The oslo-incubator log module has been removed, so port to the oslo_log
library. Note this uses the new (non namespaced, e.g. oslo.log) import
convention, we'll need to align other imports in a future commit.
Some import reordering was required due to pedantic H30[57] checks, and
the services have all been converted to initialize the oslo_log library
as this is done differently to the log.py in incubator.
Change-Id: Ib5a97123fe1b287bc531e42d7887c13ba6205628
When keystone is deployed behind SSL, the ec2_authtoken options don't
have a way to include the same SSL options that the various clients use,
so it's not possible to authenticate tokens.
Capability to handle SSL options is added. ec2token makes use of HTTP
request object from httplib. Config options to specify CA file, client
side certificate, key file and "verify server certificate option" will
be listed under "ec2authtoken" group in conf file.
Change-Id: Ibede73a17ae951cff00a7d9629a4c08f82208139
Closes-Bug: #1415223
Replace usage of old incubator configuration generator by the
oslo.config tool.
tools/config/generate_sample.sh has been replaced by tox -egenconfig.
heat_integrationtests/generate_sample.sh has been replaced by
oslo-config-generator --config-file=heat_integrationtests/config-generator.conf
Change-Id: I6d95df203b556c8ec2088d40a446427f7087b9a7
There are references to the auth_token middleware in keystoneclient.
The auth_token middleware has been moved to keystonemiddleware and
the version in keystoneclient shouldn't be used anymore.
If these references aren't updated, then when options are changed in
keystonemiddleware.auth_token the heat-api will fail to start because
there are duplicate options in keystoneclient.middleware.auth_token.
Change-Id: I04573aa5ff967afe3e00329f797fcc71b779e7b3
Closes-Bug: #1379082
Currently, Log translation is motivated by oslo's move to prioritized
translation of strings, as documented at
https://wiki.openstack.org/wiki/LoggingStandards#Log_Translation
- add log translation hints for warning, error and info levels
- move from LOG.warning to LOG.warn
- remove use of % as a string formatter, use the log functionality
instead
Partial implements blueprint log-translation-hints
Change-Id: Ie17871f42f75085c2ac6a14fb1526df7bc3a9603
If (as is currently done by the puppet-heat manifests) the ec2authtoken
auth_uri is specified, and it looks like http://127.0.0.1:5000/v2.0/ec2tokens
ec2token authentication will fail, because we always append "ec2tokens" to
the auth_uri. Instead, only add it when needed.
This probably needs to be combined with a change to the puppet manifests so
we don't set the ec2authtoken auth_uri, as it's an optional section - we can
derive the correct path with only the auth_uri from the keystone_authtoken
section.
Change-Id: I8c89772b40523b30f1c46b2ca8b68f9e20d5c213
Closes-Bug: #1318599
Commit https://review.openstack.org/#/c/94255/1 introduces a check for
translating log messages. This check uses the name 'LOG' in its pattern, so
heat code should also use this name instead of 'logger'. The same
name is also used in other projects.
Change-Id: Iba24c7eb1c13e68a91d090d7bcdbcb40d6e16071
Partial-Bug: #1321283
According to the OpenStack translation policy available at
https://wiki.openstack.org/wiki/LoggingStandards debug messages
should not be translated. Like mentioned in several changes in
Nova by garyk this is to help prioritize log translation.
Change-Id: I770dfc2fd474123a8ccc37311ef69d0c03e85545
Closes-Bug: #1318713
This patch is one in a series to re-enable H306 style check rule
(imports are in alphabetical order). It touches API files.
Implements: blueprint reduce-flake8-ignored-rules (partial)
Change-Id: I81c7c79516ce1a17055c3b9c12a94312ed3d1940
Follow oslo.config style guide for help strings better to create
consistent help strings:
* Capitalize first word of each help string
* Finish help strings with "."
* Improve wording
* Add missing space between strings
Change-Id: Ia86734d44fdf4eb3711fef800fe6bdfd1a1b59d4
In heat, almost 200 log messages and at least 30 exception
messages are not processed by _(), and will not be translated.
We should use '_("STRING ...")' to enable i18n support.
I will split this into two parts to make review easier because too
many files are missing _().
Closes-Bug: #1249217
Change-Id: I2c86dc7770a7f6f107ba16711b9cba363ef9b906
We already require the keystone_authtoken heat.conf section for the
auth_token middleware, and heat_keystoneclient.py. So this patch
allows us to reuse the auth_uri specified in that section instead
of requiring a duplicate auth_uri to be specified in [ec2authtoken]
Change-Id: Ic5efafb7743aeddca990a4c560b423293108e1e0
Closes-Bug: #1229674
Currently if the CFN API is misconfigured, such that no auth_uri
is set in the config, we silently fail because we don't detect that
auth_uri==None in the code. Instead catch this situation and assert
that the service is misconfigured via a 500 response.
Change-Id: I47a385aa6a34fe3133de00cf2b18fec6a4f6645a
Partial-Bug: #1229674
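
The auth_uri handling described in this commit message and in two earlier ones on this page (falling back to the keystone_authtoken auth_uri, and appending "ec2tokens" only when needed), as an added example that is not Heat's own code. `resolve_ec2tokens_url`, `MisconfiguredError` and the dict-based config are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


class MisconfiguredError(Exception):
    """Stands in for the 500 response raised when no auth_uri is set."""


def resolve_ec2tokens_url(conf):
    """Return the URL that EC2-style credentials are validated against.

    conf is a plain dict of dicts standing in for heat.conf sections
    (an assumption; the real service reads them through oslo.config).
    """
    # Prefer [ec2authtoken], fall back to [keystone_authtoken].
    auth_uri = (conf.get("ec2authtoken", {}).get("auth_uri")
                or conf.get("keystone_authtoken", {}).get("auth_uri"))
    if not auth_uri:
        # Fail loudly instead of silently building a URL from None.
        raise MisconfiguredError(
            "no auth_uri in [ec2authtoken] or [keystone_authtoken]")

    parts = urlsplit(auth_uri)
    segments = [s for s in parts.path.split("/") if s]
    # Append "ec2tokens" only when the path does not already end with it,
    # so .../v2.0, .../v2.0/ and .../v2.0/ec2tokens all give the same URL.
    if not segments or segments[-1] != "ec2tokens":
        segments.append("ec2tokens")
    path = "/" + "/".join(segments)
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))
```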
Making ec2token middleware multi-cloud aware presents a
challenge as the API assumes there is only one cloud and
Heat must remain compatible. This means that unlike multi-cloud
heat-api, the request cannot explicitly say which endpoint it
wants to authenticate against.
However it must be possible to make authenticated cfn requests
against a multi-cloud heat for the sake of cfntools requests.
The approach taken in this commit is to attempt authentication
against each configured allowed_auth_uris until one succeeds.
This is safe for the following reasons:
1. AWSAccessKeyId is a randomly generated sequence
2. No secret is transferred to validate a request
If all auth attempts fail, the last failed reason is raised
as the error to the user.
Change-Id: I3a5a7adc97b110fcb8c6e8b156749fdec8924b88
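
The try-each-endpoint approach described in this commit message, as an added example that is not Heat's own code. `authenticate_any`, `fake_validate`, the `CLOUDS` table and the simplified HMAC signing are constructed stand-ins for the ec2tokens request; only the access key and signature travel with the request, never the secret.

```python
import hashlib
import hmac


class AuthFailure(Exception):
    pass


# Constructed sample data: each cloud's own credential store.
CLOUDS = {
    "http://cloud-a.example:5000/v2.0": {"AKIAEXAMPLEA": b"secret-a"},
    "http://cloud-b.example:5000/v2.0": {"AKIAEXAMPLEB": b"secret-b"},
}


def sign(secret, string_to_sign):
    # Simplified signing, not the exact AWS v2/v4 algorithm.
    return hmac.new(secret, string_to_sign.encode(), hashlib.sha256).hexdigest()


def fake_validate(uri, creds):
    """Hypothetical stand-in for one cloud's credential validation."""
    secret = CLOUDS[uri].get(creds["access"])
    if secret is None:
        raise AuthFailure("%s: unknown access key" % uri)
    expected = sign(secret, creds["string_to_sign"])
    if not hmac.compare_digest(expected, creds["signature"]):
        raise AuthFailure("%s: signature mismatch" % uri)
    return "token-for-" + creds["access"]


def authenticate_any(creds, allowed_auth_uris, validate=fake_validate):
    """Try each allowed endpoint in order and return (uri, token)."""
    if not allowed_auth_uris:
        raise AuthFailure("no auth endpoints configured")
    last_error = None
    for uri in allowed_auth_uris:
        try:
            return uri, validate(uri, creds)
        except AuthFailure as exc:
            last_error = exc  # keep only the most recent failure
    # Every endpoint rejected the request: surface the last reason.
    raise last_error
```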
This vastly simplifies the implementation and test mocking.
ec2token middleware is the last piece of code in the heat
repository to be making direct httplib calls.
Change-Id: I3807b27a7699ff19eb46e2721aaa5afd9d6c8ff9
ec2token auth_uri must be correctly configured for heat to work.
The /ec2tokens path is not an endpoint in its own right, it is
part of the keystone v2.0 API. The keystone_ec2_uri configuration
parameter was only used for ec2 style credentials validation in
the ec2token middleware. It might have also propagated all the
way into the user_creds table to be stored for each stack were it
not for this chain of failures (removed in this commit):
- X-Auth-EC2_URL header is set in ec2token, but header X-Auth-EC2-Url
is read by RequestContext
- RequestContext stores the ec2 uri in aws_auth_uri, but UserCreds
expects aws_auth_url
Change-Id: I9908e17bed33fdc64d058a6d6db7b29f9c8d53d6
This way it is possible to generate the config
files from the used config values automatically
(like done e.g. in other OpenStack modules)
Change-Id: I2683743330a8d3589637d967e16b5ba130bd45e1
Avoid using two separate sets of translation messages when
the HEAT_LOCALEDIR environment variable is present.
Fixes bug #1196184
Change-Id: Ief773b9f2674909de461e2b07f1b07d3c66521cc
Remove the try/catch around jsonutils dumps, since this is
handled internally by jsonutils via the dumps default parameter
Change-Id: I66c63b441f61cde506ef40e3eace60c3c41e90ca
Update ec2token so it can verify v4 signature formats.
Note for v4 signatures to work you currently need to install
the latest python-keystoneclient, as no release yet contains
patch ref https://review.openstack.org/#/c/26013/
This change should be backwards compatible, as older keystoneclient
versions will simply ignore the additional request keys
fixes bug #1122472
Change-Id: Iccc6be7913ab5ca5813a2e0c8f66cda0ccd85a0b
Since the change merged from https://review.openstack.org/#/c/27383/
ec2token auth no longer works, because there is a mismatch between
the config file section name and the section specified in ec2token
fixes bug #1174673
Change-Id: I5c0465de5c023f587b677b10717ca3a08ba411b7
Just like keystoneclient.middleware.auth_token
first checks paste.ini file then .conf file when fetching
a config value
Change-Id: I9db9744d0ab12fcf486de9a9d3f8e870a4ff66de
The ec2token middleware currently dumps the whole request into the
request context when using AWS Auth, when all we really want are
the credentials (accesskey/signature)
fixes bug 1072917
Change-Id: I8fb0d4d7ada29d7d19c702a7da1251384166c246
Lots of (mostly whitespace) cleanups to align all the non-test code with
pep8 v1.3.4
ref bug 1092057
Change-Id: I444b288444dba4ec1da5854bd276d091c06d8489
Signed-off-by: Steven Hardy <shardy@redhat.com>
Move aws api common files to common directory
(so they can be more easily reused by cloudwatch)
Change-Id: I1a455ef11226dd960503bac5d79fa5c28607a1f6
Signed-off-by: Steven Hardy <shardy@redhat.com>