def test_is_member(self):
    """The is_member rule accepts the demo and baremetal projects.

    Both the 'default' domain and an unset domain id are exercised; a
    project/domain pair outside that set must be rejected.
    """
    for domain_id in ('default', None):
        for project in ('demo', 'baremetal'):
            creds = {'project_name': project, 'project_domain_id': domain_id}
            self.assertTrue(policy.check('is_member', creds, creds))
    outsider = {'project_name': 'demo1', 'project_domain_id': 'default2'}
    self.assertFalse(policy.check('is_member', outsider, outsider))
def test_is_allocation_owner(self):
    """is_allocation_owner holds only for the project named in allocation.owner.

    Two callers share a project name and domain and differ only in
    project_id, so the rule must key on project_id rather than the name.
    """
    owner = {'project_id': '1234', 'project_name': 'demo',
             'project_domain_id': 'default'}
    other = dict(owner)
    other['project_id'] = '5678'
    target = dict(owner)
    target['allocation.owner'] = '1234'
    self.assertTrue(policy.check('is_allocation_owner', target, owner))
    self.assertFalse(policy.check('is_allocation_owner', target, other))
def test_is_node_lessee(self):
    """is_node_lessee holds only for the project named in node.lessee.

    As with the allocation owner check, the two callers differ only in
    project_id, so a match on project name alone would be a policy bug.
    """
    lessee = {'project_id': '1234', 'project_name': 'demo',
              'project_domain_id': 'default'}
    other = dict(lessee)
    other['project_id'] = '5678'
    target = dict(lessee)
    target['node.lessee'] = '1234'
    self.assertTrue(policy.check('is_node_lessee', target, lessee))
    self.assertFalse(policy.check('is_node_lessee', target, other))
def test_admin_api(self):
    """admin_api is satisfied by the admin role, the administrator role, or both."""
    for roles in (['admin'], ['administrator'], ['admin', 'administrator']):
        creds = {'roles': roles}
        self.assertTrue(policy.check('admin_api', creds, creds))
def test_node_create(self):
    """A baremetal_admin in the demo project may create nodes."""
    creds = dict(roles=['baremetal_admin'],
                 project_name='demo',
                 project_domain_id='default')
    self.assertTrue(policy.check('baremetal:node:create', creds, creds))
def test_node_get(self):
    """A baremetal_observer in the demo project may read nodes."""
    creds = dict(roles=['baremetal_observer'],
                 project_name='demo',
                 project_domain_id='default')
    self.assertTrue(policy.check('baremetal:node:get', creds, creds))
def test_show_password(self):
    """show_password is denied even to an admin; the default rule reveals no secrets."""
    creds = dict(roles=[u'admin'],
                 project_name='admin',
                 project_domain_id='default')
    self.assertFalse(policy.check('show_password', creds, creds))
def before(self, state):
    """Attach a RequestContext to the request before the controller runs.

    The context is built from the WSGI environ; in noauth mode any token is
    discarded so nothing credential-like is carried on the context. The
    is_admin flag is derived from the 'is_admin' policy rule rather than
    trusted from the request.

    :param state: pecan hook state carrying the current request.
    """
    environ = state.request.environ
    ctx = context.RequestContext.from_environ(
        environ, is_public_api=environ.get('is_public_api', False))
    # Nothing should authenticate in noauth mode, so drop the token rather
    # than let it travel with the context.
    if cfg.CONF.auth_strategy == 'noauth':
        ctx.auth_token = None
    policy_values = ctx.to_policy_values()
    ctx.is_admin = policy.check('is_admin', policy_values, policy_values)
    policy_deprecation_check()
    state.request.context = ctx
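def test_creds(self, rule, check, targets, creds):
    """Assert that *rule* evaluates to *check* for every (target, creds) pair.

    :param rule: name of the policy rule under test.
    :param check: the expected boolean outcome of the rule.
    :param targets: target dicts, one per entry in *creds*; when empty or
        None each creds dict doubles as its own target.
    :param creds: credential dicts the rule is evaluated with.

    The pairs are zipped, so a scenario whose targets and creds differ in
    length is only checked up to the shorter of the two.
    """
    if not targets:
        # No explicit targets in the scenario: evaluate each creds dict
        # against itself.
        targets = creds
    # The loop variable is deliberately not named ``creds``: rebinding the
    # parameter inside the loop (flagged by linters as B020) made the same
    # name mean the whole list outside the loop and one element inside it.
    for target, cred in zip(targets, creds):
        result = policy.check(rule, target, cred)
        if result == check:
            continue
        msg = '%s should be %s for target %s, creds %s' % (
            rule, check, target, cred)
        if check:
            self.assertTrue(result, msg)
        else:
            self.assertFalse(result, msg)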
def before(self, state):
    """Attach a RequestContext to the request before the controller runs.

    A caller-supplied global request id is honoured only if it matches
    ID_FORMAT; otherwise it is silently ignored. In noauth mode the token is
    discarded, and is_admin is decided by the 'is_admin' policy rule rather
    than taken from the request.

    :param state: pecan hook state carrying the current request.
    """
    environ = state.request.environ
    is_public_api = environ.get('is_public_api', False)

    # Only a well-formed inbound id is propagated; anything else is dropped.
    # NOTE(review): re.match anchors at the start only, so this relies on
    # ID_FORMAT anchoring the end of the string as well — confirm.
    inbound_id = state.request.headers.get(INBOUND_HEADER, "")
    if re.match(ID_FORMAT, inbound_id):
        environ[GLOBAL_REQ_ID] = inbound_id

    ctx = context.RequestContext.from_environ(environ,
                                              is_public_api=is_public_api)
    # Nothing should authenticate in noauth mode, so drop the token rather
    # than let it travel with the context.
    if cfg.CONF.auth_strategy == 'noauth':
        ctx.auth_token = None
    policy_values = ctx.to_policy_values()
    ctx.is_admin = policy.check('is_admin', policy_values, policy_values)
    policy_deprecation_check()
    state.request.context = ctx
def before(self, state):
    """Build a RequestContext from identity headers before the controller runs.

    The identity fields are read straight from X-User*/X-Tenant*/X-Roles
    headers; these are presumably populated by an authentication middleware
    in front of this hook, and the hook itself does no validation of them.
    In noauth mode the token header is not carried over. is_admin is decided
    by the 'is_admin' policy rule from the assembled creds.

    :param state: pecan hook state carrying the current request.
    """
    headers = state.request.headers
    noauth = cfg.CONF.auth_strategy == 'noauth'
    creds = {
        'user': headers.get('X-User') or headers.get('X-User-Id'),
        'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'),
        'domain_id': headers.get('X-User-Domain-Id'),
        'domain_name': headers.get('X-User-Domain-Name'),
        # Never propagate a token in noauth mode.
        'auth_token': None if noauth else headers.get('X-Auth-Token'),
        # An absent X-Roles header yields [''] here, not [] — kept as-is.
        'roles': headers.get('X-Roles', '').split(','),
        'is_public_api': state.request.environ.get('is_public_api', False),
    }
    admin = policy.check('is_admin', creds, creds)
    state.request.context = context.RequestContext(is_admin=admin, **creds)
def test_node_get(self):
    """A generic_user role does not grant node read access."""
    creds = dict(roles=['generic_user'], tenant='demo')
    self.assertFalse(policy.check('baremetal:node:get', creds, creds))
def test_node_create(self):
    """A baremetal_observer may not create nodes."""
    creds = dict(roles=['baremetal_observer'], tenant='demo')
    self.assertFalse(policy.check('baremetal:node:create', creds, creds))
def test_public_api(self):
    """public_api is denied when the flag is the string 'False' or absent."""
    for creds in ({'is_public_api': 'False'}, {}):
        self.assertFalse(policy.check('public_api', creds, creds))
def test_show_password(self):
    """show_password is denied even to an admin; the default rule reveals no secrets."""
    creds = dict(roles=[u'admin'], tenant='demo')
    self.assertFalse(policy.check('show_password', creds, creds))
def test_node_create(self):
    """A baremetal_admin may create nodes."""
    creds = dict(roles=['baremetal_admin'], tenant='demo')
    self.assertTrue(policy.check('baremetal:node:create', creds, creds))
def test_admin_api(self):
    """The Member role alone does not satisfy admin_api."""
    creds = dict(roles=['Member'])
    self.assertFalse(policy.check('admin_api', creds, creds))
def lookup(self, context, **kwargs):
    """Find a matching node for the agent.

    Called the first time a ramdisk agent checks in, whether the node is
    just entering decom or has rebooted for some reason. The MAC addresses
    listed in kwargs are used to find the matching node, and the node is
    returned to the agent, which can then use its UUID with the node vendor
    passthru method. The case of an agent with no matching node (a brand new,
    never-seen node) is not handled here.

    Useful configuration for the agent is returned alongside the node;
    today that is limited to heartbeat_timeout and the metrics configuration
    from ``ramdisk.config()``.

    kwargs should have the following format::

        {
            "version": "2"
            "inventory": {
                "interfaces": [
                    {
                        "name": "eth0",
                        "mac_address": "00:11:22:33:44:55",
                        "switch_port_descr": "port24",
                        "switch_chassis_descr": "tor1"
                    }, ...
                ], ...
            },
            "node_uuid": "ab229209-0139-4588-bbe5-64ccec81dd6e"
        }

    The interfaces list holds the non-IPMI MAC addresses in the form
    aa:bb:cc:dd:ee:ff.

    node_uuid is optional. When present (e.g. after an inspection run
    before lookup) the node is fetched by UUID and the MAC search is skipped.

    The heartbeat timeout is returned in the root-level key
    'heartbeat_timeout'; the agent is expected to heartbeat before it
    expires or it is considered down.

    Secrets in the node's driver_info are masked unless the caller passes
    the 'show_password' policy rule.

    :raises: NotFound if no matching node is found.
    :raises: InvalidParameterValue with unknown payload version
    """
    LOG.warning(
        _LW('Agent lookup vendor passthru is deprecated and will be '
            'removed in the Ocata release; please update your '
            'ironic-python-agent image to the Newton version'))
    LOG.debug('Agent lookup using data %s', kwargs)

    node_uuid = kwargs.get('node_uuid')
    if not node_uuid:
        interfaces = self._get_interfaces(kwargs.get('inventory'))
        macs = self._get_mac_addresses(interfaces)
        node = self._find_node_by_macs(context, macs)
    else:
        node = objects.Node.get_by_uuid(context, node_uuid)

    LOG.info(
        _LI('Initial lookup for node %s succeeded, agent is running '
            'and waiting for commands'), node.uuid)

    node_dict = node.as_dict()
    policy_creds = context.to_dict()
    # driver_info can carry credentials: only reveal them when the policy
    # rule allows it, otherwise replace them with a fixed mask.
    if not policy.check('show_password', policy_creds, policy_creds):
        node_dict['driver_info'] = strutils.mask_dict_password(
            node_dict['driver_info'], "******")

    return {
        # heartbeat_timeout is a config value and also lives in the config
        # namespace; rather than deprecate this key separately it goes away
        # together with the vendor_passthru version of lookup.
        'heartbeat_timeout': CONF.api.ramdisk_heartbeat_timeout,
        'node': node_dict,
        'config': ramdisk.config(),
    }
def test_public_api(self):
    """public_api is granted when the flag is the string 'True'."""
    creds = dict(is_public_api='True')
    self.assertTrue(policy.check('public_api', creds, creds))
def test_show_password(self):
    """show_password is denied even to an admin; the default rule reveals no secrets."""
    creds = dict(roles=[u'admin'],
                 project_name='admin',
                 project_domain_id='default')
    self.assertFalse(policy.check('show_password', creds, creds))
def lookup(self, context, **kwargs):
    """Find a matching node for the agent.

    Called the first time a ramdisk agent checks in, whether the node is
    just entering cleaning or has rebooted for some reason. The MAC
    addresses listed in kwargs are used to find the matching node, and the
    node is returned to the agent, which can then use its UUID with the node
    vendor passthru method. The case of an agent with no matching node (a
    brand new, never-seen node) is not handled here.

    Useful configuration for the agent is returned alongside the node;
    today that is limited to heartbeat_timeout and the metrics configuration
    from ``ramdisk.config()``.

    kwargs should have the following format::

        {
            "version": "2"
            "inventory": {
                "interfaces": [
                    {
                        "name": "eth0",
                        "mac_address": "00:11:22:33:44:55",
                        "switch_port_descr": "port24",
                        "switch_chassis_descr": "tor1"
                    }, ...
                ], ...
            },
            "node_uuid": "ab229209-0139-4588-bbe5-64ccec81dd6e"
        }

    The interfaces list holds the non-IPMI MAC addresses in the form
    aa:bb:cc:dd:ee:ff.

    node_uuid is optional. When present (e.g. after an inspection run
    before lookup) the node is fetched by UUID and the MAC search is skipped.

    The heartbeat timeout is returned in the root-level key
    'heartbeat_timeout'; the agent is expected to heartbeat before it
    expires or it is considered down.

    Secrets in the node's driver_info are masked unless the caller passes
    the 'show_password' policy rule.

    :raises: NotFound if no matching node is found.
    :raises: InvalidParameterValue with unknown payload version
    """
    LOG.warning(
        _LW('Agent lookup vendor passthru is deprecated and will be '
            'removed in the Ocata release; please update your '
            'ironic-python-agent image to the Newton version'))
    LOG.debug('Agent lookup using data %s', kwargs)

    node_uuid = kwargs.get('node_uuid')
    if not node_uuid:
        interfaces = self._get_interfaces(kwargs.get('inventory'))
        macs = self._get_mac_addresses(interfaces)
        node = self._find_node_by_macs(context, macs)
    else:
        node = objects.Node.get_by_uuid(context, node_uuid)

    LOG.info(_LI('Initial lookup for node %s succeeded, agent is running '
                 'and waiting for commands'), node.uuid)

    node_dict = node.as_dict()
    policy_creds = context.to_dict()
    # driver_info can carry credentials: only reveal them when the policy
    # rule allows it, otherwise replace them with a fixed mask.
    if not policy.check('show_password', policy_creds, policy_creds):
        node_dict['driver_info'] = strutils.mask_dict_password(
            node_dict['driver_info'], "******")

    return {
        # heartbeat_timeout is a config value and also lives in the config
        # namespace; rather than deprecate this key separately it goes away
        # together with the vendor_passthru version of lookup.
        'heartbeat_timeout': CONF.api.ramdisk_heartbeat_timeout,
        'node': node_dict,
        'config': ramdisk.config(),
    }
def test_node_get(self):
    """A baremetal_observer may read nodes."""
    creds = dict(roles=['baremetal_observer'], tenant='demo')
    self.assertTrue(policy.check('baremetal:node:get', creds, creds))
def test_node_get(self):
    """A baremetal_observer in the demo project may read nodes."""
    creds = dict(roles=['baremetal_observer'],
                 project_name='demo',
                 project_domain_id='default')
    self.assertTrue(policy.check('baremetal:node:get', creds, creds))
def test_node_create(self):
    """A baremetal_admin in the demo project may create nodes."""
    creds = dict(roles=['baremetal_admin'],
                 project_name='demo',
                 project_domain_id='default')
    self.assertTrue(policy.check('baremetal:node:create', creds, creds))