Currently placement records REMOTE_ADDR environment as source ip but
this environment points load balancer ips instead of actual client ips
when placmenet runs behind load balancers like haproxy.
This change enables HTTPProxyToWSGI middleware to parse request
headers to look up actual client address.
Story: 2009049
Task: 42819
Change-Id: I4d15201dd2f94d00f4f2b53f773511ea020ef4ac
Add a combined README for config generation and replace references to
nova for policy generation.
Change-Id: I3e5fe46f1a63f929e7a73b454507c287574fb83a
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
The [placement]/policy_file option was necessary when placement
was in nova since nova uses the standard [oslo_policy]/policy_file
option for defining custom policy rules. Now that placement is
extracted (+1 release) we can deprecate the placement-specific
option and use the standard [oslo_policy]/policy_file option as well.
The tricky thing with this is both options define a default value
but those values are different, and neither need to exist or can
exist but be empty and we'll use policy defaults from code. So some
logic is necessary for detecting which option we should pass to the
oslo.policy Enforcer object. We prefer to use [oslo_policy]/policy_file
if it exists but will fallback to use [placement]/policy_file for
backward compatibility. We also check for a couple of edge cases to
try and detect misconfiguration and usage of the deprecated option.
The config generation docs are updated to include the [oslo_policy]
options as well as registering the options from that library for
runtime code.
Change-Id: Ifb14d2c14b17fc5bcdf7d124744ac2e1b58fd063
Story: #2005171
Task: #29913
OsProfiler is optional, but if it's installed we'll load up the configuration
options from the library, but they weren't in the generated config sample so
people would have to find the osprofiler docs, or worse the code, to figure
out how to configure it.
This simply adds the OsProfiler config options to the config sample, which
will also show up in the config reference docs.
Change-Id: I9a379e0e60ae8eb53280b8296229d2f0412eae4a
Story: 2005842
Task: 34191
CORS configuration settings are available to placement, so we
should include them in the sample and docs.
Change-Id: I15587af6a302f87b4159c819a8046ab489b684ea
Adds the oslo.log entry point to config-generator.conf so our docs get
the logging config options emitted.
Change-Id: I1d84754cf46852dbd15eeec4a7a244632fd78484
Story: 2005264
Task: 30077
Similar to I180a4df89d8338dc640dc2c5638775c65bde1cb7, this
removes the entire [keystone] group from placement.conf
since placement does not use it. The [keystone] group from
nova.conf was optionally used by a couple of compute APIs for
validating a user-provided project ID (flavor access and quota APIs).
Since placement doesn't use the options, they are removed here
so we don't have to go through a formal deprecation period after
placement is officially released. The placement/conf/utils.py
module is also not used so it is removed as well.
While doing this, it was noticed that the [keystone_authtoken]
options, which *are* used by placement.auth.PlacementAuthProtocol
for the auth token middleware, were missing from the generated
placement config docs, so that's fixed in this change as well.
Change-Id: Ic856a4a43a21fbae3fe98466d1dc716d2736d622
The etc/placement/policy-generator.conf file still referred
to nova. Now that it does not, policy generation happens as
expected. The name of the generated file has been changed
to policy.yaml.sample, as we no longer need to distinguish
from nova's.
Note that the readme still points to nova docs, because that
is where we currently have the docs. This will need to change
later.
Change-Id: I633431933666c15eaf8da7e91769d0b4335e6c8d
Change [1] added support for tox -e genconfig via a configuration file
called placement-config-generator.conf. Since we're in the placement
project and only have one config generator, the placement- part is
redundant. In keeping with similar pieces (e.g. policy-generator.conf)
this patch renames the file and fixes references.
[1] https://review.openstack.org/#/c/601838/
Change-Id: I8ea9c00d26539feab141ada493bc825987046b3d
When part of Nova, many files were named in such a way as to indicate
that they were separate from the nova files that did the same thing. Now
that that distinction is no longer needed, we can rename them to sound
more natural.
Additionally, references to these file names in other parts of the code
have been updated.
Change-Id: Id4439b4af827b64bbac213085ac74d1283c96db0
This is the result of running the following two commands:
git mv nova placement
git mv etc/nova/ etc/placement
Change-Id: Ied6e04462ac9d7b582df1411d3045048639f127b
This adds a granular policy checking framework for
placement based on nova.policy but with a lot of
the legacy cruft removed, like the is_admin and
context_is_admin rules.
A new PlacementPolicyFixture is added along with
a new configuration option, [placement]/policy_file,
which is needed because the default policy file
that gets used in config is from [oslo_policy]/policy_file
which is being used as the nova policy file. As
far as I can tell, oslo.policy doesn't allow for
multiple policy files with different names unless
I'm misunderstanding how the policy_dirs option works.
With these changes, we can have something like:
/etc/nova/policy.json - for nova policy rules
/etc/nova/placement-policy.yaml - for placement rules
The docs are also updated to include the placement
policy sample along with a tox builder for the sample.
This starts by adding granular rules for CRUD operations
on the /resource_providers and /resource_providers/{uuid}
routes which use the same descriptions from the placement
API reference. Subsequent patches will add new granular
rules for the other routes.
Part of blueprint granular-placement-policy
Change-Id: I17573f5210314341c332fdcb1ce462a989c21940
Takashi Kajinami