diff --git a/horizon/test/settings.py b/horizon/test/settings.py index 5834cdd871..9b2f748aa9 100644 --- a/horizon/test/settings.py +++ b/horizon/test/settings.py @@ -19,6 +19,7 @@ import os import socket +from openstack_auth.defaults import * # noqa: F403,H303 from openstack_dashboard.utils import settings as settings_utils socket.setdefaulttimeout(1) diff --git a/openstack_auth/backend.py b/openstack_auth/backend.py index c2eee0b4c0..2599cbd0a7 100644 --- a/openstack_auth/backend.py +++ b/openstack_auth/backend.py @@ -44,14 +44,8 @@ class KeystoneBackend(object): @property def auth_plugins(self): if self._auth_plugins is None: - plugins = getattr( - settings, - 'AUTHENTICATION_PLUGINS', - ['openstack_auth.plugin.password.PasswordPlugin', - 'openstack_auth.plugin.token.TokenPlugin']) - + plugins = settings.AUTHENTICATION_PLUGINS self._auth_plugins = [import_string(p)() for p in plugins] - return self._auth_plugins def get_user(self, user_id): @@ -174,7 +168,7 @@ class KeystoneBackend(object): region_name = id_endpoint['region'] break - interface = getattr(settings, 'OPENSTACK_ENDPOINT_TYPE', 'public') + interface = settings.OPENSTACK_ENDPOINT_TYPE endpoint, url_fixed = utils.fix_auth_url_version_prefix( scoped_auth_ref.service_catalog.url_for( @@ -215,7 +209,7 @@ class KeystoneBackend(object): request.session['domain_token'] = domain_auth_ref request.user = user - timeout = getattr(settings, "SESSION_TIMEOUT", 3600) + timeout = settings.SESSION_TIMEOUT token_life = user.token.expires - datetime.datetime.now(pytz.utc) session_time = min(timeout, int(token_life.total_seconds())) request.session.set_expiry(session_time) diff --git a/openstack_auth/defaults.py b/openstack_auth/defaults.py new file mode 100644 index 0000000000..a72141b47f --- /dev/null +++ b/openstack_auth/defaults.py @@ -0,0 +1,168 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# NOTE: The following are from Django settings. +# LOGIN_URL +# LOGIN_REDIRECT_URL +# SESSION_ENGINE +# USE_TZ + +# WEBROOT is the location relative to Webserver root +# should end with a slash in openstack_dashboard.settings.. +WEBROOT = '/' + +# TODO(amotoki): What is the right default value in openstack_auth? +LOGIN_ERROR = 'error/' + +OPENSTACK_KEYSTONE_URL = "http://localhost:5000/v3" +# OPENSTACK_KEYSTONE_URL = 'http://localhost/identity/v3' + +# TODO(amotoki): The default value in openstack_dashboard is different: +# publicURL. It should be consistent. +OPENSTACK_ENDPOINT_TYPE = 'public' +OPENSTACK_SSL_NO_VERIFY = False +# TODO(amotoki): Is it correct? +OPENSTACK_SSL_CACERT = True +OPENSTACK_API_VERSIONS = { + 'identity': 3, +} + +AUTHENTICATION_PLUGINS = ['openstack_auth.plugin.password.PasswordPlugin', + 'openstack_auth.plugin.token.TokenPlugin'] + +# This SESSION_TIMEOUT is a method to supercede the token timeout with a +# shorter horizon session timeout (in seconds). If SESSION_REFRESH is True (the +# default) SESSION_TIMEOUT acts like an idle timeout rather than being a hard +# limit, but will never exceed the token expiry. If your token expires in 60 +# minutes, a value of 1800 will log users out after 30 minutes of inactivity, +# or 60 minutes with activity. Setting SESSION_REFRESH to False will make +# SESSION_TIMEOUT act like a hard limit on session times. +SESSION_TIMEOUT = 3600 + +TOKEN_TIMEOUT_MARGIN = 0 +AVAILABLE_REGIONS = [] + +# For setting the default service region on a per-endpoint basis. Note that the +# default value for this setting is {}, and below is just an example of how it +# should be specified. +# A key of '*' is an optional global default if no other key matches. +# Example: +# DEFAULT_SERVICE_REGIONS = { +# '*': 'RegionOne' +# OPENSTACK_KEYSTONE_URL: 'RegionTwo' +# } +DEFAULT_SERVICE_REGIONS = {} + +SECURE_PROXY_ADDR_HEADER = False + +# Password will have an expiration date when using keystone v3 and enabling +# the feature. +# This setting allows you to set the number of days that the user will be +# alerted prior to the password expiration. +# Once the password expires keystone will deny the access and users must +# contact an admin to change their