Load a single api-paste.ini file, specified by config
Delete unused paste.ini files
Update docs for new paste.ini and config arrangement
There will be a corresponding devstack change, and once this is in
I will email the packagers on the packaging implications
Change-Id: Ic10b1a486094d15bfd832f0f934e6268ec323085
keystone auth_token middleware now allows heat to have auth_token
configuration in heat-api.conf. Moves the example of
auth_token configuration from heat-api-paste.ini to heat-api.conf.
This simplifies user configurations and users are no longer required
to edit heat-api-paste.ini.
This does not break backward compatibility. auth_token first
tries the configurations in /etc/heat/heat-api-paste.ini and then the
above configurations. Thus a user who already uses heat-api-paste.ini
does not need to change it.
Change-Id: Ia0a4d912cd7380094e121ee4af733277ca4d812e
Blueprint: keystone-middleware
Replace old forked auth_token with a subclass
of keystoneclient middleware.
The advantages of moving to keystoneclient middleware:
- can use v3 (or v2) keystone api
- PKI tokens
- token revocation
The subclass sets the following headers to be consumed by our
request context filter:
- X-Admin-User
- X-Admin-Pass
- X-Admin-Tenant-Name
- X-Auth-Url
The need to override _build_user_headers should be a short-term thing,
X-Admin-* isn't actually used currently, and there are a few options
that need to be discussed for getting X-Auth-Url to the engine.
Change-Id: Iacc5046fbf559724a4ae0bd6091d662e23d65544
Blueprint: keystone-middleware
The cloudwatch paste config should specify service/heat
like the other API services, not admin/admin
Change-Id: I0590c88edd6b544aba467ab171dd7f610b50c380
keystone.middleware.auth_token is now just aliased to
keystoneclient.middleware.auth_token.
Also heat_auth_token doesn't seem to exist, so this has likely
always been broken
Change-Id: I5eadd9a02e41921b39fc8b6783c22010893bb5e9
Change the configuration files to set use_stderr to False by
default. Oslo's log sets use_stderr to True by default, and
the only reasonable way to override is via the config files.
Change-Id: Ibc4ac3b8cb5d7478260d5d014eb48860bae4bc0b
Fixes: Bug #1146848
Boto does not, by default, validate https certificates on endpoints. We
now provide a way to specify it in the heat configuration alongside
is_secure. Heat deployers may also need to turn this off if boto ever
does make it default and they want to use self signed certs.
Fixes bug #1130345
Change-Id: I09b684dd28a8a57c6ce514d1df1e699e7c8b182e
Currently the heat-jeos code defaults to http only, but we are
about to fix that, so we instead need a way to specify if
instances should connect via http or https - boto provides the
is_secure config file option, so add a new heat option which
controls this setting in the boto config we create in userdata
fixes bug 1117594
Change-Id: I0b9201107570334d9846d9613d252da1a91efe8a
Signed-off-by: Steven Hardy <shardy@redhat.com>
Currently we hardcode is_secure=False, but boto supports configuration
of this option from the config file (either ~/.boto or /etc/boto.cfg)
so better to do that
NOTE - you will need to update your boto config to include is_secure=0
to retain current (non https) behavior, since it defaults to on
ref bug 1117594
Change-Id: Ic13e8604f12d3d5be4ec132a1bc04ae7624ec85d
Signed-off-by: Steven Hardy <shardy@redhat.com>
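The two commits above turn on the deployer's choice of plain http versus https (is_secure) and, separately, whether boto validates the server certificate. The following is an added example, not Heat or boto code: a small audit over a boto config file ([Boto] section of ~/.boto or /etc/boto.cfg) that flags the weak settings. The option names is_secure and https_validate_certificates are real boto options; the two sample config texts are constructed for the example.

```python
"""Audit a boto config (~/.boto or /etc/boto.cfg) for insecure transport settings.

Added example, not Heat or boto code. It checks the two boto [Boto] options
discussed above: is_secure (http vs https, boto default on) and
https_validate_certificates (certificate validation, which boto releases of
this era did not enable by default). The sample configs below are constructed.
"""
import configparser

# Constructed sample: what a deployer following the "retain non-https
# behaviour" note might write, plus certificate validation switched off.
INSECURE_CFG = """
[Boto]
is_secure = 0
https_validate_certificates = False
"""

# Constructed sample: hardened settings.
HARDENED_CFG = """
[Boto]
is_secure = True
https_validate_certificates = True
"""


def audit_boto_config(text):
    """Return a list of findings (strings) for the given boto config text.

    An empty list means the transport settings are hardened. A missing
    https_validate_certificates is reported too, because relying on the
    library default means relying on whatever boto version is installed.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    findings = []
    if not parser.has_section("Boto"):
        findings.append("no [Boto] section: boto defaults apply "
                        "(https on, cert validation depends on boto version)")
        return findings
    section = parser["Boto"]
    # configparser accepts 1/yes/true/on and 0/no/false/off, which covers
    # the is_secure=0 spelling suggested in the commit message above.
    if not section.getboolean("is_secure", fallback=True):
        findings.append("is_secure is off: endpoints are contacted over plain http")
    validate = section.getboolean("https_validate_certificates", fallback=None)
    if validate is None:
        findings.append("https_validate_certificates not set: relying on boto's default")
    elif not validate:
        findings.append("https_validate_certificates is off: "
                        "self-signed or forged certs are accepted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_boto_config(cfg) or ["ok"])
```

Note that is_secure=True with certificate validation off still leaves the connection open to an active man-in-the-middle; the audit therefore reports the two settings independently rather than treating https alone as sufficient.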
Adds a basic policy.json to authorize all actions for the CW API -
this will deny access to the in-instance users defined in stack
templates (which are assigned the heat_stack_user role) to all API
actions apart from PutMetricData action, which is used by
cfn-push-stats to provide metric data from the instances
Change-Id: I2bbb885bec98b85828cdb92d7efc0688da7be3c1
Signed-off-by: Steven Hardy <shardy@redhat.com>
Adds a basic policy.json to authorize all actions for the CFN API -
this will deny access to the in-instance users defined in stack
templates (which are assigned the heat_stack_user role) to all API
actions apart from DescribeStackResource, which is used for metadata
updates
ref bug 1115758
Change-Id: I1431c1f23593fffd0f911f71ef9c186a43e5063a
Signed-off-by: Steven Hardy <shardy@redhat.com>
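The two policy.json commits above (CloudWatch API and CFN API) both express the same pattern: deny every action to callers holding the heat_stack_user role, except the single action the in-instance tooling needs. The following is an added example, not Heat's policy.json or its policy engine: a minimal evaluator for the subset of the policy.json rule grammar needed for that pattern (role:X, not <expr>, rule:<name>, and the empty string meaning "always allow"), with two constructed policies whose allow/deny outcomes match the behaviour the commit messages describe. The action names and the rule name deny_stack_user are assumptions for the example.

```python
"""Evaluate a policy.json-style rule set for the CFN and CloudWatch APIs.

Added example, not Heat's policy.json or policy engine. It implements only
the rule grammar needed for "deny heat_stack_user everything except one
action": role:X, not <expr>, rule:<name>, and "" meaning always allow.
The policies below are constructed to match the commit messages above.
"""
import json

# Constructed CFN policy: stack users may only call DescribeStackResource.
CFN_POLICY_JSON = json.dumps({
    "deny_stack_user": "not role:heat_stack_user",
    "cloudformation:ListStacks": "rule:deny_stack_user",
    "cloudformation:CreateStack": "rule:deny_stack_user",
    "cloudformation:DescribeStackResource": "",
    "cloudformation:DeleteStack": "rule:deny_stack_user",
})

# Constructed CloudWatch policy: stack users may only call PutMetricData.
CW_POLICY_JSON = json.dumps({
    "deny_stack_user": "not role:heat_stack_user",
    "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
    "cloudwatch:ListMetrics": "rule:deny_stack_user",
    "cloudwatch:PutMetricData": "",
    "cloudwatch:SetAlarmState": "rule:deny_stack_user",
})


class Policy:
    def __init__(self, policy_json):
        self.rules = json.loads(policy_json)

    def _check(self, expr, roles, depth=0):
        # Rules may reference other rules; bound the recursion so a
        # self-referential policy file cannot hang the API.
        if depth > 16:
            raise ValueError("rule recursion too deep")
        expr = expr.strip()
        if expr == "":
            return True                      # "" always allows
        if expr.startswith("not "):
            return not self._check(expr[4:], roles, depth + 1)
        kind, _, value = expr.partition(":")
        if kind == "role":
            return value in roles
        if kind == "rule":
            if value not in self.rules:
                return False                 # unknown rule: fail closed
            return self._check(self.rules[value], roles, depth + 1)
        raise ValueError("unsupported rule expression: %r" % expr)

    def enforce(self, action, roles):
        """True if a caller holding `roles` may perform `action`.

        Actions with no entry are denied (fail closed); this example has
        no "default" rule fallback.
        """
        if action not in self.rules:
            return False
        return self._check(self.rules[action], set(roles))


def allowed_actions(policy, roles):
    """Sorted list of API actions (entries containing ':') the roles may call."""
    return sorted(a for a in policy.rules if ":" in a and policy.enforce(a, roles))


if __name__ == "__main__":
    print(allowed_actions(Policy(CFN_POLICY_JSON), ["heat_stack_user"]))
    print(allowed_actions(Policy(CW_POLICY_JSON), ["heat_stack_user"]))
```

One consequence of writing the deny rule as "not role:heat_stack_user" is that a token carrying both heat_stack_user and admin is still denied everything but the whitelisted action, so the special role should only ever be granted to the in-instance users the User resource creates.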
For token based auth to work, the auth_uri needs to use
auth_port, which points at the internalURL of the keystone
service, the current config uses publicURL which causes
token auth requests to keystone to fail
ref bug 1072944
Change-Id: If7e0c2246205377f57f879ccf8bf36ff8b0d92e1
Signed-off-by: Steven Hardy <shardy@redhat.com>
Custom backends will want to provide their own authentication mechanisms
instead of using the Keystone token or EC2-like systems we have in
place.
This adds a new middleware and paste pipeline for the custom backend
that will skip the normal authentication and query the backend's
`authenticated(context)` method instead.
Since the backend is connected to the Engine whereas the auth middleware
is run in the API service (which may sit on a separate box and have no
access to the engine config or the custom backend itself), we add a new
RPC call that lets API verify the passed credentials.
Change-Id: I2fc4a19564b1e410adb79bd9266f6b6da07dd6c9
Signed-off-by: Tomas Sedovic <tomas@sedovic.cz>
This allows us to use a different IaaS backend (other than OpenStack).
OpenStack is still used by default.
Change-Id: I1772d57ae583a281204edfb80fbfde220b004a9d
Signed-off-by: Tomas Sedovic <tomas@sedovic.cz>
Remove heat-metadata service, since the last remaining function
(waitcondition handle notification) is now handled via the CFN
API
blueprint metsrv-remove
Signed-off-by: Steven Hardy <shardy@redhat.com>
Change-Id: Ie36c86ce86f6c47e8d9f8accf8ec17084fb8cffd
Change WaitConditionHandle so it provides a pre-signed URL which
allows authenticated wait condition notification via the CFN API
blueprint metsrv-remove
Change-Id: I5c1c3a17ade35c810e49b1f27d80bcfea9e89485
Signed-off-by: Steven Hardy <shardy@redhat.com>
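The commit above replaces the metadata server's notification path with a pre-signed URL that the CFN API can authenticate. The following is an added example, not Heat's WaitConditionHandle code: it generates and verifies a pre-signed GET URL with the EC2/AWS query-string signing scheme (SignatureVersion 2, HMAC-SHA256), which is the style of signed request an AWS-compatible query API accepts. The endpoint URL, action name, stack and resource names, access key and secret are all constructed for the example; the verifier checks expiry and the key id before comparing signatures in constant time.

```python
"""Generate and verify a pre-signed URL (AWS SignatureVersion 2, HMAC-SHA256).

Added example, not Heat's WaitConditionHandle implementation. It assumes a
CFN-style query API that authenticates GET requests signed with the
EC2-style SignatureVersion=2 scheme. Key id, secret, endpoint, action and
stack/resource names below are constructed for the example.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qsl, quote


def _canonical_query(params):
    # SigV2: parameters sorted by name, RFC 3986 percent-encoding, Signature excluded.
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join("%s=%s" % (quote(k, safe="-_.~"), quote(str(v), safe="-_.~"))
                    for k, v in items)


def _sign(method, host, path, params, secret):
    # StringToSign = Method \n Host \n Path \n CanonicalQuery
    string_to_sign = "\n".join([method, host.lower(), path or "/", _canonical_query(params)])
    digest = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def presign_url(base_url, params, access_key, secret, expires):
    """Return base_url with the request parameters and a SigV2 Signature appended.

    `expires` is a Unix timestamp after which the verifier rejects the URL,
    so a leaked handle URL has a bounded lifetime.
    """
    parts = urlsplit(base_url)
    signed = dict(params)
    signed.update({
        "AWSAccessKeyId": access_key,
        "SignatureVersion": "2",
        "SignatureMethod": "HmacSHA256",
        "Expires": str(expires),
    })
    signed["Signature"] = _sign("GET", parts.netloc, parts.path, signed, secret)
    query = _canonical_query(signed) + "&Signature=" + quote(signed["Signature"], safe="-_.~")
    return "%s://%s%s?%s" % (parts.scheme, parts.netloc, parts.path, query)


def verify_url(url, lookup_secret, now):
    """Server side: verify a pre-signed URL. Returns (ok, reason).

    lookup_secret maps an AWSAccessKeyId to its secret (None if unknown).
    Cheap checks (presence, version, expiry, key lookup) run before the
    HMAC so that malformed requests never reach the signature comparison.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    for required in ("AWSAccessKeyId", "Signature", "Expires", "SignatureVersion"):
        if required not in params:
            return False, "missing " + required
    if params["SignatureVersion"] != "2":
        return False, "unsupported SignatureVersion"
    try:
        if int(params["Expires"]) < now:
            return False, "expired"
    except ValueError:
        return False, "bad Expires"
    secret = lookup_secret(params["AWSAccessKeyId"])
    if secret is None:
        return False, "unknown key"
    expected = _sign("GET", parts.netloc, parts.path, params, secret)
    if not hmac.compare_digest(expected, params["Signature"]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    url = presign_url("https://cfn.example.com:8000/v1/waitcondition/stack1/handle1",
                      {"Action": "SignalResource", "StackName": "stack1",
                       "LogicalResourceId": "handle1"},
                      "AKIAEXAMPLE", "constructed-secret", 2000000000)
    print(url)
    print(verify_url(url, lambda k: "constructed-secret", now=1700000000))
```

Because the host, path and every query parameter are part of the signed string, an instance that received a handle URL cannot retarget it at another stack or resource without invalidating the signature; the Expires parameter is what limits how long a captured URL stays usable.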
Append url for watch server to instance userdata, which avoids
post-install sed mangling in the template, and will make it easier
to transparently switch to a different metric service
Change-Id: I59b9b7efcd75d44e88ebe0a116a9ce1e3ef20c14
Signed-off-by: Steven Hardy <shardy@redhat.com>
This is to allow python-heatclient to eventually become the default heat
client.
Documentation in heat.wiki will be updated to refer to heat-cfn when this
change is pushed.
Change-Id: I2209c36adf41fa5d0df0caf9200f7fedbdd51805
Add config option for waitcondition server, since metadata
and waitcondition notifications are no longer handled by the
same API
Change-Id: Idc1b39c6c60b8473316fe4861f0f060568540b09
Signed-off-by: Steven Hardy <shardy@redhat.com>
Remove logic where the heat-metadata server registers a
URL on startup with the engine. The instance metadata is
now served via the CFN api, so we just have a config-file
option specifying the URL of the CFN API. We don't want to
preserve the "register on startup" logic, because we need the
engine to have access to this information even if it is
restarted independent of some other service (avoid reliance on
services coming up in a particular order)
Change-Id: I690170977227ec96451d2a2fd25f7e507370b604
Signed-off-by: Steven Hardy <shardy@redhat.com>
Add all keystone users created by the User resource type
to a special keystone role, which can be used later for
defining RBAC policy for these users, and also works around
a keystone bug (1060959) on Folsom
Fixes #279
Change-Id: I94931e427ed51f4332bcb506220925b7ce8097bc
Signed-off-by: Steven Hardy <shardy@redhat.com>
The user which authenticates keystone tokens should be the "heat" user in
the "service" tenant. This changes the default configuration to do this, as
devstack already does.
Ref #269
Change-Id: I89978ec0b490f6d404c568197dd4208097a4b695
Signed-off-by: Zane Bitter <zbitter@redhat.com>
So far only access to stacks (not resources and events) is implemented.
Change-Id: I9655e9441087ef60c06e67e2d6ae68ec4a3b2d11
Signed-off-by: Zane Bitter <zbitter@redhat.com>
Previously, all APIs used single versioning definition. Since these are
likely to change at different rates (AWS APIs are unlikely to change at
all, but OpenStack APIs probably will), give each their own version
definition.
Change-Id: I6985205dfcb5baf6f49ad32b091d811f97d1552a
Signed-off-by: Zane Bitter <zbitter@redhat.com>
boto.cfg needs to be under /etc not /etc/heat
or boto won't find it
Change-Id: I0981bb3bd46dd1630633576fc77d085410bf6362
Signed-off-by: Steven Hardy <shardy@redhat.com>
Comment out the credentials section in /etc/boto.cfg
this allows us to pass the correct host/endpoint without
having world-readable credentials. This can then be used
as a template for per-user ~/.boto files if desired
Change-Id: I4cea0cb3b790186ddc041edad0ab4ee4b7e8f956
Signed-off-by: Steven Hardy <shardy@redhat.com>
This also means that the install script will install bash-completion for
heat.
Change-Id: Ib60346c72ce6277951cb51952e359f97be20a1be
Signed-off-by: Zane Bitter <zbitter@redhat.com>
The previous heat-api is, in fact, a CloudFormation-compatible API. Rename
it to heat-api-cfn, analogous to how the EC2 API in Nova is named
nova-api-ec2.
Change-Id: I9759f10cee6a60cdc9cb917966eb9fb95a618f85
Signed-off-by: Zane Bitter <zbitter@redhat.com>
Implements new client to demonstrate new Cloudwatch API
Currently only provides options for DescribeAlarms,
ListMetrics, PutMetricData and SetAlarmState
Signed-off-by: Steven Hardy <shardy@redhat.com>
Change-Id: I3963a07694cec9af96d9d7369cc7d18d629fcd2d
Initial AWS-compatible CloudWatch API implementation
Supports the following API actions:
- DescribeAlarms : describe alarm/watch details
- ListMetrics : List watch metric datapoints
- PutMetricData : Create metric datapoint
- SetAlarmState : temporarily set alarm state
Skeleton implementation of all other TODO actions which
returns HeatAPINotImplementedError.
Only basic filtering parameters supported at this time.
Signed-off-by: Steven Hardy <shardy@redhat.com>
Change-Id: I8628854a135fff07b675e85150ea0b50184ed2e1
Move aws api common files to common directory
(so they can be more easily reused by cloudwatch)
Change-Id: I1a455ef11226dd960503bac5d79fa5c28607a1f6
Signed-off-by: Steven Hardy <shardy@redhat.com>
This patch uses an encryption key generated in install.sh to perform
symmetrical encryption on sensitive authentication information stored
in the database for HA operations.
Change-Id: Ifd09f3f566ba3ebd941a6f453953576011b518b9
Signed-off-by: Ian Main <imain@redhat.com>
Just use a direct filter factory for ContextMiddleware
Change-Id: Ie17bb88c331bdb4354d0abb24346ab80f13cd323
Signed-off-by: Steven Dake <sdake@redhat.com>
heat-engine.conf, heat-api.conf, heat-metadata.conf
should have:
rpc_backend=heat.openstack.common.rpc.impl_qpid
to work with the reworked rpc code.
Change-Id: I2e5b136240db2fe8f6dfad27da7e31b2a5053a1c
Signed-off-by: Steven Hardy <shardy@redhat.com>
Add initial version of the heat cli tool which uses boto
- revised following review comments to remove jeos/cfn paths
ref #92
Change-Id: I61b5815b250f3b01d33844ff46dd1612000d51fd
Signed-off-by: Steven Hardy <shardy@redhat.com>
This patch updates the authentication system set up in heat:
- We now authenticate against the 'heat' service at the entry
point to each api call in the engine.
- We are now using the 'Context' class to contain the authentication
information as intended.
- The two context classes are unified and we now use the same one
for both WSGI and RPC. This is the intended design as the
context is loaded by the WSGI middleware and then passed into the
RPC methods.
- We are now doing token authentication in the API that works with
both native keystone and AWS style authentication. That token is
then passed on to the engine for further authentication for various
endpoints.
Note that the heat-api-paste.ini file requires updating in order for
this to work on your system. Admin user and password must be set
properly in the authtoken section in order to perform token based
authentication.
I suspect there will be a few bugs in here yet. This is just part of
the authentication/identification changes we need to make but I wanted
to get this in so we could continue to work with a boto based client.
Change-Id: Ib635ecd3088304e8d51d8e1fc31a8b1bf751caf3
Signed-off-by: Ian Main <imain@redhat.com>