Merge "Implement system scoped RBAC for the deploy templates APIs"

2021-02-26 23:15:16 +00:00 · 2021-02-26 23:15:16 +00:00 · e8ffc75d5d
commit e8ffc75d5d
parent 9785383f70 27a8898540
4 changed files with 86 additions and 38 deletions
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@ -1316,31 +1316,78 @@ event_policies = [
 ]


+deprecated_deploy_template_get = policy.DeprecatedRule(
+    name='baremetal:deploy_template:get',
+    check_str='rule:is_admin or rule:is_observer'
+)
+deprecated_deploy_template_create = policy.DeprecatedRule(
+    name='baremetal:deploy_template:create',
+    check_str='rule:is_admin'
+)
+deprecated_deploy_template_delete = policy.DeprecatedRule(
+    name='baremetal:deploy_template:delete',
+    check_str='rule:is_admin'
+)
+deprecated_deploy_template_update = policy.DeprecatedRule(
+    name='baremetal:deploy_template:update',
+    check_str='rule:is_admin'
+)
+deprecated_template_reason = """
+The baremetal deploy template API is now aware of system scope and
+default roles.
+"""
+
 deploy_template_policies = [
    policy.DocumentedRuleDefault(
-        'baremetal:deploy_template:get',
-        'rule:is_admin or rule:is_observer',
-        'Retrieve Deploy Template records',
-        [{'path': '/deploy_templates', 'method': 'GET'},
-         {'path': '/deploy_templates/{deploy_template_ident}',
-          'method': 'GET'}]),
+        name='baremetal:deploy_template:get',
+        check_str=SYSTEM_READER,
+        scope_types=['system'],
+        description='Retrieve Deploy Template records',
+        operations=[
+            {'path': '/deploy_templates', 'method': 'GET'},
+            {'path': '/deploy_templates/{deploy_template_ident}',
+             'method': 'GET'}
+        ],
+        deprecated_rule=deprecated_deploy_template_get,
+        deprecated_reason=deprecated_template_reason,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
    policy.DocumentedRuleDefault(
-        'baremetal:deploy_template:create',
-        'rule:is_admin',
-        'Create Deploy Template records',
-        [{'path': '/deploy_templates', 'method': 'POST'}]),
+        name='baremetal:deploy_template:create',
+        check_str=SYSTEM_ADMIN,
+        scope_types=['system'],
+        description='Create Deploy Template records',
+        operations=[{'path': '/deploy_templates', 'method': 'POST'}],
+        deprecated_rule=deprecated_deploy_template_create,
+        deprecated_reason=deprecated_template_reason,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
    policy.DocumentedRuleDefault(
-        'baremetal:deploy_template:delete',
-        'rule:is_admin',
-        'Delete Deploy Template records',
-        [{'path': '/deploy_templates/{deploy_template_ident}',
-          'method': 'DELETE'}]),
+        name='baremetal:deploy_template:delete',
+        check_str=SYSTEM_ADMIN,
+        scope_types=['system'],
+        description='Delete Deploy Template records',
+        operations=[
+            {'path': '/deploy_templates/{deploy_template_ident}',
+             'method': 'DELETE'}
+        ],
+        deprecated_rule=deprecated_deploy_template_delete,
+        deprecated_reason=deprecated_template_reason,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
    policy.DocumentedRuleDefault(
-        'baremetal:deploy_template:update',
-        'rule:is_admin',
-        'Update Deploy Template records',
-        [{'path': '/deploy_templates/{deploy_template_ident}',
-          'method': 'PATCH'}]),
+        name='baremetal:deploy_template:update',
+        check_str=SYSTEM_ADMIN,
+        scope_types=['system'],
+        description='Update Deploy Template records',
+        operations=[
+            {'path': '/deploy_templates/{deploy_template_ident}',
+             'method': 'PATCH'}
+        ],
+        deprecated_rule=deprecated_deploy_template_update,
+        deprecated_reason=deprecated_template_reason,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
 ]


--- a/ironic/tests/unit/api/test_rbac_legacy.yaml
+++ b/ironic/tests/unit/api/test_rbac_legacy.yaml
@ -2053,6 +2053,7 @@ deploy_templates_post_admin:
        priority: 0
  headers: *admin_headers
  assert_status: 201
+  deprecated: true

 deploy_templates_post_member:
  path: '/v1/deploy_templates'
@ -2060,6 +2061,7 @@ deploy_templates_post_member:
  body: *deploy_template_body
  headers: *member_headers
  assert_status: 403
+  deprecated: true

 deploy_templates_post_observer:
  path: '/v1/deploy_templates'
@ -2067,42 +2069,49 @@ deploy_templates_post_observer:
  body: *deploy_template_body
  headers: *observer_headers
  assert_status: 403
+  deprecated: true

 deploy_templates_get_admin:
  path: '/v1/deploy_templates'
  method: get
  headers: *admin_headers
  assert_status: 200
+  deprecated: true

 deploy_templates_get_member:
  path: '/v1/deploy_templates'
  method: get
  headers: *member_headers
  assert_status: 403
+  deprecated: true

 deploy_templates_get_observer:
  path: '/v1/deploy_templates'
  method: get
  headers: *observer_headers
  assert_status: 200
+  deprecated: true

 deploy_templates_deploy_template_id_get_admin:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: get
  headers: *admin_headers
  assert_status: 200
+  deprecated: true

 deploy_templates_deploy_template_id_get_member:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: get
  headers: *member_headers
  assert_status: 403
+  deprecated: true

 deploy_templates_deploy_template_id_get_observer:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: get
  headers: *observer_headers
  assert_status: 200
+  deprecated: true