password. +PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = -1 + +OPENSTACK_KEYSTONE_ADMIN_ROLES = ['admin'] +OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False +# Set this to True if you want available domains displayed as a dropdown menu +# on the login screen. It is strongly advised NOT to enable this for public +# clouds, as advertising enabled domains to unauthenticated customers +# irresponsibly exposes private information. This should only be used for +# private clouds where the dashboard sits behind a corporate firewall. +OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False + +# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to +# set the available domains to choose from. This is a list of pairs whose first +# value is the domain name and the second is the display name. +# Example: +# OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ( +# ('Default', 'Default'), +# ) +OPENSTACK_KEYSTONE_DOMAIN_CHOICES = () +OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default' + +# Enables keystone web single-sign-on if set to True. +WEBSSO_ENABLED = False + +# Authentication mechanism to be selected as default. +# The value must be a key from WEBSSO_CHOICES. +WEBSSO_INITIAL_CHOICE = 'credentials' + +# The list of authentication mechanisms which include keystone +# federation protocols and identity provider/federation protocol +# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol +# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID +# Connect respectively. +# Do not remove the mandatory credentials mechanism. +# Note: The last two tuples are sample mapping keys to a identity provider +# and federation protocol combination (WEBSSO_IDP_MAPPING). +# Example: +# WEBSSO_CHOICES = ( +# ("credentials", _("Keystone Credentials")), +# ("oidc", _("OpenID Connect")), +# ("saml2", _("Security Assertion Markup Language")), +# ("acme_oidc", "ACME - OpenID Connect"), +# ("acme_saml2", "ACME - SAML2"), +# ) +WEBSSO_CHOICES = () + +# A dictionary of specific identity provider and federation protocol +# combinations. From the selected authentication mechanism, the value +# will be looked up as keys in the dictionary. If a match is found, +# it will redirect the user to a identity provider and federation protocol +# specific WebSSO endpoint in keystone, otherwise it will use the value +# as the protocol_id when redirecting to the WebSSO by protocol endpoint. +# NOTE: The value is expected to be a tuple formatted as: +# (, ). +# Example: +# WEBSSO_IDP_MAPPING = { +# "acme_oidc": ("acme", "oidc"), +# "acme_saml2": ("acme", "saml2"), +# } +WEBSSO_IDP_MAPPING = {} + +# Enables redirection on login to the identity provider defined on +# WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION +WEBSSO_DEFAULT_REDIRECT = False + +# Specifies the protocol to use for default redirection on login +WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None + +# Specifies the region to which the connection will be established on login +WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL + +# Enables redirection on logout to the method specified on the identity +# provider. Once logout the client will be redirected to the address specified +# in this variable. +WEBSSO_DEFAULT_REDIRECT_LOGOUT = None + +# If set this URL will be used for web single-sign-on authentication +# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment +# scenarios where network segmentation is used per security requirement. +# In this case, the controllers are not reachable from public network. +# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL +# if it is set to the internal endpoint. +# Example: WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3" +WEBSSO_KEYSTONE_URL = None + +# The Keystone Provider drop down uses Keystone to Keystone federation +# to switch between Keystone service providers. +# Set display name for Identity Provider (dropdown display name) +KEYSTONE_PROVIDER_IDP_NAME = 'Local Keystone' +# This id is used for only for comparison with the service provider IDs. +# This ID should not match any service provider IDs. +KEYSTONE_PROVIDER_IDP_ID = 