94 Commits

Author SHA1 Message Date
zhurong 9f47209f66 Remove the unused paste
Change-Id: I1c7949349b8871d8476205468cfd943ac08dfaf6
2022-01-17 08:29:06 +00:00
melissaml 1bfac0e16a Update the URL in doc
Change-Id: Ic531565c7c836188ab5f457289a64d74d95b0b64
2018-09-24 21:32:18 +08:00
zhurong d3baa3d39a Updated murano-cfapi-paste.ini with http_proxy_to_wsgi
Murano cfapi used to have a custom, always-enabled ssl middleware, to parse
X-Forwarded-Proto header, to let murano cfapi work correctly behind an SSL
proxy. There is now an oslo middleware, that does the
same thing, but more thoroughly.
This commit replaces custom implementation with oslo one.

murano-paste.ini was implemented in this commit:
I5444542b878434fb656e19b12d0f6e71df1ab95f

Change-Id: I701f9d2496935e71bf847955c43fa239474bc38e
2017-10-23 16:39:09 +08:00
Paul Bourke 9248605e67 Add decryptData yaql function to murano engine
Adds a new yaql function 'decryptData' which pairs with 'encryptData' on
the dashboard side.

Requires a valid secret storage backend (e.g. Barbican) to be configured
via Castellan in murano.conf, e.g.

    [key_manager]
    auth_type = keystone_password
    auth_url = <auth_url>
    username = <username>
    password = <password>
    project_id = <project_id>
    user_domain_name = <user_domain_name>

Murano will still work fine without this config but the encrypt/decrypt
functions will be unavailable.

Partially-Implements blueprint: allow-encrypting-of-muranopl-properties
Depends-On: I1be3a1e11e3f4c2170062927ad359bf679eb25d9
Change-Id: I09416b6d35ed2dafa823eca98262a4e23081e6eb
2017-07-21 13:32:13 +01:00
Felipe Monteiro b360bf7ab7 Add policy sample generation
This adds the entry point and config file necessary for using the
oslo.policy sample generation script. It also adds a tox target to
simplify the usage of it. Finally, this commit adds
murano.common.policies.base.list_rules to
murano.common.policies (__init__.py) so that the base rules are
also included in the generated policy file.

Note that the policy sample is generated as a YAML which is
the standard adopted by Nova [0] and Keystone [1] and is now
the standard across OpenStack since Ocata [2]:

    While the old json format policy file is still supported,
    we recommend using the newer YAML format file, more intuitive
    syntax.

The output from tox -egenpolicy will be:

    murano.policy.sample.yaml in murano/etc.

The policy documentation was already updated in
I1a8581a559e4333a74d56a5bdce7e6d1f117907d

[0] e845d66a1b/etc/nova/nova-policy-generator.conf
[1] https://github.com/openstack/keystone/blob/master/config-generator/keystone-policy-generator.conf
[2] https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html#older-json-format-policy

Change-Id: I2356ac0b2033bd83caaf2672189670fc300e55fd
Partially-Implements: blueprint policy-in-code
2017-06-17 16:11:17 +01:00
Felipe Monteiro fb1a2d5bbe Remove murano default policy.json
This commit removes the murano default policy.json file from
etc/murano and references to it in murano's devstack plugin.
(References to the policy.json in muranodashboard remain
the same).

This commit specifically:
  - removes the default policy.json
  - removes references to it in devstack plugin
  - adds base rules to murano.common.policies.__init__ because
    they are the last rules to be included
  - updates base admin_api rule to is_admin:True from
    is_admin:1 (because the latter was causing issues)
  - updates Murano policy documentation

Partially Implements: blueprint policy-in-code
Depends-On: Ia372983d2bd1010cd19f04061f3276ed16e9c1c9
Change-Id: I1a8581a559e4333a74d56a5bdce7e6d1f117907d
2017-06-16 03:07:49 +00:00
Felipe Monteiro 640f926092 Policy in code for actions/static actions
This commit implements policy in code for (static) actions
API. The default rules for the (static) actions API were
removed from the policy.json and moved into code under
`murano.common.policies.action`.

This commit specifically:
  - Moves policy actions related to the (static) actions
    API from the policy.json into code.
  - Documents the API information and paths associated with
    each actions-related policy.

Partially Implements: blueprint policy-in-code
Change-Id: Ia372983d2bd1010cd19f04061f3276ed16e9c1c9
2017-06-14 19:25:04 +01:00
Felipe Monteiro 12024a7ae2 Policy in code for categories
This commit implements policy in code for categories
API. The default rules for the categories API were
removed from the policy.json and moved into code under
murano.common.policies.category.

