4ae627be44
Move sample config to etc/drydock Update docs to generate a config with tox Update configuration for Keystone - Add config generation to tox.ini - Fix default in bootdata config - Add keystone dependencies - Add config generator config - Move sample config to a skeleton etc/drydock tree Use PasteDeploy for WSGI integration Using keystonemiddleware outside of a PasteDeploy pipeline is deprecated. Move Drydock to use PasteDeploy and integrate with keystonemiddleware Update Falcon context object Add keystone identity fields to context object Clean up context marker field Fix AuthMiddleware for keystone Update falcon middleware to harvest headers injected by keystonemiddleware Fix context middleware Update context middleware to enforce a UUID-formatted external context marker Lock keystonemiddleware version Lock keystonemiddleware version to the Newton release Sample drydock.conf with keystone This drydock.conf file is known to integrate successfully with Keystone via keystonemiddleware and the password plugin Add .dockerignore Stop adding .tox environment to docker images Integrate with oslo.policy Add oslo.policy 1.9.0 to requirements (Newton release) Add tox job to generate sample policy.yaml Create DrydockPolicy as facade for RBAC Inject policy engine into API init Create a DrydockPolicy instance and inject it into the Drydock API resources. Remove per-resource authorization Update Drydock context and auth middleware Update Drydock context to use keystone IDs instead of names as required by oslo.policy Update AuthMiddleware to capture headers when request provides a service token Add RBAC for /designs API Add RBAC enforcement for GET and POST of /api/v1.0/designs endpoint Refactor check_policy Refactor check_policy into the base class Enforce RBAC for /designs/id endpoint Enforce RBAC on /designs/id/parts endpoint Enforce RBAC on /designs/id/parts/kind Enforce RBAC on /designs/id/parts/kinds/ Enforce RBAC on /tasks/ endpoints Create unit tests - New unit tests for DrydockPolicy - New unit tests for AuthMiddleware w/ Keystone integration Address impacting keystonemiddleware bug Use v4.9.1 to address https://bugs.launchpad.net/keystonemiddleware/+bug/1653646 Add oslo_config fixtures for unit testing API base class fixes Fix an import error in API resource base class More graceful error handling in drydock_client Create shared function for checking API response status codes Create client errors for auth Create specific Exceptions for Unauthorized and Forbidden responses Ignore generated sample configs Lock iso8601 version oslo.versionedobjects appears to be impcompatible with iso8601 0.1.12 on Python 3.2+ Update docs for Keystone Note Keystone as a external depdendency and add notes on correctly configuring Drydock for Keystone integration Add keystoneauth1 to list_opts Explicitly pull keystoneauth password plugin options when generating a config template Update reference config for keystone Update the reference config template for Keystone integration Add keystoneauth1 to requirements Need to directly include keystoneauth1 so that oslo_config options can be pulled from it Update config doc for keystoneauth1 Use the keystoneauth1 generated configuration options for the configuration docs Remove auth options Force dependence on Keystone as the only authentication backend Clean up imports Fix how falcon modules are imported Default to empty role list Move param extraction Enforce RBAC before starting to parse parameters Implement DocumentedRuleDefault Use DocumentedRuleDefault for policy defaults at request of @tlam. Requires v 1.21.1 of oslo_policy, which is tied to the Pike openstack release. Change sample output filenames Update filenames to follow Openstack convention Fix tests to use hex formatted IDs Openstack resource IDs are not hyphenated, so update unit tests to reflect this Fix formating and whitespace Refactor a few small items for code review Update keystone integration to be more robust with Newton codebase Centralize policy_engine reference to support a decorator-based model RBAC enforcement decorator Add units tests for decorator-based RBAC and the tasks API Minor refactoring and format changes Change-Id: I35f90b0c88ec577fda1077814f5eac5c0ffb41e9
