When sending a literal empty response, Flask does not include a
ContentType in the response. While in many cases, we don't need
need a ContentType nor expect one on the API client, Apache
webserver can treat this as an error and generate an Error
indicating a Bad Gateway. When doing this, we also now include
an empty JSON body in the response for 202 messages. For 204
message errors, the message body is expected to be empty.
However, when this Bad Gateway error occurs, the API/Conductor
were proceeding like there was no issue. The API client on the
other hand thinks that a hard failure has occured.
Also adds some additional catches to provide additional logging
which turned out not to be needed in this case, but it would be
useful for others.
Change-Id: If2e7697e3fde58ab0a4193787e29d3acdca81ebf
This change documents configuring inspector for client-side
authentication with a standalone Ironic API service.
Since this documention refers to a keystone auth feature which is
about to be released, requirements and lower-constraints are updated
to reflect the required release (see https://review.opendev.org/737365 ).
Change-Id: I567fc8c7f2147339856563ad880334791f93d99b
When the config option ``auth_strategy`` is set to ``http_basic`` then
non-public API calls require a valid HTTP Basic authentication header to be
set. The config option ``http_basic_auth_user_file`` defaults to
``/etc/ironic-inspector/htpasswd`` and points to a file which supports the
Apache htpasswd syntax[1]. This file is read for every request, so no
service restart is required when changes are made.
The only password digest supported is bcrypt, and the ``bcrypt``
python library is used for password checks since it supports ``$2y$``
prefixed bcrypt passwords as generated by the Apache htpasswd utility.
To try basic authentication, the following can be done:
* Set ``/etc/ironic-inspector/inspector.conf`` ``DEFAULT`` ``auth_strategy``
to ``http_basic``
* Populate the htpasswd file with entries, for example:
``htpasswd -nbB myName myPassword >> /etc/ironic-inspector/htpasswd``
* Make basic authenticated HTTP requests, for example:
``curl --user myName:myPassword http://localhost:6385/v1/introspection``
[1] https://httpd.apache.org/docs/current/misc/password_encryptions.html
Change-Id: If50dfbfc18445ad9fe27e17cb0ee1b317ff25a0b
Depends-On: https://review.opendev.org/729070
Story: 2007656
Task: 39826
This patches removes the ironic-client dependency from the
ironic module in favor of openstacksdk.
Increase minimum required version of openstacksdk to use
recent added features.
Change-Id: I31964179835ad454e8205a59f483b419de4fb62d
Latest version of Werkzeug (1.0.0 at the moment) broke
compatibility with older Flask, actually causing issues when
running lower-constraints tests, since Flask will install
highest version of Werkzueg after 0.7.
With this patch we require Flask to be at least version 1.0
to re-establish compatibility.
See failed test https://review.opendev.org/706701 or run
lower-constraints test locally for confirmation.
Change-Id: Id05b4a205379fdf1b26cb239757bd370f3fe88e3
Since we've dropped support for Python 2.7, it's time to look at
the bright future that Python 3.x will bring and stop forcing
compatibility with older versions.
This patch removes the six library from requirements, not
looking back.
Change-Id: Ic443c7e4d5a5a849c4dc220207f8957e4c90bf53
Also increasing lower version of keystoneauth1 to a recommended
version for openstacksdk >= 0.30.0
Change-Id: Ifb9bbb8d091f28a8d65444caaeba301e2f707a14
oslo.db was not compatible with Python 3.7 until version 4.40.0
because Python 3.7 makes "async" a keyword [1].
To prevent bad surprises, this patch increases the minumum version
required for oslo.db to 4.40.0.
[1] https://review.opendev.org/574833
Change-Id: I6b915a0b0f78690defa962be96c8ae9d35d69345
Fix testenv which only installs test-requirement, also updated
upper constraint url.
mock minimum version is bumped to 3.0.0,
keystonemiddleware minimum version is bumped to 4.18.0.
Change-Id: I162bcf372598c2268c9c5e30947e49eedb0147e3
This change replaces the swiftclient dependency with openstacksdk.
