To implement proper scope checking, we need some updated libraries that
properly handle tokens and relay that information to the underlying
service. This commit updates the oslo.policy, oslo.context, oslo.log,
and keystonemiddleware requirements to versions that understand all the
various scopes so that we can update the default policies.
Additionally, this commit updates transitive dependencies in
requirements.txt and lower-constraints.txt to install properly with
lower-constraints defined.
Implements: blueprint secure-rbac
Change-Id: I7dec6b9919e7679aff1a0bb5db1e806384730386
This patch adds functional tests for cinder multiple stores[1] legacy
image migration and new image create.
NOTE: This has been proposed separately as it has a dependency on a
glance-store change[2] which will require a new release of glance-store
to reflect changes on the gate.
[1] https://review.opendev.org/#/c/748039
[2] https://review.opendev.org/#/c/750131
Depends-On: https://review.opendev.org/#/c/750131
Change-Id: I2a3a99bd27db1c72d49b36b87e073e0b97fc874d
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:
1. Change the default value of '[oslo_policy] policy_file''
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.
2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.
Also convert the ./glance/tests/etc/policy.json to policy.yaml
file. Replace policy.json to policy.yaml ref from doc and tests.
[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Depends-On: https://review.opendev.org/c/openstack/nova/+/773192
Change-Id: I17d0374dd4223688e5f95253802a4ae87377953a
md5 is not an approved algorithm in FIPS mode, and trying to
instantiate a hashlib.md5() will fail when the system is running in
FIPS mode.
md5 is allowed when in a non-security context. There is a plan to
add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate
whether or not the instance is being used in a security context.
In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.
Some downstream python versions already support this parameter. To
support these versions, a new encapsulation of md5() has been added to
oslo_utils. See https://review.opendev.org/#/c/750031/
This patch is to replace the instances of hashlib.md5() with this new
encapsulation, adding an annotation indicating whether the usage is
a security context or not.
Reviewers need to pay particular attention as to whether the keyword
parameter (usedforsecurity) is set correctly.
It looks like the usage of md5() here is solely to determine a checksum
of an image.
With this patch and the dependent patch for glance_store, all the
unit and functional tests pass on a FIPS enabled system.
Depends-On: https://review.opendev.org/#/c/756157
Depends-On: https://review.opendev.org/#/c/760160
Change-Id: I3b6d78d9792d4655bf0f4989cf82aced3f27491b
This patch updates the location URL of the legacy images while
upgrading from single cinder store to multiple stores.
It does that with the help of lazy loading logic i.e. while
GET images call, it checks the location URL and metadata
of the image against the configured store ids and updates
images to respective stores on the basis of volume type (comparing
image-volume's type with the configured cinder_volume_type).
Legacy image URL:
cinder://<volume-id>
New image URL:
cinder://<store-id>/<volume-id>
NOTE: bumping lower-constraints/requirements of glance-store to 2.3.0 as
it includes changes[1] that are a hard requirement for cinder multiple
stores to work with glance
[1] https://review.opendev.org/#/c/746556/
Change-Id: I087a89c20813378fea8ff22ddf81d7a10c220db3
Implements: blueprint multiple-cinder-backend-support
This updates lower constraints to versions that will work with py38 so
that when we move to running on focal nodes, which has py38 as its
default py3 runtime, the lower-constraints job will continue to pass.
It also cleans out some secondary requirements that are no longer needed
due to our direct dependencies being updated.
Linters are removed that are kept in the global requirements blacklist
as those are not version tracked and are not relevant for our
lower-constraints unit test runs.
Change-Id: Ie3698c7334b31c2291b41fd3f7e21add0dd6a19b
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
This patch removes majority of the registry and it's related
endpoints and config options that has been deprecated for
removal in various releases.
Change-Id: I75014bd50bf382efebe56bd89c20ffefbdde25f5
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.
Change-Id: I5c32a049e3c8c84777ea4a01e04d1416881bfb5c
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Disable openstackdocs_auto_name to use 'project' variable as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
Remove docs requirements from lower-constraints, they are not needed
during install or test but only for docs building.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: Ib1796ac0c786c16bade68668f0d978ee71d29307
Update to hacking 3.0.
Enable local hacking checks again, newer flake has a different
interface.
Remove hacking and friends from lower-constraints, they are not needed
for installation.
Unbreak docs:
Don't build apidocs for hacking - blacklist in doc/source/conf.py.
Change-Id: Ib230d72be9f0288d77cecd2c5ee0ff7aa91fc086
The default check_str for the "default" policy rule has changed. From
the Queens release until this series it was "role:admin" (prior to
Queens it was "@", which means allow all requests). In order to
accomodate existing policies as best as possible, the default check_str
has been changed back to "".
In the unlikely event that any existing policies are relying on the
default check_str for the "default" rule, they need to start explicitly
specifying it to maintain similar behaviour. This patch adds a
deprecation warning when using the "default" rule without overriding the
value in the policy file.