212 lines
8.5 KiB
Python
212 lines
8.5 KiB
Python
# Copyright 2017 AT&T Intellectual Property. All other rights reserved. #
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
import falcon
|
|
import json
|
|
import uuid
|
|
import logging
|
|
|
|
import drydock_provisioner.policy as policy
|
|
import drydock_provisioner.objects as hd_objects
|
|
import drydock_provisioner.error as errors
|
|
|
|
from .base import StatefulResource
|
|
|
|
class DesignsResource(StatefulResource):
|
|
|
|
def __init__(self, **kwargs):
|
|
super(DesignsResource, self).__init__(**kwargs)
|
|
|
|
@policy.ApiEnforcer('physical_provisioner:read_data')
|
|
def on_get(self, req, resp):
|
|
ctx = req.context
|
|
state = self.state_manager
|
|
|
|
try:
|
|
designs = list(state.designs.keys())
|
|
|
|
resp.body = json.dumps(designs)
|
|
resp.status = falcon.HTTP_200
|
|
except Exception as ex:
|
|
self.error(req.context, "Exception raised: %s" % str(ex))
|
|
self.return_error(resp, falcon.HTTP_500, message="Error accessing design list", retry=True)
|
|
|
|
@policy.ApiEnforcer('physical_provisioner:ingest_data')
|
|
def on_post(self, req, resp):
|
|
ctx = req.context
|
|
|
|
try:
|
|
json_data = self.req_json(req)
|
|
design = None
|
|
if json_data is not None:
|
|
base_design = json_data.get('base_design_id', None)
|
|
|
|
if base_design is not None:
|
|
base_design = uuid.UUID(base_design)
|
|
design = hd_objects.SiteDesign(base_design_id=base_design_uuid)
|
|
else:
|
|
design = hd_objects.SiteDesign()
|
|
design.assign_id()
|
|
design.create(req.context, self.state_manager)
|
|
|
|
resp.body = json.dumps(design.obj_to_simple())
|
|
resp.status = falcon.HTTP_201
|
|
except errors.StateError as stex:
|
|
self.error(req.context, "Error updating persistence")
|
|
self.return_error(resp, falcon.HTTP_500, message="Error updating persistence", retry=True)
|
|
except errors.InvalidFormat as fex:
|
|
self.error(req.context, str(fex))
|
|
self.return_error(resp, falcon.HTTP_400, message=str(fex), retry=False)
|
|
|
|
|
|
class DesignResource(StatefulResource):
|
|
|
|
def __init__(self, orchestrator=None, **kwargs):
|
|
super(DesignResource, self).__init__(**kwargs)
|
|
self.authorized_roles = ['user']
|
|
self.orchestrator = orchestrator
|
|
|
|
@policy.ApiEnforcer('physical_provisioner:read_data')
|
|
def on_get(self, req, resp, design_id):
|
|
source = req.params.get('source', 'designed')
|
|
ctx = req.context
|
|
|
|
try:
|
|
design = None
|
|
if source == 'compiled':
|
|
design = self.orchestrator.get_effective_site(design_id)
|
|
elif source == 'designed':
|
|
design = self.orchestrator.get_described_site(design_id)
|
|
|
|
resp.body = json.dumps(design.obj_to_simple())
|
|
except errors.DesignError:
|
|
self.error(req.context, "Design %s not found" % design_id)
|
|
self.return_error(resp, falcon.HTTP_404, message="Design %s not found" % design_id, retry=False)
|
|
|
|
class DesignsPartsResource(StatefulResource):
|
|
|
|
def __init__(self, ingester=None, **kwargs):
|
|
super(DesignsPartsResource, self).__init__(**kwargs)
|
|
self.ingester = ingester
|
|
self.authorized_roles = ['user']
|
|
|
|
if ingester is None:
|
|
self.error(None, "DesignsPartsResource requires a configured Ingester instance")
|
|
raise ValueError("DesignsPartsResource requires a configured Ingester instance")
|
|
|
|
@policy.ApiEnforcer('physical_provisioner:ingest_data')
|
|
def on_post(self, req, resp, design_id):
|
|
ingester_name = req.params.get('ingester', None)
|
|
|
|
if ingester_name is None:
|
|
self.error(None, "DesignsPartsResource POST requires parameter 'ingester'")