The ultimate goal is to use only openstacksdk for all cross-service
interactions.
The configuration option max_retires has been broken for several
releases since commit 7e8cdc0d0f,
this change deprecates it.
Change-Id: I635519f88e90f4267ff7a9cb063a697ff39e4710
Following recent changes to global requirements [1], we need
to update sphinx requirements locally.
Also uncapping jsonschema following this [2] change.
[1] If558f184c959e4b63b56dec3ca1571d1034cfe5c
[2] I328cbd8216ec4591e08414dafc9ea099391efd86
Change-Id: If628a93b95cf73cb5af19b847758e9e50c5bf7a8
This change adds an option to publish the endpoint via mDNS on start
up and clean it up on tear down.
Story: #2005393
Task: #30384
Change-Id: Ia9407cb065979aac6761d3e4122d3884e45b559d
This patch is part of inspector HA work, which wraps inspector api into
oslo service.
oslo.service has also provided support to signal processing like SIGHUP or
SIGTERM, so these code were removed in this patch.
Deprecated current SSL cert/key options used by ironic-inspector, code
manually creates ssl context were removed. These options will be fed
from [ssl] section.
Change-Id: Ia5e16fcb9104556d62c90f5507f17b41f73a5208
Story: #2001842
Task: #12609
According to Openstack summit session [1] stestr is maintained project
to which all Openstack projects should migrate.
Let's switch it then.
Also adjust requirements to pass the gate.
[1] https://etherpad.openstack.org/p/YVR-python-pti
Change-Id: I79b2220c20a04e2e33360bc330b5b4b4124caf71
Signed-off-by: Chuck Short <chucks@redhat.com>
As Flask version was updated we need to update our own requirements.txt
to avoid reqirements-check job to fail on every patch that changes
anything related to requirements.
Change-Id: I22f471534eded46a8deecccdb07db71d0705226b
Signed-off-by: Chuck Short <chucks@redhat.com>
Adds oslo.messaging to ironic-inspector, and convert
inspect, abort and reapply to synchronized rpc calls.
This is the first step of API and worker seperation.
Change-Id: I15e86d7feb623b6b2889891b9700e5de6b3164cd
Story: #2001842
Task: # 12609
Fix the lower constraints settings to match the expected values.
We will manage the eventlet version using constraints now. See the
thread starting at
http://lists.openstack.org/pipermail/openstack-dev/2018-April/129096.html
for more details.
Change-Id: Ic44a750002943920c2f517f22df670989460dbc9
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
These calls are subject to transient network problems, we should
not abort ironic-inspector process in this case. Also due to
bug 1748893 the port listing API can sometimes return HTTP 400.
This change retries port listing 5 times with 1 second break
before aborting the periodic task and thus the process.
This change introduces a dependency on the retrying library,
which is already widely used in OpenStack (including ironic).
Change-Id: I92fd70ca5692ce9f6798eedf9e540d5aa7c6f1af
Closes-Bug: #1748893
this patch introduces an oslo.policy-based API access policy
enforcement engine to ironic-inspector.
As part of implementation, a proper oslo.context-based request
context is also generated and assigned to each request.
Short overview of changes:
- added custom RequestContext class
- extends oslo.context to handle of "is_public_api" flag
(False by default)
- added context to request in each API route
- '/continue' api sets the "is_public_api" flag to True
- added documented definitions for API access policies and their
defaults
- added enforcement of these policies on API requests
- added oslo.policy-specific entry points to setup.cfg
- added autogenerated policy sample file with defaults
- added documentation with autogenerated policies
Change-Id: Iff6f98fa9950d78608f0a7c325d132c11a1383b3
Closes-Bug: #1719812
Julia Kreger
Steve Baker
Hervé Beraud
Iury Gregory Melo Ferreira
Riccardo Pittau
Dmitry Tantsur
Kaifeng Wang
Dmitry Tantsur
Chuck Short
Doug Hellmann
OpenStack Proposal Bot
Pavlo Shchelokovskyy