Commit Graph

610 Commits

Author SHA1 Message Date
Takashi Kajinami 632998e218 Fix access by admin users to resources in different projects
This allows admin users[1] to use a different project id in request
path, to fix the unexpected access denials during redirection when
enforcing new default rules. This was allowed previously with
deprecated policy rules, and with the new SRBAC design we require
project scope auth to access project owned resources such as stack.

[1]
User with admin role in admin project in case admin_project_name is
set in Keystone. If it's not set then users with admin role in any
project are considered as "admin".

Story: 2011036
Task: 49532
Change-Id: I49f46e36828881d9700e0e178bd80eb04efe4510
2024-03-07 19:12:17 +09:00
Takashi Kajinami 185f28a3b4 Isolate project scope and system scope
This change updates the default policies implemented in Heat, to follow
the updated guideline[1] to implement SRBAC.

The main change is that system users are no longer allowed to perform
any operations about project-level resources like stacks, while project
admin(*1) is still allowed to perform operations about project-level
resources BEYOND project (like getting stacks for all projects by list
stacks API).

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change

This also adds the test cases to validate reader role which was almost
implemented in heat.

(*1)
If Keystone has an admin project defined, Heat checks an additional
requirement that request context is scoped by that admin project.

Change-Id: I943b3c1ce021cc05445b73fbc342b8386cf5bf6a
2023-06-28 18:38:59 +09:00
Tobias Urdin c13f911ba6 Return HTTPBadRequest from circular dependency
We don't map the CircularDependencyException to
a 400 Bad Request in the fault middleware so users
can never get an understanding of what is wrong in
their template. They are today instead presented
with a 500 internal server error without details
which doesn't help them.

Change-Id: Idc8713b4c29e2534dd7059e4566ac3b777f418e5
2023-02-27 12:22:42 +00:00
Takashi Kajinami e17f68a83b Deploy healthcheck middleware as app instead of filter
Using the healthcheck middleware as a filter is deprecated and
the middleware should be used as an application[1].
 [1] 6feaa13610c450c8486f969703768db5319b4846

This change updates definition and usage of the healthcheck middleware
accordingly to avoid the following deprecation warning.

DeprecationWarning: Using function/method 'Healthcheck.factory()' is
deprecated: The healthcheck middleware must now be configured as
an application, not as a filter.

This also refactors composite definitions based on flavor by the new
pipeline factory.

Story: 2009071
Task: 42881
Change-Id: I75386dc4a7dc14b3c753dfff01f147ef8233bf94
2022-06-06 23:47:16 +09:00
Takashi Kajinami ef67b861dd Validate limit query parameter for List Software Config API
This change adds validation of the limit query parameter in List
Software Config API, as was implemented for List Stack API, to avoid
internal error at database query.

story: 2009707
task: 44054
Change-Id: Ib57919faebbd4eb6aa13857e242eb5f3dc448a02
2022-05-25 13:09:19 +09:00
Ghanshyam Mann 157f358057 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also replace policy.json to policy.yaml ref from doc and code.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I1aa12bcd2638390f25d57ce8abeeec248121dc02
2021-06-17 01:35:45 +08:00
Zane Bitter af7f8e380a Add separate policy for updates with no changes
Allow operators to set a different (presumably looser) policy on PATCH
updates that don't make any changes to the stack, but just retrigger a
new update traversal (that will result in e.g. replacing any unhealthy
resources).

Change-Id: Id29e7ec7f6cf127177ea7ab29127b0568afaa18b
Task: 37305
2021-03-15 17:38:14 +05:30
Lance Bragstad 93594c30ec Implement secure RBAC
This commit updates default policies to account for system scope
and default roles. This is part of a broader change to provide a
consistent and secure authorization experience across OpenStack
projects.

- Introduces basic/reusable check strings in base.py
- Implements secure RBAC for build info API
- Implements secure RBAC for the action API
- Implements secure RBAC for cloud formations
- Implements secure RBAC for events
- Implements secure RBAC for the resource API
- Implements secure RBAC for the service API
- Implements secure RBAC for software configs
- Implements secure RBAC for software deployments
- Implements secure RBAC for stacks
- Adds unit tests for legacy and new secure-rbac policies.

Change-Id: Iff1e39481ea3b1f00bd89dba4a00aed30334ecec
2021-03-02 09:32:41 +05:30
Zane Bitter 73d05c0cdc Improve naming of get_allowed_params() argument
This used to be just a list of allowed names, but now it's a dict
mapping names to types. Use variable names that reflect the current
meaning, fix the docs, and use named constants where available.

