Currently if target is not passed in context.can(),
it uses the default target, which is context.user_id, context.project_id.
These default targets are not useful as they pass the
context's user_id and project_id only, which means we tell
oslo policy to verify the context data against the context data.
This commit passes the actual target for network policies,
which is context.project_id itself, as nova cannot verify the owner of
security_groups. Neutron will return the authorization error if the requester
is not the owner of the security_group.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I1ce8ad8a16bddb3f7520a3b4e323b75626928186
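The following is an added illustration of the point made in the commit message above; it is not Nova's code and not the oslo.policy engine. A tiny evaluator handles only the generic "cred_attr:%(target_key)s" rule form (the Context dataclass, the can() wrapper and the sample ids are all constructed), so the effect of the target is visible: with the default target the caller is compared against themselves and every project passes; with an explicit resource target only the owning project passes. The explicit-resource-target case goes beyond the commit itself, which for security groups passes context.project_id and relies on Neutron to reject non-owners.

```python
import re
from dataclasses import dataclass


# Hypothetical stand-in for the request context; not Nova's RequestContext.
@dataclass(frozen=True)
class Context:
    user_id: str
    project_id: str

    def to_policy_values(self):
        # What the policy engine sees as the caller's credentials.
        return {"user_id": self.user_id, "project_id": self.project_id}


# Matches the generic check form "cred_attr:%(target_key)s".
_GENERIC_CHECK = re.compile(r"^(\w+):%\((\w+)\)s$")


def check_rule(rule, creds, target):
    """Evaluate one generic check: creds[cred_attr] == target[target_key].

    Constructed evaluator covering only this rule form; the real engine
    also handles role checks, and/or/not and references to other rules.
    """
    match = _GENERIC_CHECK.match(rule)
    if match is None:
        raise ValueError("unsupported rule form: %s" % rule)
    cred_attr, target_key = match.groups()
    return str(creds.get(cred_attr)) == str(target.get(target_key))


def can(context, rule, target=None):
    """Mimic context.can(): with no explicit target, fall back to the
    caller's own user_id/project_id, the behaviour the commit calls out."""
    creds = context.to_policy_values()
    if target is None:
        target = {"user_id": context.user_id, "project_id": context.project_id}
    return check_rule(rule, creds, target)


OWNER_RULE = "project_id:%(project_id)s"


def demo():
    """Compare the vacuous default target with a real resource target."""
    owner = Context(user_id="u-1", project_id="proj-a")
    stranger = Context(user_id="u-2", project_id="proj-b")
    resource = {"project_id": "proj-a"}  # constructed: the group belongs to proj-a
    return {
        # Default target: the stranger is compared with themselves, so it passes.
        "default_target_stranger": can(stranger, OWNER_RULE),
        # Explicit resource target: only the owning project passes.
        "resource_target_owner": can(owner, OWNER_RULE, target=resource),
        "resource_target_stranger": can(stranger, OWNER_RULE, target=resource),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-25s %s" % (name, result))
```

Running the block prints three lines; the first is True for a project that owns nothing, which is exactly why a default target made of the caller's own ids proves nothing.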
This adds new default roles in security_groups API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER and PROJECT_MEMBER_OR_SYSTEM_ADMIN.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: Ie1ea066e9683fc44d486bcde1eb0f01fca7645c7
This adds new default roles in security group API policies.
- GET rules are made granular and default to system or project reader
- add/remove sec grps policies default to system admin or project member.
Added a new context of other_project_reader for the system and project reader
policy so that we can verify the other project by its id, not by role.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I83783aa3384d3b667729bbdd4a13fb014176ec75
We only care about neutron security groups now, so a lot of nova-network
only cruft can be removed. Do just that.
Change-Id: I2a360e766261a186f9edf6ceb47a786aea2957eb
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
With the removal of nova-network, a whole swathe of exceptions are no
longer raised on certain code paths. Start cleaning things up by
removing these. Some of these features can be removed now while the
remainder will be removed once we have removed the (now unused) code
that calls them.
Change-Id: I131062ded9ddedc31cf3b448b2c38306b55e874b
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
We're wrestling with multiple imports for this thing and have introduced
a cache to avoid having to load the thing repeatedly. However, Python
already has a way to ensure this doesn't happen: the use of a module.
Given that we don't have any state, we can straight up drop the class
and just call functions directly. Along the way, we drop the
'ensure_default' function, which is a no-op for neutron and switch all
the mocks over, where necessary.
Change-Id: Ia8dbe8ba61ec6d1b8498918a53a103a6eff4d488
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Currently some do and some don't. Do it by default as intended. We also
remove the 'view_builder' argument from the base 'Controller.__init__'
function since nothing was actually setting this.
Change-Id: Ic0b16608078e4545f546509df94caba3166ed6e2
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
When we had cellsv1, we had two different sets of
[Host|InstanceAction|ComputeCells]API. Now that cellsv1 is gone, we only
need nova.compute.api.API, .HostAPI, and .InstanceActionAPI. This patch
removes the dynamic loader shims from nova/compute/__init__.py and swaps
out all references to directly access the classes in nova.compute.api.
Note that there are a couple of ways we could have done this. One way
would have been to replace
from nova import compute
with
from nova.compute import api
and then change
self.compute_api = compute.API()
to
self.compute_api = api.API()
However, the current approach was preferred because
- smaller delta
- the code reads better as compute.API(), which is more important than
the import being pretty
cleanup for blueprint remove-cells-v1
Change-Id: I84d9692efa3a131d6392dbd1011dfc43e4ac0b53
As nova extensions have been deprecated already and the goal is to
merge all scattered code into the main controller side.
Currently schema and request/response extended code are there
among all extensions.
This commit merges the security groups extension response into the server
view builder.
Partially implements: blueprint api-extensions-merge-stein
Change-Id: I57141fc6b1ee87ad3933edd9dc255294d03b5651
API extensions policies have been deprecated in 17.0.0
release[1]. This commit removes them.
[1] Ie05f4e84519f8a00ffb66ea5ee920d5c7722a66b
Change-Id: Ib3faf85c78bc2cdee13175560dc1458ddb6cb7a8
As nova extensions have been deprecated already and the goal is to
merge all scattered code into the main controller side.
Currently schema and request/response extended code are there
among all extensions.
This commit merges the server_create for security group extensions.
Partially implements: blueprint api-extensions-merge-rocky
Note- unit tests will be moved to test_serversV21 when we merge
the extended response for security group.
Change-Id: I447947e23451d3898a5eee0e25facc3d9ae8c01e
As nova extensions have been deprecated already and the goal is to
merge all scattered code into the main controller side.
Currently schema and request/response extended code are there
among all extensions.
This commit merges the schema part of create server for security
group extensions.
Partially implements: blueprint api-extensions-merge-rocky
Change-Id: I160028d77e84705106aad5ec8b2d9a54a3c54b18
Most of the objects are removed from the extensions module. The last
thing is the expected_errors decorator, but that decorator has nothing
to do with the extensions. So move the decorator to the wsgi module, which
is the place where the other decorators are put. Then we can remove the
extensions module entirely.
Partial implement bp api-extensions-merge-queens
Change-Id: I4802c5b38001a756448d4feb9ca336908821f591
sec group APIs accept query params to filter the
quota.
This commit adds json schema to validate the
query parameters.
There is no change in API behaviour and additionalProperties
is kept True for backward compatibility.
Partially implements blueprint json-schema-validation-for-query-param
Change-Id: If55296e0efe6676bb931aad8b2b0133efbb910a7
The GET /servers/{server_id}/os-security-groups API code can
perform poorly if the instance has several security groups and
each security group has several rules. This is because when processing
the output, we loop over the groups, and loop over the rules per group,
and then for each rule, if it has a group_id specified, we query
the security group details (from Neutron in most cases).
If more than one rule points at the same group_id, we're doing a redundant
group lookup and sending more traffic to the security group API (aka Neutron)
than needed.
This change optimizes that single API to load the rule group details
up front so that we only do at most one lookup per group_id.
This could be extended to GET /os-security-groups but that API is
deprecated so any optimization there is lower priority.
Change-Id: Ia451429f61b15526fade6838386e562c17591d36
Closes-Bug: #1729741
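The following is an added illustration of the optimization described in the commit message above; it is not Nova's code. The security group data, the backend records and the CountingGroupAPI stub (standing in for Neutron) are constructed. The naive formatter looks up the source group once per rule; the batched formatter collects the distinct group_ids first and looks each up once, producing identical output with fewer backend calls.

```python
# Constructed sample data: two groups whose rules refer to other groups.
SAMPLE_GROUPS = [
    {"id": "sg-app", "name": "app", "project_id": "p1", "rules": [
        {"id": "r1", "protocol": "tcp", "group_id": "sg-web"},
        {"id": "r2", "protocol": "tcp", "group_id": "sg-web"},
        {"id": "r3", "protocol": "icmp", "group_id": None},
    ]},
    {"id": "sg-db", "name": "db", "project_id": "p1", "rules": [
        {"id": "r4", "protocol": "tcp", "group_id": "sg-web"},
        {"id": "r5", "protocol": "tcp", "group_id": "sg-app"},
        {"id": "r6", "protocol": "udp", "group_id": "sg-web"},
    ]},
]

# Constructed backend records that the rules' group_ids point at.
BACKEND_GROUPS = {
    "sg-web": {"name": "web", "project_id": "p1"},
    "sg-app": {"name": "app", "project_id": "p1"},
}


class CountingGroupAPI:
    """Stand-in for the security group backend (Neutron in most cases)
    that counts how many times it is asked for a group."""

    def __init__(self, groups):
        self._groups = groups
        self.lookups = 0

    def get(self, group_id):
        self.lookups += 1
        return self._groups[group_id]


def _format_rule(rule, source_group):
    """Build one output entry; 'group' carries the source group's details."""
    entry = {"id": rule["id"], "ip_protocol": rule["protocol"], "group": {}}
    if source_group is not None:
        entry["group"] = {"name": source_group["name"],
                          "tenant_id": source_group["project_id"]}
    return entry


def format_rules_naive(groups, api):
    """Before: one backend lookup for every rule that names a group_id."""
    out = []
    for group in groups:
        for rule in group["rules"]:
            src = api.get(rule["group_id"]) if rule.get("group_id") else None
            out.append(_format_rule(rule, src))
    return out


def format_rules_batched(groups, api):
    """After: collect the distinct group_ids first, look each up once."""
    wanted = {rule["group_id"] for group in groups
              for rule in group["rules"] if rule.get("group_id")}
    by_id = {gid: api.get(gid) for gid in sorted(wanted)}
    out = []
    for group in groups:
        for rule in group["rules"]:
            src = by_id.get(rule["group_id"]) if rule.get("group_id") else None
            out.append(_format_rule(rule, src))
    return out


def compare(groups=SAMPLE_GROUPS, backend=BACKEND_GROUPS):
    """Run both versions; return (same_output, naive_lookups, batched_lookups)."""
    naive_api = CountingGroupAPI(backend)
    batched_api = CountingGroupAPI(backend)
    naive = format_rules_naive(groups, naive_api)
    batched = format_rules_batched(groups, batched_api)
    return naive == batched, naive_api.lookups, batched_api.lookups


if __name__ == "__main__":
    same, n_naive, n_batched = compare()
    print("identical output:", same)
    print("backend lookups before/after: %d/%d" % (n_naive, n_batched))
```

With the sample data the naive path makes five backend calls (one per rule carrying a group_id) and the batched path makes two (one per distinct group_id); the gap grows with the number of rules that share a source group.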
This patch adds os-security-group-rules related routes via a plain list,
instead of using stevedore.
After all the Nova API endpoints move to the plain routes list,
the usage of stevedore for API loading will be removed from Nova.
The API sample tests are missing for the os-security-group-rules API;
this patch adds them to ensure the route is working correctly.
Partial-implement-blueprint api-no-more-extensions-pike
Change-Id: I2d3ac79fdb0314014f4b8b69a9c5f27a922d9046
This patch adds server-security-groups related routes via a plain list,
instead of using stevedore.
After all the Nova API endpoints move to the plain routes list,
the usage of stevedore for API loading will be removed from Nova.
Partial-implement-blueprint api-no-more-extensions-pike
Change-Id: I8bd7676ccb37a041548ef2df729130b8bdf7a28c
This patch adds os-security-groups related routes via a plain list,
instead of using stevedore.
After all the Nova API endpoints move to the plain routes list,
the usage of stevedore for API loading will be removed from Nova.
Partial-implement-blueprint api-no-more-extensions-pike
Change-Id: I3dde45b63cb633819d14b5fed55403f209347be4
When passing a source group_id for creating a new security group rule,
the code is looking up that group twice. We should just look that up
once at the beginning and reuse it so we don't have to hit the nova db
or neutron twice for the same thing.
Change-Id: I3ea4586d11b14da5f6d93e8d20f05171e7e6f0e8
Closes-bug: #1580621
This patch adds '/servers' related routes via a plain list, instead
of using stevedore. After all the Nova API endpoints move to
the plain routes list, the usage of stevedore for loading the API
will be removed from Nova.
To remove the servers extension from stevedore, all the extensions
which depend on servers need to be removed together. Those
extensions are the servers API response extensions and the action
extensions.
Also note that the original 'ProjectMapper' uses 'routes.Mapper.resource'
to create a set of routes for a resource which conform to the Atom
publishing protocol. It includes some URL mappings we didn't document
before. This patch will remove those URL mappings, and also remove the
corresponding URL mappings for the 'os-volumes_boot' endpoint. For the details,
please reference:
http://lists.openstack.org/pipermail/openstack-dev/2017-March/114736.html
Partial-implement-blueprint api-no-more-extensions-pike
Change-Id: I76c384c10bd804fc2049aef305044149bb55d0dc
This patch removes the stevedore extension point for server
create.
This patch moves all the extension points into the ServersController
class attribute 'server_create_func_list'. This is for
backward compatibility with the stevedore extension interface.
The final goal is to merge all of that extended code into
the ServersController. So this is a middle step for the refactor.
Partial-implement-blueprint api-no-more-extensions-pike
Change-Id: I9a8f56037b35e89543626922221b910ab8b1917e
To get rid of all stevedore extension points, the
json-schema extension point of server create should be
removed. This patch moves all of the extended json-schema into
ServersController's class attribute 'schema_func_list'.
But the final goal is to merge all of that extended
json-schema into the server's main json-schema. So this is a
middle step in the refactoring for removing stevedore.
Partial-implement-blueprint api-no-more-extensions-pike
Change-Id: Id8ba6a0383cf236259224ace2df3c3d89f82f27d
This changes the formal parameter name to be 'security_groups'
so it's plural given it's a list and not a single security
group.
Change-Id: I243f689a30168b9081200f03a2ae060a4971e131
common.get_instance() raises a single exception, HTTPNotFound, only,
so it is not necessary to call the method in a try-except block in
these cases.
This patch moves these calls out of the block so that we will be
able to avoid digging into what exceptions are raised by the method in
the future (on the Ie1fc20fe5e028dd53116d5549814442232ddfe49 review,
we faced such a situation).
Change-Id: I7c3898f79dfdd069c52de9327b7f5ec45786c8d6
This patch deprecates all the APIs related to SecurityGroup. All those
APIs will return 404.
The deprecated API endpoints are
'/os-security-group-default-rules'
'/os-security-groups'
'/os-security-group-rules'
The actions 'addSecurityGroup' and 'removeSecurityGroup' will be kept. And
the attribute 'security_groups' in the servers response will be kept also.
Because the current implementation of Microversion didn't support inheritance
very well, this patch uses object as SecurityGroupControllerBase's base class
to avoid two controllers sharing the same base controller which is a subclass of
'wsgi.Controller'. The support for inheritance will be improved later to
avoid increasing the complexity in this series of patches.
This patch doesn't bump the max api version, due to the patch separation.
The max api version will be bumped in the last patch.
Partially implements blueprint deprecate-api-proxies
Change-Id: Ic834db770f68c72892a6497d5c60707b75f1beef
This changes over all occurrences of dictionary syntax on the SecurityGroup
object to use object syntax.
Change-Id: Ib624da3fd5197bcd31922cbe9b7c24cc037b9b12
Partially-Implements: bp rm-object-dict-compat-newton
The skip_policy_check flag is used to skip the legacy v2 API
policy check points in the v2.1 API. The legacy v2 API has been removed
and all the old policy check points have been removed also. This flag is
useless now; this patch cleans them up.
Partially implements blueprint remove-legacy-v2-api-code
Change-Id: Ia4a8d9954bf456253101b936f8b4ff513aaa73b2
SecurityGroupAPI.get_instance_security_groups() takes instance.uuid as a
parameter and uses that to fetch instance security groups from the db.
Since all callers of this method have the instance to begin with, we can
use it to get security groups without the extra db call.
Change-Id: I87769999839871c1a8d29c9013789d2611b8bccf
Closes-Bug: #1521675
The normal authorize and soft authorize have the same rule.
All actions of SecurityGroupsOutputController need soft authorize.
If soft authorize fails, there is no chance to do normal authorize; also if soft
authorize passes, the normal authorize is redundant.
Change-Id: Ie354b14f592738a882ca261133de4372a3e6507b
Closes-Bug: 1425849
In the V2 API, there are three cases for the name field:
1. disallow any space in the name: server_groups.
2. allow leading/trailing whitespace, strip spaces and disallow
names that are all spaces: flavor_manage, servers.
3. allow leading/trailing whitespace, don't strip spaces and allow
names that are all spaces: aggregates, cells, create_backup,
security_groups, create_image, rebuild
But currently the V2.1 API and V2.1 API compat mode disallow
leading/trailing spaces in the name field.
For the V2.1 compat mode, we should relax the validation to avoid
breaking the user, although leading/trailing spaces are an unclear use case. This
patch allows leading/trailing spaces but will strip them, and still
disallows names that are all spaces in the name fields for
flavor_manage, servers, aggregates (and availability_zones),
create_backup, create_image, rebuild.
Because server_groups and security_groups (no json-schema in v2.1)
have consistent behavior between v2 and v2.1, this patch won't
change server_groups.
But when creating servers, the names of security_groups, availability_zone
and keypair aren't stripped of leading/trailing spaces. This is for
backward compatibility with users who already used the legacy V2 API to create
security_group, availability_zone and keypair with leading/trailing spaces
in the name; otherwise the users can't use those resources anymore.
To support the servers schema extension point returning the legacy v2 schema,
this patch adds a version parameter to the schema extension point. Then the
extension point can return a different schema based on the version
parameter.
Change-Id: I9442891272284d395ea0dd8cfa302d3f74bf13ec
Partial-Bug: #1498075
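The following is an added illustration of the three name-handling cases listed in the commit message above and of the compat behaviour it adopts for server create; it is not Nova's json-schema code. The validator functions, the normalize_server_create helper and the sample request body are constructed: the server name is stripped and an all-space name is rejected, while security group, availability zone and key names pass through untouched.

```python
import re

_WHITESPACE = re.compile(r"\s")


def validate_name_no_whitespace(name):
    """Case 1 (server_groups): reject any whitespace anywhere in the name."""
    if not name or _WHITESPACE.search(name):
        raise ValueError("name must be non-empty and contain no whitespace")
    return name


def validate_name_strip(name):
    """Case 2 (flavor_manage, servers) and the V2.1 compat behaviour the
    commit adopts: allow leading/trailing spaces, strip them, but reject
    a name made only of spaces."""
    stripped = name.strip()
    if not stripped:
        raise ValueError("name must not consist only of spaces")
    return stripped


def validate_name_keep(name):
    """Case 3 (aggregates, security_groups, ...): keep the name verbatim,
    including names that are all spaces."""
    if name is None:
        raise ValueError("name is required")
    return name


def normalize_server_create(body):
    """Apply the compat rule to a server-create body (constructed helper):
    the server name is stripped, but security group, availability zone and
    key names are passed through untouched so resources created via the
    legacy v2 API with surrounding spaces can still be referenced."""
    out = dict(body)
    out["name"] = validate_name_strip(body["name"])
    out["security_groups"] = [
        {"name": validate_name_keep(sg["name"])}
        for sg in body.get("security_groups", [])
    ]
    for key in ("availability_zone", "key_name"):
        if key in body:
            out[key] = validate_name_keep(body[key])
    return out


if __name__ == "__main__":
    # Constructed request body with surrounding spaces in every name field.
    print(normalize_server_create({
        "name": "  web-01  ",
        "security_groups": [{"name": " default "}],
        "availability_zone": " nova ",
        "key_name": " mykey ",
    }))
```

The point of keeping validate_name_keep separate is that stripping the security group name on the server-create path would make a group named " default " (created through the legacy API) unreachable, which is the compatibility break the commit avoids.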
This is step 4 of the remove v3 process. It moves the v2.1
json-schemas out of v3 directory, and also corrects all the
references.
Change-Id: Ibf88c38df951ed755b7431846cca7496f861c1dd
Partial-Bug: #1462901