Implemented basic CLI operations with whitelist

Change-Id: I4ccf158807099add16a5082d8a461205447d7fa0
Dmitry Nikishov 2016-11-15 08:53:44 +00:00
parent 79a59c52f0
commit ec68268b3b
5 changed files with 236 additions and 3 deletions

@ -28,8 +28,11 @@ Than enable extension for a particular environment
### How to Use
This extension introduces set of additional Fuel CLI commands which allows the operator to
associate a git repo with a particular environment and preform CRUD operations on this repo.
This extension introduces two sets of additional Fuel CLI commands. The first set allows the
operator to associate a git repo with a particular environment and preform CRUD operations on
this repo. The second set allows the operator to execute audit and enforce operations on the
environment as well as list the changes made to configuration. It also allows to manage white
lists for these changes.
See details [here](./doc/cli.md).
```
gitrepo create
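Review bot: the new paragraph in this hunk carries over the "preform CRUD operations" typo from the line it replaces, and "It also allows to manage white lists for these changes" is ungrammatical; suggest "perform CRUD operations" and "It also lets the operator manage whitelists for these changes."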
@ -38,6 +41,13 @@ See details [here](./doc/cli.md).
gitrepo init
gitrepo list
gitrepo update
audit enforce
audit noop
audit list outofsync
audit whitelist show
audit whitelist add
audit whitelist delete
```
Create repository and configure nailgun to use it.
```
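Review bot: the expanded command list mixes read-only commands (`audit noop`, `audit list outofsync`, `audit whitelist show`) with commands that change the environment or its whitelist (`audit enforce`, `audit whitelist add`, `audit whitelist delete`) without distinguishing them; a one-line description per command, or at least a note that `audit enforce` redeploys the environment, would let an operator see at a glance which ones are safe to run casually.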
@ -105,5 +115,59 @@ roles:
Configuration files for Role and Node levels should be placed in corresponding directory described
in overrides.yaml
### Audit and enforcement
This feature enables the operator to audit the changes made to the environment as well as enforce
configuration.
```
fuel2 audit noop --env <env-id> || --repo <repo-id>
```
Audit is basically a Fuel graph run with noop flag set. This runs the whole graph and records Puppet resources, that would have changed their state. The command above is equivalent to
```
fuel2 env redeploy --noop <env-id>
```
After the audit run, the operator is able to list the changes to the state of Puppet resources on the environment via following command:
```
fuel2 audit list outofsync --task <noop-task-id> || --repo <repo-id>
```
This is a convenient alternative to the stock command:
```
fuel2 task history show <noop-task-id> --include-summary
```
To enforce configuration state, the operator can issue a stock redeploy command:
```
fuel2 env redeploy <env-id>
```
To perform the whole audit-enforce process automatically, this extension provides the following command:
```
fuel2 audit enforce --env <env-id> || --repo <repo-id>
```
This command will run audit, check the changes and will enforce configuration, if needed.
### Audit changes whitelisting
Since fuel-library contains non-idempotent tasks, that contain Puppet resources, which will be
triggered on each deployment run, this extension provides the operator the ability to filter such changes out.
A whitelist rule is a string, that is included into a Puppet report line for the whitelisted resource change, e.g. for
```
Openstack_tasks::Swift::Proxy_storage/Package[mc]/ensure
```
the whitelist rule could be
```
Package[mc]/ensure
```
Whitelist rules for an environment can be listed by
```
fuel2 audit whitelist show <env-id>
```
These rules can be managed by following commands:
```
fuel2 audit whitelist add <env-id> <rule>
fuel2 audit whitelist delete <rule-id>
```
### REST API
API documentation can be found [here](./doc/api.md)
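Review bot: the `audit list outofsync` usage line in this hunk (`--task <noop-task-id> || --repo <repo-id>`) disagrees with the same command in the doc/cli.md hunk of this patch (`--task <noop-task-id> || --env <env-id>`); one of them is wrong and both files should match the actual parser. The `||` notation for alternatives is also non-standard in usage lines; `fuel2 audit noop (--env <env-id> | --repo <repo-id>)` is what readers of `fuel2 help` will expect. Finally, the whitelisting paragraph defines a rule as a string "included into a Puppet report line", i.e. substring matching: a short rule such as `ensure` would silently suppress every ensure change in the audit, so the docs should state that matching is by substring and recommend rules that carry the full resource reference (for the example given, `Package[mc]/ensure` rather than `mc`).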

@ -35,3 +35,58 @@ Example:
```
curl -X PUT -H 'X-Auth-Token: $(fuel token)' http://localhost:8000/api/v1/clusters/4/git-repos/2 -d '{"ref": "master"}'
```
#### GET /clusters/changes-whitelist/(obj_id)
Returns the serialized whitelist rule object
Example
```
curl -H "X-Auth-Token: $(fuel token)" http://localhost:8000/api/v1/clusters/changes-whitelist/1
```
#### PUT /clusters/changes-whitelist/(obj_id)
Updates a whitelist rule
Input data schema:
```
"$schema": "http://json-schema.org/draft-04/schema#",
"title": "ChangesWhitelistRule",
"description": "Serialized ChangesWhitelistRule object",
"type": "object",
"properties": {
"rule": {"type": "string"},
}
```
Example
```
curl -H "X-Auth-Token: $(fuel token)" -X PUT http://localhost:8000/api/v1/clusters/changes-whitelist/1 -d '{"rule": "new-rule-string"}'
```
#### DELETE /clusters/changes-whitelist/(obj_id)
Deletes a whitelist rule
Example
```
curl -H "X-Auth-Token: $(fuel token)" -X DELETE http://localhost:8000/api/v1/clusters/changes-whitelist/1
```
#### GET /clusters/(env_id)/changes-whitelist/
Returns the whitelist rules for a specified environment
Example
```
curl -H "X-Auth-Token: $(fuel token)" http://localhost:8000/api/v1/clusters/1/changes-whitelist/
```
#### POST /clusters/(env_id)/changes-whitelist/
Creates one or more whitelist rule(s)
Input data schema:
```
"$schema": "http://json-schema.org/draft-04/schema#",
"title": "ChangesWhitelistRule Collection",
"description": "Serialized ChangesWhitelistRule collection",
"type": "object",
"items": {
"rule": {"type": "string"}
}
```
Example
```
curl -H "X-Auth-Token: $(fuel token)" -X POST http://localhost:8000/api/v1/clusters/1/changes-whitelist/ -d '[{"rule": "new-rule-string"}, {"rule": "new-rule-2"}]'
```
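Review bot: both "Input data schema" blocks are not valid JSON: the enclosing braces are missing and the PUT schema has a trailing comma after `"rule": {"type": "string"},`. The POST schema also declares `"type": "object"` together with an `"items"` key, but the example sends a JSON array (`[{"rule": "new-rule-string"}, {"rule": "new-rule-2"}]`), so it should read `"type": "array"` with `"items": {"type": "object", "properties": {"rule": {"type": "string"}}}`. The object returned by GET is described only as "the serialized whitelist rule object"; since the rule-level endpoints (`/clusters/changes-whitelist/(obj_id)`) are not nested under an environment, documenting its fields (at least `id`, `rule` and the owning environment) would let a client confirm which environment a rule applies to before updating or deleting it.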

@ -48,3 +48,39 @@ To get more detailed description use:
```
fuel2 help <command>
```
##### Audit and enforce
These commands allow to perform audit and enforce configuration on the environment as well as to list the changes made to it.
To perform the audit run on the environment:
```
fuel2 audit noop --env <env-id> || --repo <repo-id>
```
To list the changes:
```
fuel2 audit list outofsync --task <noop-task-id> || --env <env-id>
```
To perform audit run, inspect changes and enforce configuration, if needed:
```
fuel2 audit enforce --env <env-id> || --repo <repo-id>
```
##### Changes whitelist commands
These commands manage the rules, that allow to ignore certain changes to configuration.
To show rules whitelist for the environment:
```
fuel2 audit whitelist show <env-id>
```
To add a rule:
```
fuel2 audit whitelist add <env-id> <rule>
```
To delete a rule:
```
fuel2 audit whitelist delete <rule-id>
```
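Review bot: `fuel2 audit list outofsync --task <noop-task-id> || --env <env-id>` here conflicts with the README hunk in this patch, which documents `--repo <repo-id>` for the same command; align both with the real parser. As in the README, `||` should be `|` (or a parenthesised group) in usage lines. Wording: "These commands allow to perform audit and enforce configuration on the environment as well as to list the changes made to it" reads better as "These commands audit the environment, enforce its configuration and list the changes made to it"; "the rules, that allow to ignore certain changes" as "the rules that cause certain configuration changes to be ignored"; and "To show rules whitelist for the environment" as "To show the whitelist rules for the environment".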

@ -89,7 +89,7 @@ class Audit(lister.Lister, command.Command):
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('--env',
type=int,
help='Associated Repo ID')
help='Environment ID')
group.add_argument('--repo',
type=int,
help='Associated Repo ID')
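Review bot: the help-string fix for `--env` in `Audit.get_parser` is correct, but the docs in this patch show that `audit noop` and `audit list outofsync` take the same `--env`/`--repo` pair, so the parsers of `AuditRun` and `OutOfSyncResources` (not shown in this hunk) should be checked for the same copy-pasted 'Associated Repo ID' text.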
@ -213,3 +213,78 @@ class OutOfSyncResources(lister.Lister, command.Command):
data = data_utils.get_display_data_multi(self.columns, changes)
return (self.columns, data)
class WhitelistRulesShow(lister.Lister, command.Command):
columns = (
'id',
'rule'
)
def get_parser(self, prog_name):
parser = super(WhitelistRulesShow, self).get_parser(prog_name)
parser.add_argument('env',
type=int,
help=('Environment to find whitelist rules '
'associated with'))
return parser
def take_action(self, parsed_args):
env_id = parsed_args.env
rules = fc_client.get_request(
'/clusters/{env}/changes-whitelist/'.format(env=env_id)
)
data = data_utils.get_display_data_multi(self.columns, rules)
return (self.columns, data)
class WhitelistRuleAdd(lister.Lister, command.Command):
columns = (
'id',
'rule'
)
def get_parser(self, prog_name):
parser = super(WhitelistRuleAdd, self).get_parser(prog_name)
parser.add_argument('env',
type=int,
help='Environment to add whitelist rules to')
parser.add_argument('rule',
type=str,
help='Rule to add')
return parser
def take_action(self, parsed_args):
env_id = parsed_args.env
rule = parsed_args.rule
data = {'rule': rule}
ret = fc_client.post_request(
'/clusters/{env}/changes-whitelist/'.format(env=env_id),
data
)
ret = data_utils.get_display_data_multi(self.columns, ret)
return (self.columns, ret)
class WhitelistRuleDelete(command.Command):
columns = ()
def get_parser(self, prog_name):
parser = super(WhitelistRuleDelete, self).get_parser(prog_name)
parser.add_argument('rule_id',
type=int,
help='Rule ID to delete')
return parser
def take_action(self, parsed_args):
rule_id = parsed_args.rule_id
fc_client.delete_request(
'/clusters/changes-whitelist/{rule}'.format(rule=rule_id)
)
return ((), {})
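Review bot: `WhitelistRuleAdd.take_action` posts a single object, `data = {'rule': rule}`, to `/clusters/{env}/changes-whitelist/`, while the API doc in this patch describes the POST body as a collection and its example sends a list (`[{"rule": ...}, {"rule": ...}]`); either post `[data]` or make sure the handler accepts a bare object, otherwise `data_utils.get_display_data_multi(self.columns, ret)` is handed something other than the list it expects. `WhitelistRuleDelete` subclasses `command.Command` only, so `columns = ()` and `return ((), {})` are leftovers from the Lister pattern; cliff ignores the return value of a plain Command, so drop both and print a short confirmation instead. Nothing in this hunk validates the rule string, and the README in this patch says rules are matched as substrings of Puppet report lines, so `WhitelistRuleAdd` should reject empty or whitespace-only rules (the server should too), since such a rule would whitelist every change.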

@ -33,3 +33,6 @@ fuelclient:
audit_enforce = fuel_external_git.fuelclient_audit:Audit
audit_noop = fuel_external_git.fuelclient_audit:AuditRun
audit_list_outofsync = fuel_external_git.fuelclient_audit:OutOfSyncResources
audit_whitelist_show = fuel_external_git.fuelclient_audit:WhitelistRulesShow
audit_whitelist_add = fuel_external_git.fuelclient_audit:WhitelistRuleAdd
audit_whitelist_delete = fuel_external_git.fuelclient_audit:WhitelistRuleDelete