Commit Graph

266 Commits

Author SHA1 Message Date
Takashi Kajinami e17f68a83b Deploy healthcheck middleware as app instead of filter
Using the healthcheck middleware as a filter is deprecated and
the middleware should be used as an application[1].
 [1] 6feaa13610c450c8486f969703768db5319b4846

This change updates the definition and usage of the healthcheck middleware
accordingly to avoid the following deprecation warning.

DeprecationWarning: Using function/method 'Healthcheck.factory()' is
deprecated: The healthcheck middleware must now be configured as
an application, not as a filter.

This also refactors composite definitions based on flavor by the new
pipeline factory.

Story: 2009071
Task: 42881
Change-Id: I75386dc4a7dc14b3c753dfff01f147ef8233bf94
2022-06-06 23:47:16 +09:00
Thomas Goirand af245164a3 Add a /healthcheck URL
This is helpful for operators to use haproxy
or to do monitoring.

Change-Id: I551aa1a0c63d699a4830294024248468bd958922
2020-04-30 18:49:55 +02:00
Pavlo Shchelokovskyy 63cf3761be Restore auth-less version negotiation
change Change-Id: I097bf70431a999a0f6aa56079ffb5743b50d4d7f
inadvertently started to require (keystone) authentication
when accessing API root to get the API version document.

This breaks standard version negotiation (that usually does not require
auth) and also some monitoring / loadbalancing that used to check
returns on GET to API root.

Change-Id: If8f13def196442e6f28616e88972f28f8ec23d0d
Story: 2002531
Task: 22072
2018-06-12 10:57:08 +00:00
Zane Bitter 2efded7f28 Move context middleware earlier in pipeline
Until the context middleware has been processed, logs from any other
middleware will be logged with the request ID of the *previous* request.
Currently this is most logs in the API log files, which makes the request
ID worse than useless for determining what is going on.

To ensure all logs get the correct request ID, move the context middleware
close to the front of the pipeline, right after the request_id middleware
that generates the request ID and the auth middleware (the data from which
is needed to populate the context). Also, explicitly include the request_id
middleware in the cfn-compatibility APIs' pipelines.

Unfortunately, any failures in the auth middleware will still be logged
with the wrong request ID. This appears to be unavoidable, since we can't
create the context until after we have authenticated the request.

Change-Id: I097bf70431a999a0f6aa56079ffb5743b50d4d7f
2018-01-31 15:02:20 -05:00
rabi 6d55417f80 Remove CloudWatch API
This patch removes the API, the next set of patches in the
series would remove stack watch service and related
WatchRule implementation.

Change-Id: I8b0472be862907298c8da51f435b5d8b19610ec3
Partial-Bug: #1743707
2018-01-28 09:11:17 +05:30
ricolin 222a8ac5e9 [policy in code] part 7 add sample and releasenote
Since we're moving all policy into code and documenting it there we
should generate those docs automatically, so they are less likely to
be out-of-date.
Also add a release note for ops to be aware that Heat is now using
policies in code and their Orchestration service needs to avoid
depending on the policy.json file if the file does not exist, since there is no
such file by default after this patch.
Partially-Implements: bp policy-in-code

Change-Id: I25fc5a110b1fe515918e042f220c23ac9a7e811f
2017-12-13 10:58:56 +08:00
ricolin f2bc379242 [policy in code] part 6(cfn, cloudwatch)
Add cloudformation and cloudwatch policy in code rules.
Remove policy.json. We don't keep any default policy rules in
policy.json from now on. Still, they can create a policy.json file and
add any rules they wish to override.
Partially-Implements: bp policy-in-code

Change-Id: I610115dc1974b2182ce673bb086a1da15b022de3
2017-12-13 10:58:47 +08:00
ricolin 0e45db46ba [policy in code] part 5 (software-*)
Add software_deployments rules, software_configs rules.
Partially-Implements: bp policy-in-code

Change-Id: If0c98ffcfceae395ab2443356aea3904edaf7b4e
2017-12-07 01:11:49 +00:00
ricolin 51e4f04693 [policy in code] part 4
Add service rule, resource rules, actions rules, build_info rules,
events rules.
Partially-Implements: bp policy-in-code

