This commit does two different changes: it changes the policy engine to
oslo_policy and restrict access to sysinv API to users of projects
'admin' or 'services'.
The policy engine deprecated is the one present in the file
"sysinv/sysinv/sysinv/sysinv/openstack/common/policy.py" (780 lines).
This file is no longer used by this repository and was not deleted
because it is used by other repositories, like starlingx/update. The
library oslo_policy is used in its place. In fact, the deprecated engine
seems to be an ancient version of oslo_policy. The library oslo_policy
changed the default format of configuration files from JSON to YAML, so
the configuration files named "policy.json" were changed to
"policy.yaml". The file that initializes and wraps oslo_policy
("sysinv/sysinv/sysinv/sysinv/common/policy.py") contains the minimal
implementation to use this library.
The access to sysinv API, before this commit, was restricted to users
with role "admin" or "administrator" from any project. This commit
restricts the access to users with role "admin" of projects "admin" or
"services". This change should not cause problems, because role
"administrator" doesn't exist and because all users from Starlingx are
from projects "admin" or "services". This change is needed to avoid
access from admin users of other projects.
To test custom policy rules set in the file "/etc/sysinv/policy.yaml",
it will be used the Service Parameter API actions create/apply/modify/
delete/get (commands "system service-parameter-[add/apply/modify/delete/
list]". To test default policy for sysinv API commands, it will be used
the command to change the system description (PATCH "/v1/isystems",
command "system modify --description='test'"). On test plan, these
commands will be reffered as "test commands". Any change in the file
"/etc/sysinv/policy.yaml" is detected by policy engine and rules are
updated.
Test Plan:
PASS: Successfully deploy an AIO-SX using an Debian image with this
commit present. Successfully create, through openstack CLI, the users:
'testreader' with role 'reader' in project 'admin',
'adminsvc' with role 'admin' in project 'services' and
'otheradmin' with role 'admin' in project 'notadminproject'.
Create openrc files for all new users. Note: the other user that will be
used is the already existing 'admin' with role 'admin' in project
'admin'.
PASS: In the deployed AIO-SX, check the behavior of test commands
through different users: for "admin" and "adminsvc" users, all commands
are successful; for user "testreader", only "service-parameter-list"
command is successful and for user "otheradmin" no command is
successful.
PASS: In the deployed AIO-SX, add the following lines in file
"/etc/sysinv/policy.yaml":
config_api:service_parameter:add: role:reader
config_api:service_parameter:apply: role:reader
config_api:service_parameter:delete: role:reader
config_api:service_parameter:get: role:reader
config_api:service_parameter:modify: role:reader
and check the behavior of test commands through different users:
for "admin" and "adminsvc" users, all commands are successful; for users
"testreader" and "otheradmin", all commands are successful except the
change in the system description ("system modify --description='test'").
PASS: In the deployed AIO-SX, to assert that public API works without
authentication, execute the commands:
"curl -v http://<MGMT_IP>:6385/v1/" and
"curl -v http://<MGMT_IP>:6385/v1/isystems/mgmtvlan" and
verify that they are accepted and that the HTTP response is 200,
and execute the commands:
"curl -v http://<MGMT_IP>:6385/v1/isystems/" and
"curl -v http://<MGMT_IP>:6385/v1/service_parameter" and
verify that they are rejected and that the HTTP response is 401.
PASS: Repeat all tests above changing the deploy to AIO-DX using an
CentOS image.
PASS: Successfully execute Debian AIO-SX daily regression and sanity
tests using an image containing this change.
Story: 2010149
Task: 45984
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: Id7aa387e154afb1441a8484b076cdc97f2fc46cb
The Host Hardware Profiles for creating re-usable configuration
templates for hosts are no longer maintained or supported and should be
removed from code. Including : CPU, Interface, Storage and Memory
profiles.
profile categories:
* cpu
* memory
* storage
* interfaces
topics:
* remove objects
* update models
* update documentation
* remove import/export profile apis
* remove and update unit tests
* new version script for migration upgrade
Test Plan / Failure Path:
PASS: Verify profile feature is removed on system upgrade
without existing previous profiles.
