Commit Graph

136 Commits

Author SHA1 Message Date
Carlos Bravo ab66a192f4 Added OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED to config options
Starting from OpenStack Bobcat (2023.2) Multi Factor Authentication
was added for Horizon. This change introduced a new variable called
OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED, which if set to True will display
a new form requesting the user's TOTP code for MFA-enabled users.

This change provides the missing OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED
config option for the charm, allowing the user to enable from the
charm's configuration. If the value is set to True, the new bobcat
template will render the following values:
OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED = True

AUTHENTICATION_PLUGINS = [
    'openstack_auth.plugin.totp.TotpPlugin',
    'openstack_auth.plugin.password.PasswordPlugin',
    'openstack_auth.plugin.token.TokenPlugin'
]

Closes-Bug: #2058689
Change-Id: Ifedf587356693b58612b1fc4d7404f0f446158ce
2024-03-27 21:57:28 -04:00
Rodrigo Barbieri 09c5871160 Adjust haproxy timeout to intended values
Many years ago change Ida7949113594b9b859ab7b4ba8b2bb440bab6e7d
attempted to change the timeouts of haproxy but did not succeed,
as deployments were still using the values from the charm's
templates/haproxy.cfg file, being effectively set to 30 seconds
and causing timeouts (see bug). Additionally, the description
of the config options became inaccurate, stating the default to
be a value that they were really not.

This patch addresses the timeout value discrepancy, adjusting
to the original change's intended values.

Closes-bug: #2045168
Change-Id: I83405727b4a116ec6f47b61211bf8ef3d2d9fbd6
2024-03-06 14:59:11 -03:00
Rodrigo Barbieri 6b93e9dd87 Allow configure of OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES
If network calls to retrieve ports and floating IPs take too long,
then the project > instances page cannot be loaded. This config
allows disabling the network calls when loading the page with
minor side-effects, as a workaround to avoid downtime while other
performance optimizations can be done on the side to allow
the page to load so the workaround is no longer needed.

Closes-bug: #2051003
Related-bug: #2045168
Change-Id: Iedad6ef48cbe0b776594f4ad8276d3d713cd360c
2024-01-24 11:19:01 -03:00
Corey Bryant 16c5a02641 Add local_settings.py template for Bobcat
This fixes issues found in testing with Django 4 in mantic.

ugettext_lazy was deprecated in Django 3.0 and removed in
Django 4.0. Switch to gettext_lazy.

Switch to PyMemcacheCache backend as the Django MemcachedCache
backend was removed in Django 4.1 in favor of the PyMemcacheCache
or PyLibMCCache backend. This depends on a new openstack-dashboard
package version that will be provided in an SRU for bug #2039225.

Closes-Bug: #2039226
Closes-Bug: #2039225
Change-Id: Ia8e4f6f5f50d58268e4c6fa80c9f9c65a56a26ea
2023-10-13 15:03:09 -04:00
Zuul cca834cb50 Merge "ALLOWED_HOSTS must be list format for django 4.x" 2022-09-16 13:57:06 +00:00
Erhan Sunar a11b43558f Disabled browser cache (excluding static files)
Added or replaced Cache-Control and Pragma http headers with:
Cache-Control: no-store
Pragma: no-cache

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/865
Closes-Bug: #1836518
Change-Id: If437c5e41892e09adbaaa1add494c85671706622
2022-09-02 07:09:38 +00:00
Zuul 333501d88f Merge "Introduce source IP based rate limiting" 2022-08-19 13:52:29 +00:00
Mert Kırpıcı c0f8708761 Introduce source IP based rate limiting
Since we are running haproxy in L4, we are tracking the incoming
byte rate from client IPs and rejecting TCP connections in a
sliding window.

This approach limits the incoming HTTP requests however image uploading
through the horizon web app is unaffected.

Change-Id: Ie40d28acb2dc2983fc9edbbeacfd671b380a8f6d
Closes-Bug: #1836514
Signed-off-by: Mert Kırpıcı <mert.kirpici@canonical.com>
2022-08-05 15:29:43 +03:00
Muhammad Ahmad af7a57d539 Add enable_router config option
This patch adds an option of enabling/disabling router panel view
in the horizon. To hide the router/floating-ip panel, set the config
option 'enable-router-panel=False'. Default value is True.

