Add policy to validatedesign

Adds policy enforcement to validatedesign and adds testing for
validatedesign endpoint. Also fixes error when raising
ValidationException.

Change-Id: Ie48fc49a05f7890866d2dd3480c4d6333ef3a087
Samantha Blanco 2017-12-21 18:25:44 -05:00
parent 47bf886ddd
commit a3b79eabc0
7 changed files with 33 additions and 30 deletions


@ -1,7 +1,7 @@
PKI Catalog PKI Catalog
=========== ===========
Configuration for certificate generation in the cluster. Configuration for certificate and keypair generation in the cluster.
Sample Document Sample Document


@ -19,6 +19,7 @@ import falcon
from promenade.config import Configuration from promenade.config import Configuration
from promenade.control import base from promenade.control import base
from promenade import exceptions from promenade import exceptions
from promenade import policy
from promenade import validation from promenade import validation
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
@ -46,10 +47,12 @@ class ValidateDesignResource(base.BaseResource):
"code": status_code, "code": status_code,
}) })
@policy.ApiEnforcer('kubernetes_provisioner:post_validatedesign')
def on_post(self, req, resp): def on_post(self, req, resp):
href = req.get_param('href', required=True) href = req.get_param('href', required=True)
try: try:
config = Configuration.from_design_ref(href) config = Configuration.from_design_ref(
href, allow_missing_substitutions=False)
validation.check_design(config) validation.check_design(config)
msg = "Promenade validations succeeded" msg = "Promenade validations succeeded"
return self._return_msg(resp, falcon.HTTP_200, message=msg) return self._return_msg(resp, falcon.HTTP_200, message=msg)
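Review bot: `href` in `on_post` comes straight from the query string and is handed to `Configuration.from_design_ref`, which presumably makes the server retrieve that reference. The new `role:admin` policy narrows who may call the endpoint, but nothing visible in this hunk limits where the reference may point. Consider rejecting references whose scheme or host is not an expected design source before the call, and record the trust boundary with a comment such as `# href is caller-supplied and resolved server-side; keep this handler behind policy enforcement`. The body of `on_post` continues past the hunk, so the except branches and any checks inside `from_design_ref` are not visible here.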


@ -196,7 +196,7 @@ class PromenadeException(Exception):
@staticmethod @staticmethod
def _gen_ex_message(title, description): def _gen_ex_message(title, description):
ttl = title or 'Exception' ttl = title or 'Exception'
dsc = description or 'No additional decsription' dsc = description or 'No additional description'
return '{} : {}'.format(ttl, dsc) return '{} : {}'.format(ttl, dsc)
@staticmethod @staticmethod


@ -4,30 +4,10 @@ import keystoneauth1.loading
OPTIONS = [] OPTIONS = []
def setup(disable=None): def setup(disable_keystone=False):
if disable is None:
disable = []
else:
disable = disable.split()
for name, func in GROUPS.items():
if name not in disable:
func()
cfg.CONF([], project='promenade') cfg.CONF([], project='promenade')
def register_application():
cfg.CONF.register_opts(OPTIONS) cfg.CONF.register_opts(OPTIONS)
if disable_keystone is False:
cfg.CONF.register_opts(
def register_keystone_auth(): keystoneauth1.loading.get_auth_plugin_conf_options('password'),
cfg.CONF.register_opts( group='keystone_authtoken')
keystoneauth1.loading.get_auth_plugin_conf_options('password'),
group='keystone_authtoken')
GROUPS = {
'promenade': register_application,
'keystone': register_keystone_auth,
}
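Review bot: `if disable_keystone is False:` in `setup` is an identity test, so any value other than the literal `False` skips registering the `keystone_authtoken` options. That includes `None`, `0`, and the empty string that `start_promenade` used as its default before this change. Callers of `start_promenade` are not shown; if one still passes a string or an unset environment value, the Keystone options would be dropped without any error. Prefer `if not disable_keystone:`, and because the flag switches an authentication-related path, reject non-boolean input explicitly, e.g. `if not isinstance(disable_keystone, bool): raise TypeError('disable_keystone must be a bool')`.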


@ -35,6 +35,12 @@ POLICIES = [
'path': '/api/v1.0/join-scripts', 'path': '/api/v1.0/join-scripts',
'method': 'GET' 'method': 'GET'
}]), }]),
op.DocumentedRuleDefault('kubernetes_provisioner:post_validatedesign',
'role:admin', 'Validate documents',
[{
'path': '/api/v1.0/validatedesign',
'method': 'POST'
}]),
] ]


@ -17,8 +17,8 @@ from promenade import logging
from promenade import policy from promenade import policy
def start_promenade(disable=""): def start_promenade(disable=False):
options.setup(disable=disable) options.setup(disable_keystone=disable)
# Setup root logger # Setup root logger
logging.setup(verbose=True) logging.setup(verbose=True)


@ -73,6 +73,17 @@ render_curl_url() {
echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}${LABEL_PARAMS}" echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}${LABEL_PARAMS}"
} }
render_validate_url() {
BASE_URL="${BASE_PROM_URL}/api/v1.0/validatedesign"
if [[ ${USE_DECKHAND} == 1 ]]; then
HREF="href=deckhand%2Bhttp://deckhand-int.ucp.svc.cluster.local:9000/api/v1.0/revisions/${DECKHAND_REVISION}/rendered-documents"
else
HREF="href=${NGINX_URL}/promenade.yaml"
fi
echo "${BASE_URL}?${HREF}"
}
mkdir -p "${SCRIPT_DIR}" mkdir -p "${SCRIPT_DIR}"
for NAME in "${NODES[@]}"; do for NAME in "${NODES[@]}"; do
@ -102,6 +113,9 @@ for NAME in "${NODES[@]}"; do
sleep 10 sleep 10
done done
log "Validating documents"
ssh_cmd "${VIA}" curl -v "${CURL_ARGS[@]}" -X POST "$(render_validate_url)"
JOIN_CURL_URL="$(render_curl_url "${NAME}" "${LABELS[@]}")" JOIN_CURL_URL="$(render_curl_url "${NAME}" "${LABELS[@]}")"
log "Fetching join script via: ${JOIN_CURL_URL}" log "Fetching join script via: ${JOIN_CURL_URL}"
ssh_cmd "${VIA}" curl "${CURL_ARGS[@]}" \ ssh_cmd "${VIA}" curl "${CURL_ARGS[@]}" \
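Review bot: The added `curl -v ... -X POST "$(render_validate_url)"` call does not check the response, so unless `CURL_ARGS` already carries `--fail`, a 4xx/5xx from validatedesign (including a policy denial) leaves the test passing. `-v` also prints request headers; if `CURL_ARGS` includes a token header (its contents are not shown here), that credential ends up in the job log. Suggest `ssh_cmd "${VIA}" curl --fail "${CURL_ARGS[@]}" -X POST "$(render_validate_url)"`. The call also sits inside the per-node loop, so the same design is validated once per node rather than once per run.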