Commit Graph

126 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 552fcac122 Reflect horizon_webroot setting in Apache vhost configuration
Changing only horizon_webroot is not sufficient without adjustments
to horizon Apache vhost.

Change-Id: I25707600c2b05a7f816a7c4ea38c8985717df2d3
2024-03-15 20:36:16 +01:00
Dmitriy Rabotyagov a57aeff938 Address Django Deprecations for 4.1
django.utils.translation.ugettext_lazy() is deprecated in favor of the
functions that they’re aliases for: django.utils.translation.gettext_lazy()

With that MemcachedCache backend was also deprecated in favor of
PyMemcacheCache. MemcachedCache was removed in django 4.1

https://docs.djangoproject.com/en/4.0/releases/3.0/#id3
Change-Id: I9b77b33fbc4a9560c72504f935bf7f9082fefdd7
2024-03-08 12:58:52 +01:00
Dmitriy Rabotyagov 5d635c469a Fix wrong neutron_ml2_drivers_type
neutron_ml2_drivers_type is a string, not a list, while default
value for it is a list. Local settings also assume that it is a list.

So we ensure that the value is a string by default now and
treat it as string in the code.

Change-Id: Ida72c712153dcda4cd06e0959f98ade4fee8dfbd
2023-08-21 19:55:26 +00:00
Damian Dabrowski 4686326650 Rename horizon_enable_ssl to horizon_backend_ssl
To standardize variable name across roles, this change renames
`horizon_enable_ssl` to `horizon_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `horizon_enable_ssl` it's
unclear whether it is about frontend or backend.

Backward compatibility will be kept until 2024.1.

Change-Id: I218d45b7be667732e4204316b8d18fa3e136962b
2023-04-11 19:35:19 +02:00
Damian Dabrowski c92f45e3af Fix horizon_enable_ssl logic
Current logic does not allow horizon backend to listen on https
(`horizon_enable_ssl`) if external loadbalancer serves TLS
(`horizon_external_ssl`).
It basically forces backend to listen on plain http in this case which
does not make any sense. It should be possible to enable TLS on both
loadbalancer and horizon backend.

Additionally, with this patch, role defines a proper
HTTP_X_FORWARDED_PROTO header value (it's included in
`horizon_secure_proxy_ssl_header` and
`horizon_secure_proxy_ssl_header_django` and can be set to 'http' or
'https') based on whether external load balancer listens on https
(`horizon_external_ssl`)[1].
For example if loadbalancer listens on https and backend on http,
HTTP_X_FORWARDED_PROTO should be set to 'https'. Otherwise horizon will
respond with redirection to http.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

Change-Id: I7706e52c01b3f0d72ea383a0476045e606078cff
2023-04-11 19:35:00 +02:00
Dmitriy Rabotyagov e61dab9a05 Allow to override supported_provider_types
Supported ML2 provider types depend on the ML2 driver
and we should make it configurable in order to reflect dropdown list
that appears for admin panel while creating a network.

Closes-Bug: #2002897
Change-Id: Iceedf6af9559d48c28e0ee782a44f9ceb480119d
2023-01-17 13:55:01 +01:00
Zuul e2e135c2cb Merge "Add python filter to eliminate deprecation warnings" 2022-09-24 20:14:11 +00:00
Kevin Carter 005d6d425e Add python filter to eliminate deprecation warnings
This change adds some python config to remove all of the deprecation
warnings horizon is spawning. The warnings are all coming from oslo
components which horizon is just inheriting and has no
control over. This change makes horizon logs legible.

Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: Idae4e42c971f53597ac3cf044ba82d7dd468e4a5
2022-09-08 11:53:14 -05:00
Kevin Carter 10126daa9c Add the ability to define CSRF_TRUSTED_ORIGINS
This change adds the ability within horizon to define a list of domains
which are trusted through the CSRF functions of django.

