Fix artifical rbac policy constraint that resulted in 500s
Some of the endpoints are *highly* restricted in ironic's newer more stringently enforced RBAC world. Some of these endpoints would emit 500s by default, when realistically it was the policy definition saying "only system scope could be used" for the endpoint, but the reality is that 403 is what should have been returned for a client to properly understand what is going on. Change-Id: If5e13764dad886ba3ee1a848f3ff9f3279f4d7f6
This commit is contained in:
Julia Kreger
parent
43861609a8
commit
c6a4005049
|
|
@ -1638,7 +1638,7 @@ conductor_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='baremetal:conductor:get',
|
name='baremetal:conductor:get',
|
||||||
check_str=SYSTEM_READER,
|
check_str=SYSTEM_READER,
|
||||||
scope_types=['system'],
|
scope_types=['system', 'project'],
|
||||||
description='Retrieve Conductor records',
|
description='Retrieve Conductor records',
|
||||||
operations=[
|
operations=[
|
||||||
{'path': '/conductors', 'method': 'GET'},
|
{'path': '/conductors', 'method': 'GET'},
|
||||||
|
|
@ -1839,7 +1839,7 @@ deploy_template_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='baremetal:deploy_template:get',
|
name='baremetal:deploy_template:get',
|
||||||
check_str=SYSTEM_READER,
|
check_str=SYSTEM_READER,
|
||||||
scope_types=['system'],
|
scope_types=['system', 'project'],
|
||||||
description='Retrieve Deploy Template records',
|
description='Retrieve Deploy Template records',
|
||||||
operations=[
|
operations=[
|
||||||
{'path': '/deploy_templates', 'method': 'GET'},
|
{'path': '/deploy_templates', 'method': 'GET'},
|
||||||
|
|
@ -1851,7 +1851,7 @@ deploy_template_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='baremetal:deploy_template:create',
|
name='baremetal:deploy_template:create',
|
||||||
check_str=SYSTEM_ADMIN,
|
check_str=SYSTEM_ADMIN,
|
||||||
scope_types=['system'],
|
scope_types=['system', 'project'],
|
||||||
description='Create Deploy Template records',
|
description='Create Deploy Template records',
|
||||||
operations=[{'path': '/deploy_templates', 'method': 'POST'}],
|
operations=[{'path': '/deploy_templates', 'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_deploy_template_create
|
deprecated_rule=deprecated_deploy_template_create
|
||||||
|
|
@ -1859,7 +1859,7 @@ deploy_template_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='baremetal:deploy_template:delete',
|
name='baremetal:deploy_template:delete',
|
||||||
check_str=SYSTEM_ADMIN,
|
check_str=SYSTEM_ADMIN,
|
||||||
scope_types=['system'],
|
scope_types=['system', 'project'],
|
||||||
description='Delete Deploy Template records',
|
description='Delete Deploy Template records',
|
||||||
operations=[
|
operations=[
|
||||||
{'path': '/deploy_templates/{deploy_template_ident}',
|
{'path': '/deploy_templates/{deploy_template_ident}',
|
||||||
|
|
@ -1870,7 +1870,7 @@ deploy_template_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='baremetal:deploy_template:update',
|
name='baremetal:deploy_template:update',
|
||||||
check_str=SYSTEM_ADMIN,
|
check_str=SYSTEM_ADMIN,
|
||||||
scope_types=['system'],
|
scope_types=['system', 'project'],
|
||||||
description='Update Deploy Template records',
|
description='Update Deploy Template records',
|
||||||
operations=[
|
operations=[
|
||||||
{'path': '/deploy_templates/{deploy_template_ident}',
|
{'path': '/deploy_templates/{deploy_template_ident}',
|
||||||
|
|
|
||||||
|
|
@ -3383,19 +3383,19 @@ owner_reader_cannot_get_conductors:
|
||||||
path: '/v1/conductors'
|
path: '/v1/conductors'
|
||||||
method: get
|
method: get
|
||||||
headers: *owner_reader_headers
|
headers: *owner_reader_headers
|
||||||
assert_status: 500