Change-Id: I3aadca4e1e9db5da5d07d521c2313162062639b7
2020-07-14 14:53:59 -04:00
Zane Bitter 4d26be471e Clean up API policy decorators
The decorators for unregistered policies were needed only during the
migration to policy in code. Remove the unused ones and simplify those
remaining.

Change-Id: Ic53fcc62db46863c6a2b00cbc7e32250a7d6e16f
2020-04-30 10:48:31 -04:00
Hervé Beraud bb02b2b5f1 Remove six and python 2.7 full support
Six is in use to help us to keep support for python 2.7.
Since the ussuri cycle we decide to remove the python 2.7
support so we can go ahead and also remove six usage from
the python code.

Review process and help
-----------------------
Removing six introduces a lot of changes and a huge amount of modified files.
To simplify reviews we decided to split changes into several patches to avoid
painful reviews and avoid mistakes.

To review this patch you can use the six documentation [1] to obtain help and
understand choices.

Additional information
-----------------------
Changes related to 'six.b(data)' [2]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

six.b [2] encodes the given data in latin-1 in python3 so I did the same
things in this patch.

Latin-1 is equal to iso-8859-1 [3].

This encoding is the default encoding [4] of certain descriptive HTTP
headers.

I suggest to keep latin-1 for the moment and to move to another encoding
in a follow-up patch if needed to move to most powerful encoding (utf8).

HTML4 supports utf8 charset and utf8 is the default charset for HTML5 [5].

Note that this commit message is autogenerated and does not necessarily contain
changes related to 'six.b'

[1] https://six.readthedocs.io/
[2] https://six.readthedocs.io/#six.b
[3] https://docs.python.org/3/library/codecs.html#standard-encodings
[4] https://www.w3schools.com/charsets/ref_html_8859.asp
[5] https://www.w3schools.com/html/html_charset.asp

Patch 2 of a series of 28 patches

Change-Id: I2795dee87f0e27b64820686acfc614ac2ba19a4f
2020-04-22 12:23:44 +02:00
Hervé Beraud 991e967846 Remove six and python 2.7 full support
Six is in use to help us to keep support for python 2.7.
Since the ussuri cycle we decide to remove the python 2.7
support so we can go ahead and also remove six usage from
the python code.

Review process and help
-----------------------
Removing six introduces a lot of changes and a huge amount of modified files.
To simplify reviews we decided to split changes into several patches to avoid
painful reviews and avoid mistakes.

To review this patch you can use the six documentation [1] to obtain help and
understand choices.

Additional information
-----------------------
Changes related to 'six.b(data)' [2]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

six.b [2] encodes the given data in latin-1 in python3 so I did the same
things in this patch.

Latin-1 is equal to iso-8859-1 [3].

This encoding is the default encoding [4] of certain descriptive HTTP
headers.

I suggest to keep latin-1 for the moment and to move to another encoding
in a follow-up patch if needed to move to most powerful encoding (utf8).

HTML4 supports utf8 charset and utf8 is the default charset for HTML5 [5].

Note that this commit message is autogenerated and does not necessarily contain
changes related to 'six.b'

[1] https://six.readthedocs.io/
[2] https://six.readthedocs.io/#six.b
[3] https://docs.python.org/3/library/codecs.html#standard-encodings
[4] https://www.w3schools.com/charsets/ref_html_8859.asp
[5] https://www.w3schools.com/html/html_charset.asp

Patch 1 of a series of 28 patches

Change-Id: Ia310a58ffdc688302b32d57a6bef6b1b8f5d9950
2020-04-22 12:23:44 +02:00
Zane Bitter 6f8837d84e Split 'action' policy into more granular controls
Allow operators to specify different policies for each action, since
each action is quite different in character.

The previous "actions:action" rule remains and is the default for each
of the new rules, so there is no effect on existing policies and no
action required by the operator unless they want to take advantage of
the additional flexibility.

Change-Id: Ic4985e8637bc4f34ea2514075b30d2ec32f3441c
Task: 37296
2019-10-29 12:24:29 -04:00
Benoît Knecht fafdd06bfd middleware: return HTTPBadRequest when path is invalid
Gracefully handle paths that are invalid UTF-8 by returning HTTP error
400 instead of an Internal Server Error.

