Using the healthcheck middleware as a filter is deprecated and
the middleware should be used as an application[1].
[1] 6feaa13610c450c8486f969703768db5319b4846
This change updates definition and usage of the healthcheck middleware
accordingly to avoid the following deprecation warning.
DeprecationWarning: Using function/method 'Healthcheck.factory()' is
deprecated: The healthcheck middleware must now be configured as
an application, not as a filter.
This also refactors composite definitions based on flavor by the new
pipeline factory.
Story: 2009071
Task: 42881
Change-Id: I75386dc4a7dc14b3c753dfff01f147ef8233bf94

Change I097bf70431a999a0f6aa56079ffb5743b50d4d7f inadvertently started to
require (keystone) authentication when accessing the API root to get the
API version document.
This breaks standard version negotiation (which usually does not require
auth) and also some monitoring / load balancing that used to check the
response to a GET on the API root.
Change-Id: If8f13def196442e6f28616e88972f28f8ec23d0d
Story: 2002531
Task: 22072

Until the context middleware has been processed, logs from any other
middleware will be logged with the request ID of the *previous* request.
Currently this is most logs in the API log files, which makes the request
ID worse than useless for determining what is going on.
To ensure all logs get the correct request ID, move the context middleware
close to the front of the pipeline, right after the request_id middleware
that generates the request ID and the auth middleware (the data from which
is needed to populate the context). Also, explicitly include the request_id
middleware in the cfn-compatibility APIs' pipelines.
Unfortunately, any failures in the auth middleware will still be logged
with the wrong request ID. This appears to be unavoidable, since we can't
create the context until after we have authenticated the request.
Change-Id: I097bf70431a999a0f6aa56079ffb5743b50d4d7f

This patch removes the API; the next set of patches in the
series would remove the stack watch service and the related
WatchRule implementation.
Change-Id: I8b0472be862907298c8da51f435b5d8b19610ec3
Partial-Bug: #1743707

Since we're moving all policy into code and documenting it there, we
should generate those docs automatically, so they are less likely to
be out of date.
Also add a release note to make operators aware that Heat now uses
policies in code and that their Orchestration service must not
depend on a policy.json file if the file does not exist, since there is no
such file by default after this patch.
Partially-Implements: bp policy-in-code
Change-Id: I25fc5a110b1fe515918e042f220c23ac9a7e811f

Add cloudformation and cloudwatch policy-in-code rules.
Remove policy.json. We don't keep any default policy rules in
policy.json from now on. Operators can still create a policy.json file and
add any rules they want to override.
Partially-Implements: bp policy-in-code
Change-Id: I610115dc1974b2182ce673bb086a1da15b022de3

Allow use of policy in code for the resource type rule.
Also add a test for overriding the in-code resource type rule in a JSON
file.
Partially-Implements: bp policy-in-code
Change-Id: Id6c21732e66de6c421427ded98de52f5da0a4db2

Allow use of policy in code for the stacks rule.
Also convert check_is_admin to use the new mechanism.
Partially-Implements: bp policy-in-code
Change-Id: I398ed162790294d0d4453f7f12c77b38e95a5580

This adds the basic framework for registering and using default policy
rules. Rules should be defined and returned from a module in
heat/policies/, and then added to the list in heat/policies/__init__.py.
New policy wrappers `registered_identified_stack` and
`registered_policy_enforce` have been added for policy enforcement of
registered rules, with the same parameters as `identified_stack` and
`policy_enforce` except that they set the `is_registered_policy` flag to true.
This flag decides whether the new policy framework is used or not.
Now we can use `tox -e genpolicy` to check and generate the policy file.
Change-Id: I7a232b3ea7ce0f69a5b7ffa278ceace7a76b666f
Partially-Implements: bp policy-in-code

The default policy usage of some neutron resources
is limited to administrators only. This change will
add the docstring and resource type policy for
the resources:
OS::Neutron::ProviderNet
OS::Neutron::Segment
Change-Id: Ia8c0bf1d0ceaf92416539ffba7ee85c6aa50e256
Closes-Bug: #1690328

This creates a new resource type whose intended use case is for admin-only
use to manage the Networking service quotas for projects.
implements bp neutron-quota-resource
Co-Authored-By: Julian Sy <julian.sy@att.com>
Change-Id: I968b67fcbdfc6b4ee7a953b92207181e5b257771

This creates a new resource type whose intended use case is for admin-only
use and to manage the Compute service quotas for projects.
implements bp nova-quota-resource
Change-Id: Iffd72e8226536855221e856d3d92d8941c61d9c0

This patch implements noauth middleware that can be enabled by
adding the following to heat.conf:
[paste_deploy]
flavor = noauth
One use case for this middleware would be to use it alongside a single-
process heat-all setup (using fake_rpc, sqlite) to avoid having to
bootstrap keystone to use only the Heat software deployment resources.
We could use this approach to help bootstrap TripleO's undercloud using
heat templates with pre-deployed servers (a single undercloud server
for the initial case).
Change-Id: I50a8cc46b4c3c235d438a711760fba94bf8e9715

This was already used in the API endpoint, but it's also needed in
the CFN endpoint. Its purpose is to process the X-Forwarded-Proto
header (or the Proxy protocol if used) and set the protocol to https
if so directed. It's only needed if Heat is behind a TLS proxy
(such as HAProxy) and is also disabled by default.
Change-Id: Ibd81e1cf6bc1e3f63728b485e295478afa7f573c
Closes-Bug: #1590608

This creates a new resource type whose intended use case is for admin-only
use and to manage the cinder quotas (gigabytes, volumes, snapshots).
implements bp cinder-quota-resource
Co-Authored-By: Andy Hsiang <yh418t@att.com>
Co-Authored-By: Yosef Hoffman <yh128t@att.com>
Change-Id: I49d01d229199d9c472dc59ba2bb95d455f6dfb76

Now that oslo.context has been bumped to >=2.6.0,
we can use `is_admin_project` from the context which
is backward compatible.
This also adds a new rule `project_admin` to make
resource types accessible in line with the current policy
of other services like nova, which are yet to use the
`is_admin_project` feature. Once those services start
using the is_admin_project feature, we can remove this.
Change-Id: I5be8176042f8839e86f77984222e7fac66dfaed6
Related-Bug: #1466694

Similar to the recent addition that enables retrieval of the current
environment for a stack, this enables reading the current files map
for a running stack, which is useful if you want to introspect the
current state, and/or deploy another similar stack without necessarily
having the exact command/repo used initially.
APIImpact
Implements: blueprint files-show
Change-Id: I3198b6a7dc06648af24c198d39470f3b0d5d6f11

Change namespace of some files to '*aodh*' instead of '*ceilometer*'.
Blueprint migrate-to-use-aodh-for-alarms
Change-Id: I2c4d565ded5f9f7146b23479acd2702f976b8833

The combination alarm is deprecated and disabled
by default in Aodh, and will be removed after two release
cycles in Aodh. To keep in step with Aodh, this change
deprecates the combination alarm resource; until it is hidden
we use the ceilometer client as before, because the aodh client doesn't
support managing combination alarms.
Blueprint migrate-to-use-aodh-for-alarms
Change-Id: Ibe8fe35a0cf9efe3d2809041ee480c99a75166cd

This changes:
1. use aodhclient to manage gnocchi alarm
resources, including create, update, delete, check, suspend,
resume and show.
2. rename OS::Ceilometer::Gnocchi* to OS::Aodh::Gnocchi*
3. to stay compatible with old templates containing gnocchi
alarm resources, set resource_registry to map Ceilometer gnocchi
alarms to Aodh gnocchi alarms.
Blueprint migrate-to-use-aodh-for-alarms
Change-Id: I1507e5c82dbd7437000900eb1a46fe37806833b1

This changes:
1. use aodhclient to manage the OS::Ceilometer::Alarm
resource, including create, update, delete, check, suspend,
resume and show.
2. rename OS::Ceilometer::Alarm to OS::Aodh::Alarm
3. to stay compatible with old templates containing the resource
OS::Ceilometer::Alarm, set resource_registry to map Ceilometer alarm
to Aodh alarm
Blueprint migrate-to-use-aodh-for-alarms
Change-Id: I6e2d14f15a345b927b53adc237cf2bf4010842f0

The changes include:
1. Avoid hard-coding resource and output keys
2. Decouple hot and cfn for outputs
Change-Id: I1fd7e08ff5c699ddfcf98c81aed5f0d91c4248b3

This allows admin super user (user with admin role in admin_project)
to do stack operations across all projects.
Change-Id: Ifbf56fde02b89248ee788e6a212ef9d11e665dc0
Partial-Bug: #1466694

Adds a default policy rule for resources which are limited to
administrators, to forbid non-admins from creating these resources
at the very start.
Change-Id: I9e1ef86f0c44bce5bde3f9e26e1f2b9cb3aef06d
Closes-Bug: #1582187

Adds a call to the REST API to retrieve the environment for a running
stack.
APIImpact
Implements: blueprint environment-show
Change-Id: I7e3577dfc854018245d79afdfee45a9d250d73a7

The default values needed for heat's implementation of cors
middleware have been moved from paste.ini into the configuration
hooks provided by oslo.config. Furthermore, these values have been
added to the default configuration parsing. This ensures
that if a value remains unset in heat.conf, it will be set
to use sane defaults, and that an operator modifying the
configuration file will be presented with a default set of
necessary sane headers.
Change-Id: Ie3791007b33788829417ce508a3c719ae626bbce
Closes-Bug: 1551836

There may exist resources that the user (or application) knows are
unhealthy where Heat has no way of determining that.
Add a PATCH handler to the Resource endpoint::

    /stacks/<stack_name>/<stack_id>/resources/<resource_id>

The PATCH method will accept a JSON body of the form::

    {
        'mark_unhealthy': <bool>,
        'resource_status_reason': <string>
    }

This patch implements:
- RPC API to mark resources as CHECK_FAILED in both the legacy and
convergence architectures in heat-engine
- ReST front end to the RPC API call in heat-api
Change-Id: Ifa48b179723a2100fff548467db9e162bc669d13
Partially-implements: blueprint mark-unhealthy

Use oslo_middleware.http_proxy_to_wsgi instead of oslo_middleware.ssl
because the 'oslo_middleware.ssl' module is deprecated.
Change-Id: Ibb137049ca4005dd9a886de1ecc6b00dbae79789
Closes-Bug: #1526656

CORS middleware's latent configuration feature, new in 3.0.0,
allows adding headers that apply to all valid origins.
This patch adds headers commonly used in openstack to heat's paste
pipeline, so that operators do not have to be aware of additional
configuration magic to ensure that browsers can talk to the API.
For more information:
http://docs.openstack.org/developer/oslo.middleware/cors.html#configuration-for-pastedeploy
Change-Id: Ic32d7d2b8d5e1433f806753e94abdc727db07c68

Starting with the osprofiler 0.3.1 release there is no need to set HMAC_KEYS
and ENABLED arguments in the api-paste.ini file; these can be set in the
heat.conf configuration file.
Change-Id: I77611c08d24839dc01766e994635cdb6a12922da
APIImpact

Add new APIs for showing and listing stack outputs.
It can be used by heat client and separately for
getting stack outputs.
implements bp api-call-output
Change-Id: Ia24b24f59e2c592801e4e670ba5510f642ecf45c

This adds the CORS support middleware to Heat, allowing a deployer
to optionally configure rules under which a javascript client may
break the single-origin policy and access the API directly.
For heat, the paste.ini method of deploying the middleware was
chosen, because it needs to be able to annotate responses created
by keystonemiddleware. If the middleware were explicitly included
as in the previous patch, keystone would reject the request before
the cross-domain headers could be annotated, resulting in an
error response that was unreadable by the user agent.
OpenStack CrossProject Spec:
http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
Oslo_Middleware Docs:
http://docs.openstack.org/developer/oslo.middleware/cors.html
OpenStack Cloud Admin Guide:
http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html
DocImpact
Change-Id: I185f0d9f85617dd2f482cac4994ccc0a4cb6cf16

Currently attempting to do a preview update call with PATCH fails,
because we didn't align the behavior of preview update with the
actual update in the recent additions to fix bug #1224828
So, refactor to ensure both preview_update & update use the same
code, and add a PATCH path to the update API.
Change-Id: I8ce5c0ea4035a7b9563db10ea10433e7f5f99a4f
Closes-Bug: #1501207

Allow users to see what resources will be changed during a stack-update.
Docs change here https://review.openstack.org/132870/
Client change here https://review.openstack.org/#/c/126957/
BP: update-dry-run
Co-Authored-By: Jason Dunsmore <jasondunsmore@gmail.com>
Change-Id: If58bdcccfef6f5d36c0367c5267f95014232015e

Heat's `policy.json` now can contain policies of the following schema:
"resource_types:<resource_type>": "rule"
This will allow cloud admins to control resource access utilizing
user roles, names, tenants and any other oslo.policy-supported rules.
Basic usage is to facilitate fail-early for stacks with resources
that a given user will not be able to actually create
due to role restrictions.
Default policy is 'allow to everyone' (who has passed previous policy
checks on REST API layer).
Resource types that the user will not be able to use due to
resources policy restrictions are hidden from `resource-type-list`.
Current operations that are prohibited if the user
does not pass policy check for a particular "forbidden" resource:
- show resource type for forbidden resource type
- show resource template for forbidden resource type
- create a stack containing a forbidden resource
- delete a stack containing a forbidden resource
- update a stack that already has a forbidden resource
- update a stack introducing a new forbidden resource
- restore a stack snapshot to a stack that currently has a forbidden
resource
Not yet prohibited, need to be fixed:
- restore a stack snapshot that will create a forbidden resource
As a first step (and for testing purposes) OS::Nova::Flavor is forbidden
to create for non-admin users. A simple functional test using this
resource is added.
Change-Id: I337306c4f1624552a2631e0ffbb43f0d3102813d
Implements blueprint conditional-resource-exposure
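As an added example (not Heat's own code, and not oslo.policy itself), the `resource_types:<resource_type>` mechanism described in this commit message modelled in Python: a constructed policy in the shape of policy.json, a small evaluator for the subset of oslo.policy rule syntax it uses, the resource-type-list filter and the fail-early template check. The policy contents, role names and template are assumptions for illustration.

```python
# Added example (not Heat's code): minimal model of the
# "resource_types:<type>" policy rules from policy.json.
from typing import Dict, List

# Constructed policy. Only the subset of oslo.policy syntax used here is
# modelled: "" (allow all), "!" (deny all), "role:<r>", "rule:<name>", " or ".
POLICY: Dict[str, str] = {
    "context_is_admin": "role:admin",
    "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
    "resource_types:OS::Neutron::ProviderNet": "rule:context_is_admin or role:netops",
    "resource_types:OS::Cinder::Quota": "!",
}

def check_rule(rule: str, roles: List[str], policy: Dict[str, str], depth: int = 0) -> bool:
    """Evaluate one rule string against the caller's roles."""
    if depth > 10:  # guard against self-referencing rule definitions
        raise ValueError("rule recursion too deep")
    if rule == "":
        return True
    if rule == "!":
        return False
    if " or " in rule:
        return any(check_rule(p.strip(), roles, policy, depth) for p in rule.split(" or "))
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":  # an undefined named rule denies
        return check_rule(policy.get(value, "!"), roles, policy, depth + 1)
    raise ValueError(f"unsupported rule syntax: {rule!r}")

def resource_type_allowed(rtype: str, roles: List[str], policy: Dict[str, str]) -> bool:
    # Default is "allow to everyone": a type with no registered rule is unrestricted.
    return check_rule(policy.get(f"resource_types:{rtype}", ""), roles, policy)

def visible_resource_types(all_types: List[str], roles: List[str], policy: Dict[str, str]) -> List[str]:
    # What resource-type-list shows: forbidden types are hidden from the caller.
    return [t for t in all_types if resource_type_allowed(t, roles, policy)]

def forbidden_in_template(template: dict, roles: List[str], policy: Dict[str, str]) -> List[str]:
    # Fail-early check before create/update: resources whose type the caller may not use.
    return sorted(name for name, res in template["resources"].items()
                  if not resource_type_allowed(res["type"], roles, policy))

# Constructed template: one admin-only, one netops-or-admin, one unrestricted resource.
TEMPLATE = {"resources": {
    "flavor": {"type": "OS::Nova::Flavor"},
    "net": {"type": "OS::Neutron::Net"},
    "pnet": {"type": "OS::Neutron::ProviderNet"},
}}
```

A non-empty result from `forbidden_in_template` is the point at which a create or update should be rejected before any resource is touched.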