Change-Id: Ib92480e6caa74e050a99b36a54b2032714efb509
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
2022-09-08 00:02:00 -05:00
Andrew Bonney 694169c700 Add support for websso http referer variable added in yoga
This variable was added in the Yoga release to permit changes
to how Horizon contacts Keystone in an IDP setup.

Change-Id: I959f0f84b264ffc25481e9becb3059f28a233010
2022-08-03 08:50:14 +01:00
Danila Balagansky 7db1f112ef Fix ALLOWED_HOSTS
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/846473
Change-Id: Ia9fa3341dfa1386501bf74a558e418414a58fd1f
2022-06-18 19:06:37 +00:00
Zuul 1ed0cea42a Merge "Improve defining horizon_lib_dir" 2022-04-27 19:10:47 +00:00
Burkhard Ott-Langer d19c9c2cbb horizon_local_settings.py.j2: adding SECURE_PROXY_ADDR_HEADER
- SECURE_PROXY_ADDR_HEADER is being used to return the client's
  remote address to the logs. On a failed login it is REMOTE_ADDR,
  which will be the loadbalancer address,
  SECURE_PROXY_ADDR_HEADER='HTTP_X_FORWARDED_FOR' makes sure the
  real client IP makes it into the logfiles.
- https://docs.openstack.org/horizon/latest/configuration/settings.html#secure-proxy-addr-header

Change-Id: I0d68cd4ba7882eb4296a2e4df59afa6582c0303a
2022-03-01 19:26:23 +00:00
Dmitriy Rabotyagov 41f3380691 Move Listen definition to VHosts
In order to avoid conflicts with other applications running Apache,
like keystone, we avoid using ports.conf for Listen and using VHost files
for this purpose.

We place same dummy template as keystone does for upgrade purposes.

Change-Id: I8a5ef5234b8aee1e7b3517e9543d2af0a84e90ce
2022-02-09 13:49:21 +02:00
Dmitriy Rabotyagov 3c20e3607e Improve defining horizon_lib_dir
Instead of hardcoding lib directory for distro installs, we can
retrieve it dynamically based on the horizon.__file__ output

Change-Id: I8e87f9a9945b7526c90ca8c4dc09e43a86ab62e0
Closes-Bug: #1950798
2022-02-04 11:40:17 +00:00
Zuul aa976a0544 Merge "Fix default multidomain choices" 2022-01-26 17:01:19 +00:00
Dmitriy Rabotyagov db1bd3091d Fix default multidomain choices
We're missing comma at the end of set, which leads to error.

We additionally define condition when choices will be added to config.

Change-Id: I6b1c24fae22e9adb9e16fade4229d5761ac0b520
Closes-Bug: #1958645
2022-01-25 22:28:29 +00:00
Andrew Bonney 32e332b329 Adjust default configuration to support TLS v1.3
This adds a new variable to manage TLS v1.3 cipher suites.

The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: Ib43d465c8fa24ec7d14174ecc17bce0b3e8bd7a4
2022-01-10 13:47:50 +00:00
Dmitriy Rabotyagov 3b0abcbcd3 Implement WEBSSO redirect
This patch adds ability to configure horizon auto redirections when
WEBSSO is used.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/785800
Change-Id: I2a1beddaed3a31d1c01d1310dc8b739c9c93d9dd
Closes-Bug: #1922687
2021-04-19 14:44:33 +00:00
Jonathan Rosser 9c8062fb51 Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: Ia8eca0c54079f96f1160ac88670392794e7f747a
2021-02-26 22:53:36 +00:00
Marc Gariepy 8e3570e002 Add ability to configure ALLOWED_HOSTS for horizon.
This patch adds the ability to configure the ALLOWED_HOSTS in
horizon_local_settings.py.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/766257
Change-Id: I9712dc1e9a41757cf71d3d0704e9885493ce1583
2020-12-09 13:37:16 -05:00
Marc Gariepy 7098d125e8 Fix boolean in config file.
horizon does expect a boolean and not a string.

