The Magnum service now allows enabling the new RBAC policy defaults and scope
enforcement. The default values of the config options ``[oslo_policy] enforce_scope``
and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both ``False``, but will
change to ``True`` in following cycles.
To enable them, modify the config options below in the ``magnum.conf`` file::

    [oslo_policy]
    enforce_new_defaults=True
    enforce_scope=True

Reference the TC goal for more detail:
https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
Related blueprint secure-rbac
Change-Id: I249942a355577c4f1ef51b3988f0cc4979959d0b
Tenant has been removed from context.
Fixes UTs and pep8.
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Change-Id: I10daa22b614aab456b837c03278eb04da0355ff7
Update usage of tenant to project_id and user to user_id when handling context
fields. This drops deprecation warnings.
Change-Id: I8001be34bcc25678ed99b6b6717ad170ae6d2d77
Currently the is_admin flag is always False. As a result
some of the admin operations are not working.
For example, quotas-list is not listing all the
user quotas.
This change sets the flag correctly based on the
roles assigned to the user and policies defined
in policy.json.
Change-Id: I01534ccf1cf1e635282db497e0e026bea19c3bd2
Closes-Bug: #1660843
* Add osprofiler wsgi middleware. This middleware is used for 2 things:
  1) It checks that the person who wants to trace is trusted and knows
     the secret HMAC key.
  2) It starts tracing in case of proper trace headers
     and adds the first wsgi trace point, with info about the HTTP request.
* Add initialization of osprofiler at start of service.
  Currently that includes oslo.messaging notifier instance creation
  to send Ceilometer backend notifications.
* Traces HTTP/RPC/DB API calls
Demo: https://hieulq.github.io/cluster-create-false-new-html.html
Co-Authored-By: Hieu LE <hieulq@vn.fujitsu.com>
Implements: blueprint osprofiler-support-in-magnum
Change-Id: I7d68995aab81d365433950aada078ef1fcd5469b
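The first job of the middleware described in the commit above, admitting a trace request only when the caller proves knowledge of the shared HMAC key, is shown below as an added example. This is not osprofiler's or Magnum's code: the header names (X-Trace-Info / X-Trace-HMAC), the use of SHA-256 over the raw header value, the key list and the sample trace payloads are assumptions made here for the demonstration; osprofiler's real wire format differs.

```python
"""Admit a trace request only if its header carries a valid HMAC.

Added example, not code from osprofiler or Magnum. Header names, the
signing scheme (hex SHA-256 HMAC over the base64 payload) and the key
list are assumptions for the demonstration.
"""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed operator secrets; a real service reads these from its config.
# A list lets operators rotate keys without breaking in-flight tracing.
HMAC_KEYS = ["trace-secret-1", "trace-secret-2"]


def sign_trace_info(trace_info, key):
    """Produce the (X-Trace-Info, X-Trace-HMAC) pair a trusted client sends."""
    raw = base64.b64encode(
        json.dumps(trace_info, sort_keys=True).encode()).decode()
    mac = hmac.new(key.encode(), raw.encode(), hashlib.sha256).hexdigest()
    return raw, mac


def headers_from_environ(environ):
    """WSGI exposes request headers as HTTP_<NAME>, dashes turned to underscores."""
    return {"X-Trace-Info": environ.get("HTTP_X_TRACE_INFO"),
            "X-Trace-HMAC": environ.get("HTTP_X_TRACE_HMAC")}


def verify_trace_headers(headers, keys=HMAC_KEYS):
    """Return the decoded trace info when the MAC verifies, else None.

    Absent headers mean "no tracing requested" and are not an error;
    a present but invalid MAC is treated exactly like no headers, so an
    untrusted caller cannot switch profiling on.
    """
    raw = headers.get("X-Trace-Info")
    mac = headers.get("X-Trace-HMAC")
    if raw is None or mac is None:
        return None
    for key in keys:
        expected = hmac.new(key.encode(), raw.encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time compare: a plain == returns on the first differing
        # byte and leaks how much of the MAC the attacker has guessed.
        if hmac.compare_digest(expected, mac):
            try:
                return json.loads(base64.b64decode(raw))
            except (ValueError, binascii.Error):
                return None  # authentic but malformed: do not start tracing
    return None


def trace_requested(environ, keys=HMAC_KEYS):
    """Middleware entry point: decoded trace info or None for a WSGI environ."""
    return verify_trace_headers(headers_from_environ(environ), keys)
```

The verifier accepts any configured key so that a key rotation can overlap; the compare_digest call is the part that matters for security, since the MAC is checked on every request and a byte-at-a-time comparison would be observable over the network.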
We should pass roles to oslo_context to initialize instead of
manually setting it.
Change-Id: Ice05204d789bb1770ab6605f06d670c5fc7c6726
Closes-Bug: #1654813
Centralize config option of urlfetch and periodic section.
Replace oslo_config cfg to magnum.conf.
Clean up some oslo_config import_opt and use magnum.conf.
Finish Implements: blueprint centralize-config-magnum
Change-Id: I11fb85159b260865beae9686734ca102ebc3154b
This is patch 3 of 3 to change the internal usage of the terms
Bay and BayModel. This patch updates Bay to Cluster in DB and
Object as well as all the usages. No functionality should be
changed by this patch, just naming and db updates.
Change-Id: Ife04b0f944ded03ca932d70e09e6766d09cf5d9f
Implements: blueprint rename-bay-to-cluster
The periodic task unnecessarily lists Heat stacks in the
global tenant (across all tenants) which the Magnum service
user may lack permission for. Also, the most restrictive way
to let it use global stack-list is to choose a Keystone role and
open that operation to any user in any project holding that
role.
This commit substitutes a direct lookup of all bays' stack_id
attributes for this global stack list. This direct lookup will
yield the same net result. In order to get the necessary
permissions it will use each bay's stored Keystone trust to
act on behalf of the bay's creating user.
Co-Authored-By: Jiri Suchomel <jiri.suchomel@suse.com>
Closes-Bug: #1589955
Change-Id: I67b176c137c463e37e037970cc4e468d51db30c9
Roles was added as a member of oslo.context since oslo 2.2.0
https://review.openstack.org/#/c/271928/
This causes the magnum gate to fail because roles is overwritten by
oslo_context. Let's init oslo_context first and then make
our local changes.
Change-Id: Iac8c568bd49fbc66d2d65c9b6083bc9895a8069c
Closes-Bug: #1549694
1. auth_url cannot be obtained from request headers, it can only
   be read from the config file.
2. is_public_api is not used, so let's remove it from context.
Change-Id: Ie7207ef5311e3168b64c47aef4041ed2dd0e39c6
Partially-Implements: blueprint generate-keystone-trust
Magnum API's magnum_service:get_all is enforced by admin_api.
Modifying the rule to use context_is_admin. Also changing the to_dict()
call to include the change in roles.
Change-Id: I44dda27857945dfd3ad43fa28ea458ce2966388c
Closes-Bug: #1503402
We use oslo.policy to check the policy. Oslo.policy needs the
roles held for the given token scope [1]. So we should add roles
to context.
[1] http://docs.openstack.org/developer/oslo.policy/api/oslo_policy.html#generic-checks
Change-Id: I95afbf57f185ca1db9c68781c2fcd78cbafc1e17
Closes-Bug: #1489832
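The two commits above that deal with is_admin and with roles in the context both come down to the same mechanism: the roles carried by the token scope are fed to a policy rule, and the result of the `context_is_admin` rule becomes the context's admin flag. The block below is an added example, not Magnum's or oslo.policy's code. It is a deliberately small evaluator for two of the generic check forms oslo.policy documents, `role:<name>` and `<attr>:%(target_key)s`, plus `rule:<name>` references, joined by `or`/`and` without parentheses or `not`; the policy rules and the sample contexts are constructed here.

```python
"""Derive is_admin from token roles through a policy rule.

Added example, not Magnum's or oslo.policy's code: a minimal evaluator
for "role:<name>", "rule:<name>" and "<attr>:%(target_key)s" checks.
The POLICY rules and sample credentials are constructed for the demo.
"""

# Constructed policy, in the spirit of a policy.json file.
POLICY = {
    "context_is_admin": "role:admin",
    "magnum_service:get_all": "rule:context_is_admin",
    "bay:get": "rule:context_is_admin or project_id:%(project_id)s",
}


def _check_atom(atom, creds, target, policy):
    """Evaluate one check such as role:admin or project_id:%(project_id)s."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, creds, target, policy)
    if kind == "role":
        # Roles come from the token scope carried in the request context.
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        # Compare a credential attribute with the same attribute of the target,
        # e.g. the caller's project_id against the bay's project_id.
        key = value[2:-2]
        return key in target and creds.get(kind) == target[key]
    # Literal comparison, e.g. is_admin:True.
    return str(creds.get(kind)) == value


def enforce(rule_name, creds, target, policy=POLICY):
    """True if creds satisfy the named rule against target; unknown rules deny."""
    rule = policy.get(rule_name)
    if rule is None:
        return False  # fail closed rather than default-allow
    # "and" binds tighter than "or": A or B and C == A or (B and C)
    return any(
        all(_check_atom(atom.strip(), creds, target, policy)
            for atom in clause.split(" and "))
        for clause in rule.split(" or ")
    )


def make_context(user_id, project_id, roles, policy=POLICY):
    """Build a request context whose is_admin is computed, not hard-coded.

    This is the fix the is_admin commit describes: the flag follows the
    roles and the context_is_admin rule instead of always being False.
    """
    creds = {"user_id": user_id, "project_id": project_id, "roles": list(roles)}
    creds["is_admin"] = enforce("context_is_admin", creds, creds, policy)
    return creds
```

With this wiring, an operator who wants a different admin definition changes only the `context_is_admin` rule, and every rule that references it (here `magnum_service:get_all` and the admin branch of `bay:get`) follows.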
Before, bay and x509keypair supported listing resources from all
tenants. It is desirable to generalize this capability while reducing
duplicated code. Therefore, moving the 'all_tenants' option to context.
Change-Id: Icfe31a6f2ac2e21fa7f377e244764f10892d25c7
Partially-Implements: blueprint autoscale-bay
This patch adds a periodic task `sync_bay_status` which will be used for syncing
a bay's status from its heat stack. We will pull bays whose status is in
[bay_status.CREATE_IN_PROGRESS,
 bay_status.UPDATE_IN_PROGRESS,
 bay_status.DELETE_IN_PROGRESS]
which are all temporary statuses, and try to sync up the status with heat's
stack.
Status changes will be like this:

bay_status          stack_status      sync up bay_status to
------------------  ----------------  ---------------------
CREATE_IN_PROGRESS  CREATE_COMPLETE   CREATE_COMPLETE
UPDATE_IN_PROGRESS  UPDATE_COMPLETE   UPDATE_COMPLETE
DELETE_IN_PROGRESS  DELETE_COMPLETE   DELETE_COMPLETE
CREATE_IN_PROGRESS  CREATE_FAILED     CREATE_FAILED
UPDATE_IN_PROGRESS  UPDATE_FAILED     UPDATE_FAILED
DELETE_IN_PROGRESS  DELETE_FAILED     DELETE_FAILED
CREATE_IN_PROGRESS  Not Found         CREATE_FAILED
UPDATE_IN_PROGRESS  Not Found         UPDATE_FAILED
DELETE_IN_PROGRESS  Not Found         destroy
Partial-Implements: blueprint add-periodic-task
Co-Authored-By: ShaoHe Feng <shaohe.feng@intel.com>
Change-Id: Ie9cc4d3f03c7938a8d988010604da79c9b8a22fd
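The reconciliation table in the commit above, carried through as a function that a periodic task could run over a batch of bays, is shown below as an added example. It is not Magnum's code: the status strings follow the table, while the function names, the `None` convention for a stack Heat no longer knows about, and the sample bays and stacks are constructed here. It also covers the case the table leaves implicit, a stack that is still in progress, by leaving the bay untouched.

```python
"""Reconcile temporary bay statuses against Heat stack statuses.

Added example, not Magnum's sync_bay_status. Statuses mirror the commit's
table; function names and the None-means-not-found convention are
assumptions for the demonstration.
"""

IN_PROGRESS = ("CREATE_IN_PROGRESS", "UPDATE_IN_PROGRESS", "DELETE_IN_PROGRESS")
STACK_NOT_FOUND = None  # Heat returned 404 for the bay's stack_id
DESTROY = "destroy"     # sentinel: remove the bay record itself


def next_bay_status(bay_status, stack_status):
    """Return the status to store, DESTROY, or None when nothing changes.

    Only the three temporary statuses are reconciled; a bay already in a
    terminal state is never touched, even if its stack has moved on.
    """
    if bay_status not in IN_PROGRESS:
        return None
    op = bay_status.split("_", 1)[0]  # CREATE / UPDATE / DELETE
    if stack_status is STACK_NOT_FOUND:
        # A vanished stack means a failed create/update, but a finished delete.
        return DESTROY if op == "DELETE" else op + "_FAILED"
    if stack_status in (op + "_COMPLETE", op + "_FAILED"):
        return stack_status
    # Stack still in progress, or in a state unrelated to this operation:
    # leave the bay as-is and let the next periodic run decide.
    return None


def sync_bays(bays, stacks):
    """Apply next_bay_status to a batch.

    bays:   {bay_id: (bay_status, stack_id)}
    stacks: {stack_id: stack_status} as returned by looking each stack up
            directly; a stack_id missing from the dict is treated as Not Found.
    Returns (updated, destroyed): new statuses to write, and bay ids to remove.
    """
    updated, destroyed = {}, []
    for bay_id, (status, stack_id) in bays.items():
        new = next_bay_status(status, stacks.get(stack_id, STACK_NOT_FOUND))
        if new == DESTROY:
            destroyed.append(bay_id)
        elif new is not None:
            updated[bay_id] = new
    return updated, destroyed


if __name__ == "__main__":
    # Constructed sample: three bays mid-operation, one stack already gone.
    sample_bays = {"b1": ("CREATE_IN_PROGRESS", "s1"),
                   "b2": ("DELETE_IN_PROGRESS", "s2"),
                   "b3": ("UPDATE_IN_PROGRESS", "s3")}
    sample_stacks = {"s1": "CREATE_COMPLETE", "s3": "UPDATE_IN_PROGRESS"}
    print(sync_bays(sample_bays, sample_stacks))
```

Keeping the decision in a pure function makes the table directly testable and keeps the Heat lookup, which carries the credential handling, out of the reconciliation logic.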
make_admin_context will return an admin context which can be used to fake
a context which will be used for periodic tasks.
Partial-Implements: blueprint add-periodic-task
Co-Authored-By: ShaoHe Feng <shaohe.feng@intel.com>
Change-Id: I92ff05e6e40ea8bd0c08ae279b70ef5f1a7e70be
Problem description:
If DevStack is used to instantiate the magnum plugin, and the
devstack localrc/local.conf has the default values for:
LOG_COLOR (default value = True)
SYSLOG (default value = False)
then upon startup (i.e. running DevStack's stack.sh), the magnum devstack
lib calls the DevStack common setup_colorized_logging function, but
without passing the optional 'project_var' and 'user_var' arguments to
this function. As a result, the setup_colorized_logging
function uses its default values of "user_name" and "project_name"
when it defines the logging_context_format_string (which in turn gets
configured in /etc/magnum/magnum.conf). The problem is that "user_name"
and "project_name" are not defined in the API context used by Magnum,
so that whenever the magnum plugin does a logging call, a KeyError
exception for the non-existent key "user_name" is generated.
Fix description:
The fix is to modify the Magnum context to use "user_name" and
"project_name" attributes to be consistent with the default context
format string set up by DevStack.
Change-Id: Ia0c34899609735ff9d8b4597101e004e2684657e
Closes-Bug: #1464376
We need to call the oslo_context.RequestContext to_dict method in magnum's
RequestContext method.
Closes-Bug: #1462261
Change-Id: Ibe866bdd9ddb06566f7b1967475a4cdd7ef2d936
Some python files do not need to encode in utf-8, so just remove
"# -*- encoding: utf-8 -*-" from those files.
Change-Id: Iafdf4eda876b6599b75c7710e69f62918842ebec
Closes-Bug: #1422067
The new patching only ensures that auth_token_info is properly
set up by default. A real RequestContext is returned, and it is
passed through to_dict and from_dict to ensure there are no
assumptions made that will not work through RPC.
If necessary, tests can still return a mock context by setting
a return_value or side_effect on self.mock_make_ctxt.
Change-Id: I6369e0bd89d83a5ea3ddde2b35423233fee18327
Ensure that auth_token_info is present on the dictionary representation
of RequestContext, otherwise it will get lost through RPC calls.
Change-Id: I0a52db38c67018239f99e39d330dd4386da41371
Closes-bug: #1415173
'auth_url', 'auth_token_info' and 'trust_id' are required to create heatclient.
So this commit added these.
Change-Id: If17c87770f2e4d93dae5e1262faa5b44cc5cfdef