This commit specifically:
  - Moves policy actions related to the categories
    API from the policy.json into code.
  - Documents the API information and paths associated with
    each category-related policy.

Partially Implements: blueprint policy-in-code
Change-Id: I7171369650d7d55ed44154481d03d48153f3640a
2017-06-09 18:11:16 +01:00
Felipe Monteiro 5a06c48d02 Policy in code for deployments
This commit implements policy in code for deployments
API. The default rules for the deployments API were
removed from the policy.json and moved into code under
murano.common.policies.deployment.

This commit specifically:
  - Moves policy actions related to the deployments
    API from the policy.json into code.
  - Documents the API information and paths associated with
    each deployment-related policy.

Partially Implements: blueprint policy-in-code
Change-Id: I246261b6df4b5225b67499c89281b942013007ed
2017-06-07 19:25:48 +00:00
Felipe Monteiro 7a01e294ff Policy in code for packages
This commit implements policy in code for packages
API. The default rules for the packages API were
removed from the policy.json and moved into code under
murano.common.policies.env_template.

This commit specifically:
  - Moves policy actions related to the packages
    API from the policy.json into code.
  - Documents the API information and paths associated with
    each package policy.

Partially Implements: blueprint policy-in-code
Change-Id: I9a091606bec7c74ce7cf53fd327a2a40c6b9c364
2017-06-06 14:02:00 +01:00
Felipe Monteiro f8c346230c Policy in code for environment templates
This commit implements policy in code for the environment templates
API. The default rules for the environment templates API were
removed from the policy.json and moved into code under
murano.common.policies.env_template.

This commit specifically:
  - Moves policy actions related to the environment templates
    API from the policy.json into code.
  - Documents the API information and paths associated with
    each environment template policy.
  - Updates the ``create_environment`` policy action documentation
    in murano.common.policies.environment to include API
    /v1/templates/{env_template_id}/create-environment
    which enforces this policy as well.

Partially Implements: blueprint policy-in-code
Change-Id: I715f4b0a61fd4404e20b88736a9a4c86fc038b55
2017-06-02 17:16:03 +01:00
Jenkins a5d8b7c022 Merge "Policy in code" 2017-06-01 04:06:09 +00:00
Felipe Monteiro 5b01f9464b Policy in code
This patch introduces the beginning implementation for registering
default policy rules in code. Default rules are defined under
murano.common.policies. Each API's policies are defined in a
sub-folder under that path and __init__.py contains all the
default policies in code which are registered in the ``init``
enforcer function in murano/common/policy.py.

The default rules for the environments API were removed from the
policy.json and moved into code under
murano.common.policies.environment. This can be gradually done
for the rest of the APIs in follow-up patches.

This commit does the following:
  - Creates the ``policies`` module that contains all the default
    policies in code.
  - Adds the base policy rules into code (the admin_api,
    context_is_admin, and default rules).
  - Adds the environment default policy module with default
    policy rules for the environments API.

Partially Implements: blueprint policy-in-code

Change-Id: Iebf2c60d1d31b73829fad189ada7ceee28e714bd
2017-05-31 15:20:18 +00:00
shashi.kant 02ec8d03ed Updated murano-paste.ini with http_proxy_to_wsgi
Murano used to have a custom, always-enabled ssl middleware, to parse
X-Forwarded-Proto header, to let murano work correctly behind an SSL
proxy. There is now an oslo middleware, that does the
same thing, but more thoroughly.
This commit replaces custom implementation with oslo one.

Co-Authored-By: Kirill Zaitsev <k.zaitsev@me.com>
Change-Id: I5444542b878434fb656e19b12d0f6e71df1ab95f
2017-05-25 15:01:40 +03:00
Felipe Monteiro c30c27fb0c Allows fetching of deployments from all environments.
Adds new endpoint /deployments to Murano, to enable
Murano Dashboard to get all deployments for all environments.
This is needed in order to improve log browsing for
deployments, which calls for creating a new view in which
all deployments across all environments can be viewed.

Also made deployment unit tests more robust.