'localkeystone' + +POLICY_FILES_PATH = '' +POLICY_FILES = {} +POLICY_DIRS = {} diff --git a/openstack_auth/forms.py b/openstack_auth/forms.py index 3ead788484..9ab7529b20 100644 --- a/openstack_auth/forms.py +++ b/openstack_auth/forms.py @@ -31,7 +31,7 @@ LOG = logging.getLogger(__name__) def get_region_endpoint(region_id): if region_id == "default": return settings.OPENSTACK_KEYSTONE_URL - all_regions = getattr(settings, 'AVAILABLE_REGIONS', []) + all_regions = settings.AVAILABLE_REGIONS return all_regions[int(region_id)][0] @@ -65,19 +65,13 @@ class Login(django_auth_forms.AuthenticationForm): def __init__(self, *args, **kwargs): super(Login, self).__init__(*args, **kwargs) fields_ordering = ['username', 'password', 'region'] - if getattr(settings, - 'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT', - False): + if settings.OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT: last_domain = self.request.COOKIES.get('login_domain', None) - if getattr(settings, - 'OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN', - False): + if settings.OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN: self.fields['domain'] = forms.ChoiceField( label=_("Domain"), initial=last_domain, - choices=getattr(settings, - 'OPENSTACK_KEYSTONE_DOMAIN_CHOICES', - ())) + choices=settings.OPENSTACK_KEYSTONE_DOMAIN_CHOICES) else: self.fields['domain'] = forms.CharField( initial=last_domain, @@ -96,17 +90,17 @@ class Login(django_auth_forms.AuthenticationForm): # if websso is enabled and keystone version supported # prepend the websso_choices select input to the form if utils.is_websso_enabled(): - initial = getattr(settings, 'WEBSSO_INITIAL_CHOICE', 'credentials') + initial = settings.WEBSSO_INITIAL_CHOICE self.fields['auth_type'] = forms.ChoiceField( label=_("Authenticate using"), - choices=getattr(settings, 'WEBSSO_CHOICES', ()), + choices=settings.WEBSSO_CHOICES, required=False, initial=initial) # add auth_type to the top of the list fields_ordering.insert(0, 'auth_type') # websso is enabled, but keystone version is not supported - elif getattr(settings, 'WEBSSO_ENABLED', False): + elif settings.WEBSSO_ENABLED: msg = ("Websso is enabled but horizon is not configured to work " + "with keystone version 3 or above.") LOG.warning(msg) @@ -115,7 +109,7 @@ class Login(django_auth_forms.AuthenticationForm): @staticmethod def get_region_choices(): - all_regions = getattr(settings, 'AVAILABLE_REGIONS', []) + all_regions = settings.AVAILABLE_REGIONS if all_regions: regions = [("%d" % i, name) for i, (url, name) in enumerate(all_regions)] @@ -125,9 +119,7 @@ class Login(django_auth_forms.AuthenticationForm): @sensitive_variables() def clean(self): - default_domain = getattr(settings, - 'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN', - 'Default') + default_domain = settings.OPENSTACK_KEYSTONE_DEFAULT_DOMAIN username = self.cleaned_data.get('username') password = self.cleaned_data.get('password') domain = self.cleaned_data.get('domain', default_domain) diff --git a/openstack_auth/plugin/k2k.py b/openstack_auth/plugin/k2k.py index d5a67bfa11..5f6cdc9880 100644 --- a/openstack_auth/plugin/k2k.py +++ b/openstack_auth/plugin/k2k.py @@ -49,8 +49,7 @@ class K2KAuthPlugin(base.BasePlugin): if utils.get_keystone_version() < 3 or not service_provider: return None - keystone_idp_id = getattr(settings, 'KEYSTONE_PROVIDER_IDP_ID', - 'localkeystone') + keystone_idp_id = settings.KEYSTONE_PROVIDER_IDP_ID if service_provider == keystone_idp_id: return None diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py index e8cc6d2dda..7658a96173 100644 --- a/openstack_auth/policy.py +++ b/openstack_auth/policy.py @@ -27,7 +27,7 @@ from openstack_auth import utils as auth_utils LOG = logging.getLogger(__name__) _ENFORCER = None -_BASE_PATH = getattr(settings, 'POLICY_FILES_PATH', '') +_BASE_PATH = settings.POLICY_FILES_PATH def _get_policy_conf(policy_file, policy_dirs=None): @@ -47,9 +47,9 @@ def _get_policy_conf(policy_file, policy_dirs=None): def _get_policy_file_with_full_path(service): - policy_files = getattr(settings, 'POLICY_FILES', {}) + policy_files = settings.POLICY_FILES