Add credential API

Implements the 'credentials' endpoint to Magnum API, initially
supporting rotation of cluster credentials dictated by the underlying
driver.

Change-Id: Idaab3c0d1fdca4b15505a949182ceb1d987d3a7f
Signed-off-by: Matthew Northcott <[email protected]>

Author: mtnorthcott

magnum/api/controllers/v1/__init__.py

@@ -27,6 +27,7 @@
 from magnum.api.controllers.v1 import certificate
 from magnum.api.controllers.v1 import cluster
 from magnum.api.controllers.v1 import cluster_template
+from magnum.api.controllers.v1 import credential
 from magnum.api.controllers.v1 import federation
 from magnum.api.controllers.v1 import magnum_services
 from magnum.api.controllers.v1 import quota
@@ -98,6 +99,9 @@ class V1(controllers_base.APIBase):
     nodegroups = [link.Link]
     """Links to the nodegroups resource"""
 
+    credentials = [link.Link]
+    """Links to the credentials resource"""
+
     @staticmethod
     def convert():
         v1 = V1()
@@ -162,6 +166,12 @@ def convert():
                                              'clusters/{cluster_id}',
                                              'nodegroups',
                                              bookmark=True)]
+        v1.credentials = [link.Link.make_link('self', pecan.request.host_url,
+                                              'credentials', ''),
+                          link.Link.make_link('bookmark',
+                                              pecan.request.host_url,
+                                              'credentials', '',
+                                              bookmark=True)]
 
         return v1
 
@@ -176,6 +186,7 @@ class Controller(controllers_base.Controller):
     mservices = magnum_services.MagnumServiceController()
     stats = stats.StatsController()
     federations = federation.FederationsController()
+    credentials = credential.CredentialsController()
 
     @expose.expose(V1)
     def get(self):

magnum/api/controllers/v1/credential.py

@@ -0,0 +1,65 @@
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+import pecan
+from wsme import types as wtypes
+
+from oslo_log import log
+
+from magnum.api.controllers import base
+from magnum.api.controllers.v1 import types
+from magnum.api import expose
+from magnum.api import utils as api_utils
+from magnum.common import policy
+
+
+LOG = log.getLogger(__name__)
+
+
+class ClusterID(wtypes.Base):
+    """API representation of a cluster ID
+
+    This class enforces type checking and value constraints, and converts
+    between the internal object model and the API representation of a cluster
+    ID.
+    """
+
+    uuid = types.uuid
+    """Unique UUID for this cluster"""
+
+    def __init__(self, uuid):
+        self.uuid = uuid
+
+
+class CredentialsController(base.Controller):
+    """REST controller for cluster actions."""
+    def __init__(self):
+        super(CredentialsController, self).__init__()
+
+    @base.Controller.api_version("1.12")
+    @expose.expose(ClusterID, types.uuid_or_name, status_code=202)
+    def patch(self, cluster_ident):
+        """Rotate the credential in use by a cluster.
+
+        :param cluster_ident: UUID of a cluster or logical name of the cluster.
+        """
+
+        context = pecan.request.context
+        policy.enforce(context, 'credential:rotate',
+                       action='credential:rotate')
+
+        cluster = api_utils.get_resource('Cluster', cluster_ident)
+        # NOTE(northcottmt): Perform rotation synchronously as there aren't any
+        # slow apply/upgrade operations to do
+        pecan.request.rpcapi.credential_rotate(cluster)
+
+        return ClusterID(cluster.uuid)

magnum/api/controllers/versions.py

@@ -34,10 +34,11 @@
     * 1.9 - Add nodegroup API
     * 1.10 - Allow nodegroups with 0 nodes
     * 1.11 - Remove bay and baymodel objects
+    * 1.12 - Add credential API
 """
 
 BASE_VER = '1.1'
-CURRENT_MAX_VER = '1.11'
+CURRENT_MAX_VER = '1.12'
 
 
 class Version(object):

magnum/api/rest_api_version_history.rst

@@ -105,7 +105,16 @@ user documentation.
   Allow the cluster to be created with node_count = 0 as well as to update
   existing nodegroups to have 0 nodes.
 
