTS}
 do
 pip install -U git+https://opendev.org/openstack/${project}@${BRANCH}
 done
-
-for deprecated_project in ${INSTALL_DEPRECATED_PROJECTS}
-do
- pip install -U ${deprecated_project}
-done