PASS: Verify profile feature is removed on system upgrade
with existing previous profiles.
PASS: Verify profile feature is removed on fresh install.
Regression:
PASS: Verify that the Horizon GUI remains navigable.
PASS: Verify non-affected system commands remains listed.
Story: 2009163
Task: 43159
Signed-off-by: Pablo Bovina <pablo.bovina@windriver.com>
Depends-On: https://review.opendev.org/c/starlingx/config/+/806800
Change-Id: Id828365920ce179e347acf0de5d3ed6af09efcbd
Remove configutilities and move what is being used in other components
to controllerconfig.
Tested with a clean install on AIO-DX and running config_controller.
With the StarlingX move to supporting pure upstream OpenStack, the
majority of the SDK Modules are related to functionality no longer
supported. The remaining SDK Modules will be moved to StarlingX
documentation.
Story: 2005275
Task: 30262
Change-Id: Ie496548dfc6efee677a501c98c227c586df0a7d6
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
* Put everything in /usr/local and allow that to be overridden to
a user-writable dir and not require sudo.
* Make the variables and functions match other plugin patterns
Change-Id: I3a6c5ec26af3224b7a3ff931f889d22254580a9e
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
Allow cgtsclient to be installed without any of the other
sysinv services or prerequisites. Also allow some selection
within sysinv services.
Change-Id: Ie8f10cb11111e9545103df001976295fc4aba3a6
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
Use the DevStack-provided functions to do the Python installations
for configutilities and controllerconfig.
Prepare the plugin setting for declaring DevStack prereqs that
is available in master's DevStack playbook.
Also do not enable all services by default. sysinv-api is disabled
in the devstack job as it does not properly start under Bionic. We
will address this separately.
Change-Id: Ib57863526d285049b5964828e1b60bf215d25a23
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
- rename sysinv-agent to sysinv-agent.sh to avoid overwrite
entry_point for sysinv-agent
- check sysinv services status once services are started
Change-Id: I58944452ca6cc9b3b6a5d4959b34c7b84c6d58f3
Signed-off-by: Sun Austin <austin.sun@intel.com>
need add sysinv-agent to ENABLED_SERVICES list
in devstack/localrc to enable this service.
Story: 2004370
Task: 27976
Change-Id: Id5a18a761bf288abe0ee145d116d09c9443848d3
Signed-off-by: Austin <austin.sun@intel.com>
fix below issue:
cgcs_client(system) reports error "public endpoint for platform
service in RegionOne region not found"
Story: 2004370
Task: 28000
Change-Id: I7378db1d7bc06bb6ef9b8a495858f45b4d414733
Signed-off-by: Sun Austin <austin.sun@intel.com>
Listed below are the errors which were fixed as well as the actions
taken to fix them:
E010: do not on the same line as for
--> let do and for in the same line
E011: then not on the same line as if or elif
--> let then and if or elif in the same line
E020: Function declaration not in format ^function name {$
--> fix the format to suit ^function name {$
E041: Usage of $[ for arithmetic is deprecated for $((
--> fix from $[ to $((
E043: arithmetic compound has inconsistent return semantics
--> do not use +=, ++, -=, --; use value=value+? instead.
E001: check that lines do not end with trailing whitespace
--> delete trailing whitespace
E003: ensure all indents are a multiple of 4 spaces
--> add/delete spaces
E042: local declaration hides errors
--> let declaration and assignment in two lines.
Listed below are test cases done which run one controller
and one compute in KVMs
Test-Install ---- success
Related: https://review.openstack.org/#/c/600663/https://review.openstack.org/#/c/601221/
Story: 2003360
Task: 26213
Change-Id: I3ece37db3a326ea58bd344f43beefcbbbd4f0ad4
Signed-off-by: SidneyAn <ran1.an@intel.com>
[dtroyer]Fixed the mechanical/syntax problems to focus on the sysinv issues
Story: 2003126
Change-Id: I5f131904890e94bd4396b3b1a809a00eb0d32eac
Signed-off-by: Austin Sun <austin.sun@intel.com>
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
Joao Victor Portal