This commit implements the access control for all FM APIs. An incomplete
list of FM APIs can be found at
"https://docs.starlingx.io/api-ref/fault/api-ref-fm-v1-fault.html". Unit
tests will be created in another task.
All access control rules can be overwritten through file
"/etc/fm/policy.yaml". Any change in file "/etc/fm/policy.yaml" is
automatically detected by policy engine and the rules are updated.
Differently from other APIs, which have as default rule to enforce that
all users using the API are present in either project "admin" or
"services", all read-only actions (GET requests) of FM API are allowed
for any user, so it only requires "reader" role (that is the lowest
role). Other actions require the user to have "admin" role and to be
present in either project "admin" or "services".
As all system users of StarlingX have "admin" role and are present in
either project "admin" or "services", the default rules for FM API
allow any system user to execute any action, so there should be no
regression with the change introduced here.
To test the access control of FM API, the following commands will be
used:
    fm alarm-list
    fm alarm-show <uuid>
    fm alarm-summary
    fm alarm-delete <uuid>
    fm event-list
    fm event-show <uuid>
    fm event-suppress --alarm_id <alarm_id>
    fm event-suppress-list
    fm event-unsuppress --alarm_id <alarm_id>
    fm event-unsuppress-all
In the test plan, these commands will be referred to as "test commands".
Note: there is one FM API that is not tested by the commands above,
that is the creation of alarms ("fm_api:alarm:create"). This API will
be tested indirectly by observing the system successfully creating
alarms in the deployed environment.
Test Plan:
PASS: Successfully deploy an AIO-SX using a Debian image with this
commit present. Successfully create, through openstack CLI, the users:
'testreader' with role 'reader' in project 'admin',
'adminsvc' with role 'admin' in project 'services' and
'otheradmin' with role 'admin' in project 'notadminproject'.
Create openrc files for all new users. Note: the other user that will be
used is the already existing 'admin' with role 'admin' in project
'admin'.
PASS: In the deployed AIO-SX, check the behavior of test commands
through different users: for "admin" and "adminsvc" users, all commands
are successful; for users "testreader" and "otheradmin", only the
commands "alarm-delete", "event-suppress", "event-unsuppress" and
"event-unsuppress-all" fail. Observe also that the system is able to
create alarms during its operation.
PASS: In the deployed AIO-SX, add the following lines in file
"/etc/fm/policy.yaml":
    fm_api:alarm:create: role:admin
    fm_api:alarm:delete: role:admin
    fm_api:alarm:get: role:admin
    fm_api:alarm:modify: role:admin
    fm_api:event_log:get: role:admin
    fm_api:event_suppression:get: role:admin
    fm_api:event_suppression:modify: role:admin
and check that all test commands are successful through user
"otheradmin" and that all test commands fail through user "testreader".
Observe also that the system is able to create alarms during its
operation.
PASS: In the deployed AIO-SX, to assert that public API works without
authentication, execute the commands:
"curl -v http://<MGMT_IP>:18002/" and
"curl -v http://<MGMT_IP>:18002/v1/" and
verify that they are accepted and that the HTTP response is 200,
and execute the commands:
"curl -v http://<MGMT_IP>:18002/v1/alarms" and
"curl -v http://<MGMT_IP>:18002/v1/event_log" and
verify that they are rejected and that the HTTP response is 401.
PASS: In the deployed AIO-SX, check through Horizon interface that Fault
Management works correctly (showing alarms and events, allowing events
to be suppressed).
PASS: Repeat all tests above changing the deploy to AIO-DX using a
CentOS image.
Story: 2010149
Task: 46123
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I3db6d0464d8d53c4dfbc761663be1712141b8b93
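The default rules and the "/etc/fm/policy.yaml" override from the test plan above, modelled as an added example (this is not code from the FM project). The rule strings in DEFAULTS, the command-to-rule mapping and the admin-implies-reader role expansion are assumptions inferred from the commit message, and the evaluator handles only role:/project_name: checks joined by and/or.

```python
# Added example: simplified model of the access rules in the commit message.
# DEFAULTS rule strings and the COMMANDS mapping are assumptions from its prose.
import re

IMPLIED = {"admin": {"admin", "member", "reader"}, "reader": {"reader"}}
READ = "role:reader"
WRITE = "role:admin and (project_name:admin or project_name:services)"
DEFAULTS = {
    "fm_api:alarm:create": WRITE, "fm_api:alarm:delete": WRITE,
    "fm_api:alarm:get": READ, "fm_api:alarm:modify": WRITE,
    "fm_api:event_log:get": READ, "fm_api:event_suppression:get": READ,
    "fm_api:event_suppression:modify": WRITE,
}
COMMANDS = {  # test command -> rule it is assumed to exercise
    "alarm-list": "fm_api:alarm:get", "alarm-show": "fm_api:alarm:get",
    "alarm-summary": "fm_api:alarm:get", "alarm-delete": "fm_api:alarm:delete",
    "event-list": "fm_api:event_log:get", "event-show": "fm_api:event_log:get",
    "event-suppress-list": "fm_api:event_suppression:get",
    "event-suppress": "fm_api:event_suppression:modify",
    "event-unsuppress": "fm_api:event_suppression:modify",
    "event-unsuppress-all": "fm_api:event_suppression:modify",
}
USERS = {"admin": ("admin", "admin"), "adminsvc": ("admin", "services"),
         "otheradmin": ("admin", "notadminproject"), "testreader": ("reader", "admin")}

def evaluate(rule, role, project):  # atoms role:/project_name:, and/or, parentheses
    toks = re.findall(r"\(|\)|[^\s()]+", rule) + [None]
    def atom():
        tok = toks.pop(0)
        if tok == "(":
            val = either()
            toks.pop(0)  # consume the closing ")"
            return val
        kind, _, value = tok.partition(":")  # unknown kinds raise KeyError below
        return {"role": value in IMPLIED[role], "project_name": value == project}[kind]
    def chain(op, operand):
        val = operand()
        while toks[0] == op:
            toks.pop(0)  # operand() runs first so its tokens are always consumed
            val = (operand() and val) if op == "and" else (operand() or val)
        return val
    either = lambda: chain("or", lambda: chain("and", atom))  # "and" binds tighter
    return either()

def denied(user, overrides=None):  # sorted test commands refused for this user
    rules = {**DEFAULTS, **(overrides or {})}
    return sorted(c for c, r in COMMANDS.items()
                  if not evaluate(rules[r], *USERS[user]))
```

Calling `denied(user)` reproduces the second PASS step, and passing a dict that sets every rule to `role:admin` reproduces the third.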
These functions do a number of things, specifically they handle the
DevStack USE_PYTHON3 switch transparently so we can run both major
Python versions.
The new setup.cfg files are only used by setup_*() right now; making
the switch to use pbr is beyond what I want to do here.
Change-Id: Ib9753119235b1ce23030a2b3de0169ed6f8819e0
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
Because we are in a deadly embrace with the config plugin after
the OpenDev work, the config plugin is being forced off in this job
to remove one of the dependencies.
Ultimately extracting cgts-client to be installable stand-alone
is a better solution to allow other plugins to install directly.
Depends-On: https://review.opendev.org/653961
Change-Id: I47f1d0df404fc40a9d514c1b0689b5457dbc3f87
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
Use the correct service name in start_fault() and stop_fault()
Change-Id: I881b8e4cbcca3219e7a18fa6f60afc1e442b41f4
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
* add cleanup for fm-api and fm-client
* fmManager process launch including
* 1, collate /etc/fm/fm.conf for fmManager
* 2, create fm database
* 3, create table event_suppression/alarm/event
* with fm-dbsync --config-file /etc/fm/fm.conf
* 4, update fm_db_sync_event_suppression.py install
* for hardcode in fm-common/sources/fmConstants.h
* 5, add event type file /etc/fm/events.yaml
* 6, fmManager process launch
Test case:
$./stack.sh
=========================
DevStack Component Timing
(times are in seconds)
=========================
run_process 21
test_with_retry 2
apt-get-update 9
pip_install 128
osc 143
wait_for_service 16
dbsync 20
apt-get 35
-------------------------
Unaccounted time 343
=========================
Total runtime 717
This is your host IP address: 192.168.122.80
This is your host IPv6 address: ::1
Horizon is now available at http://192.168.122.80/dashboard
Keystone is serving at http://192.168.122.80/identity/
The default users are: admin and demo
The password: secret
Task: 23294
Story: 2003159
Depends-on: https://review.openstack.org/#/c/648119/
Depends-on: https://review.openstack.org/#/c/641710/
Change-Id: Icbbf4b57261ccd46c12cf765919e26c3916d0fc6
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
fm-rest-api requires cgtsclient, stx-config needed some work
to allow only that to be installed.
Rework installation dir again. Put everything in /usr/local
again, but allow that to be changed to a user-writable dir and
not require sudo.
Depends-on: https://review.openstack.org/641786
Depends-on: https://review.openstack.org/641783
Depends-on: https://review.openstack.org/641699
Change-Id: I37cc8283e8eb93a77088aebacdcc62dfb7e1c75e
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
* Install build artifacts to a fixed dir rather than attempting
  to infer a location based on the Python binary location. That
  was intended to work seamlessly in venvs, we'll burn that bridge
  when we come to it, for now just put it all in
  $DEST/usr/{bin|include|lib}. This also removed the need for
  root access for these files to allow the build steps to be performed
  on laptops that may not otherwise run DevStack.
* Handle some side-effects of a non-default install location for
  the build artifacts.
* Add missing CentOS prereqs for base image builds:
  fm-common:
  - libuuid-devel
  - postgresql-devel
* Add the declarations to settings for the devstack playbook to
  handle plugin precedence order properly.
Change-Id: I8ec59f83dff522fcec0be4e0a650e402a2747a98
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
We're changing to upstream master soon, let's start running
on the upstream devstack configuration.
There is an undeclared dependency on cgtsclient in fm-rest-api
so we need to work around that.
Change-Id: If764701fce94fb760edf0a68805753d3804892c0
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
* Pull binary build steps into separate functions
* Add build.sh to call binary builds without the rest of DevStack
* Add new stx-fault-build job and tox build environment
* Make stx-fault-devstack voting (still only devstack/*)
Change-Id: I6692fc1f75db413860ede2657f4f1501b95c10c0
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
change install_non_bb to install due to
I431b733030444185cc51a8b5352492926170a4c3 change
Force to use xenial(nodeset:openstack-single-node-xenial)
Closes-bug: 1812785
Change-Id: I61338a79f09d59b1f1e36a4911ecadad4a3453e8
Signed-off-by: Sun Austin <austin.sun@intel.com>
It is "fm-rest-api" in .zuul.yaml. Correct the service name.
Change-Id: Idbac53b74e0eeb5b7da5c83c2526fb3ac7be855e
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
This fixes the cleanup for the rest-api since it was missing either '-'
or the '_'.
Change-Id: Id461458c6ba0045f28e9d26de11c318c5c4c51a4
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Begin working on a base devstack job for testing stx projects.
We have to pull a lot of stable/pike bits yet let STX services
run from master.
Change-Id: I6eee854888acb27b54c10c25d47e97d98a7f999c
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
At the moment it just installs and partially configures it.
Depends-On: https://review.openstack.org/610756
Change-Id: If74b81841f583ad6d3850cd12ee337c1b4a1a177
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
Add a DevStack plugin to build and install the basic Fault dependencies
required by most of the other STX projects. The bulk of this was originally
submitted in https://review.openstack.org/#/c/595865/.
Installing and starting the REST API service will follow in a later review.
Also enable bashate on the devstack plugin and max yaml line length
set to 260
Change-Id: I95009fceee28a81e6d8795e90b259e0e1b175327
Signed-off-by: Dean Troyer <dtroyer@gmail.com>