|
|
self.return_error(resp, falcon.HTTP_400, message="POST requires parameter 'ingester'", retry=False)
|
|
else:
|
|
try:
|
|
raw_body = req.stream.read(req.content_length or 0)
|
|
if raw_body is not None and len(raw_body) > 0:
|
|
parsed_items = self.ingester.ingest_data(plugin_name=ingester_name, design_state=self.state_manager,
|
|
content=raw_body, design_id=design_id, context=req.context)
|
|
resp.status = falcon.HTTP_201
|
|
resp.body = json.dumps([x.obj_to_simple() for x in parsed_items])
|
|
else:
|
|
self.return_error(resp, falcon.HTTP_400, message="Empty body not supported", retry=False)
|
|
except ValueError:
|
|
self.return_error(resp, falcon.HTTP_500, message="Error processing input", retry=False)
|
|
except LookupError:
|
|
self.return_error(resp, falcon.HTTP_400, message="Ingester %s not registered" % ingester_name, retry=False)
|
|
|
|
@policy.ApiEnforcer('physical_provisioner:ingest_data')
|
|
def on_get(self, req, resp, design_id):
|
|
try:
|
|
design = self.state_manager.get_design(design_id)
|
|
except DesignError:
|
|
self.return_error(resp, falcon.HTTP_404, message="Design %s nout found" % design_id, retry=False)
|
|
|
|
part_catalog = []
|
|
|
|
site = design.get_site()
|
|
|
|
part_catalog.append({'kind': 'Region', 'key': site.get_id()})
|
|
|
|
part_catalog.extend([{'kind': 'Network', 'key': n.get_id()} for n in design.networks])
|
|
|
|
part_catalog.extend([{'kind': 'NetworkLink', 'key': l.get_id()} for l in design.network_links])
|
|
|
|
part_catalog.extend([{'kind': 'HostProfile', 'key': p.get_id()} for p in design.host_profiles])
|
|
|
|
part_catalog.extend([{'kind': 'HardwareProfile', 'key': p.get_id()} for p in design.hardware_profiles])
|
|
|
|
part_catalog.extend([{'kind': 'BaremetalNode', 'key': n.get_id()} for n in design.baremetal_nodes])
|
|
|
|
resp.body = json.dumps(part_catalog)
|
|
resp.status = falcon.HTTP_200
|
|
return
|
|
|
|
|
|
class DesignsPartsKindsResource(StatefulResource):
|
|
|
|
def __init__(self, **kwargs):
|
|
super(DesignsPartsKindsResource, self).__init__(**kwargs)
|
|
self.authorized_roles = ['user']
|
|
|
|
@policy.ApiEnforcer('physical_provisioner:read_data')
|
|
def on_get(self, req, resp, design_id, kind):
|
|
ctx = req.context
|
|
|
|
resp.status = falcon.HTTP_200
|
|
|
|
class DesignsPartResource(StatefulResource):
|
|
|
|
def __init__(self, orchestrator=None, **kwargs):
|
|
super(DesignsPartResource, self).__init__(**kwargs)
|
|
self.authorized_roles = ['user']
|
|
self.orchestrator = orchestrator
|
|
|
|
@policy.ApiEnforcer('physical_provisioner:read_data')
|
|
def on_get(self, req , resp, design_id, kind, name):
|
|
ctx = req.context
|
|
source = req.params.get('source', 'designed')
|
|
|
|
try:
|
|
design = None
|
|
if source == 'compiled':
|
|
design = self.orchestrator.get_effective_site(design_id)
|
|
elif source == 'designed':
|
|
design = self.orchestrator.get_described_site(design_id)
|
|
|
|
part = None
|
|
if kind == 'Site':
|
|
part = design.get_site()
|
|
elif kind == 'Network':
|
|
part = design.get_network(name)
|
|
elif kind == 'NetworkLink':
|
|
part = design.get_network_link(name)
|
|
elif kind == 'HardwareProfile':
|
|
part = design.get_hardware_profile(name)
|
|
elif kind == 'HostProfile':
|
|
part = design.get_host_profile(name)
|
|
elif kind == 'BaremetalNode':
|
|
part = design.get_baremetal_node(name)
|
|
else:
|
|
self.error(req.context, "Kind %s unknown" % kind)
|
|
self.return_error(resp, falcon.HTTP_404, message="Kind %s unknown" % kind, retry=False)
|
|
return
|
|
|
|
resp.body = json.dumps(part.obj_to_simple())
|
|
except errors.DesignError as dex:
|
|
self.error(req.context, str(dex))
|
|
self.return_error(resp, falcon.HTTP_404, message=str(dex), retry=False)
|
|
except Exception as exc:
|
|
self.error(req.context, str(exc))
|
|
self.return_error(resp. falcon.HTTP_500, message=str(exc), retry=False)
|