Support upgrade on behalf of user by admin
Unleash the capability that admin user can do rolling upgrade on behalf of the end user so that cloud admin can do urgent security patching when it's really necessary. Task: 39784 Story: 2007675 Change-Id: I8fa9a30ee8252b94baa80e4bbca197b285fb7f71
This commit is contained in:
parent
7103c22bd9
commit
2cb23153bd
|
@ -135,6 +135,11 @@ class ActionsController(base.Controller):
|
|||
:param cluster_ident: UUID of a cluster or logical name of the cluster.
|
||||
"""
|
||||
context = pecan.request.context
|
||||
if context.is_admin:
|
||||
policy.enforce(context, "cluster:upgrade_all_projects",
|
||||
action="cluster:upgrade_all_projects")
|
||||
context.all_tenants = True
|
||||
|
||||
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
||||
policy.enforce(context, 'cluster:upgrade', cluster,
|
||||
action='cluster:upgrade')
|
||||
|
|
|
@ -172,7 +172,19 @@ rules = [
|
|||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER % 'upgrade_all_projects',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description='Upgrade an existing cluster across all projects.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/clusters/{cluster_ident}/actions/upgrade',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
)
|
||||
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -12,6 +12,9 @@
|
|||
|
||||
from unittest import mock
|
||||
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from magnum.common import context as magnum_context
|
||||
from magnum.conductor import api as rpcapi
|
||||
import magnum.conf
|
||||
from magnum.tests.unit.api import base as api_base
|
||||
|
@ -143,8 +146,8 @@ class TestClusterUpgrade(api_base.FunctionalTest):
|
|||
project_id=self.cluster_obj.project_id,
|
||||
is_default=False)
|
||||
p = mock.patch.object(rpcapi.API, 'cluster_upgrade')
|
||||
self.mock_cluster_resize = p.start()
|
||||
self.mock_cluster_resize.side_effect = self._sim_rpc_cluster_upgrade
|
||||
self.mock_cluster_upgrade = p.start()
|
||||
self.mock_cluster_upgrade.side_effect = self._sim_rpc_cluster_upgrade
|
||||
self.addCleanup(p.stop)
|
||||
|
||||
def _sim_rpc_cluster_upgrade(self, cluster, cluster_template, batch_size,
|
||||
|
@ -162,6 +165,38 @@ class TestClusterUpgrade(api_base.FunctionalTest):
|
|||
"container-infra latest"})
|
||||
self.assertEqual(202, response.status_code)
|
||||
|
||||
def test_upgrade_cluster_as_admin(self):
|
||||
token_info = {
|
||||
'token': {
|
||||
'project': {'id': 'fake_project_1'},
|
||||
'user': {'id': 'fake_user_1'}
|
||||
}
|
||||
}
|
||||
user_context = magnum_context.RequestContext(
|
||||
auth_token_info=token_info,
|
||||
project_id='fake_project_1',
|
||||
user_id='fake_user_1',
|
||||
is_admin=False)
|
||||
cluster_uuid = uuidutils.generate_uuid()
|
||||
cluster_template_uuid = uuidutils.generate_uuid()
|
||||
obj_utils.create_test_cluster_template(
|
||||
user_context,
|
||||
public=True, uuid=cluster_template_uuid)
|
||||
obj_utils.create_test_cluster(
|
||||
user_context,
|
||||
uuid=cluster_uuid,
|
||||
cluster_template_id=cluster_template_uuid)
|
||||
|
||||
cluster_upgrade_req = {"cluster_template": "test_2"}
|
||||
self.context.is_admin = True
|
||||
response = self.post_json(
|
||||
'/clusters/%s/actions/upgrade' %
|
||||
cluster_uuid,
|
||||
cluster_upgrade_req,
|
||||
headers={"Openstack-Api-Version": "container-infra latest"})
|
||||
|
||||
self.assertEqual(202, response.status_int)
|
||||
|
||||
def test_upgrade_default_worker(self):
|
||||
cluster_upgrade_req = {
|
||||
"cluster_template": "test_2",
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Cloud admin user now can do rolling upgrade on behalf of end
|
||||
user so as to do urgent security patching when it's necessary.
|
Loading…
Reference in New Issue