summaryrefslogtreecommitdiff
path: root/ironic/common/context.py
Commit message (Collapse)AuthorAgeFilesLines
* Auto-populate lessee for deploymentsJulia Kreger2022-05-231-1/+37
| | | | | | | | | | | | | | Adds a configuration option and capability to automatically record the lessee for a deployment based upon the original auth_token information provided in the request context. Additional token information is now shared through the context which is extended in the same fashion as most other projects saving request token information to their RequestContext, instead of triggering excess API calls in the background to Keystone to try and figure out requestor's information. Change-Id: I42a2ceb9d2e7dfdc575eb37ed773a1bc682cec23
* Remove redundant/legacy is_admin logicJulia Kreger2021-06-151-4/+0
| | | | | | | | | | | | | | | | | | | | The original model used was to assert is_admin on the object context which was actually used in only one place in ironic's code. Redudnantly of course. This is an excess call of is_admin on all API invocations, and is simply not necessary as individual calls have API policy checking and is_admin was only being consulted in the glance service utils... However, the glance service utils also confirmed it should be able to access glance if there was an auth_token present on the request which should also always be the case. This was somewhat identified as redundant/possible bug during the Wallaby cycle and appears to be fine to remove This does *not* remove the deprecated rule. At present, it appears that rule may not be removed until after Xena. Change-Id: I5a176f51db93d2a2238496f6955c1c7d9a79c548
* Deprecate legacy policies, update project scoped docsJulia Kreger2021-03-171-0/+3
| | | | | | | | | | | | | Deprecates legacy policies which will be removed at a later point in time. Notes these in a release note which covers project scoped access enablement, and updates the Secure RBAC docs to cover additional details Special thanks to Rammstein Radio on Pandora, for without this and all of the amazing artists it brought to my coding jam sessions, this effort would not have reached any sort of conclusion in the relatively short time for such a massive amount of work. Change-Id: I3bf0fa0de07e19d6058f0299e7abbff91b48b360
* Remove from_dict function from contextRiccardo Pittau2020-11-171-11/+0
| | | | | | Also changing context entries from deprecated to current ones. Change-Id: I06a8763acf70e9e5890681c6ad3d410de86c14a1
* Fix tenant DeprecationWarning from oslo_contextJulia Kreger2018-05-111-1/+1
| | | | | | | | | | | | | | | | Unit tests run a bit slow because all context invocations were resulting in a deprecation warning being logged for each task invocation. Seems like it was an easy change! Error: DeprecationWarning: Using the 'tenant' argument is deprecated in version '2.18' and will be removed in version '3.0', please use the 'project_id' argument instead Change-Id: Ie555a5c554356c04d929fce972b061f720701355
* Stop sending custom context values over RPCVladyslav Drok2017-06-051-20/+3
| | | | | | | | | | Starting with this change, we stop sending the custom fields in the context object when communicating over RPC, and remove them from to_policy_values method, meaning that they can not be used in policy checks anymore. Closes-Bug: #1695104 Change-Id: Iefc771a9706cde39db9e9d31c475dfb11b262373
* Remove unused logging importAnh Tran2017-02-171-3/+0
| | | | Change-Id: I7f55eececc6079e0473a6f3bceedf1350b36d229
* Add user and project domains to ironic contextVladyslav Drok2016-11-151-38/+31