Change-Id: I3b30e4d64e758eefd85f7a70fc645db69991b3d7
Task: 26379
2018-09-11 11:23:46 +02:00
rabi 3ab4f15a43 Option for retrieving child templates and env files from swift
This provides an option to specify a swift container for stack
actions and all child templates and env files will be fetched
from the container, if available. However, files coming in the
'files' map from the client will have precedence, if the same
is also present in swift.

Change-Id: Ifa21fbcb41fcb77827997cce2d5e9266ba849b17
Story: #1755453
Task: 17353
2018-07-26 09:50:51 +05:30
Pavlo Shchelokovskyy b2fa516a47 Use application_url in API version document
this handles the possible vhost in Heat API path correctly
(like http://mucloud.com/heat-api) contrary to host_url.

Change-Id: I2f4dbb7d98fbdf5314d5771309919c5b25a72f94
Story: 2002531
Task: 22075
2018-06-14 08:18:28 +00:00
Pavlo Shchelokovskyy 80f68801d1 Fix versions Controller for Py3
the webob's Response.body in fact accepts only bytes,
so under Python3 an attempt to assign a text value to webob's response.body
produces the following exception:

TypeError: You cannot set Response.body to a text object (use
Response.text)

Change-Id: I6352ec0662441dab039f15b35c8383e6d7d3dc78
Story: 2002531
Task: 22076
2018-06-14 08:18:20 +00:00
rabi 8db1b3ea41 Remove stack watch service
This removes the rpc api and related code.

Change-Id: Ib89bcc3ff6a542f49467e2ad6c7e2a716a0dc2b4
Partial-Bug: #1743707
2018-01-28 09:35:05 +05:30
rabi 6d55417f80 Remove CloudWatch API
This patch removes the API, the next set of patches in the
series would remove stack watch service and related
WatchRule implementation.

Change-Id: I8b0472be862907298c8da51f435b5d8b19610ec3
Partial-Bug: #1743707
2018-01-28 09:11:17 +05:30
ricolin f2bc379242 [policy in code] part 6(cfn, cloudwatch)
Add cloudformation and cloudwatch policy in code rules.
Remove policy.json. We don't keep any default policy rules in
policy.json from now. Still they can create policy.json file and
add any rules they try to override.
Partially-Implements: bp policy-in-code

Change-Id: I610115dc1974b2182ce673bb086a1da15b022de3
2017-12-13 10:58:47 +08:00
ricolin 0e45db46ba [policy in code] part 5 (software-*)
Add software_deployments rules, software_configs rules.
Partially-Implements: bp policy-in-code

Change-Id: If0c98ffcfceae395ab2443356aea3904edaf7b4e
2017-12-07 01:11:49 +00:00
Zuul 4698287a3a Merge "[policy in code] part 4" 2017-12-06 21:37:16 +00:00
Zuul 63148dcf5a Merge "[policy in code] part 2 (stacks)" 2017-12-05 06:49:43 +00:00
ricolin 51e4f04693 [policy in code] part 4
Add service rule, resource rules, actions rules, build_info rules,
events rules.
Partially-Implements: bp policy-in-code

Change-Id: I497f4d02b5ea8399265dedc548214e4eca6b6a35
2017-12-01 01:34:59 +08:00
ricolin 575a45b1c0 [policy in code] part 2 (stacks)
Allow use policy in code to stacks's rule.
Also convert check_is_admin to use new mechanism.
Partially-Implements: bp policy-in-code

Change-Id: I398ed162790294d0d4453f7f12c77b38e95a5580
2017-12-01 01:15:58 +08:00
Zuul 218c182fbb Merge "Remove SSLMiddleware" 2017-11-27 03:36:19 +00:00
ricolin b171490450 [policy in code] Part 1 Base framework
This adds the basic framework for registering and using default policy
rules. Rules should be defined and returned from a module in
heat/policies/, and then added to the list in heat/policies/__init__.py.

New policy wrappers `registered_identified_stack` and
`registered_policy_enforce` have been added for policy enforcement of
registered rules with same parameter as `identified_stack` and
`policy_enforce` besides set `is_registered_policy` flag to true.
This flag will decide to use new policy framework or not.

Now we can use `tox -e genpolicy` to check and generate policy file.