policy_file = os.path.join(_BASE_PATH, policy_files[service]) - policy_dirs = getattr(settings, 'POLICY_DIRS', {}).get(service, []) + policy_dirs = settings.POLICY_DIRS.get(service, []) policy_dirs = [os.path.join(_BASE_PATH, policy_dir) for policy_dir in policy_dirs] return policy_file, policy_dirs @@ -59,7 +59,7 @@ def _get_enforcer(): global _ENFORCER if not _ENFORCER: _ENFORCER = {} - policy_files = getattr(settings, 'POLICY_FILES', {}) + policy_files = settings.POLICY_FILES for service in policy_files.keys(): policy_file, policy_dirs = _get_policy_file_with_full_path(service) conf = _get_policy_conf(policy_file, policy_dirs) diff --git a/openstack_auth/tests/settings.py b/openstack_auth/tests/settings.py index 22e272e274..8a59391ab8 100644 --- a/openstack_auth/tests/settings.py +++ b/openstack_auth/tests/settings.py @@ -13,6 +13,8 @@ import os +from openstack_auth.defaults import * # noqa: F403,H303 + ALLOWED_HOSTS = ['*'] DATABASES = {'default': {'ENGINE': 'django.db.backends.sqlite3'}} @@ -38,22 +40,14 @@ MIDDLEWARE = [ AUTHENTICATION_BACKENDS = ['openstack_auth.backend.KeystoneBackend'] -OPENSTACK_KEYSTONE_URL = "http://localhost:5000/v3" - ROOT_URLCONF = 'openstack_auth.tests.urls' -LOGIN_REDIRECT_URL = '/' +LOGIN_REDIRECT_URL = WEBROOT SECRET_KEY = 'badcafe' -OPENSTACK_API_VERSIONS = { - "identity": 3 -} - USE_TZ = True -OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False - OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'domain' # NOTE(saschpe): The openstack_auth.user.Token object isn't @@ -74,27 +68,6 @@ TEMPLATES = [ }, ] -LOGGING = { - 'version': 1, - 'disable_existing_loggers': False, - 'handlers': { - 'null': { - 'level': 'DEBUG', - 'class': 'logging.NullHandler', - }, - 'test': { - 'level': 'ERROR', - 'class': 'logging.StreamHandler', - } - }, - 'loggers': { - 'openstack_auth': { - 'handlers': ['test'], - 'propagate': False, - }, - } -} - AUTH_USER_MODEL = 'openstack_auth.User' LOGGING = { diff --git a/openstack_auth/utils.py b/openstack_auth/utils.py index ad4c7ab19e..4c2d02f129 100644 --- a/openstack_auth/utils.py +++ b/openstack_auth/utils.py @@ -91,7 +91,7 @@ def is_token_valid(token, margin=None): if expiration is None: return False if margin is None: - margin = getattr(settings, 'TOKEN_TIMEOUT_MARGIN', 0) + margin = settings.TOKEN_TIMEOUT_MARGIN expiration = expiration - datetime.timedelta(seconds=margin) if settings.USE_TZ and timezone.is_naive(expiration): # Presumes that the Keystone is using UTC. @@ -102,12 +102,12 @@ def is_token_valid(token, margin=None): # Helper for figuring out keystone version # Implementation will change when API version discovery is available def get_keystone_version(): - return getattr(settings, 'OPENSTACK_API_VERSIONS', {}).get('identity', 3) + return settings.OPENSTACK_API_VERSIONS['identity'] def get_session(): - insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False) - verify = getattr(settings, 'OPENSTACK_SSL_CACERT', True) + insecure = settings.OPENSTACK_SSL_NO_VERIFY + verify = settings.OPENSTACK_SSL_CACERT if insecure: verify = False @@ -124,7 +124,7 @@ def get_keystone_client(): def is_websso_enabled(): """Websso is supported in Keystone version 3.""" - websso_enabled = getattr(settings, 'WEBSSO_ENABLED', False) + websso_enabled = settings.WEBSSO_ENABLED keystonev3_plus = (get_keystone_version() >= 3) return websso_enabled and keystonev3_plus @@ -134,28 +134,26 @@ def is_websso_default_redirect(): As with websso, this is only supported in Keystone version 3. """ - websso_default_redirect = getattr(settings, - 'WEBSSO_DEFAULT_REDIRECT', False) + websso_default_redirect = settings.WEBSSO_DEFAULT_REDIRECT keystonev3_plus = (get_keystone_version() >= 3) return websso_default_redirect and keystonev3_plus def get_websso_default_redirect_protocol(): - return getattr(settings, 'WEBSSO_DEFAULT_REDIRECT_PROTOCOL', None) + return settings.WEBSSO_DEFAULT_REDIRECT_PROTOCOL def get_websso_default_redirect_region(): - return getattr(settings, 'WEBSSO_DEFAULT_REDIRECT_REGION', - settings.OPENSTACK_KEYSTONE_URL) + return settings.WEBSSO_DEFAULT_REDIRECT_REGION def