Closes-Bug: #1966815
Change-Id: If6fb3b57f05a1ab6342077d2142bd47cfce57948
2022-07-28 18:57:15 +00:00
Corey Bryant c3f138ed27 ALLOWED_HOSTS must be list format for django 4.x
Closes-Bug: #1982199
Change-Id: I9f4251995481ca5970cb901c2fe27de3c5e31749
2022-07-19 15:10:56 -04:00
Felipe Reyes 15c0d34211 Set customization_module in local_settings.py
The configuration key customization-module is expected to set
HORIZON_CONFIG["customization_module"] in local_settings.py although
this was missing from the template for releases >= newton.

Change-Id: Ia741bf3d8298f66b4f1e2324159d4ab851634efb
Closes-Bug: #1977494
2022-06-03 14:56:40 -04:00
jneo8 b00c977b52 Add CREATE_INSTNACE_FLAVOR_SORT option
Closes-Bug: #1663191
Change-Id: I56a30b4b80ef2cb3ac96359a3932b53c735b5c01
2022-04-28 12:06:32 +00:00
Nobuto Murata bd0eed2c84 Allow customization of branding
Make the following values configurable:
- SITE_BRANDING
- SITE_BRANDING_LINK
- HORIZON_CONFIG["help_url"]

Closes-Bug: #1959366
Change-Id: I34716bd68cc50b53dd28f6bb7a19409ece355465
2022-02-01 01:00:09 +09:00
Nobuto Murata dbc4077ba5 Ease KeepAliveTimeout
Apache2's default value for KeepAliveTimeout is 5 seconds, which is okay
for general web-page serving use cases. However, connections from a web
browser to Horizon application can be terminated unnecessarily during
multiple requests in a session due to the short KeepAliveTimeout.

Let's ease KeepAliveTimeout to 75 seconds, which is fairly standard for
services behind a reverse proxy since it's the default value of nginx.

Closes-Bug: #1947010
Change-Id: Iff9357e5efb7937927a8d0a6de072d4afaa98906
2021-11-23 04:46:42 +00:00
Bartlomiej Poniecki-Klotz 18a9ac1171 hide-create-volume config added
The configuration option hide-create-volume was added and is passed into the horizon configuration as hide_create_volume.

Closes-Bug: #1939079
Change-Id: I639810d5908cc58f41907f9a3bd66dc78b9517d6
2021-11-16 09:55:37 +00:00
Felipe Reyes 530426ae69 Add config use-internal-endpoints option.
This patch adds a configuration option that instructs
openstack-dashboard to configure Horizon using the internal host
exposed by the keystone charm, this behavior is already present in
other charms like nova-cloud-controller.

Change-Id: Ic372a2c65c52a77229c5c2867919aa318e9ac0a1
Closes-Bug: #1812361
Depends-On: https://review.opendev.org/c/openstack/charm-keystone/+/696997
2021-03-08 12:45:44 -03:00
Garrett Thompson 8e4dc4844a Add ENFORCE_PASSWORD_CHECK setting
This setting is a behavior change, requiring the admin password
to be provided when changing the password of an admin user. Enabling
this setting by default adheres to the security recommendation
provided in the OpenStack security guide [0].

To enable this setting for Queens (the oldest supported OpenStack
release at the time of this commit), a new local_settings.py file was
copied from the Ocata template to ensure that any future versions will
inherit this setting until a new change is made.

Due to the security-checklist action currently failing [1], these have been
extracted to another class, and refactored in the zaza-openstack-tests
repo [2].

[0] https://docs.openstack.org/security-guide/dashboard/checklist.html

[1] 2ef404be75/zaza/openstack/charm_tests/openstack_dashboard/tests.py (L418)

[2] https://github.com/openstack-charmers/zaza-openstack-tests/pull/501

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/501
Closes-Bug: #1883196
Change-Id: Idfd8654732289481806aea8b47ffa28cf3f97697
2021-02-12 00:27:27 +00:00
Eric Desrochers 6ba0b72827 Revert "Update template to enable offline-compression"
This reverts commit 0fe556e389.

Closes-Bug: 1903911
Related-Bug: 1902890

Change-Id: I3e774e1ce98a9e77905bf49075c95ba478cb13c3
Signed-off-by: Eric Desrochers <eric.desrochers@canonical.com>
2020-11-13 11:38:58 -05:00
Michael Quiniola 0fe556e389 Update template to enable offline-compression
This update fixes slow page render times in the OpenStack
Dashboard charm. By default the charm is not set to enable
the COMPRESS_OFFLINE configuration option. Uncommenting
the line that contains this option resolves this issue.