Change-Id: I7a232b3ea7ce0f69a5b7ffa278ceace7a76b666f
Partially-Implements: bp policy-in-code
2017-11-21 16:23:11 +08:00
Zuul 037cfb6e98 Merge "Don't return the sensitive information to user" 2017-11-15 00:50:05 +00:00
huangtianhua 8cdfc3b293 Don't return the sensitive information to user
We return back the sensitive information to user
when some exceptions happened, for example,
when DBError happened, we return the whole sql
statement to user, it's not safe.
This patch changes to return the message if the
exception is the HeatException, otherwise the message
won't be revealed to user.

Change-Id: I6e01b1003a39106274e79c3b413917a30b5651b6
Closes-Bug: #1708122
2017-11-09 16:24:40 +08:00
rabi 01b5878129 Add REST api support for cancel without rollback
We already have REST api support for cancelling a
UPDATE_IN_PROGRESS stack with rollback. This adds a
new action 'cancel_without_rollback' to allow for
canceling a create/update in_progress stack without
rollback.

APIImpact

Change-Id: I6c6ffa0502ab8745cfb2f9c5ef263f1e02dfc4ca
Closes-Bug: #1709041
2017-11-08 17:08:43 +05:30
ricolin f2fd3884e8 Remove SSLMiddleware
We deprecate SSLMiddleware in 6.0.0, and announce to remove it at
8.0.0. Now will be a good time to remove it out.

Change-Id: Iaf9be21ffcec9018ad91a5122ed7f2477a7e4a52
2017-10-18 02:19:46 +00:00
rabi 46adb6649d Fix error for invalid auth_encryption_key
cryptography module throws an InvalidToken exception that does
not have any error message.

Change-Id: Ied520cd9ff60032fad1ae13e4a81dad6847d82ab
Closes-Bug: #1711047
2017-08-16 14:30:47 +05:30
ricolin 552f94b928 Add converge flag in stack update for observing on reality
Add converge parameter for stack update API and RPC call,
that allows triggering observe on reality. This will be
triggered by API call with converge argument (with True
or False value) within. This flag also works for resources
within nested stack.
Implements bp get-reality-for-resources

Change-Id: I151b575b714dcc9a5971a1573c126152ecd7ea93
2017-08-07 05:39:29 +00:00
liyi 8f10215ffd Remove log translations
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Change-Id: Ieec8028305099422e1b0f8fc84bc90c9ca6c694f
2017-03-25 17:11:50 +08:00
Zane Bitter 5392273af8 Fix missing spaces in strings
Where strings are continued across multiple lines, it's easy to miss a
space. This fixes several incorrect strings, cleans up some formatting
(don't line break inside a format specifier) and fixes typos.

Change-Id: Id781b16cad03c32973a67c02ad22ce4459c6d126
2017-03-03 03:48:14 +00:00
Lu lei 1c714d9e5b Use i18n to translate msg in LOG.xxx()
1.Help messages and output info should support oslo.i18n. So we
should use oslo.i18n in LOG.warning()/LOG.error()/ LOG.info()
/LOG.critical()/LOG.exception().

2.Not all files need to translate msg, tests directory and dev directory
are faced with developers, so they need to nothing.

The more information as follow:
 [1] http://docs.openstack.org/developer/oslo.i18n/guidelines.html
 [2] http://docs.openstack.org/developer/oslo.i18n/usage.html

Co-Authored-By: shizhihui <zhihui.shi@easystack.cn>
Change-Id: Iced712f8833e90f3570497cd033713bdc34c27da
2016-11-23 21:50:53 +08:00
Zane Bitter f310a1f6bc Handle ambiguous physical resource IDs
It's possible that we could end up with multiple resources with the same
physical resource ID, but that would be undetectable since we return only
one from the database layer. This change allows us to detect the problem and
return an error where the result is rendered ambiguous.

Change-Id: I2c5ddbe6731c33a09ec7c4a7b91dcfe414da4385
2016-12-05 14:58:20 -05:00
huangtianhua 6c26eb8df6 Fix a small nit
To fix a small nit of bug/1641812.

Change-Id: I9c2c6e605541a6fabe3707d63bcbdd27282c74e6
2016-12-01 10:43:14 +08:00
huangtianhua 6afc7a68d0 Includes project info while admin getting stacks
To return the information of project when super admin
getting stacks across tenants.

Change-Id: I40c0d61325752428b3ccf57706a825b47ae231c9
Closes-Bug: #1641812
2016-11-30 14:15:06 +08:00
rabi 2407c86436 Ignore merged env if environment files are specified
Ignore merged environment from the client, if there are
'environment_files' in the request for merging in the server.
This would avoid the duplicates when 'parameter_merge_strategies'
are specified in the first env file.