+
 1.11
 ---
 
   Drop bay and baymodels objects from magnum source code
+
+
+1.12
+---
+
+  Add credential API
+
+  Allow the cluster to have its associated credential rotated.

magnum/cmd/conductor.py

@@ -29,6 +29,7 @@
 from magnum.conductor.handlers import ca_conductor
 from magnum.conductor.handlers import cluster_conductor
 from magnum.conductor.handlers import conductor_listener
+from magnum.conductor.handlers import credential_conductor
 from magnum.conductor.handlers import federation_conductor
 from magnum.conductor.handlers import indirection_api
 from magnum.conductor.handlers import nodegroup_conductor
@@ -54,6 +55,7 @@ def main():
         indirection_api.Handler(),
         cluster_conductor.Handler(),
         conductor_listener.Handler(),
+        credential_conductor.Handler(),
         ca_conductor.Handler(),
         federation_conductor.Handler(),
         nodegroup_conductor.Handler(),

magnum/common/policies/__init__.py

@@ -18,6 +18,7 @@
 from magnum.common.policies import certificate
 from magnum.common.policies import cluster
 from magnum.common.policies import cluster_template
+from magnum.common.policies import credential
 from magnum.common.policies import federation
 from magnum.common.policies import magnum_service
 from magnum.common.policies import nodegroup
@@ -31,6 +32,7 @@ def list_rules():
         certificate.list_rules(),
         cluster.list_rules(),
         cluster_template.list_rules(),
+        credential.list_rules(),
         federation.list_rules(),
         magnum_service.list_rules(),
         quota.list_rules(),

magnum/common/policies/credential.py

@@ -0,0 +1,35 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+from magnum.common.policies import base
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name='credential:rotate',
+        check_str=base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,
+        scope_types=["project"],
+        description='Rotate the credential of a cluster.',
+        operations=[
+            {
+                'path': '/v1/credentials/{cluster_uuid}',
+                'method': 'PATCH'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules

magnum/conductor/api.py

@@ -175,6 +175,14 @@ def nodegroup_update(self, cluster, nodegroup):
     def nodegroup_update_async(self, cluster, nodegroup):
         self._cast('nodegroup_update', cluster=cluster, nodegroup=nodegroup)
 
+    # Credential Operations
+
+    def credential_rotate(self, cluster):
+        return self._call('credential_rotate', cluster=cluster)
+
+    def credential_rotate_async(self, cluster):
+        return self._cast('credential_rotate', cluster=cluster)
+
 
 @profiler.trace_cls("rpc")
 class ListenerAPI(rpc_service.API):

magnum/conductor/handlers/credential_conductor.py

@@ -0,0 +1,58 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_log import log as logging
+
+from magnum.common import exception
+from magnum.common import profiler
+import magnum.conf
+from magnum.drivers.common import driver
+from magnum.i18n import _
+from magnum.objects import fields
+
+CONF = magnum.conf.CONF
+
+LOG = logging.getLogger(__name__)
+
+ALLOWED_CLUSTER_STATES = {
+    fields.ClusterStatus.CREATE_COMPLETE,
+    fields.ClusterStatus.UPDATE_COMPLETE,
+    fields.ClusterStatus.UPDATE_IN_PROGRESS,
+    fields.ClusterStatus.UPDATE_FAILED,
+    fields.ClusterStatus.RESUME_COMPLETE,
+    fields.ClusterStatus.RESTORE_COMPLETE,
+    fields.ClusterStatus.ROLLBACK_COMPLETE,
+    fields.ClusterStatus.SNAPSHOT_COMPLETE,
+    fields.ClusterStatus.CHECK_COMPLETE,
+    fields.ClusterStatus.ADOPT_COMPLETE
+}
+
+
+@profiler.trace_cls("rpc")
+class Handler(object):
+
+    def __init__(self):
+        super(Handler, self).__init__()
+
+    def credential_rotate(self, context, cluster):
+        if cluster.status not in ALLOWED_CLUSTER_STATES:
+            operation = _(
+                f'{__name__} when cluster status is "{cluster.status}"')
+            raise exception.NotSupported(operation=operation)
+
+        cluster_driver = driver.Driver.get_driver_for_cluster(context, cluster)
+
+        try:
+            cluster_driver.rotate_credential(context, cluster)
+        except NotImplementedError:
+            raise exception.NotSupported(
+                message=_("Credential rotation is not supported by driver."))

magnum/drivers/common/driver.py

@@ -257,6 +257,10 @@ def delete_nodegroup(self, context, cluster, nodegroup):
         raise NotImplementedError("Subclasses must implement "
                                   "'delete_nodegroup'.")
 
+    def rotate_credential(self, context, cluster):
+        raise NotImplementedError(
+            "Driver does not support credential rotate.")
+
     def get_monitor(self, context, cluster):
         """return the monitor with container data for this driver."""