Depends-On: https://review.opendev.org/756244
Change-Id: I247f29f66466fc7b398dee2d132710e59a087354
2020-10-07 11:03:52 +00:00
Georgina Shippey ee0a0711e8 Display name in IDP dropdown
If an operator would like a different display name
on the horizon Identity Provider dropdown to the one used
for their IDP in the backend they may specify a display_name
in their entry within the keystone_sp.trusted_idp_list.
Otherwise this continues to default to the IDPs name as usual.

Change-Id: Iba8c6e6b66480cdd575f75162c9be80e84ec868b
2020-06-18 15:44:52 +01:00
Zuul 5fe8f7e8f9 Merge "update WSGI multidomain values" 2020-05-12 08:28:05 +00:00
Andre 1ec9350823 Update permissions for apache >= 2.4
When running in apache 2.4 (Debian 10), the following error was observed
when accessing the openstack dashboard:
AH01626: authorization result of Require all denied: denied.

This change allows to use the correct wsgi file and apply the correct
permissions based on Apache version

Change-Id: I57cdc73b3c3e466e77f6ed2d21671acb8157df84
2020-05-08 14:58:43 +01:00
Andre e2ef8afb99 update WSGI multidomain values
When activating multidomain support, the following error was observed:
ValueError: not enough values to unpack (expected 2, got 1)

This change allows for the WSGI file to correctly read the boolean
dropdown and list of tuples in domain choices.

Change-Id: I195ac2089baf3ba76c2201cc8b7e6abef1be4b54
2020-05-08 14:56:08 +01:00
Dmitriy Rabotyagov 9678045a70 Use horizon native wsgi app
The only difference between our and native wsgi app
was adding extra path [1] to sys.path.
However, nowadays this path is already part of syspath

[1] /openstack/venvs/horizon-20.1.1.dev7/lib/python3.6

Change-Id: I90a502fbdeb0040832b66e9df389ab3517b951f4
2020-05-06 10:48:09 +03:00
Zuul dfce587e72 Merge "Horizon configuration to support domains dropdown" 2020-04-10 22:25:18 +00:00
Max Kochubey d86285b377 Horizon configuration to support domains dropdown
An openstack-ansible deployment does not have options to set the local_settings.py params
for Horizon to support Keystone V3 multiple domains dropdown menu and its variants to choose.

These options in local_settings.py are:
OPENSTACK_KEYSTONE_DOMAIN_CHOICES - default value to "(('Default', 'Default'))"

Change-Id: I9f1b8e4c6f5b4fe2601e5ee1dacf90bded60f93d
Closes-Bug: 1795788
2020-04-07 17:24:11 +03:00
Georgina Shippey 3e60a13650 Config options around federation URLs
Added support for templating out LOGIN_URL, LOGOUT_URL and
WEBSSO_KEYSTONE_URL Horizon configuration options.

Change-Id: I5152e2484ea2a22b74774a763180b03a44a64e9c
2020-04-01 16:23:13 +01:00
Dmitriy Rabotyagov 9c3c776c7a Switch SESSION_ENGINE to memcached
Previously we were using cached_db session backend by default.
However with django version update, it requires more recent
mysqlclient module which is not part of requirements.
Moreover usage of cached_db makes us to carry and maintain
extra stuff, which can be dropped with memcached backend.

Change-Id: I8df7ee967d8dcbeb09a42fd568f98acc3e88adad
2019-12-18 19:52:38 +02:00
Dmitriy Rabotyagov a66592b334 Replace git.openstack.org with opendev.org
This patch replaces git.openstack.org with opendev.org as redirection
from old path was enabled.
Also we change upper constraints url due to [1]

[1] http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006478.html

Depends-On: https://review.opendev.org/693841/
Change-Id: I9f8a80437a315aeaae61105f3bc9e3017bc37cf7
2019-11-14 20:42:38 +02:00
Georgina Shippey f64c3d8fd7 Variable name accidentally being templated out
Seeing <VirtualHost 0.0.0.0:horizon_listen_ports.http> in
openstack-dashboard.conf instead of the port number.
Removed unnecessary quotes in the ternary so the variable works.