Change-Id: I4ee274d69e42a47c4b8fd5a25567fb2eb144a8cc
Related-Bug: #1635409
2016-11-02 09:16:58 +05:30
huangtianhua 62f6045f2a Return condition functions based on the filter param
Add 'with_condition_func' filter param for API
template-function-list, if the param set to true,
the response will include the condition functions.

Change-Id: Icdfbafbb98698373648ff2d78db3c45fe2b924ee
Closes-Bug: #1625505
2016-10-14 02:19:37 +00:00
rabi 1f88c675c4 Remove tenant_safe flag from rpc and db api
We can use admin_context to have access to stacks
and software configs across projects. This removes
the tenant_safe flag from rpc and db api. This is
backward compatible with older rpc clients.

We still support use of global_tenant flag for listing
stacks and software configs. However, by default
an admin(user with admin role in admin_project)
would not need that.

Change-Id: I12303dbf30fb80290f95baba0c67cdf684f5f409
2016-08-16 12:38:33 +05:30
Jenkins bb4fb01cec Merge "Remove unnecessary checks" 2016-08-02 12:15:02 +00:00
Thomas Herve 9a248ad6c5 Check for empty sections in environment
Passing empty section like parameters in the environment can leave the
user with a strange error message. This fixes the issue by providing a
correct error.

Change-Id: I766cd38e8a70c9f76cf10f540e22a929eaed3768
Closes-Bug: #1606148
2016-07-25 13:43:27 +02:00
Dmitriy Uvarenkov 38db9f440e Remove unnecessary checks
Service's _get_stack method already checks
whether the stack is None and if it is, throws
an exception. So methods that use _get_stack
do not need to check the same thing.
Also, looks like there is no way that stack's
self.raw_template.template or self.raw_template.template
can be None or blank, so removed such checks as well
with corresponding tests.

Change-Id: I83d6e9251e0f7b6cacb0ddcfe1a3bc5dcf57d1c3
2016-07-12 14:46:03 +03:00
Steven Hardy 316b5b6381 Add stack files retrieval API
Similar to the recent addition that enables retrieval of the current
environment for a stack, this enables reading the current files map
for a running stack, which is useful if you want to introspect the
current state, and/or deploy another similar stack without necessarily
having the exact command/repo used initially.

APIImpact
Implements: blueprint files-show

Change-Id: I3198b6a7dc06648af24c198d39470f3b0d5d6f11
2016-07-11 18:02:59 +01:00
ChangBo Guo(gcb) ffda52200e Config: no need to set default=None
By default oslo.cfg sets the default value as None. There is no
need to explicitly do this.

TrivialFix

Change-Id: I8d47b8815947c1c1e22e49822ffec0b8874d4487
2016-06-28 15:25:15 +08:00
Jenkins 257e0a9f67 Merge "Implement event list nested-depth" 2016-06-28 03:01:59 +00:00
rabi ac86702172 Authorize super admin actions on all projects
This allows admin super user (user with admin role in admin_project)
to do stack operations across all projects.

Change-Id: Ifbf56fde02b89248ee788e6a212ef9d11e665dc0
Partial-Bug: #1466694
2016-06-14 22:16:25 +05:30
Steve Baker 32ade7a243 Implement event list nested-depth
The GET call to list events will support a nested_depth parameter. The
response will have an additional links url with the ref 'root_stack'
to indicate that this API supports nested_depth queries.

This has the following consequences for old/new combinations of
client/server
- new heatclient, new server - nested_depth param is set, server
  returns nested events
- new heatclient, old server - nested_depth param is set, server
  returns events with no root_stack, heatclient falls back to
  recursive event fetch
- old heatclient, new server - nested_depth param is never set,
  recursive event fetch works as before

Here are some timings for a TripleO overcloud stack with ~700 events.

Current heat and python-heatclient master:
time openstack stack event list --nested-depth 4 overcloud |wc -l
744
real    0m17.500s

This change, with heatclient 31278ff5f77b152b5ef7a4197e15c441c72ff163:
time openstack stack event list --nested-depth 4 overcloud  |wc -l
608
real    0m1.725s

The difference in event count (744 vs 608) is due to the stack events
being filtered out for stacks with zero resources - these are a source
of unnecessary noise so their removal should be considered an improvement.

Closes-Bug: #1588561

Change-Id: I27e1ffb770e00a7f929c081b2a505e2007f5d584
2016-06-14 13:39:38 +12:00