This patch fixes multiple issues related to request ids:
- Duplicated request ID in logs
- Missing request id header in response
- Wrong request ID in response header when using noauth
The source of these issues is the fact that the request ID and the
request context are set too late, or not at all, in the paste filter
chain.
And the last bug is fixed as a freebie when the code in auth.py is
refactored to reduce code duplication on setting the cinder.context key
in the request's environment.
The patch fixes these issue by changing the filter chains to have the
request_id filter as the first filter, and using our own filter for it,
to ensure that the context is correctly set.
Not sure if values now defined in ENV_OVERWRITES are still necessary,
so the patch preserves current behavior.
Closes-Bug: #1960019
Closes-Bug: #1960020
Closes-Bug: #1960021
Closes-Bug: #1960329
Change-Id: Ide831a221a7561bbb7da193f0edb011f1989420e
Inclusion of a project_id in API URLs is now optional, and no longer
required. Removing the project_id requirement facilitates supporting
Secure RBAC's notion of system scope, in which an API method is not
associated with a specific project.
The API v3 routing is enhanced to provide duplicate routes for API
methods that traditionally required a project_id in the URL:
- The existing route for which a project_id is in the URL
- A new route for when the URL does not include a project_id
To test both routes and ensure there are no regresssions, the "API
samples" functional tests include a project_id in the URLs, and the
rest of the functional tests do not include the project_id. This is
handled by changing the 'noauth' WSGI middleware to no longer add the
project_id, and adding a new 'noauth_include_project_id' middleware
filter that implements the legacy behavior.
A new microversion V3.67 is introduced, but it only serves to inform
clients whether the project_id is optional or required. When an API
node supports mv 3.67, the project_id is optional in all API requests,
even when the request specifies a earlier microversion. See the spec
Ia44f199243be8f862520d7923007e7182b32f67d for more details on this
behavior.
Note: Much of the groundwork for this is based on manila's patch
I5127e150e8a71e621890f30dba6720b3932cf583.
DocImpact
APIImpact
Implements: blueprint project-id-optional-in-urls
Change-Id: I3729cbe1902ab4dc335451d13ed921ec236fb8fd
The current rootwrap.conf file is outdated and doesn't include some
parameters. This change updates the content to make it consistent with
the latest example file in oslo.rootwrap.
Change-Id: Ief8858c9f236f28388d77902df41eba698e503fe
The following volume type extra specs are now visible to regular
users (non-administrators):
- RESKEY:availability_zones
- multiattach
- replication_enabled
The list is defined in the code, and is not configurable.
Regular users may view these user visible specs, and use them as a
filter when listing volume types, but access is essentially read-only.
Only cloud administrators are authorized to create or modify extra
specs, including the user visible ones.
The feature works by relaxing a few policies that were previously
admin-only, and adds a new volume_extension:types_extra_specs:read_sensitive
policy that limits access to all other (non-user visible) specs so
that only cloud administrators can see them.
DocImpact
Implements: bp expose-user-visible-extra-specs
Change-Id: I5434ea4199cce8158b75771fb6127be001baf328
This patch adds a new REST API microversion to expose the new use_quota
DB field present in volumes and snapshots.
The field will be reported when listing and showing resources and can be
used when filtering as well.
The field is exposed in the REST API as `consumes_quota` to prevent
confusion for users and admins, since exposing it as `use_quota` may
give them the wrong impression that they can set it up for their own
purposes.
For users we say what is happening with the quota for that resource -it
consumes or doesn't consume quota-, whereas internally we express
instruction to the core code -whether to use quota or not-, hence the
difference in the naming.
APIImpact
DocImpact
Implements: blueprint temp-resources
Change-Id: I655a47fc75ddc11caf1defe984d9a66a9ad5a2e7
In this patch:
- adjusted VersionsController to return only v3
- removed cinder.api.v2.router
- adjustments to cinder.tests.unit.api.contrib to use /v3 only
- moved cinder.api.v2.snapshot_metadata (and tests) to cinder.api.v3
- moved cinder.api.v2.types (and view, tests) to cinder.api.v3
- updated versions response in api-ref
- removed unnecessary config option
- updated various sample config files
- removed experimental tempest-cinder-v2-api job
- updated some docs
- updated non-voting rally job config
Some cinder.api.v2 modules are left because the v3 classes depend on
them, but with the v2 router removed, these are unreachable via the
/v2 path.
Depends-on: https://review.opendev.org/c/openstack/rally-openstack/+/794891
(changes rally to use Block Storage API v3)
Depends-on: https://review.opendev.org/c/openstack/requirements/+/794894
(corrects regression in upper-constraint on Sphinx)
Change-Id: I2093d77db9beec7543c7524d2cd273e79dd5fd5d
TSM backup driver is not supported by vendor
for a while and deprecated in Victoria release,
so it's safe to delete it now.
Change-Id: I0ab07708843fcbb64bf932667e9b79aab259f698
By default, cinder-api isn't providing a /healthcheck URL, which is
super useful for setting-up monitoring and HAProxy. This patch adds
it by default.
Change-Id: I03a93bf14a5ba159b68bfba15a7f4f26c8200e36
GlusterFS volume driver has been removed[1], and chgrp is now used
in NFS backup driver and GlusterFS backup driver.