Change-Id: I497f4d02b5ea8399265dedc548214e4eca6b6a35
2017-12-01 01:34:59 +08:00
ricolin 46f0e16d11 [policy in code] part3 (resource types)
Allow using policy in code for the resource type rule.
Also add a test for overriding the in-code resource type rule in a JSON
file.
Partially-Implements: bp policy-in-code

Change-Id: Id6c21732e66de6c421427ded98de52f5da0a4db2
2017-12-01 01:34:55 +08:00
ricolin 575a45b1c0 [policy in code] part 2 (stacks)
Allow using policy in code for the stacks rule.
Also convert check_is_admin to use new mechanism.
Partially-Implements: bp policy-in-code

Change-Id: I398ed162790294d0d4453f7f12c77b38e95a5580
2017-12-01 01:15:58 +08:00
ricolin b171490450 [policy in code] Part 1 Base framework
This adds the basic framework for registering and using default policy
rules. Rules should be defined and returned from a module in
heat/policies/, and then added to the list in heat/policies/__init__.py.

New policy wrappers `registered_identified_stack` and
`registered_policy_enforce` have been added for policy enforcement of
registered rules, with the same parameters as `identified_stack` and
`policy_enforce` but with the `is_registered_policy` flag set to true.
This flag decides whether or not to use the new policy framework.

Now we can use `tox -e genpolicy` to check and generate policy file.

Change-Id: I7a232b3ea7ce0f69a5b7ffa278ceace7a76b666f
Partially-Implements: bp policy-in-code
2017-11-21 16:23:11 +08:00
huangtianhua e65d4e8475 Mark the default policy usage for neutron resource
The default policy usage of some neutron resources
is limited to administrators only. This change will
add the docstring and resource type policy for
the resources:
OS::Neutron::ProviderNet
OS::Neutron::Segment

Change-Id: Ia8c0bf1d0ceaf92416539ffba7ee85c6aa50e256
Closes-Bug: #1690328
2017-05-18 09:18:54 +08:00
Yosef Hoffman fc0f4a1291 Add OS::Neutron::Quota resource
This creates a new resource type whose intended use case is for admin-only
use to manage the Networking service quotas for projects.

implements bp neutron-quota-resource

Co-Authored-By: Julian Sy <julian.sy@att.com>

Change-Id: I968b67fcbdfc6b4ee7a953b92207181e5b257771
2017-01-11 20:11:49 +00:00
Jenkins ec5dff64ba Merge "Add noauth middleware" 2016-12-15 22:08:45 +00:00
Jenkins c3f1948069 Merge "Add policy for Keystone resource types" 2016-12-06 13:10:09 +00:00
rabi 698d70342e Add policy for Keystone resource types
Change-Id: Ie7b17f25209cc391af4dd69e58b93c8a6838e20b
Related-Bug: #1627706
2016-12-06 07:04:16 +00:00
Jenkins 6f998af1e5 Merge "Add OS::Nova::Quota resource" 2016-11-14 04:50:12 +00:00
Yosef Hoffman 65b3f847cf Add OS::Nova::Quota resource
This creates a new resource type whose intended use case is for admin-only
use and to manage the Compute service quotas for projects.

implements bp nova-quota-resource

Change-Id: Iffd72e8226536855221e856d3d92d8941c61d9c0
2016-11-11 15:20:15 +00:00
Dan Prince 43af5e45c7 Add noauth middleware
This patch implements noauth middleware that can be enabled by
adding the following to heat.conf:

[paste_deploy]
flavor = noauth

One use case for this middleware would be to use it alongside a single
process heat-all setup (using fake_rpc, sqlite) to avoid having to
bootstrap keystone to use only the Heat software deployments resources.
We could use this approach to help bootstrap TripleO's undercloud using
heat templates with pre-deployed servers (a single undercloud server
for the initial case).

Change-Id: I50a8cc46b4c3c235d438a711760fba94bf8e9715
2016-10-13 11:49:19 -04:00
Juan Antonio Osorio Robles 6ad6ca33e7 Add http_proxy_to_wsgi middleware to Heat CFN endpoint
This was already used in the API endpoint, but it's also needed in
the CFN endpoint. Its purpose is to process the X-Forwarded-Proto
header (or Proxy protocol if used) and set the protocol as directed
to https if done so. It's only needed if Heat is behind a TLS proxy
(such as HAProxy) and is also disabled by default.