 deploy_templates_deploy_template_id_patch_admin:
  path: '/v1/deploy_templates/{deploy_template_ident}'
@ -2113,6 +2122,7 @@ deploy_templates_deploy_template_id_patch_admin:
      value: 'CUSTOM_MAGIC'
  headers: *admin_headers
  assert_status: 200
+  deprecated: true

 deploy_templates_deploy_template_id_patch_member:
  path: '/v1/deploy_templates/{deploy_template_ident}'
@ -2120,6 +2130,7 @@ deploy_templates_deploy_template_id_patch_member:
  body: *template_patch
  headers: *member_headers
  assert_status: 403
+  deprecated: true

 deploy_templates_deploy_template_id_patch_observer:
  path: '/v1/deploy_templates/{deploy_template_ident}'
@ -2127,24 +2138,28 @@ deploy_templates_deploy_template_id_patch_observer:
  body: *template_patch
  headers: *observer_headers
  assert_status: 403
+  deprecated: true

 deploy_templates_deploy_template_id_delete_admin:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: delete
  headers: *admin_headers
  assert_status: 204
+  deprecated: true

 deploy_templates_deploy_template_id_delete_member:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: delete
  headers: *member_headers
  assert_status: 403
+  deprecated: true

 deploy_templates_deploy_template_id_delete_observer:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: delete
  headers: *observer_headers
  assert_status: 403
+  deprecated: true

 # Chassis endpoints - https://docs.openstack.org/api-ref/baremetal/#chassis-chassis

--- a/ironic/tests/unit/api/test_rbac_system_scoped.yaml
+++ b/ironic/tests/unit/api/test_rbac_system_scoped.yaml
@ -1794,7 +1794,6 @@ deploy_templates_post_admin:
        priority: 0
  headers: *admin_headers
  assert_status: 201
-  skip_reason: not updated for scope testing

 deploy_templates_post_member:
  path: '/v1/deploy_templates'
@ -1802,7 +1801,6 @@ deploy_templates_post_member:
  body: *deploy_template_body
  headers: *scoped_member_headers
  assert_status: 403
-  skip_reason: not updated for scope testing

 deploy_templates_post_observer:
  path: '/v1/deploy_templates'
@ -1810,49 +1808,42 @@ deploy_templates_post_observer:
  body: *deploy_template_body
  headers: *observer_headers
  assert_status: 403
-  skip_reason: not updated for scope testing

 deploy_templates_get_admin:
  path: '/v1/deploy_templates'
  method: get
  headers: *admin_headers
  assert_status: 200
-  skip_reason: not updated for scope testing

 deploy_templates_get_member:
  path: '/v1/deploy_templates'
  method: get
  headers: *scoped_member_headers
-  assert_status: 403
-  skip_reason: not updated for scope testing
+  assert_status: 200

 deploy_templates_get_observer:
  path: '/v1/deploy_templates'
  method: get
  headers: *observer_headers
  assert_status: 200
-  skip_reason: not updated for scope testing

 deploy_templates_deploy_template_id_get_admin:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: get
  headers: *admin_headers
  assert_status: 200
-  skip_reason: not updated for scope testing

 deploy_templates_deploy_template_id_get_member:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: get
  headers: *scoped_member_headers
-  assert_status: 403
-  skip_reason: not updated for scope testing
+  assert_status: 200

 deploy_templates_deploy_template_id_get_observer:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: get
  headers: *observer_headers
  assert_status: 200
-  skip_reason: not updated for scope testing

 deploy_templates_deploy_template_id_patch_admin:
  path: '/v1/deploy_templates/{deploy_template_ident}'
@ -1863,7 +1854,6 @@ deploy_templates_deploy_template_id_patch_admin:
      value: 'CUSTOM_MAGIC'
  headers: *admin_headers
  assert_status: 200
-  skip_reason: not updated for scope testing

 deploy_templates_deploy_template_id_patch_member:
  path: '/v1/deploy_templates/{deploy_template_ident}'
@ -1871,7 +1861,6 @@ deploy_templates_deploy_template_id_patch_member:
  body: *template_patch
  headers: *scoped_member_headers
  assert_status: 403
-  skip_reason: not updated for scope testing

 deploy_templates_deploy_template_id_patch_observer:
  path: '/v1/deploy_templates/{deploy_template_ident}'
@ -1879,28 +1868,24 @@ deploy_templates_deploy_template_id_patch_observer:
  body: *template_patch
  headers: *observer_headers
  assert_status: 403
-  skip_reason: not updated for scope testing

 deploy_templates_deploy_template_id_delete_admin:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: delete
  headers: *admin_headers
  assert_status: 204
-  skip_reason: not updated for scope testing

 deploy_templates_deploy_template_id_delete_member:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: delete
  headers: *scoped_member_headers
  assert_status: 403
-  skip_reason: not updated for scope testing

 deploy_templates_deploy_template_id_delete_observer:
  path: '/v1/deploy_templates/{deploy_template_ident}'
  method: delete
  headers: *observer_headers
  assert_status: 403
-  skip_reason: not updated for scope testing

 # Chassis endpoints - https://docs.openstack.org/api-ref/baremetal/#chassis-chassis

--- a/releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml
+++ b/releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml
@ -4,7 +4,8 @@ features:
    The Baremetal API, provided by the ironic-api process, now supports use of
    ``system`` scoped ``keystone`` authentication for the following endpoints:
    nodes, ports, portgroups, chassis, drivers, driver vendor passthru,
-    volume targets, volume connectors, conductors, allocations, events
+    volume targets, volume connectors, conductors, allocations, events,
+    deploy templates
 upgrade:
  - |
    Deprecated policy rules are not expressed via a default policy file