StarlingX Fault Management
Joao Victor Portal 99eba3afb8 Implement access control for FM API
This commit implements the access control for all FM APIs. An incomplete
list of FM APIs can be found at
"https://docs.starlingx.io/api-ref/fault/api-ref-fm-v1-fault.html". Unit
tests will be created in another task.

All access control rules can be overwritten through file
"/etc/fm/policy.yaml". Any change in file "/etc/fm/policy.yaml" is
automatically detected by policy engine and the rules are updated.

Differently from other APIs, which have as default rule to enforce that
all users using the API are present in either project "admin" or
"services", all read-only actions (GET requests) of FM API are allowed
for any user, so it only requires "reader" role (that is the lowest
role). Other actions require the user to have "admin" role and to be
present in either project "admin" or "services".

As all system users of StarlingX have "admin" role and are present in
either project "admin" or "services", the default rules for FM API
allow any system user to execute any action, so there should be no
regression with the change introduced here.

To test the access control of FM API, the following commands will be
used:
  fm alarm-list
  fm alarm-show <uuid>
  fm alarm-summary
  fm alarm-delete <uuid>
  fm event-list
  fm event-show <uuid>
  fm event-suppress --alarm_id <alarm_id>
  fm event-suppress-list
  fm event-unsuppress --alarm_id <alarm_id>
  fm event-unsuppress-all
In the test plan, these commands will be referred to as "test commands".

Note: there is one FM API that is not tested by the commands above,
that is the creation of alarms ("fm_api:alarm:create"). This API will
be tested indirectly by observing the system successfully creating
alarms in the deployed environment.

Test Plan:

PASS: Successfully deploy an AIO-SX using a Debian image with this
commit present. Successfully create, through openstack CLI, the users:
'testreader' with role 'reader' in project 'admin',
'adminsvc' with role 'admin' in project 'services' and
'otheradmin' with role 'admin' in project 'notadminproject'.
Create openrc files for all new users. Note: the other user that will be
used is the already existing 'admin' with role 'admin' in project
'admin'.
PASS: In the deployed AIO-SX, check the behavior of test commands
through different users: for "admin" and "adminsvc" users, all commands
are successful; for users "testreader" and "otheradmin", only the
commands "alarm-delete", "event-suppress", "event-unsuppress" and
"event-unsuppress-all" fail. Observe also that the system is able to
create alarms during its operation.
PASS: In the deployed AIO-SX, add the following lines in file
"/etc/fm/policy.yaml":
  fm_api:alarm:create: role:admin
  fm_api:alarm:delete: role:admin
  fm_api:alarm:get: role:admin
  fm_api:alarm:modify: role:admin
  fm_api:event_log:get: role:admin
  fm_api:event_suppression:get: role:admin
  fm_api:event_suppression:modify: role:admin
and check that all test commands are successful through user
"otheradmin" and that all test commands fail through user "testreader".
Observe also that the system is able to create alarms during its
operation.
PASS: In the deployed AIO-SX, to assert that public API works without
authentication, execute the commands:
"curl -v http://<MGMT_IP>:18002/" and
"curl -v http://<MGMT_IP>:18002/v1/" and
verify that they are accepted and that the HTTP response is 200,
and execute the commands:
"curl -v http://<MGMT_IP>:18002/v1/alarms" and
"curl -v http://<MGMT_IP>:18002/v1/event_log" and
verify that they are rejected and that the HTTP response is 401.
PASS: In the deployed AIO-SX, check through Horizon interface that Fault
Management works correctly (showing alarms and events, allowing events
to be suppressed).
PASS: Repeat all tests above changing the deploy to AIO-DX using a
CentOS image.

Story: 2010149
Task: 46123

Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I3db6d0464d8d53c4dfbc761663be1712141b8b93
2022-08-26 10:54:39 -03:00
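
The access matrix from the test plan above can be modelled offline to see which test commands each user should fail, by default and with the "/etc/fm/policy.yaml" override. This is an added example, not code from the commit or the project: the default rule strings, the role implication and the command-to-rule mapping are assumptions, and only the rule names, users and override lines come from the page.

```python
# Added example. Default rule strings, role implication and the command-to-rule
# mapping are assumptions; rule names, users and override lines are the page's.
IMPLIED = {"admin": {"admin", "reader"}, "reader": {"reader"}}
ADMIN = "role:admin and project_name:admin or role:admin and project_name:services"
GET = ("fm_api:alarm:get", "fm_api:event_log:get", "fm_api:event_suppression:get")
MOD = ("fm_api:alarm:create", "fm_api:alarm:delete", "fm_api:alarm:modify",
       "fm_api:event_suppression:modify")
DEFAULTS = {**{r: "role:reader" for r in GET}, **{r: ADMIN for r in MOD}}
COMMAND_RULE = {
    "alarm-list": GET[0], "alarm-show": GET[0], "alarm-summary": GET[0],
    "alarm-delete": MOD[1], "event-list": GET[1], "event-show": GET[1],
    "event-suppress": MOD[3], "event-suppress-list": GET[2],
    "event-unsuppress": MOD[3], "event-unsuppress-all": MOD[3],
}
USERS = {"admin": ("admin", "admin"), "adminsvc": ("admin", "services"),
         "testreader": ("reader", "admin"), "otheradmin": ("admin", "notadminproject")}
OVERRIDE_TEXT = """\
fm_api:alarm:create: role:admin
fm_api:alarm:delete: role:admin
fm_api:alarm:get: role:admin
fm_api:alarm:modify: role:admin
fm_api:event_log:get: role:admin
fm_api:event_suppression:get: role:admin
fm_api:event_suppression:modify: role:admin
"""

def parse_overrides(text):
    # Rule names contain ':' themselves, so split on the first ': ' only.
    return dict(line.split(": ", 1) for line in text.splitlines() if line.strip())

def check(term, role, project):
    kind, value = term.strip().split(":", 1)
    if kind == "role":
        return value in IMPLIED[role]
    return kind == "project_name" and value == project

def allowed(rule, role, project):
    # Paren-free expressions only: 'and' binds tighter than 'or'.
    return any(all(check(t, role, project) for t in clause.split(" and "))
               for clause in rule.split(" or "))

def failing_commands(user, overrides=None):
    role, project = USERS[user]
    rules = {**DEFAULTS, **(overrides or {})}
    return sorted(c for c, r in COMMAND_RULE.items()
                  if not allowed(rules[r], role, project))
```

Calling `failing_commands(user)` gives the default behaviour, and passing `parse_overrides(OVERRIDE_TEXT)` as the second argument gives the behaviour with the override file in place.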
api-ref/source Removing system uuid from alarms summary 2021-08-12 19:55:39 -04:00
devstack Implement access control for FM API 2022-08-26 10:54:39 -03:00
doc Reimplementation logic for trap generation 2020-12-08 18:37:50 -03:00
fm-api Remove unused constant 2022-02-08 12:43:35 +00:00
fm-common Add UUID in SNMP trap 2022-05-04 17:25:56 -03:00
fm-doc Update events.yaml for specific alarms 2022-08-11 04:26:26 +00:00
fm-mgr debian: Fix fm bootstrap 2022-04-09 17:51:12 +00:00
fm-rest-api Implement access control for FM API 2022-08-26 10:54:39 -03:00
python-fmclient Implement access control for FM API 2022-08-26 10:54:39 -03:00
releasenotes Switch to newer openstackdocstheme and reno versions 2020-06-04 14:20:25 +02:00
.gitignore Create test framework for python with stestr. 2020-01-16 16:45:45 +08:00
.gitreview OpenDev Migration Patch 2019-04-19 19:52:34 +00:00
.zuul.yaml Removing py36 gates from zuul for fault 2021-09-30 10:14:06 -03:00
bindep.txt py3: Add support for python 3.9 2021-09-01 08:58:34 -04:00
centos_build_layer.cfg Build layering, add layer build config file 2019-10-15 19:41:08 +08:00
centos_iso_image.inc Remove snmp-ext and snmp-audittrail from FM 2021-01-04 14:57:33 -03:00
centos_pkg_dirs Remove snmp-ext and snmp-audittrail from FM 2021-01-04 14:57:33 -03:00
centos_stable_docker_images.inc Create the stable wheel and image build files 2019-03-24 21:08:19 -04:00
centos_stable_wheels.inc Create the stable wheel and image build files 2019-03-24 21:08:19 -04:00
CONTRIBUTORS.wrs StarlingX open source release updates 2018-05-31 07:36:00 -07:00
debian_build_layer.cfg Add debian_build_layer.cfg file 2021-10-28 15:26:08 -04:00
debian_iso_image.inc Add debian_iso_image.inc file 2021-10-27 02:24:07 -04:00
debian_pkg_dirs Update debian-pkg-dirs with fm-doc library 2022-02-04 02:02:56 +00:00
LICENSE StarlingX open source release updates 2018-05-31 07:36:00 -07:00
pylint.rc Re-enable important py3k checks for fault 2021-11-09 14:09:17 -03:00
README.rst Followup opendev cleanup and test jobs 2019-04-20 20:26:25 -05:00
requirements.txt Adding pylint zuul and tox target 2020-03-11 09:05:18 -05:00
test-requirements.txt Attempt to fix zuul jobs from timing out 2021-08-10 07:32:57 -05:00
tox.ini Add debian package infra for fm-api 2021-09-27 12:53:01 -04:00

fault

StarlingX Fault Management