This commit uses the existing policy-in-code module to move all
default policies for magnum service and stat into code. This commit
also adds helpful documentation about each API those policies protect,
which will be generated in sample policy files and completely remove
usage of policy.json file.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I01a8ce964bf8bd569d4aa4e899cbcd9855281835
This commit uses the existing policy-in-code module to move all
default policies for certificates into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I1abc75441d7984497739194a273d8bda63f832a0
This commit uses the existing policy-in-code module to move all
default policies for quotas into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I2fbd7577545ed08dee10064d321e8c6941324b5d
This commit uses the existing policy-in-code module to move all
default policies for cluster templates into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I9a8176ea20e3c925441473d1d84db3a73edca7a5
This commit uses the existing policy-in-code module to move all
default policies for clusters into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Change-Id: I36e69fe930505c2777f4376be1f6ddf17016998f
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
This commit uses the existing policy-in-code module to move all
default policies for baymodels into code. This commit also adds
helpful documentation about each API those policies protect, which
will be generated in sample policy files.
Change-Id: Ia4409ff712d0e64985d9565e11671b33c8ac9ddf
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
This commit uses the existing policy-in-code module to move all
default policies for bays into code. This commit also adds helpful
documentation about each API those policies protect, which will be
generated in sample policy files.
Change-Id: I4221ed56146ed952781f5f38bc4344d8a0d07881
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
This change prepares the magnum project to start implementing
policies in code. Subsequent patches will register more magnum
policies in code and remove the corresponding entry from the
policy file maintained in source.
This is part of a community effort to provide better user
experience for those having to maintain RBAC policy. More
information on this effort can be found below:
https://governance.openstack.org/tc/goals/queens/policy-in-code.html
Change-Id: I0e2b34067ea1e4d5868df544a9f65ae3f1944c43
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Set the clustertemplate:publish policy to be admin only by default -
currently it is admin_or_user, which means any openstack user can create
a public cluster template.
Update tests for bay model and cluster template, splitting tests
requiring admin credentials into a separate class.
Change-Id: I0bfb57c569863f1ecf7d697cd5ac161a9a710432
Closes-Bug: #1687887
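The two messages above describe the policy-in-code layering (defaults registered in code, an operator policy.json overriding only the entries it names) and the clustertemplate:publish default being tightened from admin_or_user to admin-only. The following is an added example written for this page, not magnum's or oslo.policy's code: a deliberately small check-string evaluator modelled on oslo.policy's `rule:`, `role:`, `is_admin:` and `attr:%(target_attr)s` syntax. The concrete check strings, the credential and target dictionaries, and the sample policy.json text are constructed assumptions; it shows why the old default let any user publish a template they own, and what the tightened default changes.

```python
"""Policy-in-code demonstration (added example; not magnum or oslo.policy code)."""
import json

# Defaults "registered in code". Rule names are the ones used on this page;
# the check strings are assumptions modelled on magnum's historical policy file.
DEFAULT_RULES = {
    "context_is_admin": "role:admin",
    "admin_api": "rule:context_is_admin",
    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    # Tightened default: only admins may publish a cluster template.
    "clustertemplate:publish": "rule:admin_api",
    # Only the user who created the bay may fetch its certificate.
    "certificate:get": "rule:admin_or_user",
}

# Constructed operator policy.json restoring the old, weak publish rule.
WEAK_POLICY_JSON = '{"clustertemplate:publish": "rule:admin_or_user"}'


def _check_term(term, target, creds, rules, depth):
    """Evaluate one 'kind:match' term against the request context."""
    kind, _, match = term.partition(":")
    if kind == "rule":                       # reference to another named rule
        return _evaluate(rules[match], target, creds, rules, depth + 1)
    if kind == "role":                       # role carried in the credentials
        return match in creds.get("roles", [])
    if kind == "is_admin":                   # admin flag on the context
        return bool(creds.get("is_admin")) == (match == "True")
    if match.startswith("%(") and match.endswith(")s"):
        # Generic attribute check: creds[kind] must equal target[<name>].
        key = match[2:-2]
        return key in target and str(creds.get(kind)) == str(target[key])
    return str(creds.get(kind)) == match     # literal attribute comparison


def _evaluate(check, target, creds, rules, depth=0):
    """Evaluate a check string made of terms joined by ' or '."""
    if depth > 10:                           # guard against rule cycles
        raise RecursionError("policy rule recursion too deep")
    if check == "@":                         # always allow
        return True
    if check == "!":                         # always deny
        return False
    return any(_check_term(t.strip(), target, creds, rules, depth)
               for t in check.split(" or "))


class Enforcer:
    """Defaults from code, optionally overridden by a policy.json document."""

    def __init__(self, policy_json=None):
        self.rules = dict(DEFAULT_RULES)
        if policy_json:
            self.rules.update(json.loads(policy_json))

    def enforce(self, rule, target, creds):
        if rule not in self.rules:           # unregistered policy: fail closed
            raise KeyError("no policy registered for %r" % rule)
        return _evaluate(self.rules[rule], target, creds, self.rules)


# Constructed request contexts: a plain project member and an admin.
MEMBER = {"user_id": "user-a", "project_id": "proj-1",
          "roles": ["member"], "is_admin": False}
ADMIN = {"user_id": "admin-1", "project_id": "proj-1",
         "roles": ["admin"], "is_admin": True}


def publish_outcomes():
    """Who may publish a template they own, under the weak and tightened rules."""
    template = {"user_id": "user-a", "project_id": "proj-1"}  # owned by MEMBER
    weak, fixed = Enforcer(WEAK_POLICY_JSON), Enforcer()
    return {
        "weak_member": weak.enforce("clustertemplate:publish", template, MEMBER),
        "fixed_member": fixed.enforce("clustertemplate:publish", template, MEMBER),
        "fixed_admin": fixed.enforce("clustertemplate:publish", template, ADMIN),
    }


def certificate_outcomes():
    """certificate:get is limited to the bay's creator (or an admin)."""
    bay = {"user_id": "user-a", "project_id": "proj-1"}
    other = dict(MEMBER, user_id="user-b")
    enf = Enforcer()
    return {
        "owner": enf.enforce("certificate:get", bay, MEMBER),
        "other_user": enf.enforce("certificate:get", bay, other),
        "admin": enf.enforce("certificate:get", bay, ADMIN),
    }


if __name__ == "__main__":
    print(publish_outcomes())
    print(certificate_outcomes())
```

With the weak rule the member passes because the publish target is the template they own, so `user_id:%(user_id)s` is always satisfied for a self-created template; the tightened default keys the decision on the admin role instead. The same evaluator shows the creator-only certificate rule from the later commit.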
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:
* Permissions for /etc/sysconfig/heat-params inside Magnum
created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
for a Keystone trust.
* The cluster's Keystone trust id is only passed into
instances for clusters where that is actually needed. This
prevents the trustee user from consuming the trust in cases
where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
default) is introduced. It needs to be explicitly enabled
by the cloud operator to allow clusters that need the
trust_id to be passed into instances to work. Without this
setting, attempts to create such clusters will fail.
Please note that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.
Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
This will give admins a way to revoke access to an existing cluster
once a user has been granted access.
Bumped the API microversion to 1.5 for the new endpoint.
Deprecated policy certificate:get in favor of certificate:get_ca for
clarity and consistency.
Depends-On: Ie960464e45445e195e75b91e8d65a4046eb21e93
Implements: blueprint revoke-cluster-cert
Change-Id: Ief28bef3a79f212acf4166e443a96e5419fbb757
This change introduces a new /stats REST endpoint that
provides the following basic information:
1) Total number of clusters and nodes for the given tenant.
2) Total number of clusters and nodes across all the tenants.
Follow-up patches include more stats.
Change-Id: Iac0bf9343549de31654545d5b1fd7601e56142a7
Partially Implements blueprint magnum-stats-api
This is the first of several patches to add new Cluster commands
that will replace the Bay terminology in Magnum. This patch adds
the new Cluster and ClusterTemplate commands in addition to the
Bay and Baymodel commands. Additional patches will be created
for client, docs, and additional functional tests.
Change-Id: Ie686281a6f98a1a9931158d2a79eee6ac21ed9a1
Implements: blueprint rename-bay-to-cluster
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.
Remove the container object, drop the db table and remove references to
the container object. The docker_conductor has also been removed as this
was used for managing containers using Magnum objects.
Change-Id: I288fa7a9717519b1ae8195820975676d99b4d6d2
Partially-Implements: blueprint delete-container-endpoint
Co-Authored-By: Spyros Trigazis <strigazi@gmail.com>
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.
Remove the service object, drop the db table and remove references to
the service object.
Change-Id: I4f06bb779caa0ad369a2b96b4714e1bf2db8acc6
Partially-Implements: blueprint delete-container-endpoint
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.
Remove the pod object, drop the db table and remove references to the
pod object.
Change-Id: I8c2499ccb97aae39d80868ce02fbef292d762c10
Partially-Implements: blueprint delete-container-endpoint
Only the user who creates the bay can get the certificate and call
the certificate signing request of the bay and create containers
in the bay, which is needed by [1].
[1] https://github.com/openstack/magnum/blob/master/specs/create-trustee-user-for-each-bay.rst
Change-Id: Id959b76cb136ffbb0e6bcb8c3b83e02b30de66cf
Closes-Bug: #1536883
Partially-Implements: blueprint create-trustee-user-for-each-bay
The node object represents either a bare metal or virtual machine
node that is provisioned with an OS to run the containers, or
alternatively, run kubernetes. Magnum uses Heat to deploy the nodes,
so it is unnecessary to maintain the node object in Magnum. Heat can do
the work for us. The code for the node object is unused now, so let's
remove it from Magnum.
Closes-Bug: #1540790
Change-Id: If8761b06a364127683099afb4dc51ea551be6f89
Magnum API's magnum_service:get_all is enforced by admin_api.
Modifying the rule to use context_is_admin. Also changing the to_dict()
call to include the change in roles.
Change-Id: I44dda27857945dfd3ad43fa28ea458ce2966388c
Closes-Bug: #1503402
- Added a new 'public' column to the baymodel table
- Support for setting the public flag during create or update
- Return all public baymodels when listing baymodels
- Add new rule to policy.json
Partial-Implements: blueprint public-baymodels
Change-Id: I8576e08c504bdbb881306219f573e4a3531ab7fd
These changes implement the API level support for querying magnum
services.
Partially-Implements: blueprint magnum-service-list
Closes-bug: #1498158
Depends-On: Ia0c09222405c87cb61e5de4a43ba345ae3405b50
Change-Id: Ib816f595ba2edef29edaec40fa940570755b10aa
The Certificate controller has 2 operations:
1. POST
Generate X509 certificate using bay's CA cert.
Below is an example of Certificate POST API request using magnum command:
Example Request:
curl -X POST -H 'Content-Type: application/json' \
-d '{"bay_uuid": "<bay_uuid>", "csr": "<csr>"}' \
http://localhost:9511/v1/certificates
This creates an X509 certificate signed by the given bay's CA and returns
it. No database information is stored in Magnum against it. For each POST
request, a new certificate is generated.
Example Response:
{"bay_uuid": "<bay_uuid>", "csr": "<csr>",
"pem": "<pem encoded certificate>"}
2. GET
Fetches the CA cert associated with a bay. Below is an example of CA GET
API request using magnum command:
Example Request:
curl -X GET http://localhost:9511/v1/certificates/<bay_uuid>
This fetches stored CA cert for the given Bay, which can be used to validate
any client and node certificates signed by the Bay's CA. The value for each
is fetched from Barbican or Magnum db based on the different configuration
for storage of certificates.
Example Response:
{"bay_uuid": "<bay_uuid>", "pem": "<pem encoded certificate>"}
Co-Authored-By: Andrew Melton <andrew.melton@rackspace.com>
Change-Id: I4b72cc1e1bddc7a7c7eeb0ab22d3769a666ccb2b
Partially-Implements: bp secure-kubernetes
This patch introduces oslo.policy for magnum and also adds policy
rules in a policy.json file.
For how to define policy rules, refer to
http://docs.openstack.org/developer/oslo.policy/api.html
Co-Authored-By: ShaoHe Feng <shaohe.feng@intel.com>
Change-Id: I37f8b0ba8108162e1f826780ff43c8d21f476209
Partial-implements: blueprint policy-enfore