Change-Id: I126c03267361abfe894b17dc97c76a19a6b090dc
2019-10-29 16:26:44 +00:00
Marc Gariepy 10aa884a16 Add new config to disable openrc_v2 in horizon
it's now possible to remove the openstack rc file v2 from horizon download list.

Change-Id: I7aa8d7a911585e00d8ede92bf909492cf70cba6e
2019-10-28 15:48:54 -04:00
Dmitriy Rabotyagov 9f9b66a985 Allow to configure horizon bind address
Added variable horizon_bind_address which allows to define address
on which horizon will be listening.

horizon_listen_ports variable was converted to dict()
and used in apache vhost template.

As an addition metal jobs were added for horizon CI.

Depends-On: https://review.opendev.org/681722
Change-Id: I11c3edec6d58e39da8de5e214fab9731eb5df9e2
2019-09-19 09:32:09 +00:00
Dmitriy Rabotyagov a2280e2e90 Retire neutron-lbaas UI plugin
Because of global retirement process of neutron-lbaas we stop providing
neutron-lbaas-ui plugin installation for horizon.

Change-Id: Ic39a4d1cc03df72a4080abd6513bf8f4036da456
2019-09-13 13:37:54 +03:00
Jonathan Rosser 20e47c9e4b Add python3 compatibility to horizon role
* Remove horizon_python_lib_dir, this is not used anywhere
* Autodetect the horizon_lib_dir for source installs
* Remove hardcoded python2.7 path from uwsgi template

Change-Id: I0747ad5c50c0c007385b4756f1b386363bafcf93
2019-09-10 06:07:05 +00:00
Dmitriy Rabotyagov 7bb294b92a Add encoding to local_settings.py
In order to allow usage of non-latin symbols inside local_settings.py
magic comment is required according to PEP263[1]

While this can be overridden on master with config_template (since [2]),
this might be easily backported to earlier releases.

[1] https://www.python.org/dev/peps/pep-0263/
[2] https://review.opendev.org/#/c/672170/

Change-Id: I9b07cf4a1ffdffab752f59e1510796c29a259b45
2019-08-03 13:15:43 +03:00
Dmitriy Rabotyagov ef1c53fa88 Use systemd-journald instead of log files
This patch aims to migrate apache from usage of regular syslog files
to journald.

Change-Id: Ifde6b86bec87fdd2fa161f8d28aed7f6ffa52f74
2019-07-24 18:32:47 +03:00
Jimmy McCrory 67db4e81a9 Fix distro installs on Ubuntu
Beginning in the Stein release, Ubuntu distro packages are now using
Python3. Conflicting packages have been removed or updated to their
Python3 equivalents. The 'horizon_manage' variable has been updated to
ensure that python3 is used to run manage.py commands.

Values for STATIC_ROOT and LOCALE_PATHS have also been added to the
local_settings.py template. Defaults for these settings are defined
in the setting.py provided by Ubuntu packages, but those defaults
required the 'Collect and compress static files' and 'Compile messages'
tasks be run by the root user, instead of horizon. STATIC_ROOT also
needed to correlate to the folder apache is configured to serve.

Change-Id: Iaa41593e3a91640bd9c5d531da8238c04d7e747b
2019-06-05 14:10:43 -07:00
Guilherme Steinmüller 1d3deabcff Drop horizon_keystone_host variable
The horizon_keystone_host is only used as interpolation
for OPENSTACK_KEYSTONE_URL, which we define manually. So
horizon_keystone_hosts serves no purpose.