[1] 16e93ccd4f
Change-Id: I297274905a1416c6041c7572a89d9336e6951e60
Support users can query resources by specifying the time
that resources are created at or updated at with time
comparison operators: "gt/gte/eq/neq/lt/lte",
and cinder will return all which match the condition.
The date and time stamp format is ISO 8601: CCYY-MM-DDThh:mm:ss±hh:mm.
The ±hh:mm value, if included, returns the time zone as an offset from UTC.
Add two filters updated_at and created_at in querying API.
"volumes/detail?created_at=gt:2016-01-01T01:00:00,lt:2016-12-31T01:00:00"
Change-Id: I1f43c37c2266e43146637beadc027ccf6dec017e
Partial-Implements: blueprint support-to-query-cinder-resources-filter-by-time-comparison-operators
Co-Authored-By: wangxiyuan <wangxiyuan@huawei.com>
When trying to upload volume to glance as image, currently all the
format transformation is done by software and the performance is not
good.
Leverage hardware accelerator to do the image compression, so as to
offload CPU, release CPU to do more common and complex thing.
Professional hardware accelerator will get better performance and
shorter conversion time than software solution. Currently hardware
accelerator is getting more popular and some are integrated in server
chipset by default.
This patch includes:
1. Uses the new image container_format 'compressed' introduced by Glance
in the Train release
2. Implemented a simple framework: if there's an accelerator detected in
system, then try to use it
3. Supported Intel QAT as one of the accelerator
4. Add command filter for command 'qzip' and 'gzip' in rootwrap
5. New configuration option 'allow_compression_on_image_upload' and
'compression_format' added
6. Releasenote added
Change-Id: I8460f58d2ad95a6654cf4d6a6bb367f3c537536b
Implements: blueprint leverage-compression-accelerator
Signed-off-by: Liang Fang <liang.a.fang@intel.com>
When cloning an encrypted volume, change the
encryption key used on the destination volume.
This is currently implemented for iSCSI/FC
drivers only.
Change-Id: Id797af4f8ff001ec3d55cb4eda19988a314b700d
The Tintri driver was marked as unsupported in
the Stein release. It hasn't reported on a patch in 312
days which is outside of Cinder's 3rd Party CI requirements.
As a result the driver should be removed.
This patch proposes that removal.
Change-Id: I8e69dc2199ad28b99144ba2618d114392e6fa5e5
This patch handles the following filters :
1) all_tenants : Restoring to previous functionality of ignoring
invalid filters
2) is_public (volume_type): This filter has the 3 valid values,
* True : show only public volume types (valid for non-admins)
* False : show only private volume types (valid for admins)
* None : show both private and public volume types
Since this filter is valid for admins as well as non-admins,
we can pass this through filtering API to lower level code where
this is handled correctly.
3) name (group, group snapshot): 'name' is a valid parameter for
non-admins while showing a group or group snapshot.
Closes-Bug: #1753885
Change-Id: I1545c165087f80a9fdc9f576114a820ac95be5c5
This reverts commit a62c9dfdd4.
This did not account for cases where truncate is
called w/o elevated privileges.
Related-Bug: #1818504
Change-Id: I3cb85be854e68fda525cfebe254ce7c85d8e3d37
Various iscsi_* options were replaced with target_* options. The former
were initially deprecated and have now been removed.
This patch updates relevant documentation to use the new names.
There were some other hits in the documentation and code for these
names, but these appeared to be for third-party drivers, and I don't
have the context about which, if any, need to change.
Change-Id: Ic37ea85f4ec778644bc9d49f513e58dc28c87907
Remove drbdadm from rootwrap filters
no longer being used.
Change-Id: Ic067acf944dc5eb1a5aeab2f8782a6fc51b1edc2
Signed-off-by: Chuck Short <chucks@redhat.com>
Use olso.privsep rather than oslo.rootwrap for the 'lvcreate'
Change-Id: I9e8f74ef74ef3f7cbbcf7967304246e9dfafb5c0
Signed-off-by: Charles Short <chucks@redhat.com>
Remove 'tgtadm' from rootwrap, its been moved to privsep.
Change-Id: I498be7f69530079d5370cd0518478b74d25ce7cc
Signed-off-by: Charles Short <chucks@redhat.com>
Remove 'mmcrsnapshot' and 'mmdelsnapshot' since
they are no longer being used.
Change-Id: I2eb00fb1323d91d0834a222964b7db768207ba60
Signed-off-by: Charles Short <chucks@redhat.com>
Switch ietadm to use oslo.privsep rather than olso.rootwrap.
This is mostly a straight copy of the the methods used to
create targets.
Change-Id: Ia4dc63d75960935e770a7fef352b51a7c75be4d6
Signed-off-by: Chuck Short <chucks@redhat.com>
Remove 'ln' command from rootwrap filter and oslo.privsep.
Change-Id: I78307620d4dd350656c3350aace2069c9929e850
Signed-off-by: Chuck Short <chucks@redhat.com>
Convert usage of tgt-admin and tgtadm to use privsep rather than
the rootwrap wrapper.
Change-Id: Ibdb94fc3aebb01fee6e2e76adeaa5d34a4af8753
Signed-off-by: Chuck Short <chucks@redhat.com>
Use oslo.privsep for scstadmin and remove it from
etc/cinder/rootwrap.d/volume.filters.
Change-Id: I55c8d40ee082a32fa51c893845a0b0aa4dad1492
Signed-off-by: Chuck Short <chucks@redhat.com>