The Magnum service allows enabling policies (RBAC) new defaults and scope by
default. The default values of config options ``[oslo_policy] enforce_scope``
and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both set to
``False``, but will change to ``True`` in following cycles.
To enable them, modify the below config option values in the
``magnum.conf`` file::

    [oslo_policy]
    enforce_new_defaults=True
    enforce_scope=True

Reference the TC goal for more detail:
https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
Related blueprint secure-rbac
Change-Id: I249942a355577c4f1ef51b3988f0cc4979959d0b
* Added support for www_authenticate_uri in ContextHook.
* Made code path consistent with keystone.py impl.
Story: 2004271
Task: 28073
Change-Id: I7e3f23964a55be3255e87a4c4af7bae0a1415676
Several commands take much longer to complete after that commit.
Therefore, we should revert that specific commit first, and
investigate root cause before merging it back.
This reverts commit 873214b6e2.
Closes-Bug: #1540646
Change-Id: I0eb12f76e93fb1675c78bf60367db534061aceb1
The connection to amqp was not getting cleaned up, even after the
communication to conductor across amqp was complete, for a given
request. Thus, sockets were leaking with each communication and finally
led to a hang situation, where no more fds were available.
Change-Id: I1deabdbce6ba448fe4c25d7694aabe5e5fec7b5a
Closes-Bug: #1510776
1. auth_url cannot be obtained from request headers; it can only
   be read from the config file.
2. is_public_api is not used, so let's remove it from context.
Change-Id: Ie7207ef5311e3168b64c47aef4041ed2dd0e39c6
Partially-Implements: blueprint generate-keystone-trust
Updated tox.ini and fixed rules.
Fix H405:
Multi line docstring summary not separated with an empty line
Fix E131:
Continuation line unaligned for hanging indent
Change-Id: I20cf75c75cffc434fbdcb05b8e04bffcd4059cd1
Closes-Bug: #1498870
We use oslo.policy to check the policy. Oslo.policy needs
roles held for the given token scope [1]. So we should add roles
to context.
[1] http://docs.openstack.org/developer/oslo.policy/api/oslo_policy.html#generic-checks
Change-Id: I95afbf57f185ca1db9c68781c2fcd78cbafc1e17
Closes-Bug: #1489832
X-User is deprecated.
X-Storage-Token is supported for swift/cloud files and legacy
Rackspace use in [1], so it is not needed in magnum.
[1] http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#exchanging-user-information
Change-Id: I48913c79b506210448ecd23769a98458f54adbe6
Closes-Bug: #1489801
Problem description:
If DevStack is used to instantiate the magnum plugin, and the
devstack localrc/local.conf has the default values for:
LOG_COLOR (default value = True)
SYSLOG (default value = False)
then upon startup (i.e. running DevStack's stack.sh), the magnum devstack
lib calls the DevStack common setup_colorized_logging function, but
without passing the optional 'project_var' and 'user_var' arguments to
this function. As a result, the setup_colorized_logging
function uses its default values of "user_name" and "project_name"
when it defines the logging_context_format_string (which in turn gets
configured in /etc/magnum/magnum.conf). The problem is that "user_name"
and "project_name" are not defined in the API context used by Magnum,
so that whenever the magnum plugin does a logging call, a KeyError
exception for the non-existent key "user_name" is generated.
Fix description:
The fix is to modify the Magnum context to use "user_name" and
"project_name" attributes to be consistent with the default context
format string set up by DevStack.
Change-Id: Ia0c34899609735ff9d8b4597101e004e2684657e
Closes-Bug: #1464376
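
The failure described in the commit message above, reproduced as an added example (not Magnum, DevStack or oslo.log code): a %-style context format string is rendered against a context dict, and a pre-flight check lists the keys the context does not supply. The format string is a constructed simplification, and the "before" context key names are assumptions; only `user_name` and `project_name` come from the commit message.

```python
import re

# Constructed, simplified stand-in for the logging_context_format_string
# that DevStack writes to magnum.conf; only the two context keys matter here.
CONTEXT_FORMAT = "%(levelname)s [%(request_id)s %(user_name)s %(project_name)s] %(message)s"

# Keys supplied by the log record itself rather than by the request context.
RECORD_KEYS = {"levelname", "message"}

# Hypothetical context dicts: the "before" key names are assumptions,
# the "after" names are the ones the fix introduces.
CONTEXT_BEFORE = {"request_id": "req-1", "user": "alice", "project": "demo"}
CONTEXT_AFTER = {"request_id": "req-1", "user_name": "alice", "project_name": "demo"}


def referenced_keys(fmt):
    """Return the %(name)s keys a %-style format string will look up."""
    return set(re.findall(r"%\((\w+)\)", fmt))


def missing_context_keys(fmt, context):
    """Keys the format string needs that neither record nor context supplies."""
    return sorted(referenced_keys(fmt) - RECORD_KEYS - set(context))


def render(fmt, context, levelname, message):
    """Merge record fields with context fields, then %-format the line."""
    values = dict(context, levelname=levelname, message=message)
    return fmt % values


def try_render(fmt, context):
    """Return the rendered line, or the name of the key that raised KeyError."""
    try:
        return render(fmt, context, "INFO", "request handled")
    except KeyError as exc:
        return "KeyError: %s" % exc.args[0]


if __name__ == "__main__":
    for name, ctx in (("before", CONTEXT_BEFORE), ("after", CONTEXT_AFTER)):
        print(name, missing_context_keys(CONTEXT_FORMAT, ctx), try_render(CONTEXT_FORMAT, ctx))
```
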
Oslo team is recommending everyone to use the direct imports and
not use the Oslo namespaces. So switch all our code to use oslo_*
instead of "from oslo." or "import oslo" or "from oslo"
NOTE: some of the tests still have mocks referring to oslo.utils
@mock.patch('oslo.utils.timeutils.utcnow')
as the tests break otherwise. We should do this later.
Closes-bug: #1419385
Change-Id: I8e3fbeb833cddc3f55674a0e781ffe69d5033ad4
newer hacking has rules for the following:
H105 Don't use author tags
H238 old style class declaration, use new style (inherit from `object`)
W292 no newline at end of file
So we need to clean them up and stop ignoring them
Change-Id: I12b995cf87d6bc0938298f397b41a4693627bb4b
The new patching only ensures that auth_token_info is properly
set up by default. A real RequestContext is returned, and it is
passed through to_dict and from_dict to ensure there are no
assumptions made that will not work through RPC.
If necessary, tests can still return a mock context by setting
a return_value or side_effect on self.mock_make_ctxt.
Change-Id: I6369e0bd89d83a5ea3ddde2b35423233fee18327
To obtain the conductor api instance easily, this adds an rpcapi attribute to
pecan.request.
So now, we can access the conductor api from "pecan.request.rpcapi".
Related-Bug: #1406539
Change-Id: I6edbf031d91e65d70637629c3b57d45322eee9fd
The auth.py file does a couple of things: it contains keystone authentication
and sets the request context. So this splits it up into two files.
After this commit, the request hook should be included in hooks.py.
Related-Bug: #1406539
Change-Id: I1754da40383976e48f6fd4ca23911717f918f9bb