|
assert_status: 403
|
||||||
|
|
||||||
lessee_reader_cannot_get_conductors:
|
lessee_reader_cannot_get_conductors:
|
||||||
path: '/v1/conductors'
|
path: '/v1/conductors'
|
||||||
method: get
|
method: get
|
||||||
headers: *lessee_reader_headers
|
headers: *lessee_reader_headers
|
||||||
assert_status: 500
|
assert_status: 403
|
||||||
|
|
||||||
third_party_admin_cannot_get_conductors:
|
third_party_admin_cannot_get_conductors:
|
||||||
path: '/v1/conductors'
|
path: '/v1/conductors'
|
||||||
method: get
|
method: get
|
||||||
headers: *third_party_admin_headers
|
headers: *third_party_admin_headers
|
||||||
assert_status: 500
|
assert_status: 403
|
||||||
|
|
||||||
# Allocations - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations
|
# Allocations - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations
|
||||||
|
|
||||||
|
|
@ -3631,19 +3631,19 @@ owner_reader_cannot_get_deploy_templates:
|
||||||
path: '/v1/deploy_templates'
|
path: '/v1/deploy_templates'
|
||||||
method: get
|
method: get
|
||||||
headers: *owner_reader_headers
|
headers: *owner_reader_headers
|
||||||
assert_status: 500
|
assert_status: 403
|
||||||
|
|
||||||
lessee_reader_cannot_get_deploy_templates:
|
lessee_reader_cannot_get_deploy_templates:
|
||||||
path: '/v1/deploy_templates'
|
path: '/v1/deploy_templates'
|
||||||
method: get
|
method: get
|
||||||
headers: *lessee_reader_headers
|
headers: *lessee_reader_headers
|
||||||
assert_status: 500
|
assert_status: 403
|
||||||
|
|
||||||
third_party_admin_cannot_get_deploy_templates:
|
third_party_admin_cannot_get_deploy_templates:
|
||||||
path: '/v1/deploy_templates'
|
path: '/v1/deploy_templates'
|
||||||
method: get
|
method: get
|
||||||
headers: *third_party_admin_headers
|
headers: *third_party_admin_headers
|
||||||
assert_status: 500
|
assert_status: 403
|
||||||
|
|
||||||
third_party_admin_cannot_post_deploy_template:
|
third_party_admin_cannot_post_deploy_template:
|
||||||
path: '/v1/deploy_templates'
|
path: '/v1/deploy_templates'
|
||||||
|
|
@ -3656,20 +3656,20 @@ third_party_admin_cannot_post_deploy_template:
|
||||||
args: {}
|
args: {}
|
||||||
priority: 0
|
priority: 0
|
||||||
headers: *third_party_admin_headers
|
headers: *third_party_admin_headers
|
||||||
assert_status: 500
|
assert_status: 403
|
||||||
|
|
||||||
service_cannot_get_deploy_templates:
|
service_cannot_get_deploy_templates:
|
||||||
path: '/v1/deploy_templates'
|
path: '/v1/deploy_templates'
|
||||||
method: get
|
method: get
|
||||||
headers: *service_headers
|
headers: *service_headers
|
||||||
assert_status: 500
|
assert_status: 403
|
||||||
|
|
||||||
service_cannot_post_deploy_template:
|
service_cannot_post_deploy_template:
|
||||||
path: '/v1/deploy_templates'
|
path: '/v1/deploy_templates'
|
||||||
method: post
|
method: post
|
||||||
body: *deploy_template
|
body: *deploy_template
|
||||||
headers: *service_headers
|
headers: *service_headers
|
||||||
assert_status: 500
|
assert_status: 403
|
||||||
|
|
||||||
# Chassis endpoints - https://docs.openstack.org/api-ref/baremetal/#chassis-chassis
|
# Chassis endpoints - https://docs.openstack.org/api-ref/baremetal/#chassis-chassis
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Some of Ironic's API endpoints, when the new RBAC policy is being enforced,
|
||||||
|
were previously emitting *500* error codes when insufficent access rights were
|
||||||
|
being used, specifically because the policy required ``system`` scope. This
|
||||||
|
has been corrected, and the endpoints should now properly signal a *403* error
|
||||||
|
code if insufficient access rights are present for an authenticated requestor.
|
||||||
Loading…
Reference in New Issue