starlingx/distcloud
Code Issues Proposed changes
distcloud/distributedcloud/dcmanager/api/controllers/v1/subcloud_deploy.py
Joao Victor Portal 28a4b568b1 Implement access control for DC API 
This commit implements access control for DC API. The reference doc can
be found at
"https://docs.starlingx.io/api-ref/distcloud/api-ref-dcmanager-v1.html".
Unit tests and YAML file support will be done in other tasks.

The access control implementation for GET requests requires the user to
have "reader" role and to be present in either "admin" or "services"
project. For other requests, it requires the user to have "admin" role
and to be present in either "admin" or "services" project. Requests
using public API URLs require no credentials.

As all default system users of StarlingX have "admin" role and are
present in either project "admin" or "services", there should be no
regression with the change introduced here.

The implementation done here is a little bit different from the one done
for sysinv and FM APIs, because the routing of requests is not done when
"before()" method of Pecan hooks are called, so the controller is not
defined at this point.

To test the access control of DC API, the following commands are used
(long list of parameters is replaced by "<params>"):

dcmanager subcloud add <params>
dcmanager subcloud manage subcloud2
dcmanager subcloud list
dcmanager subcloud delete subcloud2
dcmanager subcloud-deploy upload <params>
dcmanager subcloud-deploy show
dcmanager alarm summary
dcmanager patch-strategy create
dcmanager patch-strategy show
dcmanager patch-strategy apply
dcmanager patch-strategy abort
dcmanager patch-strategy delete
dcmanager strategy-config update <params> subcloud1
dcmanager strategy-config list
dcmanager strategy-config delete subcloud1
dcmanager subcloud-group add --name group01
dcmanager subcloud-group update --description test group01
dcmanager subcloud-group list
dcmanager subcloud-group delete group01
dcmanager subcloud-backup create --subcloud subcloud1

On test plan, these commands are reffered as "test commands".

The access control is not implemented for "dcdbsync" and "dcorch"
servers. Also, it is also not implemented for action POST
"/v1.0/notifications" in dcmanager API server, as it it is only called
indirectly by sysinv controllers.

Test Plan:

PASS: Successfully deploy a Distributed Cloud (with 1 subcloud) using a
CentOS image with this commit present. Successfully create, through
openstack CLI, the users: 'testreader' with role 'reader' in project
'admin', 'adminsvc' with role 'admin' in project 'services' and
'otheradmin' with role 'admin' in project 'notadminproject'. Create
openrc files for all new users. Note: the other user used is the already
existing 'admin' with role 'admin' in project 'admin'.
PASS: In the deployed DC, check the behavior of test commands through
different users: for "admin" and "adminsvc" users, all commands are
successful; for "testreader" user, only the test commands ending with
"list" or "summary" (GET requests) are successful; for "otheradmin"
user, all commands fail.
PASS: In the deployed DC, to assert that public API works without
authentication, execute the command "curl -v http://<MGMT_IP>:8119/" and
verify that it is accepted and that the HTTP response is 200, and
execute the command "curl -v http://<MGMT_IP>:8119/v1.0/subclouds" and
verify that it is rejected and that the HTTP response is 401.
PASS: In the deployed DC, check through Horizon interface that DC
management works correctly with default admin user.

Story: 2010149
Task: 46287

Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: Icfe24fd62096c7bf0bbb1f97e819dee5aac675e4
2022-09-22 18:26:35 -03:00

147 lines
5.2 KiB
Python
Raw Blame History

# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Copyright (c) 2020-2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
import os
from oslo_config import cfg
from oslo_log import log as logging
import http.client as httpclient
import pecan
from pecan import expose
from pecan import request
from dcmanager.api.controllers import restcomm
from dcmanager.api.policies import subcloud_deploy as subcloud_deploy_policy
from dcmanager.api import policy
from dcmanager.common import consts
from dcmanager.common.i18n import _
from dcmanager.common import utils
import tsconfig.tsconfig as tsc
CONF = cfg.CONF
LOG = logging.getLogger(__name__)
LOCK_NAME = 'SubcloudDeployController'
class SubcloudDeployController(object):
def __init__(self):
super(SubcloudDeployController, self).__init__()
@staticmethod
def _upload_files(dir_path, file_option, file_item, binary):
prefix = file_option + '_'
# create the version directory if it does not exist
if not os.path.isdir(dir_path):
os.mkdir(dir_path, 0o755)
else:
# check if the file exists, if so remove it
filename = utils.get_filename_by_prefix(dir_path, prefix)
if filename is not None:
os.remove(dir_path + '/' + filename)
# upload the new file
file_item.file.seek(0, os.SEEK_SET)
contents = file_item.file.read()
fn = os.path.join(dir_path, prefix + os.path.basename(
file_item.filename))
if binary:
dst = open(fn, 'wb')
dst.write(contents)
else:
dst = os.open(fn, os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
os.write(dst, contents)
@expose(generic=True, template='json')
def index(self):
# Route the request to specific methods with parameters
pass
@utils.synchronized(LOCK_NAME)
@index.when(method='POST', template='json')
def post(self):
policy.authorize(subcloud_deploy_policy.POLICY_ROOT % "upload", {},
restcomm.extract_credentials_for_policy())
deploy_dicts = dict()
missing_options = set()
for f in consts.DEPLOY_COMMON_FILE_OPTIONS:
if f not in request.POST:
missing_options.add(f)
# The API will only accept three types of input scenarios:
# 1. DEPLOY_PLAYBOOK, DEPLOY_OVERRIDES, and DEPLOY_CHART
# 2. DEPLOY_PLAYBOOK, DEPLOY_OVERRIDES, DEPLOY_CHART, and DEPLOY_PRESTAGE
# 3. DEPLOY_PRESTAGE
size = len(missing_options)
if len(missing_options) > 0:
if ((consts.DEPLOY_PRESTAGE in missing_options and size != 1) or
(consts.DEPLOY_PRESTAGE not in missing_options and size != 3)):
missing_str = str()
for missing in missing_options:
if missing is not consts.DEPLOY_PRESTAGE:
missing_str += '--%s ' % missing
error_msg = "error: argument %s is required" % missing_str.rstrip()
pecan.abort(httpclient.BAD_REQUEST, error_msg)
for f in consts.DEPLOY_COMMON_FILE_OPTIONS:
if f not in request.POST:
continue
file_item = request.POST[f]
filename = getattr(file_item, 'filename', '')
if not filename:
pecan.abort(httpclient.BAD_REQUEST,
_("No %s file uploaded" % f))
dir_path = tsc.DEPLOY_PATH
binary = False
if f == consts.DEPLOY_CHART:
binary = True
try:
self._upload_files(dir_path, f, file_item, binary)
except Exception as e:
pecan.abort(httpclient.INTERNAL_SERVER_ERROR,
_("Failed to upload %s file: %s" % (f, e)))
deploy_dicts.update({f: filename})
return deploy_dicts
@index.when(method='GET', template='json')
def get(self):
"""Get the subcloud deploy files that has been uploaded and stored"""
policy.authorize(subcloud_deploy_policy.POLICY_ROOT % "get", {},
restcomm.extract_credentials_for_policy())
deploy_dicts = dict()
for f in consts.DEPLOY_COMMON_FILE_OPTIONS:
dir_path = tsc.DEPLOY_PATH
filename = None
if os.path.isdir(dir_path):
prefix = f + '_'
filename = utils.get_filename_by_prefix(dir_path, prefix)
if filename is not None:
filename = filename.replace(prefix, '', 1)
deploy_dicts.update({f: filename})
return dict(subcloud_deploy=deploy_dicts)
View Git Blame Copy Permalink