Added CORS support to Heat

This adds the CORS support middleware to Heat, allowing a deployer
to optionally configure rules under which a JavaScript client may
relax the browser's same-origin policy and access the API directly.

For heat, the paste.ini method of deploying the middleware was
chosen, because it needs to be able to annotate responses created
by keystonemiddleware. If the middleware were explicitly included
as in the previous patch, keystone would reject the request before
the cross-domain headers could be annotated, resulting in an
error response that was unreadable by the user agent.

OpenStack CrossProject Spec:
   http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
Oslo_Middleware Docs:
   http://docs.openstack.org/developer/oslo.middleware/cors.html
OpenStack Cloud Admin Guide:
   http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html docimpact

Change-Id: I185f0d9f85617dd2f482cac4994ccc0a4cb6cf16
Michael Krotscheck 2015-10-19 09:15:26 -07:00
parent 20b5e05be7
commit 1d94dd4f2a
2 changed files with 12 additions and 7 deletions


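--- a/config-generator.conf
+++ b/config-generator.conf
@@ -12,6 +12,7 @@ namespace = heat.api.middleware.ssl
 namespace = heat.api.aws.ec2token
 namespace = keystonemiddleware.auth_token
 namespace = oslo.messaging
+namespace = oslo.middleware
 namespace = oslo.db
 namespace = oslo.log
 namespace = oslo.policy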


@ -1,7 +1,7 @@
# heat-api pipeline # heat-api pipeline
[pipeline:heat-api] [pipeline:heat-api]
pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app pipeline = cors request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app
# heat-api pipeline for standalone heat # heat-api pipeline for standalone heat
# ie. uses alternative auth backend that authenticates users against keystone # ie. uses alternative auth backend that authenticates users against keystone
@ -12,7 +12,7 @@ pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authto
# flavor = standalone # flavor = standalone
# #
[pipeline:heat-api-standalone] [pipeline:heat-api-standalone]
pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app pipeline = cors request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app
# heat-api pipeline for custom cloud backends # heat-api pipeline for custom cloud backends
# i.e. in heat.conf: # i.e. in heat.conf:
@ -20,25 +20,25 @@ pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword cont
# flavor = custombackend # flavor = custombackend
# #
[pipeline:heat-api-custombackend] [pipeline:heat-api-custombackend]
pipeline = request_id faultwrap versionnegotiation context custombackendauth apiv1app pipeline = cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
# heat-api-cfn pipeline # heat-api-cfn pipeline
[pipeline:heat-api-cfn] [pipeline:heat-api-cfn]
pipeline = cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app pipeline = cors cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
# heat-api-cfn pipeline for standalone heat # heat-api-cfn pipeline for standalone heat
# relies exclusively on authenticating with ec2 signed requests # relies exclusively on authenticating with ec2 signed requests
[pipeline:heat-api-cfn-standalone] [pipeline:heat-api-cfn-standalone]
pipeline = cfnversionnegotiation ec2authtoken context apicfnv1app pipeline = cors cfnversionnegotiation ec2authtoken context apicfnv1app
# heat-api-cloudwatch pipeline # heat-api-cloudwatch pipeline
[pipeline:heat-api-cloudwatch] [pipeline:heat-api-cloudwatch]
pipeline = versionnegotiation osprofiler ec2authtoken authtoken context apicwapp pipeline = cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
# heat-api-cloudwatch pipeline for standalone heat # heat-api-cloudwatch pipeline for standalone heat
# relies exclusively on authenticating with ec2 signed requests # relies exclusively on authenticating with ec2 signed requests
[pipeline:heat-api-cloudwatch-standalone] [pipeline:heat-api-cloudwatch-standalone]
pipeline = versionnegotiation ec2authtoken context apicwapp pipeline = cors versionnegotiation ec2authtoken context apicwapp
[app:apiv1app] [app:apiv1app]
paste.app_factory = heat.common.wsgi:app_factory paste.app_factory = heat.common.wsgi:app_factory
@ -56,6 +56,10 @@ heat.app_factory = heat.api.cloudwatch:API
paste.filter_factory = heat.common.wsgi:filter_factory paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.openstack:version_negotiation_filter heat.filter_factory = heat.api.openstack:version_negotiation_filter
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = heat
[filter:faultwrap] [filter:faultwrap]
paste.filter_factory = heat.common.wsgi:filter_factory paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.openstack:faultwrap_filter heat.filter_factory = heat.api.openstack:faultwrap_filter
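Review bot: The new `[filter:cors]` block gives a deployer no hint that the CORS rules are not in this file but in Heat's own config, which `oslo_config_project = heat` points the filter at, so someone looking for `allowed_origin` here will find nothing; I would add above the section `# CORS rules live in the [cors] section of heat.conf (see the oslo.middleware docs);` followed by `# oslo_config_project makes the filter read Heat's config rather than this file.` Because the filter is wired up by project name rather than from the running process's configuration, it is worth confirming that a heat-api started with a non-default --config-file still sees the same [cors] settings — presumably the project lookup loads only the default config files. Placing `cors` first in every pipeline, ahead of faultwrap and the auth filters, is exactly what lets preflight requests and auth-failure responses carry the cross-origin headers, so a later reorder would silently break browser clients; a one-line `# cors must stay first so preflight and error responses still carry CORS headers` above the first pipeline would protect that intent.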