get_websso_default_redirect_logout(): - return getattr(settings, 'WEBSSO_DEFAULT_REDIRECT_LOGOUT', None) + return settings.WEBSSO_DEFAULT_REDIRECT_LOGOUT def build_absolute_uri(request, relative_url): """Ensure absolute_uri are relative to WEBROOT.""" - webroot = getattr(settings, 'WEBROOT', '') + webroot = settings.WEBROOT if webroot.endswith("/") and relative_url.startswith("/"): webroot = webroot[:-1] @@ -222,7 +220,7 @@ def get_websso_url(request, auth_url, websso_auth): """ origin = build_absolute_uri(request, '/auth/websso/') - idp_mapping = getattr(settings, 'WEBSSO_IDP_MAPPING', {}) + idp_mapping = settings.WEBSSO_IDP_MAPPING idp_id, protocol_id = idp_mapping.get(websso_auth, (None, websso_auth)) @@ -386,11 +384,9 @@ def default_services_region(service_catalog, request=None, if request: region_options.append(request.COOKIES.get('services_region')) if ks_endpoint: - default_service_regions = getattr( - settings, 'DEFAULT_SERVICE_REGIONS', {}) + default_service_regions = settings.DEFAULT_SERVICE_REGIONS region_options.append(default_service_regions.get(ks_endpoint)) - region_options.append( - getattr(settings, 'DEFAULT_SERVICE_REGIONS', {}).get('*')) + region_options.append(settings.DEFAULT_SERVICE_REGIONS.get('*')) for region in region_options: if region in available_regions: @@ -425,7 +421,7 @@ def get_endpoint_region(endpoint): def using_cookie_backed_sessions(): - engine = getattr(settings, 'SESSION_ENGINE', '') + engine = settings.SESSION_ENGINE return "signed_cookies" in engine @@ -442,8 +438,7 @@ def get_admin_roles(): """ admin_roles = {role.lower() for role - in getattr(settings, 'OPENSTACK_KEYSTONE_ADMIN_ROLES', - ['admin'])} + in settings.OPENSTACK_KEYSTONE_ADMIN_ROLES} return admin_roles @@ -490,9 +485,7 @@ def get_client_ip(request): :returns: Possible client ip address :rtype: string """ - _SECURE_PROXY_ADDR_HEADER = getattr( - settings, 'SECURE_PROXY_ADDR_HEADER', False - ) + _SECURE_PROXY_ADDR_HEADER = settings.SECURE_PROXY_ADDR_HEADER if _SECURE_PROXY_ADDR_HEADER: return request.META.get( _SECURE_PROXY_ADDR_HEADER, @@ -530,10 +523,8 @@ def store_initial_k2k_session(auth_url, request, scoped_auth_ref, providers = getattr(providers, '_service_providers', None) if providers: - keystone_idp_name = getattr(settings, 'KEYSTONE_PROVIDER_IDP_NAME', - 'Local Keystone') - keystone_idp_id = getattr( - settings, 'KEYSTONE_PROVIDER_IDP_ID', 'localkeystone') + keystone_idp_name = settings.KEYSTONE_PROVIDER_IDP_NAME + keystone_idp_id = settings.KEYSTONE_PROVIDER_IDP_ID keystone_identity_provider = {'name': keystone_idp_name, 'id': keystone_idp_id} # (edtubill) We will use the IDs as the display names diff --git a/openstack_auth/views.py b/openstack_auth/views.py index 1a6f2ec535..dd768d7b22 100644 --- a/openstack_auth/views.py +++ b/openstack_auth/views.py @@ -69,8 +69,9 @@ def login(request): auth_type = request.POST.get('auth_type', 'credentials') if utils.is_websso_enabled() and auth_type != 'credentials': region_id = request.POST.get('region') - auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL', - forms.get_region_endpoint(region_id)) + auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL', None) + if auth_url is None: + auth_url = forms.get_region_endpoint(region_id) url = utils.get_websso_url(request, auth_url, auth_type) return shortcuts.redirect(url) @@ -88,7 +89,7 @@ def login(request): initial = {} current_region = request.session.get('region_endpoint', None) requested_region = request.GET.get('region', None) - regions = dict(getattr(settings, "AVAILABLE_REGIONS", [])) + regions = dict(settings.AVAILABLE_REGIONS) if requested_region in regions and requested_region != current_region: initial.update({'region': requested_region}) @@ -97,7 +98,7 @@ def login(request): else: form = functional.curry(forms.Login, initial=initial) - choices = getattr(settings, 'WEBSSO_CHOICES', ()) + choices = settings.WEBSSO_CHOICES extra_context = { 'redirect_field_name': auth.REDIRECT_FIELD_NAME, 'csrf_failure': request.GET.get('csrf_failure'), @@ -136,8 +137,7 @@ def login(request): request.session['region_endpoint'] = region request.session['region_name'] = region_name