Implement system scoped RBAC for node and driver passthru

This commit updates the policies for baremetal passthru policies to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. Change-Id: I31a258e0ce7db7e931e62f2a06e610857dabdd47
author: Lance Bragstad <lbragstad@gmail.com> 2020-11-18 21:16:05 +0000
committer: Julia Kreger <juliaashleykreger@gmail.com> 2021-02-22 05:49:11 -0800
commit: ff883486e62e394b03ed7c6e6911ca082e599586 (patch)
tree: 0f7f02886dcea39535066197fe794ed41839c6a8 /ironic/tests
parent: 9e773d96cae24436afc3cf9aff30f40d558678af (diff)
download: ironic-ff883486e62e394b03ed7c6e6911ca082e599586.tar.gz
2 files changed, 30 insertions, 30 deletions
diff --git a/ironic/tests/unit/api/test_rbac_legacy.yaml b/ironic/tests/unit/api/test_rbac_legacy.yaml
index 0b37b8d8e..f4842999b 100644
--- a/ironic/tests/unit/api/test_rbac_legacy.yaml
+++ b/ironic/tests/unit/api/test_rbac_legacy.yaml
@@ -520,90 +520,105 @@ nodes_vendor_passthru_methods_get_admin:
   method: get
   headers: *admin_headers
   assert_status: 503
+  deprecated: true
 
 nodes_vendor_passthru_methods_get_member:
   path: '/v1/nodes/{node_ident}/vendor_passthru/methods'
   method: get
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 nodes_vendor_passthru_methods_get_observer:
   path: '/v1/nodes/{node_ident}/vendor_passthru/methods'
   method: get
   headers: *observer_headers
   assert_status: 403
+  deprecated: true
 
 nodes_vendor_passthru_get_admin:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: get
   headers: *admin_headers
   assert_status: 503
+  deprecated: true
 
 nodes_vendor_passthru_get_member:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: get
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 nodes_vendor_passthru_get_observer:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: get
   headers: *observer_headers
   assert_status: 403
+  deprecated: true
 
 nodes_vendor_passthru_post_admin:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: post
   headers: *admin_headers
   assert_status: 503
+  deprecated: true
 
 nodes_vendor_passthru_post_member:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: post
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 nodes_vendor_passthru_post_observer:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: post
   headers: *observer_headers
   assert_status: 403
+  deprecated: true
 
 nodes_vendor_passthru_put_admin:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: put
   headers: *admin_headers
   assert_status: 503
+  deprecated: true
 
 nodes_vendor_passthru_put_member:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: put
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 nodes_vendor_passthru_put_observer:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: put
   headers: *observer_headers
   assert_status: 403
+  deprecated: true
 
 nodes_vendor_passthru_delete_admin:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: delete
   headers: *admin_headers
   assert_status: 503
+  deprecated: true
 
 nodes_vendor_passthru_delete_member:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: delete
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 nodes_vendor_passthru_delete_observer:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: delete
   headers: *observer_headers
   assert_status: 403
+  deprecated: true
 
 # Node Traits - https://docs.openstack.org/api-ref/baremetal/#node-traits-nodes
 
@@ -1631,72 +1646,84 @@ drivers_vendor_passthru_methods_get_admin:
   method: get
   headers: *admin_headers
   assert_status: 404
+  deprecated: true
 
 drivers_vendor_passthru_methods_get_member:
   path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
   method: get
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 drivers_vendor_passthru_methods_get_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
   method: get
   headers: *observer_headers
   assert_status: 403
+  deprecated: true
 
 drivers_vendor_passthru_get_admin:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: get
   headers: *admin_headers
   assert_status: 404
+  deprecated: true
 
 drivers_vendor_passthru_get_member:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: get
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 drivers_vendor_passthru_get_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: get
   headers: *observer_headers
   assert_status: 403
+  deprecated: true
 
 drivers_vendor_passthru_post_admin:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: post
   headers: *admin_headers
   assert_status: 404
+  deprecated: true
 
 drivers_vendor_passthru_post_member:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: post
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 drivers_vendor_passthru_post_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: post
   headers: *observer_headers
   assert_status: 403
+  deprecated: true
 
 drivers_vendor_passthru_put_admin:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: put
   headers: *admin_headers
   assert_status: 404
+  deprecated: true
 
 drivers_vendor_passthru_put_member:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: put
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 drivers_vendor_passthru_put_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: put
   headers: *observer_headers
   assert_status: 403
+  deprecated: true
 
 # NOTE(TheJulia): Returns an error due to the driver name
 # not matching, but this should be pass policy checking.
@@ -1706,18 +1733,21 @@ drivers_vendor_passthru_delete_admin:
   method: delete
   headers: *admin_headers
   assert_status: 404
+  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_delete_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: delete
   headers: *member_headers
   assert_status: 403
+  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_delete_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: delete
   headers: *observer_headers
   assert_status: 403
+  skip_reason: not updated for scope testing
 
