Add policy to validatedesign

Adds policy enforcement to validatedesign and adds testing for
validatedesign endpoint. Also fixes error when raising
ValidationException.

Change-Id: Ie48fc49a05f7890866d2dd3480c4d6333ef3a087
Samantha Blanco 2017-12-21 18:25:44 -05:00
parent 47bf886ddd
commit a3b79eabc0
7 changed files with 33 additions and 30 deletions


@ -1,7 +1,7 @@
PKI Catalog
===========
Configuration for certificate generation in the cluster.
Configuration for certificate and keypair generation in the cluster.
Sample Document


@ -19,6 +19,7 @@ import falcon
from promenade.config import Configuration
from promenade.control import base
from promenade import exceptions
from promenade import policy
from promenade import validation
LOG = logging.getLogger(__name__)
@ -46,10 +47,12 @@ class ValidateDesignResource(base.BaseResource):
"code": status_code,
})
@policy.ApiEnforcer('kubernetes_provisioner:post_validatedesign')
def on_post(self, req, resp):
href = req.get_param('href', required=True)
try:
config = Configuration.from_design_ref(href)
config = Configuration.from_design_ref(
href, allow_missing_substitutions=False)
validation.check_design(config)
msg = "Promenade validations succeeded"
return self._return_msg(resp, falcon.HTTP_200, message=msg)
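Review bot: `href` in `on_post` is read from the request and passed straight to `Configuration.from_design_ref`, so the service dereferences whatever location the caller names. The new `@policy.ApiEnforcer('kubernetes_provisioner:post_validatedesign')` decorator limits who may ask, but nothing visible in this hunk limits what may be fetched. If `from_design_ref` does not already restrict the accepted schemes and hosts (not visible here), that check belongs before the call. Either way, a comment above the call such as `# href is caller-supplied and fetched server-side; access is gated by the post_validatedesign policy` would record the trust assumption. The `try` block continues past the end of the hunk, so the handling of a rejected reference is not shown.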


@ -196,7 +196,7 @@ class PromenadeException(Exception):
@staticmethod
def _gen_ex_message(title, description):
ttl = title or 'Exception'
dsc = description or 'No additional decsription'
dsc = description or 'No additional description'
return '{} : {}'.format(ttl, dsc)
@staticmethod


@ -4,30 +4,10 @@ import keystoneauth1.loading
OPTIONS = []
def setup(disable=None):
if disable is None:
disable = []
else:
disable = disable.split()
for name, func in GROUPS.items():
if name not in disable:
func()
def setup(disable_keystone=False):
cfg.CONF([], project='promenade')
def register_application():
cfg.CONF.register_opts(OPTIONS)
def register_keystone_auth():
cfg.CONF.register_opts(
keystoneauth1.loading.get_auth_plugin_conf_options('password'),
group='keystone_authtoken')
GROUPS = {
'promenade': register_application,
'keystone': register_keystone_auth,
}
if disable_keystone is False:
cfg.CONF.register_opts(
keystoneauth1.loading.get_auth_plugin_conf_options('password'),
group='keystone_authtoken')
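Review bot: `if disable_keystone is False:` in `setup` registers the `keystone_authtoken` options only when the argument is the literal `False`. Any other falsy value (`None`, `0`, or the empty string that was the old default of `start_promenade`) therefore skips registration without any signal. Because this flag switches the auth configuration off, it should be read by truthiness, `if not disable_keystone:`, so that only an explicit truthy value disables it. The same concern applies to `start_promenade(disable=False)` in the launcher section, where the parameter is still named `disable` although it now controls only keystone. A short docstring on `setup` saying what `disable_keystone=True` leaves unregistered would also help.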


@ -35,6 +35,12 @@ POLICIES = [
'path': '/api/v1.0/join-scripts',
'method': 'GET'
}]),
op.DocumentedRuleDefault('kubernetes_provisioner:post_validatedesign',
'role:admin', 'Validate documents',
[{
'path': '/api/v1.0/validatedesign',
'method': 'POST'
}]),
]


@ -17,8 +17,8 @@ from promenade import logging
from promenade import policy
def start_promenade(disable=""):
options.setup(disable=disable)
def start_promenade(disable=False):
options.setup(disable_keystone=disable)
# Setup root logger
logging.setup(verbose=True)


@ -73,6 +73,17 @@ render_curl_url() {
echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}${LABEL_PARAMS}"
}
render_validate_url() {
BASE_URL="${BASE_PROM_URL}/api/v1.0/validatedesign"
if [[ ${USE_DECKHAND} == 1 ]]; then
HREF="href=deckhand%2Bhttp://deckhand-int.ucp.svc.cluster.local:9000/api/v1.0/revisions/${DECKHAND_REVISION}/rendered-documents"
else
HREF="href=${NGINX_URL}/promenade.yaml"
fi
echo "${BASE_URL}?${HREF}"
}
mkdir -p "${SCRIPT_DIR}"
for NAME in "${NODES[@]}"; do
@ -102,6 +113,9 @@ for NAME in "${NODES[@]}"; do
sleep 10
done
log "Validating documents"
ssh_cmd "${VIA}" curl -v "${CURL_ARGS[@]}" -X POST "$(render_validate_url)"
JOIN_CURL_URL="$(render_curl_url "${NAME}" "${LABELS[@]}")"
log "Fetching join script via: ${JOIN_CURL_URL}"
ssh_cmd "${VIA}" curl "${CURL_ARGS[@]}" \
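Review bot: The new "Validating documents" step runs `curl -v`, which prints the request headers, so if `CURL_ARGS` carries an auth token header (not visible in this hunk) the token ends up in the test log. The join-script fetch right below it does not use `-v`. The step also does not fail on an HTTP error unless `CURL_ARGS` already contains `--fail`, so a 403 from the new policy or a 400 from validation would let the test continue. I would write the call as `ssh_cmd "${VIA}" curl --fail "${CURL_ARGS[@]}" -X POST "$(render_validate_url)"`.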