Change-Id: Ibd81e1cf6bc1e3f63728b485e295478afa7f573c
Closes-Bug: #1590608
2016-10-10 09:46:14 +03:00
ricolin cd090780eb Add resource OS::Cinder::QoSAssociation
Add association resource between volume types and QoS specs.

blueprint update-cinder-resources

Change-Id: I448bfeed7914308779ab36fe33966e57acaec02b
2016-09-19 12:30:23 +08:00
Jenkins c3540c73c0 Merge "Add OS::Cinder::Quota resource" 2016-09-03 00:06:41 +00:00
ricolin 831e23d2af Add OS::Cinder::QoSSpecs
Add resource for Cinder QoS to define Volume specs.

blueprint update-cinder-resources

Change-Id: Ib30ddd90b661100f2c7ec532d7e9d9ed745925f7
2016-08-30 11:51:39 +08:00
Julian Sy 7954bcf638 Add OS::Cinder::Quota resource
This creates a new resource type whose intended use case is for admin-only
use and to manage the cinder quotas (gigabytes, volumes, snapshots).

implements bp cinder-quota-resource

Co-Authored-By: Andy Hsiang <yh418t@att.com>
Co-Authored-By: Yosef Hoffman <yh128t@att.com>

Change-Id: I49d01d229199d9c472dc59ba2bb95d455f6dfb76
2016-08-17 03:26:56 -04:00
Rabi Mishra 168a7797e5 Use is_admin_project from context
Now that oslo.context has been bumped to >=2.6.0,
we can use `is_admin_project` from the context which
is backward compatible.

This also adds a new rule `project_admin` to make
resource types accessible inline with current policy
of other services like nova, that are yet to use the
`is_admin_project` feature. Once those services start
using the is_admin_project feature, we can remove this.

Change-Id: I5be8176042f8839e86f77984222e7fac66dfaed6
Related-Bug: #1466694
2016-08-12 04:52:38 +00:00
Jenkins 509ebc6a5d Merge "Add stack files retrieval API" 2016-07-12 11:20:30 +00:00
Steven Hardy 316b5b6381 Add stack files retrieval API
Similar to the recent addition that enables retrieval of the current
environment for a stack, this enables reading the current files map
for a running stack, which is useful if you want to introspect the
current state, and/or deploy another similar stack without necessarily
having the exact command/repo used initially.

APIImpact
Implements: blueprint files-show

Change-Id: I3198b6a7dc06648af24c198d39470f3b0d5d6f11
2016-07-11 18:02:59 +01:00
huangtianhua 8a4df57c37 Change namespace 'ceilometer' to 'aodh'
Change namespace of some files to '*aodh*' instead of '*ceilometer*'.

Blueprint migrate-to-use-aodh-for-alarms

Change-Id: I2c4d565ded5f9f7146b23479acd2702f976b8833
2016-07-04 03:22:49 +00:00
huangtianhua 26bab914a0 Deprecate combination alarm
The combination alarm is deprecated and disabled
by default in Aodh, and will be removed after two release
cycles in Aodh. To keep in line with Aodh, this change
deprecates the combination alarm resource; before hiding it
we use the ceilometer client as before, because the aodh client doesn't
support managing combination alarms.

Blueprint migrate-to-use-aodh-for-alarms

Change-Id: Ibe8fe35a0cf9efe3d2809041ee480c99a75166cd
2016-07-04 11:09:50 +08:00
huangtianhua 42fb92907b Migrate to aodh for gnocchi alarms
This changes:
1. use aodhclient to manage gnocchi alarm
resources, including create, update, delete, check, suspend,
resume and show.
2. rename OS::Ceilometer::Gnocchi* to OS::Aodh::Gnocchi*
3. to stay compatible with old templates using gnocchi
alarm resources, set resource_registry to map Ceilometer gnocchi
alarms to Aodh gnocchi alarms.