Change-Id: I693bdb30e3d812592f023c00fbbbd62f069320bf
2019-04-01 03:35:12 +00:00
Dmitriy Rabotjagov d1eb417856 Adds ability to enable domain dropdown list on login page
Since Pike it's possible to set domains dropdown on horizon login screen
It might be useful for private clouds, which allow users to see
full list of domains, which are present in openstack. As a pros it
simplifies login process for the customer, as they may select
corresponding domain from dropdown menu instead of regular input.
By default it is set to False, as this exposes list of domains
for unauthorized users, which may not be good thing for public clouds.

Change-Id: I049489a552d99278c273feb6ae3cf5a4a7d4b8a1
2018-12-12 17:31:35 +02:00
Damian Cikowski 09b8a7d9e1 Add Neutron VPNaaS Dashboard to Horizon
This patch brings back VPNaaS Dashboard after its split out
into a separate project.

Change-Id: Iefa92fdb348df6d07bc557749e1f96dd47c68e30
2018-11-14 09:37:09 +01:00
Amy Marrich (spotz) 4283200534 Add ability for HTTP access to horizon
Horizon has, since OSA's inception, been deployed with HTTPS
access enabled, and has had no way to turn it off. Some use-cases
may want to access via HTTP instead, so this patch enables
the following:

1. Listen via HTTPS on a load balancer, but via HTTP on the
   horizon host and have the load balancer forward the correct
   headers. It will do this by default in the integrated build
   due to the presence of the load balancer, so the current
   behaviour is retained.

2. Enable HTTPS on the horizon host without a load balancer.
   This is the role's default behaviour which matches what it
   always has been.

3. Disable HTTPS entirely by setting ``haproxy_ssl: no`` (which
   will also disable https on haproxy). This setting is inherited
   by the new ``horizon_enable_ssl`` variable by default. This
   is a new option.

Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Change-Id: I823f2f949258157e306dbf80570abe53373da0c3
Closes-Bug: 1794337
2018-10-17 11:56:26 +00:00
Jesse Pretorius 53e79276c9 Rename SUSE vars file and remove mysql-python
The SUSE builds are failing due to a change in the galera_client
role causing the trove role's vars file to be found before the
galera_client vars file. We therefore rename the trove vars file
for SUSE. This also makes transitions between versions easier.

The mysql-python package is no longer maintained. We are using
pymysql instead, so this package does not need to be installed.
This resolves current build failures due to the mysql-python
package not being installable due to the new version of MariaDB
being used.

With this, we also switch django to use pymysql and ensure that
the appropriate distribution package is installed when doing
distro builds.

Depends-On: https://review.openstack.org/602924
Change-Id: I020678e0beb131836e3006e46eec22c02977f8ec
2018-09-15 20:53:09 -06:00
Zuul 9aadbba2f0 Merge "Add support for using distribution packages for OpenStack services" 2018-07-25 12:47:47 +00:00
Markos Chandras 2af1b7a6c4 Add support for using distribution packages for OpenStack services
Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.

Implements: blueprint openstack-distribution-packages
Change-Id: Ie6eeff541a319967715e619dcdc26177aec5be72
2018-07-23 17:29:14 +01:00
Zuul 51979f4951 Merge "Add support for the default_dns_nameservers variable" 2018-07-21 13:24:32 +00:00
Adrien Cunin 2eec94604c New horizon_enable_router variable
Set to False if you don't want router support in Horizon or if you don't
have Neutron L3 agent deployed.

Change-Id: I72eaa7829372b91c286efa06263e3f78b86ef35c
2018-07-20 15:41:33 +02:00
Robert Donovan b88e5f6015 Add support for the default_dns_nameservers variable
This variable was introduced in Newton and allows you to specify a
list of default DNS servers populated when creating a tenant subnet.

Change-Id: I7c6767bb883296c55b7a7302d7af8a8721fd2844
2018-07-05 10:45:54 +01:00