Closes-Bug: 1867938

Change-Id: I6edac134d40fe8196795c245e8589be85f49cc9c
2020-10-01 10:10:06 -07:00
Nobuto Murata e462df7401 Refresh cipher suites and protocols
The last update was 2016, and it's time to drop TLSv1 and TLSv1.1 as the
base configuration recommended by Mozilla.
https://wiki.mozilla.org/Security/Server_Side_TLS

Follow-up of the following commits:
106f418f13

Related changes in charm-helpers:
https://github.com/juju/charm-helpers/pull/485

Change-Id: Ib959663634bc648328e5cb35ed3d3622d759412c
Closes-Bug: #1886630
2020-07-07 21:44:49 +09:00
Xav Paice 957a6adc03 Add disable-password-reveal option
Adds config item to add HORIZON_CONFIG['disable_password_reveal'] = True
option to Horizon's local_settings.py, from Mitaka onwards.  This
prevents the reveal password button from being displayed.

Change-Id: I299f6a6388c3a2ab68cabaeb16e5104ec319e144
Closes-bug: #1840251
2020-03-12 15:59:06 +13:00
Alex Kavanagh 03cb557fc8 Add disable-instance-snapshot config item
This patchset adds the disable-instance-snapshot config item that
controls the "disable_instance_snapshot" dictionary item in the
LAUNCH_INSTANCE_DEFAULTS setting in local_settings.py

Change-Id: Ic15f60517ed8a7f67704b15f4b42baabe74f83c6
Closes-Bug: #1818221
2020-01-13 12:01:51 +00:00
cjohnston 8b6d16698a Add config option for exposing HAProxy stats interface.
Change-Id: I41799835a4d59dd7d4e0c0becf0908eaab6281ae
Closes-Bug: #1710208
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/147
2019-12-17 22:28:17 +00:00
Alex Kavanagh 5375df0b12 Remove Set-Cookie .... HttpOnly;secure to allow CSRF access
Angular (running in the page) can't access the CSRF token if the cookie
is set to secure.  This is a temporary patch to resolve the issue whilst
a more permanent fix is found.

This reverts patch I1ded951d79ad9fa832d1e88f656a1e064b1ef007
(essentially).

Change-Id: Id99abb429a0dc541ab5a3603962db8a563835eea
Related-Bug: #1822751
Closes-Bug: #1853173
2019-11-25 13:05:40 +00:00
Alex Kavanagh 1b1e7c583c Policyd override implementation
This patchset implements policy overrides for octavia.  It uses the
code in charmhelpers [1] which has been modified to support the richer
and more complex approach to handling policy overrides.

[1]: https://github.com/juju/charm-helpers/pull/393

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/126

Change-Id: Ib51fd2c7c540c680083c2928eab4ce4df0d43e23
Closed-Bug: #1741723
2019-11-20 14:40:03 +00:00
Sahid Orentino Ferdjaoui 101098a1c2 apache2: add secure flag header when enforce_ssl
The Secure attribute tells the browser to only send the cookie if the
request is being sent over a secure channel such as HTTPS. This will
help protect the cookie from being passed over unencrypted requests.

Change-Id: I1ded951d79ad9fa832d1e88f656a1e064b1ef007
Closes-bug: #1822751
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
2019-08-22 11:01:16 +00:00
Dmitrii Shcherbakov 2e927f2c42 Fix incorrect policy rules
The template for Rocky+ contains incorrect policy rules.

user_id and domain_id are not rules and are built-in to oslo.policy.

Change-Id: Ia8678063ad332731c5d09dc908f0282a91badb4d
Closes-Bug: #1827526
2019-05-03 18:14:07 +03:00
Dmitrii Shcherbakov 4573def42a Add app-credentials-specific policy rules
In order to have Create and Delete buttons for application credentials
in non-admin projects we need to add the respective policy.json rules.

The dashboard pane for application credentials was added in Rocky.

Change-Id: I42d4772ebe185c35cc5e81c36ebdb3f6f6c169c4
Closes-Bug: #1827107
2019-04-30 21:44:22 +03:00
tpsilva ca21ac8116 Add option to hide/show consistency groups tab
Cinder by default does not enable Consistency Groups, but Horizon always
show its tabs and there is not an option to hide them. This patch adds a
config option to change the policy file to hide or show those tabs.