Blueprint migrate-to-use-aodh-for-alarms

Change-Id: I1507e5c82dbd7437000900eb1a46fe37806833b1
2016-07-01 01:45:24 +00:00
huangtianhua 4a79f7ca53 Migrate to aodh for OS::Ceilometer::Alarm
This changes:
1. use aodhclient to manage OS::Ceilometer::Alarm
resource, including create, update, delete, check, suspend,
resume and show.
2. rename OS::Ceilometer::Alarm to OS::Aodh::Alarm
3. to stay compatible with old templates using the resource
OS::Ceilometer::Alarm, set resource_registry to map Ceilometer alarm
to Aodh alarm

Blueprint migrate-to-use-aodh-for-alarms

Change-Id: I6e2d14f15a345b927b53adc237cf2bf4010842f0
2016-06-29 02:50:27 +00:00
huangtianhua faec3a0962 Decouple hot and cfn for outputs
The changes include:
1. Avoid hard-coding of resource and output keys
2. Decouple hot and cfn for outputs

Change-Id: I1fd7e08ff5c699ddfcf98c81aed5f0d91c4248b3
2016-06-24 10:08:28 +00:00
rabi ac86702172 Authorize super admin actions on all projects
This allows admin super user (user with admin role in admin_project)
to do stack operations across all projects.

Change-Id: Ifbf56fde02b89248ee788e6a212ef9d11e665dc0
Partial-Bug: #1466694
2016-06-14 22:16:25 +05:30
huangtianhua a52b821857 Adds default policy rule for resources limited to administrator
Adds default policy rule for resources which are limited to
administrators, to forbid non-admins from creating these resources
at the very start.

Change-Id: I9e1ef86f0c44bce5bde3f9e26e1f2b9cb3aef06d
Closes-Bug: #1582187
2016-05-18 09:52:14 +08:00
Jay Dobies b0ca694dd7 Add environment retrieval API
Adds a call to the REST API to retrieve the environment for a running
stack.

APIImpact
Implements: blueprint environment-show

Change-Id: I7e3577dfc854018245d79afdfee45a9d250d73a7
2016-04-18 14:30:52 -04:00
Michael Krotscheck 59ccb2f751 Moved CORS middleware configuration into oslo-config-generator
The default values needed for heat's implementation of cors
middleware have been moved from paste.ini into the configuration
hooks provided by oslo.config. Furthermore, these values have been
added to the default configuration parsing. This ensures
that if a value remains unset in heat.conf, it will be set
to use sane defaults, and that an operator modifying the
configuration file will be presented with a default set of
necessary sane headers.

Change-Id: Ie3791007b33788829417ce508a3c719ae626bbce
Closes-Bug: 1551836
2016-03-14 08:19:29 -07:00
Ahmed Elkhouly f52d77f0d2 Resource mark unhealthy RPC and ReST API
There may exist resources that the user (or application) knows are
unhealthy where Heat has no way of determining that.

Add a PATCH handler to the Resource endpoint::

  /stacks/<stack_name>/<stack_id>/resources/<resource_id>

The PATCH method will accept a JSON body of the form::

  {
    'mark_unhealthy': <bool>,
    'resource_status_reason': <string>
  }

This patch implements:
- RPC API to mark resources as CHECK_FAILED in both the legacy and
convergence architectures in heat-engine
- ReST front end to the RPC API call in heat-api

Change-Id: Ifa48b179723a2100fff548467db9e162bc669d13
Partially-implements: blueprint mark-unhealthy
2016-02-24 18:00:44 -05:00
Jenkins a02d6305fd Merge "Added Keystone and RequestID headers to CORS middleware" 2016-02-17 18:59:33 +00:00
Jason Dunsmore c63411eef6 Add REST API for stack export
APIImpact
Closes-Bug: #1353670
Change-Id: I94d5abf5bfe148b4f25a2a8891e3cf4d1774e373
2016-01-20 14:51:14 -06:00
Javeme ed33ec56ab deprecate module heat.api.middleware.ssl
Use oslo_middleware.http_proxy_to_wsgi instead of oslo_middleware.ssl
because the 'oslo_middleware.ssl' module is deprecated.

Change-Id: Ibb137049ca4005dd9a886de1ecc6b00dbae79789
Closes-Bug: #1526656
2016-01-19 13:33:11 +08:00
Michael Krotscheck 26b552f53d Added Keystone and RequestID headers to CORS middleware
CORS middleware's latent configuration feature, new in 3.0.0,
allows adding headers that apply to all valid origins.
This patch adds headers commonly used in openstack to heat's paste
pipeline, so that operators do not have to be aware of additional
configuration magic to ensure that browsers can talk to the API.