| | | | | | | | | | | | | | | | | | | | | | | This change also removes most of the logic from ironic's RequestContext to reuse the oslo_context as much as possible. Usage of domain_id and domain_name in policy files is deprecated and their support will be removed in the Pike release. domain_id field was removed from the context class completely, domain_name value now mathces the oslo_context expectations. ContextHook is changed too so as not to duplicate from_environ functional from oslo_context. to_dict method left as is, so that we don't break an older service receiving the context over RPC. It will be changed in Pike release to reuse the base oslo_context class' to_dict. Closes-Bug: #1602081 Closes-Bug: #1627173 Closes-Bug: #1641972 Co-Authored-By: Jamie Lennox <jamielennox@gmail.com> Co-Authored-By: Devananda van der Veen <devananda.vdv@gmail.com> Change-Id: I9afe89bc6aee282ee4b7579d661e3fa83cc0ce84
* Mask instance secrets in API responsesDevananda van der Veen2016-08-261-5/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds a new policy setting, "show_instance_secrets", whose behavior mirrors that of the existing "show_passwords" policy setting. Whereas "show_passwords" has historically blocked all sensitive information from the node's driver_info field, the new setting blocks all sensitive information from the node's instance_info field, including image_url. The name of the old setting, "show_passwords", is not being changed at this time because such a change is not backwards-compatible. Instead, the documentation string for this setting has been changed to clarify what it does. Note that the behavior has not actually changed. Note that this change moves the policy.check("show_password") call from the Pecan hook into the API's Nodes() class, where the policy.check("show_instance_secrets") is also added. This makes the code a little cleaner and more maintainable, especially if we want to add any more checks like this in the future. As a result of this cleanup, the ironic-specific RequestContext.show_password property is removed. Partial-bug: #1530972 Partial-bug: #1526752 Related-bug: #1613903 Change-Id: I48493c53971cdab3b9122897e51322e19ce2f600
* Remove oslo-incubator referencesJim Rollenhagen2016-08-051-1/+1
| | | | | | | | This drops compatibility for icehouse-era RPC backend configuration, as well as references to openstack.common in a docstring and an example traceback. Change-Id: I9603fcf0f78066f188d4852d2a815c0abe12744d
* Trivial: Fix a trivial flake8 errorTang Chen2016-07-221-2/+1
| | | | | | | | | | There is a flake8 error in context.py: "D200 One-line docstring should fit on one line with quotes" This patch fixes it. Change-Id: I412a7c3ee2d16eb4c87e981831ae616c29378180
* Follow-up patch of 0607226fc4b4bc3c9e1738dc3f78ed99e5d4f13dLin Tan2016-04-191-1/+2
| | | | | | | A follow-up patch of 0607226fc4b4bc3c9e1738dc3f78ed99e5d4f13d to correct typos. Change-Id: I3258cd8c972501a70d0b0f7f74184a15215d6f51
* Adopt Ironic's own contextLin Tan2016-04-011-4/+36
| | | | | | | | | | | | | Adopt Ironic's own context in Ironic and add tests. Refactor ensure_thread_contain_context to Ironic's own context class, this will be more generical and not bind to TaskManager anymore. Explicitly call ensure_thread_contain_context() in Inspector driver for inspect hardware action. Change-Id: Ic2bb16a2deb02054b4fca795d431c965e30a246f Closes-Bug: #1560264
* Tolerate roles in context.RequestContextDavanum Srinivas2016-02-241-6/+8
| | | | | | | | | | | | | In Ia575ba803a0fb70f39146bd75d381ed19414bd23, oslo.context added roles support in the context itself. Once that change is released in oslo.context and the global requirements has been updated, we should switch to passing in the roles in the __init__ parameter. Until then we should set self.roles *after* the constructor since the constructor sets the roles to None when the new library gets released. Closes-Bug: 1549317 Change-Id: Ie28a4144ccac5d6894405ba7f801617376e35c51
* Use oslo_context packageGhe Rivero2015-03-121-1/+1
| | | | | | | Use graduated library oslo_context and remove any reference to the context module from oslo.incubator Change-Id: I590f033c4b164cea9022cd951ded393b7406381e
* Add policy show_password to mask passwords in driver_infoZhenzan Zhou2015-02-041-1/+5
