From 1d94dd4f2a2971e0a7dfff21a27b3f44b2cb8a0e Mon Sep 17 00:00:00 2001 From: Michael Krotscheck Date: Mon, 19 Oct 2015 09:15:26 -0700 Subject: [PATCH] Added CORS support to Heat This adds the CORS support middleware to Heat, allowing a deployer to optionally configure rules under which a javascript client may break the single-origin policy and access the API directly. For heat, the paste.ini method of deploying the middleware was chosen, because it needs to be able to annotate responses created by keystonemiddleware. If the middleware were explicitly included as in the previous patch, keystone would reject the request before the cross-domain headers could be annotated, resulting in an error response that was unreadable by the user agent. OpenStack CrossProject Spec: http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html Oslo_Middleware Docs: http://docs.openstack.org/developer/oslo.middleware/cors.html OpenStack Cloud Admin Guide: http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html docimpact Change-Id: I185f0d9f85617dd2f482cac4994ccc0a4cb6cf16 --- config-generator.conf | 1 + etc/heat/api-paste.ini | 18 +++++++++++------- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/config-generator.conf b/config-generator.conf index 6b4eefed8c..469ec00fec 100644 --- a/config-generator.conf +++ b/config-generator.conf @@ -12,6 +12,7 @@ namespace = heat.api.middleware.ssl namespace = heat.api.aws.ec2token namespace = keystonemiddleware.auth_token namespace = oslo.messaging +namespace = oslo.middleware namespace = oslo.db namespace = oslo.log namespace = oslo.policy diff --git a/etc/heat/api-paste.ini b/etc/heat/api-paste.ini index e75c3a1247..7246e14df3 100644 --- a/etc/heat/api-paste.ini +++ b/etc/heat/api-paste.ini @@ -1,7 +1,7 @@ # heat-api pipeline [pipeline:heat-api] -pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app +pipeline = cors request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app # heat-api pipeline for standalone heat # ie. uses alternative auth backend that authenticates users against keystone @@ -12,7 +12,7 @@ pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authto # flavor = standalone # [pipeline:heat-api-standalone] -pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app +pipeline = cors request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app # heat-api pipeline for custom cloud backends # i.e. in heat.conf: @@ -20,25 +20,25 @@ pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword cont # flavor = custombackend # [pipeline:heat-api-custombackend] -pipeline = request_id faultwrap versionnegotiation context custombackendauth apiv1app +pipeline = cors request_id faultwrap versionnegotiation context custombackendauth apiv1app # heat-api-cfn pipeline [pipeline:heat-api-cfn] -pipeline = cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app +pipeline = cors cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app # heat-api-cfn pipeline for standalone heat # relies exclusively on authenticating with ec2 signed requests [pipeline:heat-api-cfn-standalone] -pipeline = cfnversionnegotiation ec2authtoken context apicfnv1app +pipeline = cors cfnversionnegotiation ec2authtoken context apicfnv1app # heat-api-cloudwatch pipeline [pipeline:heat-api-cloudwatch] -pipeline = versionnegotiation osprofiler ec2authtoken authtoken context apicwapp +pipeline = cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp # heat-api-cloudwatch pipeline for standalone heat # relies exclusively on authenticating with ec2 signed requests [pipeline:heat-api-cloudwatch-standalone] -pipeline = versionnegotiation ec2authtoken context apicwapp +pipeline = cors versionnegotiation ec2authtoken context apicwapp [app:apiv1app] paste.app_factory = heat.common.wsgi:app_factory @@ -56,6 +56,10 @@ heat.app_factory = heat.api.cloudwatch:API paste.filter_factory = heat.common.wsgi:filter_factory heat.filter_factory = heat.api.openstack:version_negotiation_filter +[filter:cors] +paste.filter_factory = oslo_middleware.cors:filter_factory +oslo_config_project = heat + [filter:faultwrap] paste.filter_factory = heat.common.wsgi:filter_factory heat.filter_factory = heat.api.openstack:faultwrap_filter