For more information:
http://docs.openstack.org/developer/oslo.middleware/cors.html#configuration-for-pastedeploy

Change-Id: Ic32d7d2b8d5e1433f806753e94abdc727db07c68
2016-01-08 11:29:33 -08:00
Jenkins 63cebcb0ea Merge "Add APIs implementation for output functions" 2015-11-26 15:35:00 +00:00
Dina Belova 8e72616d73 Do not use api-paste.ini osprofiler options
Starting with the osprofiler 0.3.1 release there is no need to set HMAC_KEYS
and ENABLED arguments in the api-paste.ini file, this can be set in the
heat.conf configuration file.

Change-Id: I77611c08d24839dc01766e994635cdb6a12922da
2015-11-17 09:34:18 +00:00
Peter Razumovsky 2e76bb0716 Add APIs implementation for output functions
APIImpact

Add new APIs for showing and listing stack outputs.
It can be used by heat client and separately for
getting stack outputs.

implements bp api-call-output

Change-Id: Ia24b24f59e2c592801e4e670ba5510f642ecf45c
2015-10-28 14:40:57 +03:00
Michael Krotscheck 1d94dd4f2a Added CORS support to Heat
This adds the CORS support middleware to Heat, allowing a deployer
to optionally configure rules under which a javascript client may
break the single-origin policy and access the API directly.

For heat, the paste.ini method of deploying the middleware was
chosen, because it needs to be able to annotate responses created
by keystonemiddleware. If the middleware were explicitly included
as in the previous patch, keystone would reject the request before
the cross-domain headers could be annotated, resulting in an
error response that was unreadable by the user agent.

OpenStack CrossProject Spec:
   http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
Oslo_Middleware Docs:
   http://docs.openstack.org/developer/oslo.middleware/cors.html
OpenStack Cloud Admin Guide:
   http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html
docimpact

Change-Id: I185f0d9f85617dd2f482cac4994ccc0a4cb6cf16
2015-10-19 09:18:20 -07:00
Steven Hardy 604595a39c Update preview_update_stack to align with PATCH updates
Currently attempting to do a preview update call with PATCH fails,
because we didn't align the behavior of preview update with the
actual update in the recent additions to fix bug #1224828

So, refactor to ensure both preview_update & update use the same
code, and add a PATCH path to the update API.

Change-Id: I8ce5c0ea4035a7b9563db10ea10433e7f5f99a4f
Closes-Bug: #1501207
2015-10-01 19:05:07 +01:00
Ryan Brown 6513d3944c Add a preview endpoint for stack updates
Allow users to see what resources will be changed during a stack-update.

Docs change here https://review.openstack.org/132870/

Client change here https://review.openstack.org/#/c/126957/

BP: update-dry-run

Co-Authored-By: Jason Dunsmore <jasondunsmore@gmail.com>
Change-Id: If58bdcccfef6f5d36c0367c5267f95014232015e
2015-08-31 09:34:27 -05:00
Pavlo Shchelokovskyy 454a7b0ec1 Add resource_type-specific policies
Heat's `policy.json` now can contain policies of the following schema:

  "resource_types:<resource_type>": "rule"

This will allow cloud admins to control resource access utilizing
user roles, names, tenants and any other oslo.policy-supported rules.

Basic usage is to facilitate fail-early for stacks with resources
that a given user will not be able to actually create
due to role restrictions.

Default policy is 'allow to everyone' (who has passed previous policy
checks on REST API layer).

Resource types that the user will not be able to use due to
resources policy restrictions are hidden from `resource-type-list`.

Current operations that are prohibited if the user
does not pass policy check for a particular "forbidden" resource:
- show resource type for forbidden resource type
- show resource template for forbidden resource type
- create a stack containing a forbidden resource
- delete a stack containing a forbidden resource
- update a stack that already has a forbidden resource
- update a stack introducing a new forbidden resource
- restore a stack snapshot to a stack that currently has forbidden
  resource
Not yet prohibited, need to be fixed:
- restore a stack snapshot that will create a forbidden resource

As first step (and for testing purposes) OS::Nova::Flavor is forbidden
to create for non-admin users. Simple functional test using this
resource is added.

Change-Id: I337306c4f1624552a2631e0ffbb43f0d3102813d
Implements blueprint conditional-resource-exposure
2015-08-25 15:37:26 +03:00
Oleksii Chuprykov 08608f5002 Add template-function-list
APIImpact
DOCImpact

Implements bp: template-function-list
Change-Id: I51fc9c7acc30ba46ec7d550df5cb3d85562c49d2
2015-07-10 09:39:39 -04:00