99eba3afb8
This commit implements the access control for all FM APIs. An incomplete list of FM APIs can be found at "https://docs.starlingx.io/api-ref/fault/api-ref-fm-v1-fault.html". Unit tests will be created in another task.

All access control rules can be overwritten through file "/etc/fm/policy.yaml". Any change in file "/etc/fm/policy.yaml" is automatically detected by policy engine and the rules are updated.

Differently from other APIs, which have as default rule to enforce that all users using the API are present in either project "admin" or "services", all read-only actions (GET requests) of FM API are allowed for any user, so it only requires "reader" role (that is the lowest role). Other actions require the user to have "admin" role and to be present in either project "admin" or "services".

As all system users of StarlingX have "admin" role and are present in either project "admin" or "services", the default rules for FM API allow any system users to execute any action, so there should be no regression with the change introduced here.

To test the access control of FM API, the following commands will be used:

  fm alarm-list
  fm alarm-show <uuid>
  fm alarm-summary
  fm alarm-delete <uuid>
  fm event-list
  fm event-show <uuid>
  fm event-suppress --alarm_id <alarm_id>
  fm event-suppress-list
  fm event-unsuppress --alarm_id <alarm_id>
  fm event-unsuppress-all

On test plan, these commands will be referred as "test commands".

Note: there is one FM API that is not tested by the commands above, that is the creation of alarms ("fm_api:alarm:create"). This API will be tested indirectly by observing the system successfully creating alarms in the deployed environment.

Test Plan:

PASS: Successfully deploy an AIO-SX using a Debian image with this commit present. Successfully create, through openstack CLI, the users: 'testreader' with role 'reader' in project 'admin', 'adminsvc' with role 'admin' in project 'services' and 'otheradmin' with role 'admin' in project 'notadminproject'. Create openrc files for all new users. Note: the other user that will be used is the already existing 'admin' with role 'admin' in project 'admin'.

PASS: In the deployed AIO-SX, check the behavior of test commands through different users: for "admin" and "adminsvc" users, all commands are successful; for users "testreader" and "otheradmin", only the commands "alarm-delete", "event-suppress", "event-unsuppress" and "event-unsuppress-all" fail. Observe also that the system is able to create alarms during its operation.

PASS: In the deployed AIO-SX, add the following lines in file "/etc/fm/policy.yaml":

  fm_api:alarm:create: role:admin
  fm_api:alarm:delete: role:admin
  fm_api:alarm:get: role:admin
  fm_api:alarm:modify: role:admin
  fm_api:event_log:get: role:admin
  fm_api:event_suppression:get: role:admin
  fm_api:event_suppression:modify: role:admin

and check that all test commands are successful through user "otheradmin" and that all test commands fail through user "testreader". Observe also that the system is able to create alarms during its operation.

PASS: In the deployed AIO-SX, to assert that public API works without authentication, execute the commands: "curl -v http://<MGMT_IP>:18002/" and "curl -v http://<MGMT_IP>:18002/v1/" and verify that they are accepted and that the HTTP response is 200, and execute the commands: "curl -v http://<MGMT_IP>:18002/v1/alarms" and "curl -v http://<MGMT_IP>:18002/v1/event_log" and verify that they are rejected and that the HTTP response is 401.

PASS: In the deployed AIO-SX, check through Horizon interface that Fault Management works correctly (showing alarms and events, allowing events to be suppressed).

PASS: Repeat all tests above changing the deploy to AIO-DX using a CentOS image.

Story: 2010149
Task: 46123

Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I3db6d0464d8d53c4dfbc761663be1712141b8b93
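
The access matrix the test plan expects, reproduced as an added example that is not part of the commit or of StarlingX: a small evaluator applied to the default rules described above and to the test plan's "role:admin" override. The rule expressions, the command-to-rule mapping and the assumption that role "admin" implies "reader" are illustrative and do not come from the page.

```python
import re
# Assumed oslo.policy-style expressions for the defaults the commit message describes.
READER = "role:reader"
ADMIN = "role:admin and (project_name:admin or project_name:services)"
DEFAULTS = {"fm_api:alarm:create": ADMIN, "fm_api:alarm:delete": ADMIN,
            "fm_api:alarm:get": READER, "fm_api:alarm:modify": ADMIN,
            "fm_api:event_log:get": READER, "fm_api:event_suppression:get": READER,
            "fm_api:event_suppression:modify": ADMIN}
# The test plan's policy.yaml override: every rule becomes "role:admin".
OVERRIDE = {rule: "role:admin" for rule in DEFAULTS}
# Assumed mapping of the test commands to the rule each one exercises.
MOD = "fm_api:event_suppression:modify"
COMMANDS = {"alarm-list": "fm_api:alarm:get", "alarm-show": "fm_api:alarm:get",
            "alarm-summary": "fm_api:alarm:get", "alarm-delete": "fm_api:alarm:delete",
            "event-list": "fm_api:event_log:get", "event-show": "fm_api:event_log:get",
            "event-suppress-list": "fm_api:event_suppression:get",
            "event-suppress": MOD, "event-unsuppress": MOD, "event-unsuppress-all": MOD}
# Test-plan users; assumes Keystone implied roles, so "admin" also carries "reader".
USERS = {"admin": ({"admin", "reader"}, "admin"),
         "adminsvc": ({"admin", "reader"}, "services"),
         "otheradmin": ({"admin", "reader"}, "notadminproject"),
         "testreader": ({"reader"}, "admin")}

def allowed(expr, roles, project):  # role:/project_name: checks with and/or/parentheses
    tokens = re.findall(r"[()]|\w+:\w+|and|or", expr) + [")"]  # trailing ")" is a sentinel
    pos = 0
    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            val = chain("or")
            pos += 1  # consume the closing ")"
            return val
        kind, value = tok.split(":")
        return value in roles if kind == "role" else value == project
    def chain(op):  # "or" chains bind looser than "and" chains
        nonlocal pos
        operand = (lambda: chain("and")) if op == "or" else atom
        val = operand()
        while tokens[pos] == op:
            pos += 1
            rhs = operand()
            val = (val or rhs) if op == "or" else (val and rhs)
        return val
    return chain("or")

def denied(user, overrides=None):  # test commands rejected for a test-plan user
    rules = {**DEFAULTS, **(overrides or {})}
    return sorted(c for c, r in COMMANDS.items() if not allowed(rules[r], *USERS[user]))
```

Calling denied(user) gives the default behaviour and denied(user, OVERRIDE) the behaviour after the policy.yaml change, which makes the effect of dropping the project check visible for 'otheradmin'.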
110 lines
2.8 KiB
RPMSpec
Summary: Fault Management Openstack REST API
Name: fm-rest-api
Version: 1.0
Release: %{tis_patch_ver}%{?_tis_dist}
License: Apache-2.0
Group: base
Packager: Wind River <info@windriver.com>
URL: unknown
Source0: %{name}-%{version}.tar.gz

BuildRequires: python-devel
BuildRequires: python-setuptools
BuildRequires: python2-pip
BuildRequires: python2-wheel
BuildRequires: python-oslo-config
BuildRequires: python-oslo-db
BuildRequires: python-oslo-log
BuildRequires: python-oslo-messaging
BuildRequires: python-oslo-middleware

Requires: python-eventlet
Requires: python-webob
Requires: python-paste
Requires: setup

BuildRequires: systemd

%description
Fault Management Openstack REST API Service

%define local_bindir /usr/bin/
%define local_initddir /etc/rc.d/init.d
%define pythonroot /usr/lib64/python2.7/site-packages
%define local_etc_pmond /etc/pmon.d/
%define debug_package %{nil}

%prep
%autosetup -n %{name}-%{version}

# Remove bundled egg-info
rm -rf *.egg-info

%build
echo "Start build"

export PBR_VERSION=%{version}
%{__python} setup.py build
%py2_build_wheel
PYTHONPATH=. oslo-config-generator --config-file=fm/config-generator.conf

%install
echo "Start install"
export PBR_VERSION=%{version}
%{__python} setup.py install --root=%{buildroot} \
    --install-lib=%{pythonroot} \
    --prefix=/usr \
    --install-data=/usr/share \
    --single-version-externally-managed
mkdir -p $RPM_BUILD_ROOT/wheels
install -m 644 dist/*.whl $RPM_BUILD_ROOT/wheels/

install -p -D -m 644 scripts/fm-api.service %{buildroot}%{_unitdir}/fm-api.service
install -d -m 755 %{buildroot}%{local_initddir}
install -p -D -m 755 scripts/fm-api %{buildroot}%{local_initddir}/fm-api

install -d -m 755 %{buildroot}%{local_etc_pmond}
install -p -D -m 644 fm-api-pmond.conf %{buildroot}%{local_etc_pmond}/fm-api.conf

# install default config files
cd %{_builddir}/%{name}-%{version} && oslo-config-generator --config-file fm/config-generator.conf --output-file %{_builddir}/%{name}-%{version}/fm.conf.sample
install -p -D -m 600 %{_builddir}/%{name}-%{version}/fm.conf.sample %{buildroot}%{_sysconfdir}/fm/fm.conf
install -p -D -m 600 fm/policy.yaml %{buildroot}%{_sysconfdir}/fm/policy.yaml

%clean
echo "CLEAN CALLED"
rm -rf $RPM_BUILD_ROOT

%post
/bin/systemctl enable fm-api.service >/dev/null 2>&1

%files
%defattr(-,root,root,-)
%doc LICENSE

%{local_bindir}/*

%{local_initddir}/*

%{pythonroot}/fm/*

%{pythonroot}/fm-%{version}*.egg-info

%config(noreplace) %attr(600,fm,fm)%{_sysconfdir}/fm/fm.conf
%config(noreplace) %attr(600,fm,fm)%{_sysconfdir}/fm/policy.yaml

# systemctl service files
%{_unitdir}/fm-api.service

# pmond config file
%{local_etc_pmond}/fm-api.conf

%package wheels
Summary: %{name} wheels

%description wheels
Contains python wheels for %{name}

%files wheels
/wheels/*