Two of the zone policies were referencing the wrong policy variables in
the same file. This causes oslo.policy to think the rules were changing
when they are not. This commit updates the policy deprecations to use
the proper deprecated rules for the appropriate policies.
Change-Id: I68b71e680cd72692b0bcb470be1bc4902d5e7bc8
The oslo.reports library provides some options under the [oslo_reports]
section. This change ensures these parameters are rendered by
the oslo-config-generator command.
Closes-Bug: #1940733
Change-Id: Ia5491fc97e431e5fce52091729738e6958f764e2
Previously, the grenade API started check during the upgrade was
checking if the root of the web server was functioning. In this job,
that is testing the horizon endpoint and not the designate API.
This patch fixes this to have the check run against the designate
endpoint under apache. This prevents false failures when horizon
has an issue.
Change-Id: Idbfec1adca2024cd5f352017a7c9319dcec65d42
Sphinx 4.x has renamed add_stylesheet to add_css_file and
add_javascript to add_js_file.
This patch updates the sphinx extensions in designate to use the
new methods.
Change-Id: I71baf9abb5566908da580d0c104831dea20c9d3c
This patchset adds support for the DNS CERT Resource Record, which is
described in RFC 4398 (https://tools.ietf.org/html/rfc4398).
Closes-Bug: 1937113
Change-Id: I0cdfa1decd28096b7135b820b01ee7ec17b1a57d
Since 3.7.0, oslo policy started to emit a DeprecationWarning[1] if
the deprecated_reason and deprecated_since params are not passed
in DeprecatedRule or they are passed in the RuleDefault object.
These warnings are logged for every test, which increases the
log size and can sometimes fill the log buffer and fail the
job.
[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538
Change-Id: I7034a70950b787f1cdbc510e88ab777957339ba7
md5 is not an approved algorithm in FIPS mode, and trying to
instantiate a hashlib.md5() will fail when the system is running in
FIPS mode.
md5 is allowed when in a non-security context. There is a plan to
add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate
whether or not the instance is being used in a security context.
In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.
Some downstream python versions already support this parameter. To
support these versions, a new encapsulation of md5() has been added to
oslo_utils. See https://review.opendev.org/#/c/750031/
In this case, md5 is used to calculate the hash of a database record
to ensure record uniqueness.
Change-Id: Ic2571caa71dc99c417ea0933d5d4947287cbe312
Replaced HTTP API calls with openstack client commands.
Note blacklist exception policy for admin users.
Changed voicing to be more passive.
Blacklists only apply to zones, not records.
Change-Id: I7f3662c57ee9bccb42381134523e8fdd21e93740
This patch is not changing any functionality, but instead it is
aimed at cleaning up the scheduler code. It also removes the use
of reserved keywords in the scheduler code.
Change-Id: I93cede3371f1ec650adf3b00bf8250457a38f96c
List operations should add the task_type criterion to the user
provided criterion.
Change-Id: I983d930f975c109cce24a9587bba6db563b3f19f
Launchpad: 1926058
This patch fixes a database migration for sqlalchemy 1.4.
It also removes some unused functions from that migration.
Note: This patch temporarily disables the scenario jobs to allow
this gate fix to merge while the tempest test issue is being
resolved.
A direct follow up patch will re-enable the tests.
Change-Id: I4fee32f9be080eea6eef38fcecbdb2dd3940b9e6
When running individual unit tests there was a possibility
of triggering a circular dependency. This patch fixes
this by moving DEFAULT MDNS and AGENT ports into
the configuration.
Change-Id: I5f7c1ef14daf0a01e4d37cc5416d08cc75f2b485
Resolves warnings like the following:
UserWarning: Usage of dash-separated 'description-file' will not be
supported in future versions. Please use the underscore name
'description_file' instead
Change-Id: I6c161fc4bbc1fafa576916bb9dc3a039c06f9ffa
Add some basic documentation for users covering how to create zones.
Nameserver list is not in the client CLI; once that is
available, an additional command can be added showing how to get
the backend nameserver to query when verifying results.
Change-Id: I914875cfd6273c01c74194c8a6296ae74537d169
Add file to the reno documentation build to show release notes for
stable/wallaby.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.
Sem-Ver: feature
Change-Id: I2e7d89c3fe7ebdc6f88af3af0680206a4e7d41fc
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:
1. Change the default value of the '[oslo_policy] policy_file'
   config option from 'policy.json' to 'policy.yaml' with
   upgrade checks.
2. Deprecate the JSON formatted policy file on the project side
   via a warning in the docs and release notes.
Also replace policy.json references with policy.yaml in the docs.
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: I81e7ee3243af11ebb3589f530533731b87178a96
Added a new section to the documentation introducing the core
concepts of DNS, providing an overview of Designate and how
it integrates with Neutron and external nameservers and linking
to other documentation for more information.
The Designate architecture diagram has been updated to reflect
modern deployments:
- All services are run as HA
- Nova does not interact with the Designate API, it has been
  replaced with 'Users'
- The DB only receives connections from MiniDNS or Central so
  its arrows are all incoming
- The backend is a part of the worker service
- MiniDNS sends NOTIFY to customer DNS Servers and
  also receives transfer requests so their connection is
  bidirectional
A subsequent change can update the architecture section to reflect
these clarifications, though they are for the most part already
mentioned in the text there.
Change-Id: I471db98544332cb454d15f29d86407cd09e91d6c
An updated pip version has shown multiple inconsistencies within
our lower constraints, so bump the affected versions.
Change-Id: I558e77dbba6abf64e6857d7f880104f0237dca1b
This commit updates the policies for zone transfer requests to
understand scope checking and account for a read-only role. This is
part of a broader series of changes across OpenStack to provide a
consistent RBAC experience and improve security.
Change-Id: I56ae44c6ae302d521d8ec52c871f77ef1bbb072d
This commit updates the policies for zone transfer accepts to
understand scope checking and account for a read-only role. This is
part of a broader series of changes across OpenStack to provide a
consistent RBAC experience and improve security.
Change-Id: If1329182043001e27713457c2d591e6c55ad3e87
This commit updates the policies for zone imports to understand scope
checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Change-Id: I319b2398de9bd9d841bfb3bbdbe8f50434762602
This commit updates the policies for zone exports to understand scope
checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Change-Id: I5dde051a1ce565cd35cedc11cb0ff5afe35a8d72
This commit updates the policies for zones to understand scope
checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Change-Id: Ib31cb82cbf62460723f261f1eaeec918633508c0
This commit updates the policies for tsigkeys to understand scope
checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Change-Id: I8ad4e61337f00a2c7b0019a6748c2fab42a65255
This commit updates the policies for top-level domains to understand
scope checking and account for a read-only role. This is part of a
broader series of changes across OpenStack to provide a consistent
RBAC experience and improve security.
Change-Id: I0df00a826dcaf73c6a078a39585839022b71268a
This commit updates the tenant policies to understand scope checking
and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and
improve security.
I'm not entirely sure I understand these policies. It'll be good to
work through these policy changes with someone more familiar with
designate and why these policies exist.
Change-Id: I9b6bce0c43720f61cdebfa416d953e5a2b920e87
This commit updates the policies for service status to understand
scope checking and account for a read-only role. This is part of a
broader series of changes across OpenStack to provide a consistent
RBAC experience and improve security.
Change-Id: I11c3d7ec8dc871338db7fcd3746e56516683ecd1
This commit updates the policies for recordsets to understand scope
checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Change-Id: I064a5021282be247ee7339a47871e3dba08ab2fa