From ffaf2d276023b64e3e29ad0c2a97a2ba3b702429 Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Mon, 16 Nov 2015 14:29:03 -0600 Subject: [PATCH] Update Master SHAs - 17 Jan 2016 This patch does the following: - updates the Master SHAs for new development work. - includes updates to policy, paste and rootwrap files as required - moves the Aodh repository to openstack_services as it now has implemented a stable branch - Updated the keystone-wsgi file as it was still running the code from liberty - add 2 package requirements to keystone which must be present for the new wsgi file. - updates tempest.conf.j2 to replace ssh_auth_method with auth_method, and change auth_method to 'keypair' (configured is no longer an a valid option) Change-Id: I933c24c03518865d9d40519dafb2ba46769a5453 Signed-off-by: Kevin Carter --- templates/glance-api-paste.ini.j2 | 42 ++++++++++++++++++++------ templates/glance-registry-paste.ini.j2 | 4 +-- templates/policy.json.j2 | 10 +++--- 3 files changed, 38 insertions(+), 18 deletions(-) diff --git a/templates/glance-api-paste.ini.j2 b/templates/glance-api-paste.ini.j2 index d4f36a26..e6f10e82 100644 --- a/templates/glance-api-paste.ini.j2 +++ b/templates/glance-api-paste.ini.j2 @@ -1,38 +1,38 @@ # Use this pipeline for no auth or image caching - DEFAULT [pipeline:glance-api] -pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context rootapp +pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context rootapp # Use this pipeline for image caching and no auth [pipeline:glance-api-caching] -pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp +pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp # Use this pipeline for caching w/ management interface but no auth [pipeline:glance-api-cachemanagement] -pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp +pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp # Use this pipeline for keystone auth [pipeline:glance-api-keystone] -pipeline = healthcheck versionnegotiation osprofiler authtoken context rootapp +pipeline = cors healthcheck versionnegotiation osprofiler authtoken context rootapp # Use this pipeline for keystone auth with image caching [pipeline:glance-api-keystone+caching] -pipeline = healthcheck versionnegotiation osprofiler authtoken context cache rootapp +pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache rootapp # Use this pipeline for keystone auth with caching and cache management [pipeline:glance-api-keystone+cachemanagement] -pipeline = healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp +pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp # Use this pipeline for authZ only. This means that the registry will treat a # user as authenticated without making requests to keystone to reauthenticate # the user. [pipeline:glance-api-trusted-auth] -pipeline = healthcheck versionnegotiation osprofiler context rootapp +pipeline = cors healthcheck versionnegotiation osprofiler context rootapp # Use this pipeline for authZ only. This means that the registry will treat a # user as authenticated without making requests to keystone to reauthenticate # the user and uses cache management [pipeline:glance-api-trusted-auth+cachemanagement] -pipeline = healthcheck versionnegotiation osprofiler context cache cachemanage rootapp +pipeline = cors healthcheck versionnegotiation osprofiler context cache cachemanage rootapp [composite:rootapp] paste.composite_factory = glance.api:root_app_factory @@ -82,5 +82,27 @@ paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory [filter:osprofiler] paste.filter_factory = osprofiler.web:WsgiMiddleware.factory -hmac_keys = {{ glance_profiler_hmac_key }} -enabled = yes +hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED +enabled = yes #DEPRECATED + +[filter:cors] +paste.filter_factory = oslo_middleware.cors:filter_factory +oslo_config_project = glance +oslo_config_program = glance-api +# Basic Headers (Automatic) +# Accept = Origin, Accept, Accept-Language, Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma +# Expose = Origin, Accept, Accept-Language, Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma + +# Glance Headers +# Accept = Content-MD5, X-Image-Meta-Checksum, X-Storage-Token, Accept-Encoding +# Expose = X-Image-Meta-Checksum + +# Keystone Headers +# Accept = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id +# Expose = X-Auth-Token, X-Subject-Token, X-Service-Token + +# Request ID Middleware Headers +# Accept = X-OpenStack-Request-ID +# Expose = X-OpenStack-Request-ID +latent_allow_headers = Content-MD5, X-Image-Meta-Checksum, X-Storage-Token, Accept-Encoding, X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID +latent_expose_headers = X-Image-Meta-Checksum, X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID diff --git a/templates/glance-registry-paste.ini.j2 b/templates/glance-registry-paste.ini.j2 index ae675529..496529a3 100644 --- a/templates/glance-registry-paste.ini.j2 +++ b/templates/glance-registry-paste.ini.j2 @@ -31,5 +31,5 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory [filter:osprofiler] paste.filter_factory = osprofiler.web:WsgiMiddleware.factory -hmac_keys = {{ glance_profiler_hmac_key }} -enabled = yes +hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED +enabled = yes #DEPRECATED diff --git a/templates/policy.json.j2 b/templates/policy.json.j2 index 3a3042e0..4bbc8b46 100644 --- a/templates/policy.json.j2 +++ b/templates/policy.json.j2 @@ -1,7 +1,5 @@ { "context_is_admin": "role:admin", - "tenant_is_owner": "tenant:%(owner)s", - "admin_or_owner": "role:admin OR rule:tenant_is_owner", "default": "", "add_image": "", @@ -9,7 +7,7 @@ "get_image": "", "get_images": "", "modify_image": "", - "publicize_image": "rule:admin_or_owner", + "publicize_image": "role:admin", "copy_from": "", "download_image": "", @@ -19,11 +17,11 @@ "get_image_location": "", "set_image_location": "", - "add_member": "rule:admin_or_owner", - "delete_member": "rule:admin_or_owner", + "add_member": "", + "delete_member": "", "get_member": "", "get_members": "", - "modify_member": "rule:admin_or_owner", + "modify_member": "", "manage_image_cache": "role:admin",