Partially-implements: blueprint improve-deployment-log-browsing
Change-Id: I1b6a313af1a0c4aa57bd4e6f51da92b396b35165
2017-01-16 12:00:33 -05:00
zhurong 3d8d5a0b0e Use devstack for service broker use separate paste and db
1. Add the devstack support for new cfapi
2. service broker use separate paste file
3. service broker use separate db

Closes-Bug: #1500777
Closes-Bug: #1500827
Change-Id: I2842828fe14878e6ff5ac194473f2ffa619370df
partial-implement: bp separate-service-broker-from-murano
2016-07-25 10:05:58 +00:00
ricolin c3938f7f67 fix typo oslo.messaginga
fix typo oslo.messaginga

Change-Id: Id56413b7d8261ba2116a75ce00c8b6442b42f30f
2016-06-08 09:58:21 +00:00
zhurong 176379f601 Move service broker api to the top level
Create separate murano-cfapi-paste.ini for service broker,
Change service broker start command to:
`murano-cfapi --config-file etc/murano/murano-cfapi.conf`

And move service broker api to the top level.

Change-Id: Id56786f31c16da11019a2064cc4285bdd266f538
partial-implement: bp separate-service-broker-from-murano
2016-05-31 21:33:06 -04:00
zhurong deb487d8c0 Generate separate db for murano service broker
1) Create separate config use the separate config.py
to use: tox -egencfconfig

2) Create separate db for murano service broker
to use: tox -e venv murano-cfapi-db-manage \
	--config-file etc/murano/murano-cfapi.conf upgrade

Change-Id: Ifd3551ace000e496d99725f46dbead62f7ef64b0
partial-implement: bp separate-service-broker-from-murano
2016-05-31 21:25:33 -04:00
Tin Lam 151d8cfe30 Moved CORS middleware configuration into oslo-config-generator
The default values needed for murano's implementation of cors
middleware have been moved from paste.ini into the configuration
hooks provided by oslo.config. Furthermore, these values have been
added to the default initialization procedure. This ensures
that if a value remains unset in the configuration file, it will
fallback to using sane defaults. It also ensures that an operator
modifying the configuration will be presented with that same
set of defaults.

Change-Id: I50a204e27a43991d94cfb5f39c1dd3e904eb5696
Closes-Bug: #1551836
2016-03-04 17:00:44 -06:00
Dmytro Dovbii 0d140a32bd Fix the entry point for oslo-config generator
When we use `tox -egenconfig`, the murano configuration file
is generated incorrectly. Some options in the `[keystone_authtoken]`
section are missing. This is because keystonemiddleware now uses
another function for oslo_config sample generation [1].
This function now returns a smaller list of options than before,
without a number of deprecated options and some options required
by murano.
This patch changes the entrypoint for oslo-config-generator in order
to use the older keystonemiddleware function, which lists all
necessary options.

1. https://review.openstack.org/#/c/267277/

Change-Id: I61b9c102e0e07e382237f2d09206df85322cc699
Closes-Bug: #1552226
2016-03-02 13:32:13 +00:00
Michael Krotscheck 76d617287c Added CORS support to Murano
This adds the CORS support middleware to Murano, allowing a deployer
to optionally configure rules under which a javascript client may
break the single-origin policy and access the API directly. Included
are Murano's custom headers, so that anyone activating this
middleware does not have to explicitly enable them.

The paste.ini method of deploying the middleware was
chosen, because it needs to be able to annotate responses created
by other middleware.

OpenStack CrossProject Spec:
   http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
Oslo_Middleware Docs:
   http://docs.openstack.org/developer/oslo.middleware/cors.html
OpenStack Cloud Admin Guide:
   http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html

Change-Id: If9eff9a4bcf272eebe9fd9d4e13dec64decb4997
2015-12-09 08:24:10 -08:00
Jenkins 558bd82275 Merge "Rework service broker authorization process" 2015-11-13 12:22:14 +00:00
Hidekazu Nakamura c76feacebc Fix Example of net-config filename
Example of net-config file is added by
commit 0d42f01f68,
and file is assumed etc/murano/netconfig.yaml.sample
in commit message. But netconfig.yaml.samle was added.

This patch renames netconfig.yaml.samle to netconfig.yaml.sample.

Change-Id: I9d86b95bc54e2b6d6124b699e9cf256aeb067efa
Closes-Bug: #1515904
2015-11-14 02:25:59 +09:00
Nikolay Starodubtsev c508be37a2 Rework service broker authorization process
Now we can use keystonemiddleware and murano context middleware for requests
from outside OpenStack so we don't need to recreate keystoneclient for each
request and can easily get token from the request headers. That makes
authorization process a lot easier in terms of source code.

