author | Lance Bragstad <lbragstad@gmail.com> | 2020-11-18 21:16:05 +0000 |
---|---|---|
committer | Julia Kreger <juliaashleykreger@gmail.com> | 2021-02-22 05:49:11 -0800 |
commit | ff883486e62e394b03ed7c6e6911ca082e599586 (patch) | |
tree | 0f7f02886dcea39535066197fe794ed41839c6a8 /ironic/tests | |
parent | 9e773d96cae24436afc3cf9aff30f40d558678af (diff) | |
download | ironic-ff883486e62e394b03ed7c6e6911ca082e599586.tar.gz |
Implement system scoped RBAC for node and driver passthru
This commit updates the baremetal passthru policies to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.
Change-Id: I31a258e0ce7db7e931e62f2a06e610857dabdd47
Diffstat (limited to 'ironic/tests')
-rw-r--r-- | ironic/tests/unit/api/test_rbac_legacy.yaml | 30 | ||||
-rw-r--r-- | ironic/tests/unit/api/test_rbac_system_scoped.yaml | 30 |
2 files changed, 30 insertions, 30 deletions
diff --git a/ironic/tests/unit/api/test_rbac_legacy.yaml b/ironic/tests/unit/api/test_rbac_legacy.yaml
index 0b37b8d8e..f4842999b 100644
--- a/ironic/tests/unit/api/test_rbac_legacy.yaml
+++ b/ironic/tests/unit/api/test_rbac_legacy.yaml
@@ -520,90 +520,105 @@ nodes_vendor_passthru_methods_get_admin:
 method: get
 headers: *admin_headers
 assert_status: 503
+ deprecated: true
 nodes_vendor_passthru_methods_get_member:
 path: '/v1/nodes/{node_ident}/vendor_passthru/methods'
 method: get
 headers: *member_headers
 assert_status: 403
+ deprecated: true
 nodes_vendor_passthru_methods_get_observer:
 path: '/v1/nodes/{node_ident}/vendor_passthru/methods'
 method: get
 headers: *observer_headers
 assert_status: 403
+ deprecated: true
 nodes_vendor_passthru_get_admin:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: get
 headers: *admin_headers
 assert_status: 503
+ deprecated: true
 nodes_vendor_passthru_get_member:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: get
 headers: *member_headers
 assert_status: 403
+ deprecated: true
 nodes_vendor_passthru_get_observer:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: get
 headers: *observer_headers
 assert_status: 403
+ deprecated: true
 nodes_vendor_passthru_post_admin:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: post
 headers: *admin_headers
 assert_status: 503
+ deprecated: true
 nodes_vendor_passthru_post_member:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: post
 headers: *member_headers
 assert_status: 403
+ deprecated: true
 nodes_vendor_passthru_post_observer:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: post
 headers: *observer_headers
 assert_status: 403
+ deprecated: true
 nodes_vendor_passthru_put_admin:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: put
 headers: *admin_headers
 assert_status: 503
+ deprecated: true
 nodes_vendor_passthru_put_member:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: put
 headers: *member_headers
 assert_status: 403
+ deprecated: true
 nodes_vendor_passthru_put_observer:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: put
 headers: *observer_headers
 assert_status: 403
+ deprecated: true
 nodes_vendor_passthru_delete_admin:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: delete
 headers: *admin_headers
 assert_status: 503
+ deprecated: true
 nodes_vendor_passthru_delete_member:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: delete
 headers: *member_headers
 assert_status: 403
+ deprecated: true
 nodes_vendor_passthru_delete_observer:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: delete
 headers: *observer_headers
 assert_status: 403
+ deprecated: true
 # Node Traits - https://docs.openstack.org/api-ref/baremetal/#node-traits-nodes
@@ -1631,72 +1646,84 @@ drivers_vendor_passthru_methods_get_admin:
 method: get
 headers: *admin_headers
 assert_status: 404
+ deprecated: true
 drivers_vendor_passthru_methods_get_member:
 path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
 method: get
 headers: *member_headers
 assert_status: 403
+ deprecated: true
 drivers_vendor_passthru_methods_get_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
 method: get
 headers: *observer_headers
 assert_status: 403
+ deprecated: true
 drivers_vendor_passthru_get_admin:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: get
 headers: *admin_headers
 assert_status: 404
+ deprecated: true
 drivers_vendor_passthru_get_member:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: get
 headers: *member_headers
 assert_status: 403
+ deprecated: true
 drivers_vendor_passthru_get_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: get
 headers: *observer_headers
 assert_status: 403
+ deprecated: true
 drivers_vendor_passthru_post_admin:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: post
 headers: *admin_headers
 assert_status: 404
+ deprecated: true
 drivers_vendor_passthru_post_member:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: post
 headers: *member_headers
 assert_status: 403
+ deprecated: true
 drivers_vendor_passthru_post_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: post
 headers: *observer_headers
 assert_status: 403
+ deprecated: true
 drivers_vendor_passthru_put_admin:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: put
 headers: *admin_headers
 assert_status: 404
+ deprecated: true
 drivers_vendor_passthru_put_member:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: put
 headers: *member_headers
 assert_status: 403
+ deprecated: true
 drivers_vendor_passthru_put_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: put
 headers: *observer_headers
 assert_status: 403
+ deprecated: true
 # NOTE(TheJulia): Returns an error due to the driver name
 # not matching, but this should be pass policy checking.
@@ -1706,18 +1733,21 @@ drivers_vendor_passthru_delete_admin:
 method: delete
 headers: *admin_headers
 assert_status: 404
+ skip_reason: not updated for scope testing
 drivers_vendor_passthru_delete_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: delete
 headers: *member_headers
 assert_status: 403
+ skip_reason: not updated for scope testing
 drivers_vendor_passthru_delete_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: delete
 headers: *observer_headers
 assert_status: 403
+ skip_reason: not updated for scope testing
 # Node Bios - https://docs.openstack.org/api-ref/baremetal/#node-bios-nodes
diff --git a/ironic/tests/unit/api/test_rbac_system_scoped.yaml b/ironic/tests/unit/api/test_rbac_system_scoped.yaml
index 69140205a..e9c10fa4c 100644
--- a/ironic/tests/unit/api/test_rbac_system_scoped.yaml
+++ b/ironic/tests/unit/api/test_rbac_system_scoped.yaml
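Review bot: In the legacy hunk `@@ -1706,18 +1733,21 @@`, the second case is named `drivers_vendor_passthru_delete_observer` but sends `*member_headers`, and the case after it reuses the same name with `*observer_headers`; the system-scoped hunk `@@ -1610,21 +1583,18 @@` has the same duplicate with `*scoped_member_headers`. A YAML mapping cannot hold two entries under one key, and a loader that keeps the last one would silently drop the member case, so even with the `skip_reason` lines removed in the system-scoped file the member DELETE on driver vendor passthru may never be asserted. Renaming the first of each pair to `drivers_vendor_passthru_delete_member:` would restore that role check. Separately, these three legacy cases gain `skip_reason: not updated for scope testing` where every other legacy case in this commit gains `deprecated: true`; if that is deliberate, a comment saying why the legacy DELETE cases are skipped would help, otherwise `deprecated: true` looks like the intended line.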
@@ -455,105 +455,90 @@ nodes_vendor_passthru_methods_get_admin:
 method: get
 headers: *admin_headers
 assert_status: 503
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_methods_get_member:
 path: '/v1/nodes/{node_ident}/vendor_passthru/methods'
 method: get
 headers: *scoped_member_headers
 assert_status: 403
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_methods_get_observer:
 path: '/v1/nodes/{node_ident}/vendor_passthru/methods'
 method: get
 headers: *observer_headers
 assert_status: 403
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_get_admin:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: get
 headers: *admin_headers
 assert_status: 503
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_get_member:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: get
 headers: *scoped_member_headers
 assert_status: 403
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_get_observer:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: get
 headers: *observer_headers
 assert_status: 403
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_post_admin:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: post
 headers: *admin_headers
 assert_status: 503
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_post_member:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: post
 headers: *scoped_member_headers
 assert_status: 403
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_post_observer:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: post
 headers: *observer_headers
 assert_status: 403
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_put_admin:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: put
 headers: *admin_headers
 assert_status: 503
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_put_member:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: put
 headers: *scoped_member_headers
 assert_status: 403
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_put_observer:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: put
 headers: *observer_headers
 assert_status: 403
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_delete_admin:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: delete
 headers: *admin_headers
 assert_status: 503
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_delete_member:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: delete
 headers: *scoped_member_headers
 assert_status: 403
- skip_reason: policy not implemented yet
 nodes_vendor_passthru_delete_observer:
 path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
 method: delete
 headers: *observer_headers
 assert_status: 403
- skip_reason: policy not implemented yet
 # Node Traits - https://docs.openstack.org/api-ref/baremetal/#node-traits-nodes
@@ -1523,84 +1508,72 @@ drivers_vendor_passthru_methods_get_admin:
 method: get
 headers: *admin_headers
 assert_status: 404
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_methods_get_member:
 path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
 method: get
 headers: *scoped_member_headers
 assert_status: 403
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_methods_get_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
 method: get
 headers: *observer_headers
 assert_status: 403
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_get_admin:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: get
 headers: *admin_headers
 assert_status: 404
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_get_member:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: get
 headers: *scoped_member_headers
 assert_status: 403
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_get_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: get
 headers: *observer_headers
 assert_status: 403
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_post_admin:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: post
 headers: *admin_headers
 assert_status: 404
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_post_member:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: post
 headers: *scoped_member_headers
 assert_status: 403
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_post_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: post
 headers: *observer_headers
 assert_status: 403
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_put_admin:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: put
 headers: *admin_headers
 assert_status: 404
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_put_member:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: put
 headers: *scoped_member_headers
 assert_status: 403
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_put_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: put
 headers: *observer_headers
 assert_status: 403
- skip_reason: not updated for scope testing
 # NOTE(TheJulia): Returns an error due to the driver name
 # not matching, but this should be pass policy checking.
@@ -1610,21 +1583,18 @@ drivers_vendor_passthru_delete_admin:
 method: delete
 headers: *admin_headers
 assert_status: 404
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_delete_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: delete
 headers: *scoped_member_headers
 assert_status: 403
- skip_reason: not updated for scope testing
 drivers_vendor_passthru_delete_observer:
 path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
 method: delete
 headers: *observer_headers
 assert_status: 403
- skip_reason: not updated for scope testing
 # Node Bios - https://docs.openstack.org/api-ref/baremetal/#node-bios-nodes |