Commit Graph

31 Commits

Author SHA1 Message Date
Dale Smith 1b00074c6a Bugfix: Clean up trusts for all deleted clusters
Cluster conductor creates trusts for all drivers, but does not clean
them up. The Heat driver has previously performed this action.

This change moves the lifecycle of trust and certificate creation
to the Conductor, so drivers do not need to clean up resources they
didn't create.

Change-Id: I2b3e99589d2d3069191d0727406601f0647a9722
2024-02-22 15:38:48 +13:00
Michal Nasiadka 68c8acba39 Remove execution bit on unnecessary files
Change-Id: Ia41b843fdf20154750b129a8ab5dd42f5c3989fb
2024-02-19 00:30:21 +00:00
Erik Olof Gunnar Andersson 718cb9c9b4 Add support for www_authentication_uri
We currently do not support www_authentication_uri at all, which
is the new standard, as auth_uri has long been deprecated.

* Make sure we support both auth_uri and www_authenticate_uri.
* Switched to www_authenticate_uri for devstack.
* Fixed a bug where a bad exception would be thrown if auth_uri
  was not set.
Story: 2004271
Task: 27819

Change-Id: Ibc932d35f3d6ba2ac7ffb6193aa37bd4a3d4422e
2018-11-06 17:13:10 +00:00
Lingxian Kong 3c8edd4d88 Add support for Octavia resources in Heat
Octavia is already an official LBaaS solution for Openstack
(https://governance.openstack.org/tc/reference/projects/octavia.html) and
will deprecate the neutron-lbaas extension starting from Queens release.

For deployments supporting the Octavia service for load balancing functionality,
Octavia related resources instead of LBaaS should be used in the Heat template.

Tested in my DevStack environment.

Change-Id: Icc45e0a126c648fbcba4ebcd1bb258d60957f2d6
Closes-Bug: #1748577
2018-02-16 11:35:46 +13:00
coldmoment ba8ad5e37f Add a hacking rule for string interpolation at logging
String interpolation should be delayed to be handled
by the logging code, rather than being done at the point
of the logging call.
See the oslo i18n guideline
* https://docs.openstack.org/oslo.i18n/latest/user/guidelines.html#adding-variables-to-log-messages
and
* https://github.com/openstack-dev/hacking/blob/master/hacking/checks/other.py#L39

Change-Id: I8a4f5f896865aebbff88ee894f0081e58cfce9ef
2017-07-15 14:49:45 +08:00
yuanpeng 71d25456d2 Remove log translations
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Change-Id: If1f4bd2f6be967368f52fb367c5a428d3eb58a9d
Closes-Bug: #1674551
2017-03-30 17:05:10 +08:00
Jenkins dd2a8520cb Merge "Pass 'client', 'message' param to AuthorizationFailure Exception" 2017-03-11 11:29:00 +00:00
Vijendar Komalla 54152970e1 Set is_admin flag correctly in RequestContext
Currently is_admin flag is always False. As a result
some of the admin operations are not working.
For example, quotas-list is not listing all the
user quotas.
This change sets the flag correctly based on the
roles assigned to the user and policies defined
in policy.json.

Change-Id: I01534ccf1cf1e635282db497e0e026bea19c3bd2
Closes-Bug: #1660843
2017-03-03 03:37:08 +00:00
yatinkarel 44b83d3b14 Pass 'client', 'message' param to AuthorizationFailure Exception
Change-Id: Ia3f39a0362259429f4d2d995e94073a993ae48a7
Closes-Bug: #1666790
2017-02-25 04:37:41 +00:00
Johannes Grassler e93d82e8b3 Fix CVE-2016-7404
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:

* Permissions for /etc/sysconfig/heat-params inside Magnum
  created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
  for a Keystone trust.
* The cluster's Keystone trust id is only passed into
  instances for clusters where that is actually needed. This
  prevents the trustee user from consuming the trust in cases
  where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
  default) is introduced. It needs to be explicitly enabled
  by the cloud operator to allow clusters that need the
  trust_id to be passed into instances to work. Without this
  setting, attempts to create such clusters will fail.

Please note that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.

Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
2017-02-09 16:44:27 +01:00
melissaml 2ee054c1f5 Modify variable's using method in Log Messages
String interpolation should be delayed to be handled by the logging code,
rather than being done at the point of the logging call.
Ref: http://docs.openstack.org/developer/oslo.i18n/guidelines.html#log-translation
For example:
LOG.info(_LI('some message: variable=%s') % variable)
LOG.info(_LI('some message: variable=%s'), variable)

Change-Id: Ifaf1dfe589615732e412c4e640cf46679abc9023
Closes-Bug: #1643463
2017-01-04 15:11:33 +08:00
Hieu LE 66430eaa98 Centralize config option: keystone_auth section
Centralize config option of keystone_auth section.
Replace oslo_conf cfg with magnum.conf.

Change-Id: I15eb976eb177b43a09743fcc116fdb05b985f69a
Implements: blueprint centralize-config-magnum
2016-09-22 05:57:53 +00:00
Hieu LE 5abcdadb51 Centralize config option: trust section
Centralize config option of trust section.
Replace oslo_conf cfg with magnum.conf.

Change-Id: Ie8e50f62bf41ccc1708b16745e5aaf841379b66b
Implements: blueprint centralize-config-magnum
2016-09-22 05:57:46 +00:00
Jaycen Grant 729c2d0ab4 Rename Bay DB, Object, and internal usage to Cluster
This is patch 3 of 3 to change the internal usage of the terms
Bay and BayModel.  This patch updates Bay to Cluster in DB and
Object as well as all the usages.  No functionality should be
changed by this patch, just naming and db updates.

Change-Id: Ife04b0f944ded03ca932d70e09e6766d09cf5d9f
Implements: blueprint rename-bay-to-cluster
2016-09-08 13:01:12 -07:00
Johannes Grassler f895b2bd09 Fix global stack list in periodic task
The periodic task unnecessarily lists Heat stacks in the
global tenant (across all tenants), which the Magnum service
user may lack permission for. Also, the most restrictive way
to let it use global stack-list is to choose a Keystone role and
open that operation to any user in any project holding that
role.

This commit substitutes a direct lookup of all bays' stack_id
attributes for this global stack list. This direct lookup will
yield the same net result. In order to get the necessary
permissions it will use each bay's stored Keystone trust to
act on behalf of the bay's creating user.

Co-Authored-By: Jiri Suchomel <jiri.suchomel@suse.com>
Closes-Bug: #1589955
Change-Id: I67b176c137c463e37e037970cc4e468d51db30c9
2016-07-27 10:11:51 +02:00
OTSUKA, Yuanying 1d74849193 Support trustee_domain_name in config file
To set up magnum more easily, name based configuration is important.
This patch makes the config file support trustee_domain_name and
trustee_domain_admin_name in the trust section.
If both name and id of the trustee domain are provided by the user, both
values are passed through into keystone.

Closes-Bug: #1581372
Change-Id: Ia691aca7c29a471f6ba36a1a371ec1edf830b365
2016-06-06 08:23:43 +09:00
OTSUKA, Yuanying 88124be84a Delete unused _admin_client variable
_admin_client variable in common/keystone.py isn't used anywhere.
So let's remove it!

Change-Id: I4cea8bb5654f74c6f1091bfd5e9e114701a23ccb
2016-05-30 13:44:20 +09:00
Gyorgy Szombathelyi f0a3487956 Honor insecure and cafile options in a trustee session
Pass the verify parameter to keystone when creating a
session with the trustee account.

Change-Id: Ic26d656fc434d097c2015db47b1539f83aaf3cd0
Closes-Bug: 1581057
2016-05-17 16:55:00 +02:00
Hua Wang e79d4a182f Bay can not be deleted by other users in the same project
A trust can only be deleted by the user who creates it. So when
other users in the same project want to delete the bay, we need
to use the trustee, which can impersonate the trustor, to delete the
trust.

Change-Id: I9f87cdf07066d316722e798cd0755f0fff5c2a02
Closes-Bug: #1552457
2016-04-05 12:09:53 +08:00
Paulo Ewerton 7f145e703c Refactor Keystone client with keystoneauth
This patch does, basically, three things:

* Updates the default auth section to keystone_auth;
* Introduces keystoneauth sessions and plugins;
* Adds a deprecation warning and options when loading
legacy auth.