Change-Id: If937501074b85d43921fdb108f8af3babeded828
Closes-Bug: #1512254
2015-11-12 12:05:57 +03:00
Nikolay Starodubtsev b985627eaa Add middleware for external requests
New middleware will solve the problem with non-OpenStack requests by
adding some minimal required headers.

Change-Id: I49986e73d0eb3da1ce13d22771c6bcb5a28ba846
Implements: bp external-request-middleware
2015-11-11 12:31:30 +03:00
Nikolay Starodubtsev 8e01d101c7 New middleware to handle ssl termination proxies
Murano doesn't handle requests properly if it is behind an SSL
termination proxy. In this case HTTP redirection and returned URLs
use http instead of https.

New middleware helps to handle the situation below properly. The purpose of the
SSLMiddleware is to update the wsgi.url_scheme environment variable of
the request with the value contained in an HTTP header that can be
configured in the configuration file (by default: 'X-Forwarded-Proto')

Closes-Bug: #1504610
Change-Id: Id7cfa1bce00c965b618a4f3e4ca2c915a57bbe52
2015-10-14 14:27:37 +03:00
Nikolay Starodubtsev 5e3b37aac8 Cloud Foundry Service Broker API initial commit
In this commit we added new murano service called murano-cfapi.
It's Cloud Foundry Service Broker API implementation for OpenStack.

* add new entrypoint for murano-cfapi
* add provision/deprovision operations for Cloud Foundry.

partial-implement: bp cloudfoundry-api-support

Change-Id: I5cdb612774f5e46ec7fc787f961e5c7e16ed8501
2015-09-02 21:17:16 +03:00
Alexey Khivin 11a96c94c8 Logging API for MuranoPL
Add new API calls that will provide logging and can be
consumed by MuranoPL workflows. It will improve debuggability.
Application author can use logs to improve application quality.

Implements: blueprint logging-api-for-muranopl
Change-Id: I747cf7f5fca20960f2304605e1c7241f465f5dc1
2015-08-30 00:11:40 +03:00
Kirill Zaitsev 741ee084b6 Return x-openstack-request-id header to the caller
This commit adds request-id filter to paste config and adds support for
request_id to the ContextMiddleware. This would mean, that request-id,
generated for each particular request to api would be returned to the
caller in the form of 'x-openstack-request-id' header

Targets blueprint: murano-x-openstack-request-id-support

Change-Id: Id3d593c33fd31bae7226052b908750e5c000f730
2015-08-13 15:13:59 +03:00
Alexey Khivin 5f0b9d68f0 Fix sample logging config
Change-Id: I08deb39403e1051534053f1b587853cb067e0958
Closes-bug: #1480761
2015-08-03 10:29:24 +03:00
Nikolay Starodubtsev de5ed2115a Switch to oslo_log
To follow latest community practices we need to use oslo_log in
murano instead of handcrafted libs.
Unsupported log level 'audit' was changed to 'info'.

Change-Id: I40c0f3790e34bf80d0b63554e86b3cbc019eefca
2015-07-15 11:20:45 +03:00
Sergey Vilgelm 1121c6a04e Switch to oslo.service
oslo.service has graduated, so murano should consume it.
Use the 1.16.0 version of the oslo.messaging library.

Change-Id: I774c70bdf06b304f7d958eac488dc28b7625fb12
Closes-Bug: #1466851
Depends-On: I4159450f54609c5185146472179d4299fe0c9d30
Depends-On: Ifa7a03b21aaf6911039c465696a0476e97905793
2015-07-13 21:14:03 +00:00
Filip Blaha ed4c44d521 Allows congress to fetch environments from all tenants
Adds request param all_tenants allowing listing environments from all tenants.
Congress data source needs to populate its tables with data from all tenants.
Nova uses a similar mechanism to allow listing servers from all tenants.

Partially implements: blueprint murano-api-all-tenants-search

Change-Id: I842292720a475992a137c1e4715873a059ec605c
2015-07-09 12:47:38 +02:00
Ekaterina Chernova 8d4f7c0aa8 Use oslo.policy instead of incubated version
Corresponding changes were made in murano common policy file
and in requirements.

Change-Id: Ic7c4f61db0bb2655c4c0041500bd74e8890ea038
Closes-Bug: #1458945
2015-06-04 11:51:30 +03:00
Ekaterina Chernova 4732a4dec5 Update default policy settings
Also, there were some issues with policy:
* 'publicize_image' instead of 'publicize_package';
* corresponding actions have different names;
* user could not upload packages by default;
* user could mark package public/unpublic;
* user could delete public packages.

