When the config option ``auth_strategy`` is set to ``http_basic`` then
non-public API calls require a valid HTTP Basic authentication header to be
set. The config option ``http_basic_auth_user_file`` defaults to
``/etc/ironic-inspector/htpasswd`` and points to a file which supports the
Apache htpasswd syntax[1]. This file is read for every request, so no
service restart is required when changes are made.
The only password digest supported is bcrypt, and the ``bcrypt``
python library is used for password checks since it supports ``$2y$``
prefixed bcrypt passwords as generated by the Apache htpasswd utility.
To try basic authentication, the following can be done:
* Set ``/etc/ironic-inspector/inspector.conf`` ``DEFAULT`` ``auth_strategy``
to ``http_basic``
* Populate the htpasswd file with entries, for example:
``htpasswd -nbB myName myPassword >> /etc/ironic-inspector/htpasswd``
* Make basic authenticated HTTP requests, for example:
``curl --user myName:myPassword http://localhost:6385/v1/introspection``
[1] https://httpd.apache.org/docs/current/misc/password_encryptions.html
Change-Id: If50dfbfc18445ad9fe27e17cb0ee1b317ff25a0b
Depends-On: https://review.opendev.org/729070
Story: 2007656
Task: 39826
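An offline audit of an htpasswd file against the bcrypt-only rule described in the commit message above, added here as an example; it is not part of the commit or of ironic-inspector's code. The function names, the sample entries and the acceptance of ``$2a$``/``$2b$`` alongside ``$2y$`` are assumptions of this example.

```python
import re

# A bcrypt hash is a prefix, a two-digit cost, then 53 chars of salt + digest.
# Accepting $2a$/$2b$ as well as $2y$ is an assumption of this example.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Other digest prefixes listed in the Apache htpasswd documentation.
OTHER_SCHEMES = (("$apr1$", "apr1-md5"), ("{SHA}", "sha1"))

def classify(digest):
    """Name the digest scheme of one htpasswd password field."""
    if BCRYPT_RE.match(digest):
        return "bcrypt"
    if digest.startswith("$2"):
        return "malformed-bcrypt"
    for prefix, name in OTHER_SCHEMES:
        if digest.startswith(prefix):
            return name
    return "crypt-or-plaintext"

def audit_htpasswd(text):
    """Return (line_no, user, problem) for entries a bcrypt-only check rejects."""
    findings, seen = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, digest = line.partition(":")
        if not (sep and user and digest):
            findings.append((no, user or None, "not user:digest"))
            continue
        if user in seen:
            findings.append((no, user, "duplicate user"))
        seen.add(user)
        scheme = classify(digest)
        if scheme != "bcrypt":
            findings.append((no, user, "unsupported digest: " + scheme))
    return findings

# Constructed sample entries; the digests are filler, not real hashes.
SAMPLE = "\n".join([
    "myName:$2y$05$" + "a" * 53,
    "legacy:$apr1$abcdefgh$" + "b" * 22,
    "old:{SHA}" + "c" * 27 + "=",
    "short:$2y$05$tooshort",
    "myName:$2y$05$" + "d" * 53,
    "no-separator-here",
])
if __name__ == "__main__":
    print(*audit_htpasswd(SAMPLE), sep="\n")
```

Because the file is read for every request, running such a check before replacing the live file catches entries that would otherwise only fail at login time.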
This patch splits API and conductor services for ironic-inspector.
The previous patch utilized a lock from the tooz coordinator; this patch
adds a coordinator wrapper for easier usage and further introduces group
interfaces.
Each conductor service will join a predefined group to mark its
availability. On each request, the API service will query members from
the group, randomly choose one of them, create a designated topic
and deliver the request to it.
The feature is tested with the memcached and file backends of tooz.
Other backends are not fully tested but may work as well; please
refer to the tooz documentation for driver compatibilities[1].
[1] https://docs.openstack.org/tooz/latest/user/compatibility.html
Story: 2001842
Task: 30376
Change-Id: I419176cd6d44d74c066db275ef008fe8bb6ef37a
This patch is part of the inspector HA work, which wraps the inspector api
into an oslo service.
oslo.service has also provided support for signal processing like SIGHUP or
SIGTERM, so this code was removed in this patch.
Deprecated the current SSL cert/key options used by ironic-inspector; the
code that manually creates the ssl context was removed. These options will
be fed from the [ssl] section.
Change-Id: Ia5e16fcb9104556d62c90f5507f17b41f73a5208
Story: #2001842
Task: #12609
This patch is part of the work splitting the inspector api and worker.
The rpc server is wrapped into oslo.service, and launched from
the api process.
Now the api and worker belong to separate threads; functional tests
use the fake messaging driver, while devstack jobs use rabbitmq.
Change-Id: Ie03d16f9d115c3561723463dea6a57d2a763bcc6
Story: #2001842
Task: #23109
Adds oslo.messaging to ironic-inspector, and converts
inspect, abort and reapply to synchronized rpc calls.
This is the first step of API and worker separation.
Change-Id: I15e86d7feb623b6b2889891b9700e5de6b3164cd
Story: #2001842
Task: # 12609
This adds a signal handler to reload mutable configuration options
on SIGHUP.
It has to be done manually, because ironic-inspector doesn't use
oslo.service.
Change-Id: I38955fe9dbfd339df2a10dcbb55e996bf515034a
Story: #1585595
Task: #12543
This patch allows a periodic task to shut down the inspector upon a
(critical) failure. This is needed in case of a (future) PXE filter driver
malfunction to avoid the inspector running with a broken filter.
The test_wsgi_service unit test module was refactored to address test
ordering dependency issues and to enhance the mocking.
Change-Id: I50e6408bf30416d8c7ff9e30be0e938cec12b7cd
Related-Bug: 1665666
Creates a new WSGIService class which keeps the base API service
initialization functionality and serves the flask application. It will
also configure the application for a wsgi container[1].
Also creates a new `cmd` directory for storing console scripts.
[1] https://governance.openstack.org/tc/goals/pike/deploy-api-in-wsgi.html
Related-Bug: #1525218
Change-Id: Ia64228c47a79a3008d435e8323a964f2bc45dfa7