| | | | | | | | | | Ironic API already enforces admin role to run node-show. So a new policy show_password is added to control if plain text passwords in driver_info should be masked or not before sending back to API calls. The default is masking password for all cases. Change-Id: Icd3e6be049376bf7b4468f0c149a72a06643da32 Closes-Bug: #1406191
* Refactoring for Ironic policyRoman Prykhodchenko2014-12-221-1/+5
| | | | | | | | | | | | | | | | | | | | | - Synchronised OSLO policy and its dependencies to the newest version. - Replace policy-related code in Ironic with a proper configuration of the common policy engine; related commit 07e9b32a95352c25a611a93d215878a8b9a36b71 commit b19af0806f0e2dffc83607d39a88e408928da72c commit 2324c77549f0affeda854ac3e7a500097450bb6a commit a51469326e84ed977ecc4e57fd3d46cdc21aa08f commit fde1e156a38633ce9018569145390bce2047fea8 commit e700d926f7d8fe2f57e53b93361aaf281bebc8ed commit 65e3d8c9773880094c0a4c164e046fae9cb7a5d9 commit 5d1f15a7785b2597eb9db5700ace9625bd2d44dd commit fcf517d72cb81f972fad20caa9ff0341e9b4aa9c commit e038d896174ada12c4d8b1ddafda2834d9ed0b14 Change-Id: I4ede79ec7e56a6a7c5ca3d69d3b4fb9d2f4ada22 Closes-Bug: #1288178
* Port to oslo.messagingLucas Alvares Gomes2014-04-251-7/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The oslo.messaging library takes the existing RPC code from oslo and wraps it in a sane API with well defined semantics around which we can make a commitment to retain compatibility in future. The patch is large and hard to be split into different patches, but the changes can be summarized as: * Remove openstack/common/{rpc, notifier, log_handler} modules dependency (superceded by oslo.messaging) * New config option `conductor.workers_pool_size` add to determine the size of the workers greenthread pool. * PeriodicService class refactored and renamed to RPCService, all periodic tasks methods were moved to the ConductorManager class leaving RPCService class to be resposable for setting up and starting the RPCServer from oslo.messaging only. * In oslo.messaging, a request context is expected to be a dict so the method RequestContext.{to,from}_dict() was updated/added to the module. * The allowed_rpc_exception_modules configuration option is replaced by an allowed_remote_exmods get_transport() parameter. This is not something that users ever need to configure, but it is something each project using oslo.messaging needs to be able to customize. * New common/rpc.py module added to wrap the global messaging state. It also contains transport aliases for backwards compatibility with IceHouse rpc_backend configuration values. blueprint: oslo-messaging Change-Id: I454e8898baed002a1cddb9eb76492ae9c2f1212b
* Public APIRoman Prykhodchenko2013-09-101-0/+50
| | | | | | | | | | | | | | Some parts of the API should be available without supplying an authentication token, e.g., / - the root and /v1 - the specification of the API v1. This patch allows to specify public routes in the Pecan application configuration file and specifies the mentioned routes as public ones. Fixes: bug #1221263 Change-Id: Ie106f0767158d30fd89a72f011748537435ddeef
* Delete Ironic contextRoman Prykhodchenko2013-07-241-228/+0
| | | | | | | | | Since all the production code uses a context from openstack common library, the ironic.common.context has been deleted. All unit tests have been patched to use openstack.common.context rather than the old one. Change-Id: I2db5033200694191ce57a20f271d737d7e1acec7
* Fix pep8 errors and make it pass Jenkins tests.Devananda van der Veen2013-05-161-1/+2
| | | | | | | | | | Fix all existing pep8 errors. Remove install_venv and friends, which were not needed. Add a few ignores for nova code that is yet to be cleaned up. Skip one failing test case, fixed by review 29394. Import contrib/redhat-eventlet.patch from Nova. Change-Id: I46b6ccaa272bd058757064672ce9221263ed7087
* Move common things to ironic.common.Devananda van der Veen2013-05-131-0/+227
Move from ironic/ to ironic/common/ config.py context.py exception.py paths.py policy.py safe_utils.py states.py utils.py
View Lorry Controller Status