 # Node Bios - https://docs.openstack.org/api-ref/baremetal/#node-bios-nodes
 
diff --git a/ironic/tests/unit/api/test_rbac_system_scoped.yaml b/ironic/tests/unit/api/test_rbac_system_scoped.yaml
index 69140205a..e9c10fa4c 100644
--- a/ironic/tests/unit/api/test_rbac_system_scoped.yaml
+++ b/ironic/tests/unit/api/test_rbac_system_scoped.yaml
@@ -455,105 +455,90 @@ nodes_vendor_passthru_methods_get_admin:
   method: get
   headers: *admin_headers
   assert_status: 503
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_methods_get_member:
   path: '/v1/nodes/{node_ident}/vendor_passthru/methods'
   method: get
   headers: *scoped_member_headers
   assert_status: 403
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_methods_get_observer:
   path: '/v1/nodes/{node_ident}/vendor_passthru/methods'
   method: get
   headers: *observer_headers
   assert_status: 403
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_get_admin:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: get
   headers: *admin_headers
   assert_status: 503
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_get_member:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: get
   headers: *scoped_member_headers
   assert_status: 403
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_get_observer:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: get
   headers: *observer_headers
   assert_status: 403
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_post_admin:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: post
   headers: *admin_headers
   assert_status: 503
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_post_member:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: post
   headers: *scoped_member_headers
   assert_status: 403
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_post_observer:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: post
   headers: *observer_headers
   assert_status: 403
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_put_admin:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: put
   headers: *admin_headers
   assert_status: 503
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_put_member:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: put
   headers: *scoped_member_headers
   assert_status: 403
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_put_observer:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: put
   headers: *observer_headers
   assert_status: 403
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_delete_admin:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: delete
   headers: *admin_headers
   assert_status: 503
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_delete_member:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: delete
   headers: *scoped_member_headers
   assert_status: 403
-  skip_reason: policy not implemented yet
 
 nodes_vendor_passthru_delete_observer:
   path: '/v1/nodes/{node_ident}/vendor_passthru?method=test'
   method: delete
   headers: *observer_headers
   assert_status: 403
-  skip_reason: policy not implemented yet
 
 # Node Traits - https://docs.openstack.org/api-ref/baremetal/#node-traits-nodes
 
@@ -1523,84 +1508,72 @@ drivers_vendor_passthru_methods_get_admin:
   method: get
   headers: *admin_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_methods_get_member:
   path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
   method: get
   headers: *scoped_member_headers
   assert_status: 403
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_methods_get_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru/methods'
   method: get
   headers: *observer_headers
   assert_status: 403
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_get_admin:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: get
   headers: *admin_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_get_member:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: get
   headers: *scoped_member_headers
   assert_status: 403
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_get_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: get
   headers: *observer_headers
   assert_status: 403
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_post_admin:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: post
   headers: *admin_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_post_member:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: post
   headers: *scoped_member_headers
   assert_status: 403
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_post_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: post
   headers: *observer_headers
   assert_status: 403
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_put_admin:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: put
   headers: *admin_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_put_member:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: put
   headers: *scoped_member_headers
   assert_status: 403
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_put_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: put
   headers: *observer_headers
   assert_status: 403
-  skip_reason: not updated for scope testing
 
 # NOTE(TheJulia): Returns an error due to the driver name
 # not matching, but this should be pass policy checking.
@@ -1610,21 +1583,18 @@ drivers_vendor_passthru_delete_admin:
   method: delete
   headers: *admin_headers
   assert_status: 404
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_delete_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: delete
   headers: *scoped_member_headers
   assert_status: 403
-  skip_reason: not updated for scope testing
 
 drivers_vendor_passthru_delete_observer:
   path: '/v1/drivers/{driver_name}/vendor_passthru?method=test'
   method: delete
   headers: *observer_headers
   assert_status: 403
-  skip_reason: not updated for scope testing
 
 # Node Bios - https://docs.openstack.org/api-ref/baremetal/#node-bios-nodes
author	Lance Bragstad <lbragstad@gmail.com>	2020-11-18 21:16:05 +0000
committer	Julia Kreger <juliaashleykreger@gmail.com>	2021-02-22 05:49:11 -0800
commit	ff883486e62e394b03ed7c6e6911ca082e599586 (patch)
tree	0f7f02886dcea39535066197fe794ed41839c6a8 /ironic/tests
parent	9e773d96cae24436afc3cf9aff30f40d558678af (diff)
download	ironic-ff883486e62e394b03ed7c6e6911ca082e599586.tar.gz