As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:
1. Change the default value of '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.
2. Deprecate the JSON formatted policy file on the project side
via a warning in the doc and release notes.
Also replace policy.json with policy.yaml refs in doc and tests.
The CONF object needs to be initialized before policy enforcer(). That
requires removing cfg.CONF.unregister_opts from TestAuthUtils cleanup,
as this is taken care of by cfg.clear() with the proper workflow; otherwise
it ends up with the error
"oslo_config.cfg.ArgsAlreadyParsedError: arguments
already parsed: reset before unregistering options"
- https://b132754ee7062a9ab187-9add4719a9922a9385555a8552fc2366.ssl.cf5.rackcdn.com/768520/5/check/openstack-tox-py38/7964354/testr_results.html
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: I1b6c6485bc651fd0b87244a68204036dd4aa37f4
This patch introduces a common rpc pattern to ensure
that the rpc transport is shared where possible. This
helps prevent rpc connection leaks and should ensure
that we are making the best possible use of all
available rpc connections.
Change-Id: Ib42e368cfda2b148a07df0bd74046739f40f7018
Now using the admin client to delete the trust gives the error:
"You are not authorized to perform the requested action:
Only admin or trustor can delete a trust.: ForbiddenAction:
You are not authorized to perform the requested action:
Only admin or trustor can delete a trust."
This patch uses the trustor's session to delete the trust.
Change-Id: Ib673128be860f548195181a465a9dff784cdef1a
When executing the 'murano environment create test' command, the result
is a failure because keystone has deleted the V2 API. Therefore murano needs
to use the V3 auth_url.
Change-Id: Ia9874949c0e7bdef733815ae6d37a3f19784abe3
Co-Authored-By: zhurong <aaronzhu1121@gmail.com>
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1]: https://review.openstack.org/#/c/508522/
Change-Id: Ib8623a359a27b8a4aa90bf69a3fe3f3a5c2411a6
With these small changes it becomes possible to instruct murano to
provision murano-agent of a version other than the latest, or from
a custom git branch or from an http source.
Use cases:
* Use agent with custom modifications that are not available in
PyPI version
* Development of new agent features - agent can be installed from
the private git repo
* Environments without internet connectivity
Change-Id: Icbea95abf070ef35781474a54461cc34bb9927af
As the log says, 'oslo_messaging.transport.get_transport()' is deprecated.
The reference link of oslo_messaging is at [1].
[1] https://review.openstack.org/#/c/454194/
Change-Id: I89061bd348988f9555f6bb77875bfdbf0aa76d07
Since the [murano_auth] section was introduced in Pike, there is no need to
fall back to [keystone_authtoken] now.
Change-Id: I24e2475997feb9fdcf388af03d51fd5ced9e3885
Add notifications about environment events that are required for
tracking. These are AMQP notifications and oslo.messaging library
is used for sending them.
The following event types are provided:
- environment.deploy.end
This event is issued on successful finish of environment deployment,
provides general information about environment and also deployment
start and finish times
- environment.delete.end
This event is issued on environment delete (and abandon as well)
- environment.exists
This is a periodic event; it's issued for every existing environment
that has successful deployments
There are 2 new configuration options controlling these notifications:
- stats.env_audit_period
Controls how often to send environment.exists notification, by
default it's once per hour (60 minutes)
- env_audit_enabled
Allows completely disabling environment-related notifications. By
default notifications are enabled.
Change-Id: I8dee2456b7ccab7c0c167aa21abb9710959ebb30
Various components define different options for the client sessions.
Standardize them with the help of the keystoneauth1 lib.
Change-Id: I2f791caaf230a58b8426d1c1d6e1eb4316a85a28
Use the OpenStack standard keystoneauth1 library for loading
authentication plugins and register their options in the
murano_auth section.
Still provide a fallback if no murano_auth.auth_type is specified
to make old config files work.
Closes-bug: 1705838
Change-Id: Ie74364a4401f64fe42bf2206b6df760d2fc60edb
Remove the hardcoded constant called 'ITERATORS_LIMIT', which can be
exceeded (2000) when there is a big amount of objects. This is easy to achieve
in a big cloud with a user that is allowed to view lots of resources.
Change-Id: I818561ca044bad505402b69d22a41ea892e15fcc
Closes-Bug: #1690179
This commit removes the murano default policy.json file from
etc/murano and references to it in murano's devstack plugin.
(References to the policy.json in muranodashboard remain
the same).
This commit specifically:
- removes the default policy.json
- removes references to it in devstack plugin
- adds base rules to murano.common.policies.__init__ because
they are the last rules to be included
- updates base admin_api rule to is_admin:True from
is_admin:1 (because the latter was causing issues)
- updates Murano policy documentation
Partially Implements: blueprint policy-in-code
Depends-On: Ia372983d2bd1010cd19f04061f3276ed16e9c1c9
Change-Id: I1a8581a559e4333a74d56a5bdce7e6d1f117907d
This commit implements policy in code for (static) actions
API. The default rules for the (static) actions API were
removed from the policy.json and moved into code under
`murano.common.policies.action`.
This commit specifically:
- Moves policy actions related to the (static) actions
API from the policy.json into code.
- Documents the API information and paths associated with
each actions-related policy.
Partially Implements: blueprint policy-in-code
Change-Id: Ia372983d2bd1010cd19f04061f3276ed16e9c1c9
This commit implements policy in code for categories
API. The default rules for the categories API were
removed from the policy.json and moved into code under
murano.common.policies.category.
This commit specifically:
- Moves policy actions related to the categories
API from the policy.json into code.