Change-Id: Ia2fb52650201524acbb8d6aafe37e7c0ea26e99e
Closes-bug: #1684113
2019-03-19 09:50:25 -03:00
Zuul c59894df27 Merge "Use common ApacheSSLContext" 2019-02-22 11:00:14 +00:00
Frode Nordahl 19915f6806 Use common ApacheSSLContext
Remove the custom ApacheSSLContext class and use the common
one from ``charmhelpers.contrib.openstack`` instead.

Update ``default-ssl`` template so we can make use of multiple
endpoints with SNI.

Sync required changes to charm-helpers.

Change-Id: Icc990448d2c7469c5253d04ad43371d01d5580d9
Related-Bug: #1816621
2019-02-22 10:56:14 +01:00
Jesper Schmitz Mouridsen fd9fe98536 Make DROPDOWN_MAX_ITEMS configurable
This change implements a new option dropdown-max-items, that
sets the DROPDOWN_MAX_ITEMS of horizon.

Change-Id: I2ac03b406cc8b787424747c0bfeeedffd7712c9f
2019-02-21 19:36:05 +01:00
Andre Ruiz 7e2a9b4749 Implement new option: session-timeout
This change implements a new option in config.yaml that enables
a specific session timeout to be defined.

Change-Id: I4a521c672347e33718fd03427393eaa5356e57cb
Closes-Bug: #1599968
2019-02-19 14:21:27 -03:00
Edward Hope-Morley ac7793ffee Make fip topology check configurable
Horizon will by default check that a project has
a router with a port on an external network prior
to allowing floating ips to be attached to
instances. Since it is valid to use a shared
router from a different project we make this
configurable to allow disabling this check.

Closes-Bug: #1815032
Change-Id: I5c3e44e5daa683e14ac39979d6e9a7c2238dd120
2019-02-07 11:54:12 +00:00
Seyeong Kim 1534accb10 Adding default theme on AVAILABLE_THEME even if custom is enabled.
In case custom theme imports default theme's scss file, upgrading
openstack-dashboard pkg causes compression error. By adding default
theme to AVAILABLE_THEME list, collectstatic collects proper default
theme files to /var/lib/openstack-dashboard/static/ and custom theme
can import proper files.

Importing default theme's files seems to be normal when someone wants
to modify default theme a little not creating whole theme.

Closes-Bug: #1812148

Change-Id: Ic1aa03387814a57dde876aa6d95e64b555152b7c
2019-01-26 00:49:41 +00:00
Alex Kavanagh eca37a1dad Update charm to PY3 only code
This change upgrades the charm to PY3 only mode.
Note the changes to charm-helpers have also been made to support
Apache auditing code in PY3.

Change-Id: Idd347de5818ec57cb05f38170fe0d6536157a0da
2018-10-02 12:11:08 +01:00
Ryan Beisner f9c822e901 Update functional test definitions
Update testing setup and config.
Fixes to policy.json

Closes-Bug: #1789961
Change-Id: Iac5da7cd02a5c87f3002dbabf6c21a5c2f936536
2018-09-04 10:14:33 -07:00
Zuul 7c33c07858 Merge "Add ability to configure api_result_limit" 2018-07-16 07:11:05 +00:00
Chris Sanders e5d9c95724 Allow custom theme install
Adds a setting custom-theme which operates similar to ubuntu-theme and
default-theme. The provided resource is placed in the themes folder and
apache is setup to serve static content for the theme. This leaves the
default theme untouched allowing the custom theme to override files
based on the built in horizon theme capabilities. For details on theming
capabilities see:
https://docs.openstack.org/horizon/latest/configuration/themes.html

gnuoy: retry logic for unrelated test updated after a number of CI
failures.

Closes-Bug: #1778284

Change-Id: I91ad19e8aad5c0e0773d42fa4f085cbcecb82458
2018-07-12 08:09:05 +00:00
Shane Peters e58a1b2a3d Add ability to configure api_result_limit
In clouds with many containers or objects, listing them via Horizon
can cause a significant increase of system load.

This patch enables configuration of the API_RESULT_LIMIT setting within
Horizon. This limits the maximum number of objects to display on a
single page before providing a paging element to paginate results.

