Move API cors config to their services

- Move the CORS config out of the tripleo-ui service into the services
  that actually serve the APIs (Keystone, Heat, Swift).
- Configure allowed_origin to '*' for the containerized
  undercloud (when TripleO UI is containerized)
- Default param for allowed_origin is unset for security reasons.

Change-Id: Iee983d84c78fe055f295eedfadde336b25a5d6a1
This commit is contained in:
Emilien Macchi 2018-03-19 17:16:03 -07:00
parent 5513d94075
commit 88daf0d5da
6 changed files with 82 additions and 49 deletions


@ -10,6 +10,7 @@ resource_registry:
parameter_defaults:
# ensure we enable ip_forward before docker gets run
KernelIpForward: 1
KeystoneCorsAllowedOrigin: '*'
EnablePackageInstall: true
StackAction: CREATE
SoftwareConfigTransport: POLL_SERVER_HEAT
@ -31,6 +32,7 @@ parameter_defaults:
NovaAutoDisabling: '0'
NeutronDhcpAgentsPerNetwork: 2
HeatConvergenceEngine: false
HeatCorsAllowedOrigin: '*'
HeatMaxResourcesPerStack: -1
HeatMaxJsonBodySize: 2097152
IronicCleaningDiskErase: 'metadata'
@ -77,3 +79,4 @@ parameter_defaults:
NeutronVniRanges: '10:100'
NeutronPortQuota: '-1'
MigrateLegacyNeutronDb: true
SwiftCorsAllowedOrigin: '*'
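Review bot: The three new lines (`KeystoneCorsAllowedOrigin`, `HeatCorsAllowedOrigin`, `SwiftCorsAllowedOrigin`) set the wildcard `'*'` with no comment, in an environment file where it will be easy to copy into other deployments; the commit message says the wildcard is deliberately not the default for security reasons, so the file should say why it is acceptable here. A wildcard lets a page on any origin make cross-origin requests to these undercloud APIs from a browser, which is only needed because the containerized TripleO UI is served from a different origin than the APIs. I would add a comment above the first line, e.g. `# CORS: the containerized TripleO UI runs on a separate origin; '*' allows any origin, narrow this to the UI host where it is known`. Placing the three settings next to each other (instead of scattered across the file) would also make that comment cover all of them.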


@ -127,9 +127,15 @@ parameters:
description: Driver or drivers to handle sending notifications.
constraints:
- allowed_values: [ 'messagingv2', 'noop' ]
HeatCorsAllowedOrigin:
type: string
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
conditions:
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
outputs:
role_data:
@ -137,45 +143,54 @@ outputs:
value:
service_name: heat_base
config_settings:
heat::notification_driver: {get_param: NotificationDriver}
heat::rabbit_userid: {get_param: RabbitUserName}
heat::rabbit_password: {get_param: RabbitPassword}
heat::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
heat::rabbit_port: {get_param: RabbitClientPort}
heat::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: HeatDebug }
heat::enable_proxy_headers_parsing: true
heat::rpc_response_timeout: 600
heat::rabbit_heartbeat_timeout_threshold: 60
heat::keystone::authtoken::project_name: 'service'
heat::keystone::authtoken::user_domain_name: 'Default'
heat::keystone::authtoken::project_domain_name: 'Default'
heat::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
heat::keystone::authtoken::password: {get_param: HeatPassword}
heat::heat_keystone_clients_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
heat::keystone::domain::domain_name: 'heat_stack'
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
heat::db::database_db_max_retries: -1
heat::db::database_max_retries: -1
heat::yaql_memory_quota: 100000
heat::yaql_limit_iterators: 1000
heat::cron::purge_deleted::ensure: {get_param: HeatCronPurgeDeletedEnsure}
heat::cron::purge_deleted::minute: {get_param: HeatCronPurgeDeletedMinute}
heat::cron::purge_deleted::hour: {get_param: HeatCronPurgeDeletedHour}
heat::cron::purge_deleted::monthday: {get_param: HeatCronPurgeDeletedMonthday}
heat::cron::purge_deleted::month: {get_param: HeatCronPurgeDeletedMonth}
heat::cron::purge_deleted::weekday: {get_param: HeatCronPurgeDeletedWeekday}
heat::cron::purge_deleted::maxdelay: {get_param: HeatCronPurgeDeletedMaxDelay}
heat::cron::purge_deleted::user: {get_param: HeatCronPurgeDeletedUser}
heat::cron::purge_deleted::age: {get_param: HeatCronPurgeDeletedAge}
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
map_merge:
-
if:
- cors_allowed_origin_unset
- {}
- heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}
- heat::notification_driver: {get_param: NotificationDriver}
heat::rabbit_userid: {get_param: RabbitUserName}
heat::rabbit_password: {get_param: RabbitPassword}
heat::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
heat::rabbit_port: {get_param: RabbitClientPort}
heat::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: HeatDebug }
heat::enable_proxy_headers_parsing: true
heat::rpc_response_timeout: 600
heat::rabbit_heartbeat_timeout_threshold: 60
heat::keystone::authtoken::project_name: 'service'
heat::keystone::authtoken::user_domain_name: 'Default'
heat::keystone::authtoken::project_domain_name: 'Default'
heat::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
heat::keystone::authtoken::password: {get_param: HeatPassword}
heat::heat_keystone_clients_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
heat::keystone::domain::domain_name: 'heat_stack'
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
heat::db::database_db_max_retries: -1
heat::db::database_max_retries: -1
heat::yaql_memory_quota: 100000
heat::yaql_limit_iterators: 1000
heat::cors::max_age: 3600
heat::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
heat::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
heat::cron::purge_deleted::ensure: {get_param: HeatCronPurgeDeletedEnsure}
heat::cron::purge_deleted::minute: {get_param: HeatCronPurgeDeletedMinute}
heat::cron::purge_deleted::hour: {get_param: HeatCronPurgeDeletedHour}
heat::cron::purge_deleted::monthday: {get_param: HeatCronPurgeDeletedMonthday}
heat::cron::purge_deleted::month: {get_param: HeatCronPurgeDeletedMonth}
heat::cron::purge_deleted::weekday: {get_param: HeatCronPurgeDeletedWeekday}
heat::cron::purge_deleted::maxdelay: {get_param: HeatCronPurgeDeletedMaxDelay}
heat::cron::purge_deleted::user: {get_param: HeatCronPurgeDeletedUser}
heat::cron::purge_deleted::age: {get_param: HeatCronPurgeDeletedAge}
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
service_config_settings:
keystone:
tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack'
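Review bot: The `HeatCorsAllowedOrigin` description ("Indicate whether this resource may be shared with the domain received in the request origin header") reads as a boolean but the parameter is a string, and it never says what the empty default or `'*'` mean; suggest `description: Origin(s) allowed to make cross-origin requests to the Heat API (returned as Access-Control-Allow-Origin). '*' allows any origin; the default '' leaves heat::cors::allowed_origin unset.` Separately, `heat::cors::max_age`, `heat::cors::allow_headers` and `heat::cors::expose_headers` are now emitted unconditionally while `allowed_origin` is gated by `cors_allowed_origin_unset`; that is presumably harmless (no origin means no cross-origin grant), but moving those three keys into the same conditional map would keep the CORS settings together and avoid writing a half-configured `[cors]` section. The `role_data` output continues outside the hunk.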


@ -277,6 +277,11 @@ parameters:
description: >-
This controls the number of previous user password iterations to keep in
history, in order to enforce that newly created passwords are unique.
KeystoneCorsAllowedOrigin:
type: string
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
parameter_groups:
- label: deprecated
@ -318,6 +323,7 @@ conditions:
password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}
outputs:
role_data:
@ -328,6 +334,11 @@ outputs:
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
-
if:
- cors_allowed_origin_unset
- {}
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
- keystone::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
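Review bot: The new condition `cors_allowed_origin_unset` breaks the naming convention of the surrounding conditions, which are all positive `*_set` checks (`password_regex_set`, `password_regex_description_set`, `unique_last_password_count_set` on the lines just above it). For consistency define `cors_allowed_origin_set: {not: {equals: [{get_param: KeystoneCorsAllowedOrigin}, '']}}` and swap the two branches of the `if` in the map_merge so the populated map comes first. The description text is the same copy as in heat-base.yaml and should state that `'*'` allows any origin and `''` leaves the setting unset. The `config_settings` map_merge continues outside the hunk.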


@ -99,6 +99,8 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, MistralApiNetwork]}
mistral::wsgi::apache::ssl: {get_param: EnableInternalTLS}
mistral::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
mistral::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
mistral::policy::policies: {get_param: MistralApiPolicies}
mistral::cron_trigger::execution_interval: {get_param: MistralExecutionInterval}
mistral::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
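Review bot: The added `mistral::cors::allow_headers` line duplicates the pre-existing `mistral::cors::allow_headers` key a few lines below it (the context line after `mistral::cron_trigger::execution_interval`), so the same key now appears twice in one mapping; YAML loaders typically keep the last value silently, which hides the mistake, and a stricter parser would reject it. Drop one of the two, keeping the added `allow_headers`/`expose_headers` pair together. Unlike Heat, Keystone and Swift, this file gains no `MistralCorsAllowedOrigin` parameter, so `expose_headers` is set for a service whose `allowed_origin` is no longer configured anywhere visible in this change. The `config_settings` map continues outside the hunk.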


@ -86,12 +86,18 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
SwiftCorsAllowedOrigin:
type: string
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
conditions:
ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, true]}
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
swift_encryption_enabled: {equals : [{get_param: SwiftEncryptionEnabled}, true]}
cors_allowed_origin_unset: {equals : [{get_param: SwiftCorsAllowedOrigin}, '']}
resources:
SwiftBase:
@ -123,6 +129,11 @@ outputs:
map_merge:
- get_attr: [SwiftBase, role_data, config_settings]
- get_attr: [TLSProxyBase, role_data, config_settings]
-
if:
- cors_allowed_origin_unset
- {}
- swift::proxy::cors_allow_origin: {get_param: SwiftCorsAllowedOrigin}
- swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
swift::proxy::authtoken::password: {get_param: SwiftPassword}


@ -64,16 +64,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- keystone::cors::allowed_origin: '*'
heat::cors::allowed_origin: '*'
heat::cors::max_age: 3600
heat::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
heat::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
mistral::cors::allowed_origin: '*'
mistral::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
mistral::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
swift::proxy::cors_allow_origin: '*'
tripleo::ui::endpoint_proxy_zaqar: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri_no_suffix]}
- tripleo::ui::endpoint_proxy_zaqar: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri_no_suffix]}
tripleo::ui::endpoint_proxy_keystone: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
tripleo::ui::endpoint_proxy_heat: {get_param: [EndpointMap, HeatInternal, uri_no_suffix]}
tripleo::ui::endpoint_proxy_ironic: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
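Review bot: The removed `mistral::cors::allowed_origin: '*'` has no replacement in this change: Keystone, Heat and Swift each get a `*CorsAllowedOrigin` parameter that the undercloud environment sets to `'*'`, but mistral-api.yaml only gains header settings and the environment file sets nothing for Mistral. Unless the Mistral origin is configured somewhere outside this diff, a browser-hosted UI reaching the Mistral API cross-origin will now be refused, so either add `MistralCorsAllowedOrigin` (with the same `''` default and `cors_allowed_origin_unset` gate as the other services) or document why Mistral no longer needs it. The `config_settings` map_merge continues outside the hunk.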