expiration_time = request.user.time_until_expiration() - threshold_days = getattr( - settings, 'PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS', -1) + threshold_days = settings.PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS if expiration_time is not None and \ expiration_time.days <= threshold_days: expiration_time = str(expiration_time).rsplit(':', 1)[0] @@ -307,8 +307,7 @@ def switch_keystone_provider(request, keystone_provider=None, redirect_to = settings.LOGIN_REDIRECT_URL unscoped_auth_ref = None - keystone_idp_id = getattr( - settings, 'KEYSTONE_PROVIDER_IDP_ID', 'localkeystone') + keystone_idp_id = settings.KEYSTONE_PROVIDER_IDP_ID if keystone_provider == keystone_idp_id: current_plugin = plugin.TokenPlugin() diff --git a/openstack_dashboard/defaults.py b/openstack_dashboard/defaults.py index fbe685ed1c..e6a208a7bd 100644 --- a/openstack_dashboard/defaults.py +++ b/openstack_dashboard/defaults.py @@ -12,14 +12,23 @@ """Default settings for openstack_dashboard""" +import os + from django.utils.translation import ugettext_lazy as _ -# This must be configured -# OPENSTACK_KEYSTONE_URL = 'http://localhost/identity/v3' +from openstack_auth.defaults import * # noqa: F403,H303 + + +def _get_root_path(): + return os.path.dirname(os.path.abspath(__file__)) + + +# ------------------------------------------- +# Override openstack_auth and Django settings +# ------------------------------------------- + +WEBROOT = '/' # from openstack_auth -# WEBROOT is the location relative to Webserver root -# should end with a slash. -WEBROOT = '/' # NOTE: The following are calculated baed on WEBROOT # after loading local_settings # LOGIN_URL = WEBROOT + 'auth/login/' @@ -27,7 +36,7 @@ WEBROOT = '/' # LOGIN_ERROR = WEBROOT + 'auth/error/' LOGIN_URL = None LOGOUT_URL = None -LOGIN_ERROR = None +LOGIN_ERROR = None # from openstack_auth # NOTE: The following are calculated baed on WEBROOT # after loading local_settings # LOGIN_REDIRECT_URL can be used as an alternative for @@ -43,6 +52,42 @@ MEDIA_URL = None STATIC_ROOT = None STATIC_URL = None +# The Horizon Policy Enforcement engine uses these values to load per service +# policy rule files. The content of these files should match the files the +# OpenStack services are using to determine role based access control in the +# target installation. + +# Path to directory containing policy.json files +POLICY_FILES_PATH = os.path.join(_get_root_path(), "conf") + +# Map of local copy of service policy files. +# Please insure that your identity policy file matches the one being used on +# your keystone servers. There is an alternate policy file that may be used +# in the Keystone v3 multi-domain case, policy.v3cloudsample.json. +# This file is not included in the Horizon repository by default but can be +# found at +# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \ +# policy.v3cloudsample.json +# Having matching policy files on the Horizon and Keystone servers is essential +# for normal operation. This holds true for all services and their policy files. +POLICY_FILES = { + 'identity': 'keystone_policy.json', + 'compute': 'nova_policy.json', + 'volume': 'cinder_policy.json', + 'image': 'glance_policy.json', + 'network': 'neutron_policy.json', +} +# Services for which horizon has extra policies are defined +# in POLICY_DIRS by default. +POLICY_DIRS = { + 'compute': ['nova_policy.d'], + 'volume': ['cinder_policy.d'], +} + +# ---------------------------------------- +# openstack_dashboard settings +# ---------------------------------------- + # Dict used to restrict user private subnet cidr range. # An empty list means that user input will not be restricted # for a corresponding IP version. By default, there is diff --git a/openstack_dashboard/local/local_settings.py.example b/openstack_dashboard/local/local_settings.py.example index f7ae2bf64c..79bf67fb65 100644 --- a/openstack_dashboard/local/local_settings.py.example +++ b/openstack_dashboard/local/local_settings.py.example @@ -39,20 +39,6 @@ DEBUG = True #CSRF_COOKIE_SECURE = True #SESSION_COOKIE_SECURE = True -# Set this to True if you