- Documents the API information and paths associated with
each category-related policy.
Partially Implements: blueprint policy-in-code
Change-Id: I7171369650d7d55ed44154481d03d48153f3640a
This commit implements policy in code for deployments
API. The default rules for the deployments API were
removed from the policy.json and moved into code under
murano.common.policies.deployment.
This commit specifically:
- Moves policy actions related to the deployments
API from the policy.json into code.
- Documents the API information and paths associated with
each deployment-related policy.
Partially Implements: blueprint policy-in-code
Change-Id: I246261b6df4b5225b67499c89281b942013007ed
This commit implements policy in code for packages
API. The default rules for the packages API were
removed from the policy.json and moved into code under
murano.common.policies.env_template.
This commit specifically:
- Moves policy actions related to the packages
API from the policy.json into code.
- Documents the API information and paths associated with
each package policy.
Partially Implements: blueprint policy-in-code
Change-Id: I9a091606bec7c74ce7cf53fd327a2a40c6b9c364
This commit implements policy in code for the environment templates
API. The default rules for the environment templates API were
removed from the policy.json and moved into code under
murano.common.policies.env_template.
This commit specifically:
- Moves policy actions related to the environment templates
API from the policy.json into code.
- Documents the API information and paths associated with
each environment template policy.
- Updates the ``create_environment`` policy action documentation
in murano.common.policies.environment to include API
/v1/templates/{env_template_id}/create-environment
which enforces this policy as well.
Partially Implements: blueprint policy-in-code
Change-Id: I715f4b0a61fd4404e20b88736a9a4c86fc038b55
This patch introduces the beginning implementation for registering
default policy rules in code. Default rules are defined under
murano.common.policies. Each API's policies are defined in a
sub-folder under that path and __init__.py contains all the
default policies in code which are registered in the ``init``
enforcer function in murano/common/policy.py.
The default rules for the environments API were removed from the
policy.json and moved into code under
murano.common.policies.environment. This can be gradually done
for the rest of the APIs in follow-up patches.
This commit does the following:
- Creates the ``policies`` module that contains all the default
policies in code.
- Adds the base policy rules into code (the admin_api,
context_is_admin, and default rules).
- Adds the environment default policy module with default
policy rules for the environments API.
Partially Implements: blueprint policy-in-code
Change-Id: Iebf2c60d1d31b73829fad189ada7ceee28e714bd
From 2016/10, there is no domain with name 'Default' in keystone.
And the user would create a domain with name 'default', like this:
https://docs.openstack.org/mitaka/install-guide-obs/keystone-users.html
If there is no domain_name in murano.conf, set the default domain with name
'default'.
Change-Id: I1aa9efe4119c586bd6fb6c9442560813530a5e9d
1. As mentioned in [1], we should avoid using six.iteritems to achieve
iterators. We can use dict.items instead, as it will return iterators
in PY3 as well. And dict.items/keys will be more readable.
2. In py2, the performance impact of the list should be negligible, see the
link [2].
[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html
Change-Id: I45fa65427318e1c35bb521de46e81ea12ca7b770
This patch updates the pep8 tox job to also run bandit,
as is the convention across most projects.
The predefined bandit tox job is referenced by the pep8 tox job.
Change-Id: Ief99196c04f69499bcf328ec202971f82ff3c32e
This patch adds a murano_auth for murano auth with keystone.
This gives the ability to fine-tune role-based privileges for the
service user going to execute trust-delegated tasks, and the auth
configuration properties do not need to change when keystonemiddleware
deprecates its configuration properties.
Closes-Bug: #1643583
Closes-Bug: #1658648
Change-Id: If10fa8c938c264c7b5cadb3c3ed77f39488dcab7
oslo.messaging allows the dispatcher to restrict endpoint methods since
5.11.0 in I42239e6c8a8be158ddf5c3b1773463b7dc93e881, set with
LegacyRPCAccessPolicy explicitly to ensure it's compatible and
fix FutureWarning like:
"The access_policy argument is changing its default value to <class
'oslo_messaging.rpc.dispatcher.DefaultRPCAccessPolicy'> in version '?',
please update the code to explicitly set None as the value:
access_policy defaults to LegacyRPCAccessPolicy which exposes private
methods. Explicitly set access_policy to DefaultRPCAccessPolicy or
ExplicitRPCAccessPolicy."
Change-Id: I60dfaa09113ebf2460126c968e5839f1b6a4bda9
OpenStack common has a wrapper for generating uuids. We should
use that function to generate uuids for consistency.
Change-Id: I9b6ba92d97c3f2d18b55752c1365184c5c342540
Some configuration options were accepting both IP addresses
and hostnames. Since there was no specific OSLO opt type to
support this, we were using ``StrOpt``. The change [1] that
added support for ``HostAddressOpt`` type was merged in Ocata
and became available for use with oslo version 3.22.
This patch changes the opt type of configuration options to use
this more relevant opt type - HostAddressOpt.
[1] I77bdb64b7e6e56ce761d76696bc4448a9bd325eb
Change-Id: I818d4a8f6741ae4c76f36932b469537f93eaab82
Set_defaults has been added into oslo_middleware. So we use it to
override the configuration defaults.
Co-Authored-By: zhurong <aaronzhu1121@gmail.com>
Change-Id: I5d624ac46f17c5628d30c983efe1417e7dc5ca6a
implements bp: murano-unit-test-coverage
Also decreased the time these tests take by a few minutes and fixed a
few typos in wsgi.py.
Change-Id: I83ed6fcab4f95151e1bef46b280f51f7e12e1c73