Define default settings explicitly (openstack_auth)

This commit also moves descriptions of settings defined in openstack_auth
from openstack_dashboard/settings.py and local_settings.py(.example)
to openstack_auth/settings.py.

Note that if openstack_dashboard has different default settings
from openstack_auth defaults, they are now moved to
openstack_dashboard/defaults.py.

Part of blueprint ini-based-configuration
Change-Id: I59eebc388de0bcbd4d1fe35c6138efbd3e04c5b8
Akihiro Motoki 2019-04-14 07:55:38 +09:00
parent a629d100be
commit e56e076ea8
12 changed files with 265 additions and 250 deletions


@ -19,6 +19,7 @@
import os
import socket
from openstack_auth.defaults import * # noqa: F403,H303
from openstack_dashboard.utils import settings as settings_utils
socket.setdefaulttimeout(1)


@ -44,14 +44,8 @@ class KeystoneBackend(object):
@property
def auth_plugins(self):
if self._auth_plugins is None:
plugins = getattr(
settings,
'AUTHENTICATION_PLUGINS',
['openstack_auth.plugin.password.PasswordPlugin',
'openstack_auth.plugin.token.TokenPlugin'])
plugins = settings.AUTHENTICATION_PLUGINS
self._auth_plugins = [import_string(p)() for p in plugins]
return self._auth_plugins
def get_user(self, user_id):
@ -174,7 +168,7 @@ class KeystoneBackend(object):
region_name = id_endpoint['region']
break
interface = getattr(settings, 'OPENSTACK_ENDPOINT_TYPE', 'public')
interface = settings.OPENSTACK_ENDPOINT_TYPE
endpoint, url_fixed = utils.fix_auth_url_version_prefix(
scoped_auth_ref.service_catalog.url_for(
@ -215,7 +209,7 @@ class KeystoneBackend(object):
request.session['domain_token'] = domain_auth_ref
request.user = user
timeout = getattr(settings, "SESSION_TIMEOUT", 3600)
timeout = settings.SESSION_TIMEOUT
token_life = user.token.expires - datetime.datetime.now(pytz.utc)
session_time = min(timeout, int(token_life.total_seconds()))
request.session.set_expiry(session_time)
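Review bot: Reading `settings.AUTHENTICATION_PLUGINS`, `settings.OPENSTACK_ENDPOINT_TYPE` and `settings.SESSION_TIMEOUT` without a fallback makes authentication raise `AttributeError` in any Django project whose settings module does not pull in `openstack_auth.defaults`. The same holds for the direct reads in the forms, policy, utils and views sections of this commit. Nothing visible here verifies at startup that the defaults were loaded, so the failure would first show up during a login request. Consider stating the requirement in a module comment, e.g. `# Requires the project settings to include: from openstack_auth.defaults import *`, or reporting missing names through a Django system check. The methods these lines belong to extend beyond the hunks shown.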

168
openstack_auth/defaults.py Normal file

@ -0,0 +1,168 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# NOTE: The following are from Django settings.
# LOGIN_URL
# LOGIN_REDIRECT_URL
# SESSION_ENGINE
# USE_TZ
# WEBROOT is the location relative to Webserver root
# should end with a slash in openstack_dashboard.settings..
WEBROOT = '/'
# TODO(amotoki): What is the right default value in openstack_auth?
LOGIN_ERROR = 'error/'
OPENSTACK_KEYSTONE_URL = "http://localhost:5000/v3"
# OPENSTACK_KEYSTONE_URL = 'http://localhost/identity/v3'
# TODO(amotoki): The default value in openstack_dashboard is different:
# publicURL. It should be consistent.
OPENSTACK_ENDPOINT_TYPE = 'public'
OPENSTACK_SSL_NO_VERIFY = False
# TODO(amotoki): Is it correct?
OPENSTACK_SSL_CACERT = True
OPENSTACK_API_VERSIONS = {
'identity': 3,
}
AUTHENTICATION_PLUGINS = ['openstack_auth.plugin.password.PasswordPlugin',
'openstack_auth.plugin.token.TokenPlugin']
# This SESSION_TIMEOUT is a method to supercede the token timeout with a
# shorter horizon session timeout (in seconds). If SESSION_REFRESH is True (the
# default) SESSION_TIMEOUT acts like an idle timeout rather than being a hard
# limit, but will never exceed the token expiry. If your token expires in 60
# minutes, a value of 1800 will log users out after 30 minutes of inactivity,
# or 60 minutes with activity. Setting SESSION_REFRESH to False will make
# SESSION_TIMEOUT act like a hard limit on session times.
SESSION_TIMEOUT = 3600
TOKEN_TIMEOUT_MARGIN = 0
AVAILABLE_REGIONS = []
# For setting the default service region on a per-endpoint basis. Note that the
# default value for this setting is {}, and below is just an example of how it
# should be specified.
# A key of '*' is an optional global default if no other key matches.
# Example:
# DEFAULT_SERVICE_REGIONS = {
# '*': 'RegionOne'
# OPENSTACK_KEYSTONE_URL: 'RegionTwo'
# }
DEFAULT_SERVICE_REGIONS = {}
SECURE_PROXY_ADDR_HEADER = False
# Password will have an expiration date when using keystone v3 and enabling
# the feature.
# This setting allows you to set the number of days that the user will be
# alerted prior to the password expiration.
# Once the password expires keystone will deny the access and users must
# contact an admin to change their password.
PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = -1
OPENSTACK_KEYSTONE_ADMIN_ROLES = ['admin']
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
# Set this to True if you want available domains displayed as a dropdown menu
# on the login screen. It is strongly advised NOT to enable this for public
# clouds, as advertising enabled domains to unauthenticated customers
# irresponsibly exposes private information. This should only be used for
# private clouds where the dashboard sits behind a corporate firewall.
OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False
# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to
# set the available domains to choose from. This is a list of pairs whose first
# value is the domain name and the second is the display name.
# Example:
# OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
# ('Default', 'Default'),
# )
OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ()
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
# Enables keystone web single-sign-on if set to True.
WEBSSO_ENABLED = False
# Authentication mechanism to be selected as default.
# The value must be a key from WEBSSO_CHOICES.
WEBSSO_INITIAL_CHOICE = 'credentials'
# The list of authentication mechanisms which include keystone
# federation protocols and identity provider/federation protocol
# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol
# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID
# Connect respectively.
# Do not remove the mandatory credentials mechanism.
# Note: The last two tuples are sample mapping keys to a identity provider
# and federation protocol combination (WEBSSO_IDP_MAPPING).
# Example:
# WEBSSO_CHOICES = (
# ("credentials", _("Keystone Credentials")),
# ("oidc", _("OpenID Connect")),
# ("saml2", _("Security Assertion Markup Language")),
# ("acme_oidc", "ACME - OpenID Connect"),
# ("acme_saml2", "ACME - SAML2"),
# )
WEBSSO_CHOICES = ()
# A dictionary of specific identity provider and federation protocol
# combinations. From the selected authentication mechanism, the value
# will be looked up as keys in the dictionary. If a match is found,
# it will redirect the user to a identity provider and federation protocol
# specific WebSSO endpoint in keystone, otherwise it will use the value
# as the protocol_id when redirecting to the WebSSO by protocol endpoint.
# NOTE: The value is expected to be a tuple formatted as:
# (<idp_id>, <protocol_id>).
# Example:
# WEBSSO_IDP_MAPPING = {
# "acme_oidc": ("acme", "oidc"),
# "acme_saml2": ("acme", "saml2"),
# }
WEBSSO_IDP_MAPPING = {}
# Enables redirection on login to the identity provider defined on
# WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION
WEBSSO_DEFAULT_REDIRECT = False
# Specifies the protocol to use for default redirection on login
WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None
# Specifies the region to which the connection will be established on login
WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL
# Enables redirection on logout to the method specified on the identity
# provider. Once logout the client will be redirected to the address specified
# in this variable.
WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
# If set this URL will be used for web single-sign-on authentication
# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment
# scenarios where network segmentation is used per security requirement.
# In this case, the controllers are not reachable from public network.
# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL
# if it is set to the internal endpoint.
# Example: WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
WEBSSO_KEYSTONE_URL = None
# The Keystone Provider drop down uses Keystone to Keystone federation
# to switch between Keystone service providers.
# Set display name for Identity Provider (dropdown display name)
KEYSTONE_PROVIDER_IDP_NAME = 'Local Keystone'
# This id is used for only for comparison with the service provider IDs.
# This ID should not match any service provider IDs.
KEYSTONE_PROVIDER_IDP_ID = 'localkeystone'
POLICY_FILES_PATH = ''
POLICY_FILES = {}
POLICY_DIRS = {}
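Review bot: `WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL` is evaluated when this module is imported, so it is fixed to `"http://localhost:5000/v3"` and no longer follows a Keystone URL that the operator sets later in their own settings. The line it replaces in `get_websso_default_redirect_region()` fell back to `settings.OPENSTACK_KEYSTONE_URL`, i.e. the effective value, so a deployment that enables `WEBSSO_DEFAULT_REDIRECT` without setting the region would presumably now point the default redirect at the localhost default. Defaulting to `None` here and keeping the fallback in the getter, `return settings.WEBSSO_DEFAULT_REDIRECT_REGION or settings.OPENSTACK_KEYSTONE_URL`, preserves the earlier behaviour. Separately, `OPENSTACK_SSL_CACERT = True` still carries an open TODO; since `get_session()` assigns it to `verify`, a comment saying whether it accepts `True` or a CA bundle path would settle the question for operators.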


@ -31,7 +31,7 @@ LOG = logging.getLogger(__name__)
def get_region_endpoint(region_id):
if region_id == "default":
return settings.OPENSTACK_KEYSTONE_URL
all_regions = getattr(settings, 'AVAILABLE_REGIONS', [])
all_regions = settings.AVAILABLE_REGIONS
return all_regions[int(region_id)][0]
@ -65,19 +65,13 @@ class Login(django_auth_forms.AuthenticationForm):
def __init__(self, *args, **kwargs):
super(Login, self).__init__(*args, **kwargs)
fields_ordering = ['username', 'password', 'region']
if getattr(settings,
'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT',
False):
if settings.OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT:
last_domain = self.request.COOKIES.get('login_domain', None)
if getattr(settings,
'OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN',
False):
if settings.OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN:
self.fields['domain'] = forms.ChoiceField(
label=_("Domain"),
initial=last_domain,
choices=getattr(settings,
'OPENSTACK_KEYSTONE_DOMAIN_CHOICES',
()))
choices=settings.OPENSTACK_KEYSTONE_DOMAIN_CHOICES)
else:
self.fields['domain'] = forms.CharField(
initial=last_domain,
@ -96,17 +90,17 @@ class Login(django_auth_forms.AuthenticationForm):
# if websso is enabled and keystone version supported
# prepend the websso_choices select input to the form
if utils.is_websso_enabled():
initial = getattr(settings, 'WEBSSO_INITIAL_CHOICE', 'credentials')
initial = settings.WEBSSO_INITIAL_CHOICE
self.fields['auth_type'] = forms.ChoiceField(
label=_("Authenticate using"),
choices=getattr(settings, 'WEBSSO_CHOICES', ()),
choices=settings.WEBSSO_CHOICES,
required=False,
initial=initial)
# add auth_type to the top of the list
fields_ordering.insert(0, 'auth_type')
# websso is enabled, but keystone version is not supported
elif getattr(settings, 'WEBSSO_ENABLED', False):
elif settings.WEBSSO_ENABLED:
msg = ("Websso is enabled but horizon is not configured to work " +
"with keystone version 3 or above.")
LOG.warning(msg)
@ -115,7 +109,7 @@ class Login(django_auth_forms.AuthenticationForm):
@staticmethod
def get_region_choices():
all_regions = getattr(settings, 'AVAILABLE_REGIONS', [])
all_regions = settings.AVAILABLE_REGIONS
if all_regions:
regions = [("%d" % i, name) for i, (url, name) in
enumerate(all_regions)]
@ -125,9 +119,7 @@ class Login(django_auth_forms.AuthenticationForm):
@sensitive_variables()
def clean(self):
default_domain = getattr(settings,
'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN',
'Default')
default_domain = settings.OPENSTACK_KEYSTONE_DEFAULT_DOMAIN
username = self.cleaned_data.get('username')
password = self.cleaned_data.get('password')
domain = self.cleaned_data.get('domain', default_domain)
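Review bot: `get_region_endpoint()` still evaluates `all_regions[int(region_id)][0]` on a value the login view takes directly from `request.POST.get('region')`, so a missing, non-numeric or out-of-range region raises `TypeError`, `ValueError` or `IndexError` instead of producing a form error, and a negative number is accepted as an index from the end of the list. With `AVAILABLE_REGIONS` empty, which is the default, every value other than `"default"` fails this way. The function should parse the value inside a `try`, check `0 <= index < len(all_regions)`, and raise a validation error the view can handle when the check fails. The `Login.__init__` and `clean` bodies continue outside the hunks.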


@ -49,8 +49,7 @@ class K2KAuthPlugin(base.BasePlugin):
if utils.get_keystone_version() < 3 or not service_provider:
return None
keystone_idp_id = getattr(settings, 'KEYSTONE_PROVIDER_IDP_ID',
'localkeystone')
keystone_idp_id = settings.KEYSTONE_PROVIDER_IDP_ID
if service_provider == keystone_idp_id:
return None


@ -27,7 +27,7 @@ from openstack_auth import utils as auth_utils
LOG = logging.getLogger(__name__)
_ENFORCER = None
_BASE_PATH = getattr(settings, 'POLICY_FILES_PATH', '')
_BASE_PATH = settings.POLICY_FILES_PATH
def _get_policy_conf(policy_file, policy_dirs=None):
@ -47,9 +47,9 @@ def _get_policy_conf(policy_file, policy_dirs=None):
def _get_policy_file_with_full_path(service):
policy_files = getattr(settings, 'POLICY_FILES', {})
policy_files = settings.POLICY_FILES
policy_file = os.path.join(_BASE_PATH, policy_files[service])
policy_dirs = getattr(settings, 'POLICY_DIRS', {}).get(service, [])
policy_dirs = settings.POLICY_DIRS.get(service, [])
policy_dirs = [os.path.join(_BASE_PATH, policy_dir)
for policy_dir in policy_dirs]
return policy_file, policy_dirs
@ -59,7 +59,7 @@ def _get_enforcer():
global _ENFORCER
if not _ENFORCER:
_ENFORCER = {}
policy_files = getattr(settings, 'POLICY_FILES', {})
policy_files = settings.POLICY_FILES
for service in policy_files.keys():
policy_file, policy_dirs = _get_policy_file_with_full_path(service)
conf = _get_policy_conf(policy_file, policy_dirs)
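Review bot: With the openstack_auth default `POLICY_FILES = {}`, the loop in `_get_enforcer()` never runs and `_ENFORCER` stays an empty dict, so `if not _ENFORCER:` is true again on every call and no policy file is ever loaded. How a policy check is answered when no enforcer exists for a service is decided outside this hunk; because that is an access-control decision, it deserves a comment next to the default, for example `# Empty by default: no policy files are loaded; the policy check code decides how a service without an enforcer is treated`. `_BASE_PATH` is also captured once at import, so a later change to `POLICY_FILES_PATH` is not picked up. `_get_enforcer()` continues past the last line shown.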


@ -13,6 +13,8 @@
import os
from openstack_auth.defaults import * # noqa: F403,H303
ALLOWED_HOSTS = ['*']
DATABASES = {'default': {'ENGINE': 'django.db.backends.sqlite3'}}
@ -38,22 +40,14 @@ MIDDLEWARE = [
AUTHENTICATION_BACKENDS = ['openstack_auth.backend.KeystoneBackend']
OPENSTACK_KEYSTONE_URL = "http://localhost:5000/v3"
ROOT_URLCONF = 'openstack_auth.tests.urls'
LOGIN_REDIRECT_URL = '/'
LOGIN_REDIRECT_URL = WEBROOT
SECRET_KEY = 'badcafe'
OPENSTACK_API_VERSIONS = {
"identity": 3
}
USE_TZ = True
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'domain'
# NOTE(saschpe): The openstack_auth.user.Token object isn't
@ -74,27 +68,6 @@ TEMPLATES = [
},
]
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'handlers': {
'null': {
'level': 'DEBUG',
'class': 'logging.NullHandler',
},
'test': {
'level': 'ERROR',
'class': 'logging.StreamHandler',
}
},
'loggers': {
'openstack_auth': {
'handlers': ['test'],
'propagate': False,
},
}
}
AUTH_USER_MODEL = 'openstack_auth.User'
LOGGING = {


@ -91,7 +91,7 @@ def is_token_valid(token, margin=None):
if expiration is None:
return False
if margin is None:
margin = getattr(settings, 'TOKEN_TIMEOUT_MARGIN', 0)
margin = settings.TOKEN_TIMEOUT_MARGIN
expiration = expiration - datetime.timedelta(seconds=margin)
if settings.USE_TZ and timezone.is_naive(expiration):
# Presumes that the Keystone is using UTC.
@ -102,12 +102,12 @@ def is_token_valid(token, margin=None):
# Helper for figuring out keystone version
# Implementation will change when API version discovery is available
def get_keystone_version():
return getattr(settings, 'OPENSTACK_API_VERSIONS', {}).get('identity', 3)
return settings.OPENSTACK_API_VERSIONS['identity']
def get_session():
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
verify = getattr(settings, 'OPENSTACK_SSL_CACERT', True)
insecure = settings.OPENSTACK_SSL_NO_VERIFY
verify = settings.OPENSTACK_SSL_CACERT
if insecure:
verify = False
@ -124,7 +124,7 @@ def get_keystone_client():
def is_websso_enabled():
"""Websso is supported in Keystone version 3."""
websso_enabled = getattr(settings, 'WEBSSO_ENABLED', False)
websso_enabled = settings.WEBSSO_ENABLED
keystonev3_plus = (get_keystone_version() >= 3)
return websso_enabled and keystonev3_plus
@ -134,28 +134,26 @@ def is_websso_default_redirect():
As with websso, this is only supported in Keystone version 3.
"""
websso_default_redirect = getattr(settings,
'WEBSSO_DEFAULT_REDIRECT', False)
websso_default_redirect = settings.WEBSSO_DEFAULT_REDIRECT
keystonev3_plus = (get_keystone_version() >= 3)
return websso_default_redirect and keystonev3_plus
def get_websso_default_redirect_protocol():
return getattr(settings, 'WEBSSO_DEFAULT_REDIRECT_PROTOCOL', None)
return settings.WEBSSO_DEFAULT_REDIRECT_PROTOCOL
def get_websso_default_redirect_region():
return getattr(settings, 'WEBSSO_DEFAULT_REDIRECT_REGION',
settings.OPENSTACK_KEYSTONE_URL)
return settings.WEBSSO_DEFAULT_REDIRECT_REGION
def get_websso_default_redirect_logout():
return getattr(settings, 'WEBSSO_DEFAULT_REDIRECT_LOGOUT', None)
return settings.WEBSSO_DEFAULT_REDIRECT_LOGOUT
def build_absolute_uri(request, relative_url):
"""Ensure absolute_uri are relative to WEBROOT."""
webroot = getattr(settings, 'WEBROOT', '')
webroot = settings.WEBROOT
if webroot.endswith("/") and relative_url.startswith("/"):
webroot = webroot[:-1]
@ -222,7 +220,7 @@ def get_websso_url(request, auth_url, websso_auth):
"""
origin = build_absolute_uri(request, '/auth/websso/')
idp_mapping = getattr(settings, 'WEBSSO_IDP_MAPPING', {})
idp_mapping = settings.WEBSSO_IDP_MAPPING
idp_id, protocol_id = idp_mapping.get(websso_auth,
(None, websso_auth))
@ -386,11 +384,9 @@ def default_services_region(service_catalog, request=None,
if request:
region_options.append(request.COOKIES.get('services_region'))
if ks_endpoint:
default_service_regions = getattr(
settings, 'DEFAULT_SERVICE_REGIONS', {})
default_service_regions = settings.DEFAULT_SERVICE_REGIONS
region_options.append(default_service_regions.get(ks_endpoint))
region_options.append(
getattr(settings, 'DEFAULT_SERVICE_REGIONS', {}).get('*'))
region_options.append(settings.DEFAULT_SERVICE_REGIONS.get('*'))
for region in region_options:
if region in available_regions:
@ -425,7 +421,7 @@ def get_endpoint_region(endpoint):
def using_cookie_backed_sessions():
engine = getattr(settings, 'SESSION_ENGINE', '')
engine = settings.SESSION_ENGINE
return "signed_cookies" in engine
@ -442,8 +438,7 @@ def get_admin_roles():
"""
admin_roles = {role.lower() for role
in getattr(settings, 'OPENSTACK_KEYSTONE_ADMIN_ROLES',
['admin'])}
in settings.OPENSTACK_KEYSTONE_ADMIN_ROLES}
return admin_roles
@ -490,9 +485,7 @@ def get_client_ip(request):
:returns: Possible client ip address
:rtype: string
"""
_SECURE_PROXY_ADDR_HEADER = getattr(
settings, 'SECURE_PROXY_ADDR_HEADER', False
)
_SECURE_PROXY_ADDR_HEADER = settings.SECURE_PROXY_ADDR_HEADER
if _SECURE_PROXY_ADDR_HEADER:
return request.META.get(
_SECURE_PROXY_ADDR_HEADER,
@ -530,10 +523,8 @@ def store_initial_k2k_session(auth_url, request, scoped_auth_ref,
providers = getattr(providers, '_service_providers', None)
if providers:
keystone_idp_name = getattr(settings, 'KEYSTONE_PROVIDER_IDP_NAME',
'Local Keystone')
keystone_idp_id = getattr(
settings, 'KEYSTONE_PROVIDER_IDP_ID', 'localkeystone')
keystone_idp_name = settings.KEYSTONE_PROVIDER_IDP_NAME
keystone_idp_id = settings.KEYSTONE_PROVIDER_IDP_ID
keystone_identity_provider = {'name': keystone_idp_name,
'id': keystone_idp_id}
# (edtubill) We will use the IDs as the display names
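Review bot: `get_keystone_version()` now returns `settings.OPENSTACK_API_VERSIONS['identity']`, which raises `KeyError` when a deployment overrides `OPENSTACK_API_VERSIONS` with a dict that has no `'identity'` entry; the replaced line fell back to 3 in that case. Because `is_websso_enabled()` and `is_websso_default_redirect()` call it, the error would surface on the login path. Keeping the inner fallback, `return settings.OPENSTACK_API_VERSIONS.get('identity', 3)`, retains the old behaviour while still relying on the explicit default for the setting itself. Several of the functions touched in this section start or end outside the hunks.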


@ -69,8 +69,9 @@ def login(request):
auth_type = request.POST.get('auth_type', 'credentials')
if utils.is_websso_enabled() and auth_type != 'credentials':
region_id = request.POST.get('region')
auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL',
forms.get_region_endpoint(region_id))
auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL', None)
if auth_url is None:
auth_url = forms.get_region_endpoint(region_id)
url = utils.get_websso_url(request, auth_url, auth_type)
return shortcuts.redirect(url)
@ -88,7 +89,7 @@ def login(request):
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', None)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
regions = dict(settings.AVAILABLE_REGIONS)
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
@ -97,7 +98,7 @@ def login(request):
else:
form = functional.curry(forms.Login, initial=initial)
choices = getattr(settings, 'WEBSSO_CHOICES', ())
choices = settings.WEBSSO_CHOICES
extra_context = {
'redirect_field_name': auth.REDIRECT_FIELD_NAME,
'csrf_failure': request.GET.get('csrf_failure'),
@ -136,8 +137,7 @@ def login(request):
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
expiration_time = request.user.time_until_expiration()
threshold_days = getattr(
settings, 'PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS', -1)
threshold_days = settings.PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS
if expiration_time is not None and \
expiration_time.days <= threshold_days:
expiration_time = str(expiration_time).rsplit(':', 1)[0]
@ -307,8 +307,7 @@ def switch_keystone_provider(request, keystone_provider=None,
redirect_to = settings.LOGIN_REDIRECT_URL
unscoped_auth_ref = None
keystone_idp_id = getattr(
settings, 'KEYSTONE_PROVIDER_IDP_ID', 'localkeystone')
keystone_idp_id = settings.KEYSTONE_PROVIDER_IDP_ID
if keystone_provider == keystone_idp_id:
current_plugin = plugin.TokenPlugin()
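Review bot: The WebSSO branch of `login()` keeps `getattr(settings, 'WEBSSO_KEYSTONE_URL', None)` although openstack_auth/defaults.py now defines `WEBSSO_KEYSTONE_URL = None`, which is inconsistent with every other lookup this commit converts. `auth_url = settings.WEBSSO_KEYSTONE_URL` would match the rest; if the `getattr` is deliberate, a short comment saying why would save the next reader the question. The explicit `if auth_url is None:` is a sound change in itself, since `forms.get_region_endpoint(region_id)` is no longer evaluated when a WebSSO URL is configured. `login()` extends beyond the hunks shown.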


@ -12,14 +12,23 @@
"""Default settings for openstack_dashboard"""
import os
from django.utils.translation import ugettext_lazy as _
# This must be configured
# OPENSTACK_KEYSTONE_URL = 'http://localhost/identity/v3'
from openstack_auth.defaults import * # noqa: F403,H303
def _get_root_path():
return os.path.dirname(os.path.abspath(__file__))
# -------------------------------------------
# Override openstack_auth and Django settings
# -------------------------------------------
WEBROOT = '/' # from openstack_auth
# WEBROOT is the location relative to Webserver root
# should end with a slash.
WEBROOT = '/'
# NOTE: The following are calculated baed on WEBROOT
# after loading local_settings
# LOGIN_URL = WEBROOT + 'auth/login/'
@ -27,7 +36,7 @@ WEBROOT = '/'
# LOGIN_ERROR = WEBROOT + 'auth/error/'
LOGIN_URL = None
LOGOUT_URL = None
LOGIN_ERROR = None
LOGIN_ERROR = None # from openstack_auth
# NOTE: The following are calculated baed on WEBROOT
# after loading local_settings
# LOGIN_REDIRECT_URL can be used as an alternative for
@ -43,6 +52,42 @@ MEDIA_URL = None
STATIC_ROOT = None
STATIC_URL = None
# The Horizon Policy Enforcement engine uses these values to load per service
# policy rule files. The content of these files should match the files the
# OpenStack services are using to determine role based access control in the
# target installation.
# Path to directory containing policy.json files
POLICY_FILES_PATH = os.path.join(_get_root_path(), "conf")
# Map of local copy of service policy files.
# Please insure that your identity policy file matches the one being used on
# your keystone servers. There is an alternate policy file that may be used
# in the Keystone v3 multi-domain case, policy.v3cloudsample.json.
# This file is not included in the Horizon repository by default but can be
# found at
# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \
# policy.v3cloudsample.json
# Having matching policy files on the Horizon and Keystone servers is essential
# for normal operation. This holds true for all services and their policy files.
POLICY_FILES = {
'identity': 'keystone_policy.json',
'compute': 'nova_policy.json',
'volume': 'cinder_policy.json',
'image': 'glance_policy.json',
'network': 'neutron_policy.json',
}
# Services for which horizon has extra policies are defined
# in POLICY_DIRS by default.
POLICY_DIRS = {
'compute': ['nova_policy.d'],
'volume': ['cinder_policy.d'],
}
# ----------------------------------------
# openstack_dashboard settings
# ----------------------------------------
# Dict used to restrict user private subnet cidr range.
# An empty list means that user input will not be restricted
# for a corresponding IP version. By default, there is
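Review bot: `POLICY_DIRS` as added here contains `'volume': ['cinder_policy.d']`, while the block removed from the dashboard settings file at the end of this page lists only `'compute': ['nova_policy.d']`, so as rendered this is not a pure move and changes which policy directories are loaded for the volume service. If that is intended it belongs in the commit message; if not, the entry should match what was removed. Note also that `from openstack_auth.defaults import *` brings every openstack_auth default into the dashboard namespace, so any dashboard lookup that uses a different `getattr` fallback for the same name (none are visible here) would now see the openstack_auth value, e.g. `OPENSTACK_SSL_CACERT = True`.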


@ -39,20 +39,6 @@ DEBUG = True
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
# Set this to True if you want available domains displayed as a dropdown menu
# on the login screen. It is strongly advised NOT to enable this for public
# clouds, as advertising enabled domains to unauthenticated customers
# irresponsibly exposes private information. This should only be used for
# private clouds where the dashboard sits behind a corporate firewall.
#OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False
# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to
# set the available domains to choose from. This is a list of pairs whose first
# value is the domain name and the second is the display name.
#OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
# ('Default', 'Default'),
#)
# If provided, a "Report Bug" link will be displayed in the site header
# which links to the value of this setting (ideally a URL containing
# information on how to report issues).
@ -122,81 +108,6 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
OPENSTACK_HOST = "127.0.0.1"
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
# For setting the default service region on a per-endpoint basis. Note that the
# default value for this setting is {}, and below is just an example of how it
# should be specified.
# A key of '*' is an optional global default if no other key matches.
#DEFAULT_SERVICE_REGIONS = {
# '*': 'RegionOne'
# OPENSTACK_KEYSTONE_URL: 'RegionTwo'
#}
# Enables keystone web single-sign-on if set to True.
#WEBSSO_ENABLED = False
# Authentication mechanism to be selected as default.
# The value must be a key from WEBSSO_CHOICES.
#WEBSSO_INITIAL_CHOICE = "credentials"
# The list of authentication mechanisms which include keystone
# federation protocols and identity provider/federation protocol
# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol
# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID
# Connect respectively.
# Do not remove the mandatory credentials mechanism.
# Note: The last two tuples are sample mapping keys to a identity provider
# and federation protocol combination (WEBSSO_IDP_MAPPING).
#WEBSSO_CHOICES = (
# ("credentials", _("Keystone Credentials")),
# ("oidc", _("OpenID Connect")),
# ("saml2", _("Security Assertion Markup Language")),
# ("acme_oidc", "ACME - OpenID Connect"),
# ("acme_saml2", "ACME - SAML2"),
#)
# A dictionary of specific identity provider and federation protocol
# combinations. From the selected authentication mechanism, the value
# will be looked up as keys in the dictionary. If a match is found,
# it will redirect the user to a identity provider and federation protocol
# specific WebSSO endpoint in keystone, otherwise it will use the value
# as the protocol_id when redirecting to the WebSSO by protocol endpoint.
# NOTE: The value is expected to be a tuple formatted as: (<idp_id>, <protocol_id>).
#WEBSSO_IDP_MAPPING = {
# "acme_oidc": ("acme", "oidc"),
# "acme_saml2": ("acme", "saml2"),
#}
# Enables redirection on login to the identity provider defined on
# WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION
#WEBSSO_DEFAULT_REDIRECT = False
# Specifies the protocol to use for default redirection on login
#WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None
# Specifies the region to which the connection will be established on login
#WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL
# Enables redirection on logout to the method specified on the identity provider.
# Once logout the client will be redirected to the address specified in this
# variable.
#WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
# If set this URL will be used for web single-sign-on authentication
# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment
# scenarios where network segmentation is used per security requirement.
# In this case, the controllers are not reachable from public network.
# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL
# if it is set to the internal endpoint.
#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
# The Keystone Provider drop down uses Keystone to Keystone federation
# to switch between Keystone service providers.
# Set display name for Identity Provider (dropdown display name)
#KEYSTONE_PROVIDER_IDP_NAME = "Local Keystone"
# This id is used for only for comparison with the service provider IDs. This ID
# should not match any service provider IDs.
#KEYSTONE_PROVIDER_IDP_ID = "localkeystone"
# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
# services provided by neutron. Options currently available are load
# balancer service, security groups, quotas, VPN service.
@ -244,32 +155,6 @@ INSTANCE_LOG_LENGTH = 35
# of your entire OpenStack installation, and hopefully be in UTC.
TIME_ZONE = "UTC"
# The Horizon Policy Enforcement engine uses these values to load per service
# policy rule files. The content of these files should match the files the
# OpenStack services are using to determine role based access control in the
# target installation.
# Path to directory containing policy.json files
#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
# Map of local copy of service policy files.
# Please insure that your identity policy file matches the one being used on
# your keystone servers. There is an alternate policy file that may be used
# in the Keystone v3 multi-domain case, policy.v3cloudsample.json.
# This file is not included in the Horizon repository by default but can be
# found at
# https://opendev.org/openstack/keystone/src/branch/master/etc/ \
# policy.v3cloudsample.json
# Having matching policy files on the Horizon and Keystone servers is essential
# for normal operation. This holds true for all services and their policy files.
#POLICY_FILES = {
# 'identity': 'keystone_policy.json',
# 'compute': 'nova_policy.json',
# 'volume': 'cinder_policy.json',
# 'image': 'glance_policy.json',
# 'network': 'neutron_policy.json',
#}
# Change this patch to the appropriate list of tuples containing
# a key, label and static directory containing two files:
# _variables.scss and _styles.scss
@ -555,11 +440,3 @@ SECURITY_GROUP_RULES = {
# " [%(referer_url)s] [%(request_url)s] [%(message)s] [%(method)s]"
# " [%(http_status)s] [%(param)s]"),
#}
# Password will have an expiration date when using keystone v3 and enabling the
# feature.
# This setting allows you to set the number of days that the user will be alerted
# prior to the password expiration.
# Once the password expires keystone will deny the access and users must
# contact an admin to change their password.
#PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0


@ -187,15 +187,6 @@ SESSION_COOKIE_SECURE = False
# False, SESSION_TIMEOUT acts as a hard limit.
SESSION_REFRESH = True
# This SESSION_TIMEOUT is a method to supercede the token timeout with a
# shorter horizon session timeout (in seconds). If SESSION_REFRESH is True (the
# default) SESSION_TIMEOUT acts like an idle timeout rather than being a hard
# limit, but will never exceed the token expiry. If your token expires in 60
# minutes, a value of 1800 will log users out after 30 minutes of inactivity,
# or 60 minutes with activity. Setting SESSION_REFRESH to False will make
# SESSION_TIMEOUT act like a hard limit on session times.
SESSION_TIMEOUT = 3600
# When using cookie-based sessions, log error when the session cookie exceeds
# the following size (common browsers drop cookies above a certain size):
SESSION_COOKIE_MAX_SIZE = 4093
@ -240,21 +231,6 @@ USE_TZ = True
DEFAULT_EXCEPTION_REPORTER_FILTER = 'horizon.exceptions.HorizonReporterFilter'
POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
# Map of local copy of service policy files
POLICY_FILES = {
'identity': 'keystone_policy.json',
'compute': 'nova_policy.json',
'volume': 'cinder_policy.json',
'image': 'glance_policy.json',
'network': 'neutron_policy.json',
}
# Services for which horizon has extra policies are defined
# in POLICY_DIRS by default.
POLICY_DIRS = {
'compute': ['nova_policy.d'],
}
SECRET_KEY = None
LOCAL_PATH = None