want available domains displayed as a dropdown menu -# on the login screen. It is strongly advised NOT to enable this for public -# clouds, as advertising enabled domains to unauthenticated customers -# irresponsibly exposes private information. This should only be used for -# private clouds where the dashboard sits behind a corporate firewall. -#OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False - -# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to -# set the available domains to choose from. This is a list of pairs whose first -# value is the domain name and the second is the display name. -#OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ( -# ('Default', 'Default'), -#) - # If provided, a "Report Bug" link will be displayed in the site header # which links to the value of this setting (ideally a URL containing # information on how to report issues). @@ -122,81 +108,6 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' OPENSTACK_HOST = "127.0.0.1" OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST -# For setting the default service region on a per-endpoint basis. Note that the -# default value for this setting is {}, and below is just an example of how it -# should be specified. -# A key of '*' is an optional global default if no other key matches. -#DEFAULT_SERVICE_REGIONS = { -# '*': 'RegionOne' -# OPENSTACK_KEYSTONE_URL: 'RegionTwo' -#} - -# Enables keystone web single-sign-on if set to True. -#WEBSSO_ENABLED = False - -# Authentication mechanism to be selected as default. -# The value must be a key from WEBSSO_CHOICES. -#WEBSSO_INITIAL_CHOICE = "credentials" - -# The list of authentication mechanisms which include keystone -# federation protocols and identity provider/federation protocol -# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol -# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID -# Connect respectively. -# Do not remove the mandatory credentials mechanism. -# Note: The last two tuples are sample mapping keys to a identity provider -# and federation protocol combination (WEBSSO_IDP_MAPPING). -#WEBSSO_CHOICES = ( -# ("credentials", _("Keystone Credentials")), -# ("oidc", _("OpenID Connect")), -# ("saml2", _("Security Assertion Markup Language")), -# ("acme_oidc", "ACME - OpenID Connect"), -# ("acme_saml2", "ACME - SAML2"), -#) - -# A dictionary of specific identity provider and federation protocol -# combinations. From the selected authentication mechanism, the value -# will be looked up as keys in the dictionary. If a match is found, -# it will redirect the user to a identity provider and federation protocol -# specific WebSSO endpoint in keystone, otherwise it will use the value -# as the protocol_id when redirecting to the WebSSO by protocol endpoint. -# NOTE: The value is expected to be a tuple formatted as: (, ). -#WEBSSO_IDP_MAPPING = { -# "acme_oidc": ("acme", "oidc"), -# "acme_saml2": ("acme", "saml2"), -#} - -# Enables redirection on login to the identity provider defined on -# WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION -#WEBSSO_DEFAULT_REDIRECT = False - -# Specifies the protocol to use for default redirection on login -#WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None - -# Specifies the region to which the connection will be established on login -#WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL - -# Enables redirection on logout to the method specified on the identity provider. -# Once logout the client will be redirected to the address specified in this -# variable. -#WEBSSO_DEFAULT_REDIRECT_LOGOUT = None - -# If set this URL will be used for web single-sign-on authentication -# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment -# scenarios where network segmentation is used per security requirement. -# In this case, the controllers are not reachable from public network. -# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL -# if it is set to the internal endpoint. -#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3" - -# The Keystone Provider drop down uses Keystone to Keystone federation -# to switch between Keystone service