Change-Id: Ifaf39d6c9bf549428afd7653243c82cd719956f6
Closes-Bug: 1775002
2018-07-09 11:34:20 -04:00
Billy Olsen e10f120a1d Update keystonev3_policy.json to enable UI buttons
The horizon interface enables/displays actions based on the
keystonev3_policy.json file provided. The keystonev3_policy.json file
included by the charm has rules for various actions that depend on the
target object's domain id (user, group, project). The buttons displayed
for creating and deleting the objects (shown above the tables) are also
based on these policy rules but no target object exists because they are
bound to the table and not a specific target object.

This patch changes some of the policy rules to create/delete users,
projects, and groups to not require the target object's domain_id. This
is safe to do because the table is shown within the context of the
target domain_id already. Additionally, the actual ability to alter
objects is controlled by the actual policy installed in Keystone and not
the Horizon UI.

Without this change, actions such as "Create User" will only show for
a user who is a cloud admin and not for any domain admins (even if the
domain admin is allowed to perform the action via the API or CLI).

Change-Id: Ie0a85e11e6a171083deb19b0eb26c7e552390c00
Closes-Bug: #1775224
Closes-Bug: #1775229
2018-06-10 23:16:06 -07:00
Dmitrii Shcherbakov 45be17c904 add WebSSO support
* add support for relating with subordinate charms providing Service
  Provider functionality via apache2 authentication modules;
* retrieve protocol, identity provider and user-facing name info from
  keystone service provider charm subordinates;
* provide trusted dashboard information to keystone charm

Change-Id: I15ca0dd1616ec12c7ad47dc05961b51bb45bb770
2018-05-09 00:28:14 +03:00
Corey Bryant e0f9ad5a02 Align Ocata Apache conf with other releases
This runs the Apache conf for Ocata under horizon:horizon as we
already do for other releases.

Change-Id: I07775bd13c117b8a56295f348a9383c8ecb1ed76
Partial-bug: #1755027
2018-03-15 11:21:11 -04:00
James Page c35faf4cbc Auto-configure WSGI worker processes
Automatically configure WSGI worker processes in line with other
charms using the worker-multiplier configuration option and the
WSGI worker configuration context from charm-helpers.

Change-Id: Ib8af4a5a54fcff13a05ba4f4094bf123d5282c4a
2018-03-15 14:39:41 +00:00
Nobuto Murata 48119619a0 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT expects boolean
Previously the single domain mode has been implemented. This is a
follow-up commit to set the value properly as boolean instead of string.

Change-Id: I0e34d93d05693bf0ca5e8f68bc9af198fd29680a
Closes-Bug: #1744346
Related-Bug: #1712999
2018-01-19 17:44:35 +00:00
James Page b4019e45bf Remove deploy from source support
Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: I19732b50483ab7284723f847f182fd1cfa67e425
2018-01-08 15:09:53 +00:00
Xav Paice 18030fe75b Add option for image formats config
For Mitaka -> Ocata, add image_formats to local_settings.py.

Change-Id: I582e516eb306a52cdee2a0bd4b31046b45af7a51
Closes-bug: 1724271
2017-12-11 10:03:08 +13:00
Nobuto Murata 55b9667193 Allow to override the default volume creation behavior
Now that Horizon upstream added the ability to configure the default
"create volume" value when launching an instance (See. LP: #1678109),
expose it as a new charm config.

Change-Id: I68a6f199a72c11ad4eff2b587cb4279c91da52ae
Closes-Bug: #1711342
2017-11-15 10:22:08 +09:00
Corey Bryant 5e0f9e508b Fix theme rendering for kilo
Set WEBROOT in openstack-dashboard's local_settings.py to the value
of webroot from the charm's config (see config.yaml).

Add /horizon/static alias to apache2 config in addition to /static
to cover both paths to static resources.

Change-Id: I29a156d322bac91ca02fb0f08f291fc805e59110
Closes-Bug: #1728086
2017-10-27 20:02:26 +00:00
Nobuto Murata a055181658 Allow to enable password autocompletion by browser
Horizon tries to inhibit browsers' password autocompletion by default.
Offer a configurable option in the charm so that admin can allow
password autocompletion if necessary.

Change-Id: I461752d1d1175f777de5bff26953b200efb17137
Closes-Bug: 1714676
2017-10-23 14:13:32 +00:00