Config, tests and client code are also updated.

Co-Authored-By: Henrique Truta <henrique@lsd.ufcg.edu.br>
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>

Closes-Bug: 1496810
Closes-Bug: 1515014
Change-Id: I5c1cd24ca28d66ae7ae40e7f707b81870cf0e457
2016-03-23 16:24:53 +00:00
Eric Brown db676bcde0 Mark trustee_domain_admin_password secret
The trustee_domain_admin_password config option needs to be marked
secret in order to avoid leaking of the password into the logs.

Change-Id: I45d87b5fc09ffbc075cba2575869a8c5cf10bc8b
Closes-Bug: #1555276
2016-03-09 10:17:51 -08:00
wangqun 42d094b757 Get region_name that volume_driver rexray region_name needs
The volume_driver rexray config needs region_name.

The patch gets region_name, validates the region_name and adds a
unit test.
Co-Authored-By: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Co-Authored-By: Ton Ngo <ton@us.ibm.com>
Partially-Implements: blueprint magnum-integrate-with-cinder
Change-Id: I3fcef0ffb7cda162fffcbedf4628cad81168d09d
2016-02-29 05:32:43 +00:00
Aaron-DH 526260278a Remove redundant password when calling create_trustee
Closes-Bug: #1550195

Change-Id: I604b03bf432995b5a310aedf8cfac24196572728
2016-02-26 16:31:11 +08:00
Hua Wang 725bd5c99d Create a trustee user for each bay
Docker registry, k8s load balancer and volume driver have a similar
need to use trust, so we need to create a trustee for each bay.

Change-Id: If034e74ce2ea80a7faa886d4edf789e576c30eb5
Partially-Implements: blueprint create-trustee-user-for-each-bay
2016-02-18 18:16:35 +08:00
Jenkins 107e40bb5f Merge "Don't add exception in msg when using LOG.exception" 2016-01-08 21:56:57 +00:00
Hua Wang b9435c4efe Don't add exception in msg when using LOG.exception
LOG.exception can record the exception automatically, so we should
not add the exception to msg.

Change-Id: I60694fd8d1b1c0bd62461900c6746a0cc300cf5b
Closes-Bug: #1529534
2016-01-08 15:24:31 +08:00
Wanlong Gao 6ac4ce2eb1 Python 3 deprecated the logger.warn method in favor of warning
Python 3 deprecated the logger.warn method, see:
https://docs.python.org/3/library/logging.html#logging.warning, so we
prefer to use warning to avoid DeprecationWarning.

Closes-Bug: 1508442
Change-Id: I245d24b30e783f1c6dcec1b425d78d271edff49b
2015-12-29 13:09:04 +08:00
Hua Wang 8074f6f4ce Create trust_id for bay
All bays use the same trustee_user and different trust. A trust is
created for a bay when the bay is created, and is deleted when the
bay is deleted.

Partially-Implements: blueprint registryv2-in-master
Change-Id: Iab2037677f683fe4c562915b98303da02c59c299
2015-12-15 11:28:23 +08:00
Hua Wang d52237d89a Code refactor for keystoneclient
1. Rename magnum_keystone_client to keystone.
2. Code refactor to let keystoneclient create trusts for
any user, not only the admin user.

Change-Id: Iac20185f2cc89ac8d6fe7cf30b2362302614df77
Partially-Implements: blueprint generate-keystone-trust
2015-09-22 17:32:24 +08:00
OTSUKA, Yuanying 3d1bff28ab Fix keystoneclient and heatclient incompatibility
The previous version of the heat client couldn't work correctly
because of a keystone auth error in actual use.
So, the heat client and keystone client are copied from solum.

Change-Id: I49fef01bcec581f470e05aa82526b31fe47d0adc
2014-12-31 07:03:06 +09:00
OTSUKA, Yuanying 6919cad773 Add keystone client
This client will be used by novaclient and heatclient to create a bay.
The original sources come from Ironic.

Change-Id: Ib075148afb0ddf503e71b333cef85523561a2732
2014-12-12 16:39:31 +09:00