providers. -# Set display name for Identity Provider (dropdown display name) -#KEYSTONE_PROVIDER_IDP_NAME = "Local Keystone" -# This id is used for only for comparison with the service provider IDs. This ID -# should not match any service provider IDs. -#KEYSTONE_PROVIDER_IDP_ID = "localkeystone" - # The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional # services provided by neutron. Options currently available are load # balancer service, security groups, quotas, VPN service. @@ -244,32 +155,6 @@ INSTANCE_LOG_LENGTH = 35 # of your entire OpenStack installation, and hopefully be in UTC. TIME_ZONE = "UTC" -# The Horizon Policy Enforcement engine uses these values to load per service -# policy rule files. The content of these files should match the files the -# OpenStack services are using to determine role based access control in the -# target installation. - -# Path to directory containing policy.json files -#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") - -# Map of local copy of service policy files. -# Please insure that your identity policy file matches the one being used on -# your keystone servers. There is an alternate policy file that may be used -# in the Keystone v3 multi-domain case, policy.v3cloudsample.json. -# This file is not included in the Horizon repository by default but can be -# found at -# https://opendev.org/openstack/keystone/src/branch/master/etc/ \ -# policy.v3cloudsample.json -# Having matching policy files on the Horizon and Keystone servers is essential -# for normal operation. This holds true for all services and their policy files. -#POLICY_FILES = { -# 'identity': 'keystone_policy.json', -# 'compute': 'nova_policy.json', -# 'volume': 'cinder_policy.json', -# 'image': 'glance_policy.json', -# 'network': 'neutron_policy.json', -#} - # Change this patch to the appropriate list of tuples containing # a key, label and static directory containing two files: # _variables.scss and _styles.scss @@ -555,11 +440,3 @@ SECURITY_GROUP_RULES = { # " [%(referer_url)s] [%(request_url)s] [%(message)s] [%(method)s]" # " [%(http_status)s] [%(param)s]"), #} - -# Password will have an expiration date when using keystone v3 and enabling the -# feature. -# This setting allows you to set the number of days that the user will be alerted -# prior to the password expiration. -# Once the password expires keystone will deny the access and users must -# contact an admin to change their password. -#PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0 diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py index 1655706a68..6b92f62138 100644 --- a/openstack_dashboard/settings.py +++ b/openstack_dashboard/settings.py @@ -187,15 +187,6 @@ SESSION_COOKIE_SECURE = False # False, SESSION_TIMEOUT acts as a hard limit. SESSION_REFRESH = True -# This SESSION_TIMEOUT is a method to supercede the token timeout with a -# shorter horizon session timeout (in seconds). If SESSION_REFRESH is True (the -# default) SESSION_TIMEOUT acts like an idle timeout rather than being a hard -# limit, but will never exceed the token expiry. If your token expires in 60 -# minutes, a value of 1800 will log users out after 30 minutes of inactivity, -# or 60 minutes with activity. Setting SESSION_REFRESH to False will make -# SESSION_TIMEOUT act like a hard limit on session times. -SESSION_TIMEOUT = 3600 - # When using cookie-based sessions, log error when the session cookie exceeds # the following size (common browsers drop cookies above a certain size): SESSION_COOKIE_MAX_SIZE = 4093 @@ -240,21 +231,6 @@ USE_TZ = True DEFAULT_EXCEPTION_REPORTER_FILTER = 'horizon.exceptions.HorizonReporterFilter' -POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") -# Map of local copy of service policy files -POLICY_FILES = { - 'identity': 'keystone_policy.json', - 'compute': 'nova_policy.json', - 'volume': 'cinder_policy.json', - 'image': 'glance_policy.json', - 'network': 'neutron_policy.json', -} -# Services for which horizon has extra policies are defined -# in POLICY_DIRS by default. -POLICY_DIRS = { - 'compute': ['nova_policy.d'], -} - SECRET_KEY = None LOCAL_PATH = None