Change-Id: I5459016a4e7401b58fcb343e40d0047a4959b7df
Closes-Bug: #1439240
Closes-Bug: #1436289
2015-04-09 13:57:34 +00:00
Stan Lagun 0d42f01f68 Configurable environment's default network config
Network configuration is extracted into a separate file.
By default this is netconfig.yaml residing near murano.conf,
but the name and path can be changed in the config file.
An example of net-config can be found in etc/murano/netconfig.yaml.sample.
If no file is present, the old behavior is kept.

Change-Id: I7b74eea69ee2ffe1c721b751e564b54252dcfbe3
Implements: blueprint configure-environment-network-defaults
2015-03-17 20:26:41 +03:00
Ekaterina Chernova 2c23f73e72 Implement category management API
Adds new API calls, responsible for add,
browse and delete categories.

Implements blueprint enable-category-management

Change-Id: I9da0680cfa244ef225be0706a54f492644c0dcba
2015-03-06 12:36:08 +03:00
Ekaterina Chernova d82b74b62f Update API policy
* Set admin rule for several API calls and remove direct check in code
* Now admin can configure policy.json and enable package management for regular users
* Update common policy module

Closes-Bug: #1412868

Change-Id: I8d0725b613564529d32a5acef289f4822f32915c
2015-03-02 15:28:14 +03:00
Ruslan Kamaldinov 500ed42c6d Removed outdated init scripts
These scripts were not supported for a long time. Upstream
distributions have their own version of init scripts for Murano.

Change-Id: I80f439fc2667b05a5bcf2091559ae7a332bfcbee
2014-11-29 23:34:24 +03:00
Dmytro Dovbii 76ffd35806 Use oslo.config generator in murano
Similarly with the way it was done in the murano-agent, added
the ability to use the oslo-config-generator for creating a sample
configuration file murano.conf.sample.

Now to create the file, you must run:
tox -egenconfig

Change-Id: I8b06336d75eccfd598ce9033333884f75f393a09
2014-11-12 17:09:35 +02:00
Ryan Peters 09fe0567a2 Creates a router if one doesn't exist
If it doesn't find a router by the name specified in router_name
in murano.conf, create a router with that name. Uses
external_network_id or external_network_name as the
external_gateway_info ID. Requires:
https://review.openstack.org/#/c/119800

Change-Id: If8b966a7d43eb2af485113de2a0708e554605725
2014-09-24 17:46:55 +00:00
Serg Melikyan f1905be336 Use only specific router for created networks
Murano should not use the first available router, as it may create
various networking issues because the router may not have access to
the external network.

Closes-bug: #1366124
Change-Id: I223a4862c3b20cfb20281be6bd9376be3644ad92
2014-09-24 16:55:49 +00:00
Ruslan Kamaldinov caf247b29b Updated from global requirements
Also slightly modified sample config, including default value
for packages_cache.

Change-Id: I43e294a7e2328e916aa8273d808cfcabd60f7024
2014-09-24 16:30:47 +04:00
Stan Lagun dfcd1188f8 keystoneclient.middleware -> keystonemiddleware
Switch from keystoneclient.middleware.auth_token
to keystonemiddleware.auth_token

Change-Id: Ifd72477dcdbe5e4c5da55a413c4d0c4be625632e
2014-09-17 04:51:26 +04:00
Ekaterina Fedorova 08a6713240 Move wsgi module to murano/common
* Resolve all import issues
* Update sample config
* Resolve pep8 doc string issues

Change-Id: Ib95add96b1f3cd04ecf3666d24ef307e3c6bba42
Closes-Bug: #bug/1363892
2014-09-03 19:53:45 +04:00
Ekaterina Fedorova 4ba60da712 Apply fault middleware
* Provide exceptions details in the response body
* Decode package exception message to keep correct formatting

Partly-Closes-Bug: #1328662
Change-Id: I28000ec42db644d5db75f92d968955f7dd620091
2014-08-31 11:33:50 +04:00
Ruslan Kamaldinov 2bfe3a9482 Migrate to oslo.db
Move from oslo-incubator db module to oslo.db

Change-Id: I01e04387ee400be92345a12de4f0f83a99980842
2014-08-23 16:35:07 +04:00
Jenkins 2db878ba2a Merge "Add sample logging.conf" 2014-08-16 10:54:54 +00:00
Jenkins 262e0468d4 Merge "Add openstack libs to config checker" 2014-08-14 14:40:23 +00:00