This will result in users who carry over an unsafe policy file from the
Queens-Train error seeing a warning. Unfortunately it will also result
in a warning for users who no longer supply a policy file and are
relying on the default policies in code.
Change-Id: I3d3ab9b0172521fb42314f2de33ff02985ad4864
Depends-On: https://review.opendev.org/698790
Depends-On: https://review.opendev.org/699299
We were capped at a very old version of hacking. Hacking itself caps the
various linters it uses to remain consistent, so our pep8 job was not
checking quite a bit that current versions have added.
This raises that limit to the latest to get up to the level of other
projects and addresses the errors the updated linters uncovered.
Change-Id: I89a9d73fbd59606a649e26077acebc5c42873d67
Co-authored-by: Sean McGinnis <sean.mcginnis@gmail.com>
Glance isn't explicitly installing requirements, so add requirements
as tox deps in such a way that they'll be properly constrained by the
current openstack upper-constraints.
This change also bumps the version of psycopg to that of the current
upper-constraints in test-requirements and lower-constraints. (The
version in our current lower-constraints is subject to the "could not
determine PostgreSQL version from '10.x'" error, which causes the
lower-constraints job to fail.)
Change-Id: I1bb5759e6b1e3f8545ab417617072a61323b59a7
Closes-bug: #1852356
Oslo Reports enables OpenStack projects to dump Guru Meditation
Reports with useful debugging information on live services
to files or stderr.
Change-Id: I33b6e52870b583c70aa8141ab55d8738beaf5c59
Kombu 4.6.4 causes issues with eventlet 0.23.0 and 0.25.0[1].
Due to an upper-constraint version bump, we're seeing failures
on openstack gate.
This patch fixes the issue.
[1] https://review.opendev.org/#/c/678078
Change-Id: I7e89a9710b6be8b58872d4f44168fcf92b15f711
As a part of vocabulary correction, changed the location
metadata key name from 'backend' to 'store'. Modified
corresponding tests as well.
bp:multi-store-vocabulary-correction
Change-Id: Iae3503cba6be362b372e1fc3e75c2ddb1e99b763
Some options are now automatically configured by the version 1.20:
- project
- html_last_updated_fmt
- latex_engine
- latex_elements
- version
- release.
Change-Id: Ica74f2982a75e3faf7a5244390f2299381eb5b89
This change will allow glance services to run on Windows, using
eventlet wsgi for API services.
This change will:
* avoid monkey patching the os module on Windows (which causes Popen
to fail)
* avoiding unavailable signals
* avoid renaming in-use files or leaking handles
* update the check that ensures that just one scrubber process may
run at a time. We can't rely on process names as there might be
wrapper processes that have similar names (no she-bangs on Windows,
so the scripts are called a bit differently). We'll use a global
named mutex instead.
A subsequent change will leverage Windows job objects as a
replacement for process groups, also avoiding forking when spawning
workers.
At the moment, some Glance tests cannot run on Windows, which is
also covered by subsequent patches.
DocImpact
blueprint windows-support
Change-Id: I3bca69638685ceb11a1a316511ad9a298c630ad5
One of the community goals for Stein is to implement a command-line
tool for operators that runs programmable checks that might impact
upgradability.
This commit lays down the basic structure for the upgrade checks and
ties it up to `glance-status` command.
Change-Id: I7fcf5235a76d15dbcb2c49255bc26c2b586cd71c
Story: 2003657
Task: 26135
Since it's no longer used we can stop requiring it.
This also fixes the requirements check job after
change Ib8c1bf08f5fa7463911602b0df19315907c81e04.
Change-Id: I2f165999fbcc208067a265a3bba049fc86943a47
The requirements/upper-constraints file was modified to allow WebOb
1.8.1 by commit 88bafa11deb9bd7595983d97ffabca338f073ba3. This
patch simplifies some Glance code that could handle both WebOb
1.7.4 and 1.8.1 so that it now only handles the latter, and updates
the glance/requirements.txt and glance/lower-constraints.txt to
reflect that we support WebOb 1.8.1+ only.
Change-Id: I03e03013927cc5434aa0d97657d5e7efd8223ee5
Closes-bug: #1770410
Adds .htaccess containing redirects so old URLs can retrieve
the correct document from the docs reorganization introduced
with commit 1c7f556d4f.
Change-Id: I9678eedd5634ac04482f3f8b5ee0e4177cf985e3
Needed-by: https://review.openstack.org/564344
Partial-bug: #1766257
Create a tox environment for running the unit tests against the lower
bounds of the dependencies.
Create a lower-constraints.txt to be used to enforce the lower bounds
in those tests.
Add openstack-tox-lower-constraints job to the zuul configuration.
See http://lists.openstack.org/pipermail/openstack-dev/2018-March/128352.html
for more details.
Change-Id: Ibd41a407f8f5f4eb2de1a44904fb7df5ab81e30c
Depends-On: https://review.openstack.org/555034
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
Dan Smith