Added CORS support middleware to Ironic

This adds the CORS support middleware to Ironic, allowing a deployer
to optionally configure rules under which a JavaScript client may
break the same-origin policy and access the API directly.

OpenStack Spec:
   https://review.openstack.org/#/c/179866/
Oslo_Middleware Docs:
   http://docs.openstack.org/developer/oslo.middleware/cors.html
OpenStack Cloud Admin Guide Documentation:
   http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html

Co-Authored-By: Devananda van der Veen <devananda.vdv@gmail.com>
Depends-on: I2deed897f8f9ef87e4a74227c4fcea9afdb151e8
Change-Id: Ic55305607e44069d893baf2a261d5fe7da777303
Michael Krotscheck 2015-05-06 12:05:24 -07:00 committed by Jim Rollenhagen
parent ec461e7e38
commit 05f4a64aed
5 changed files with 87 additions and 2 deletions


@ -598,6 +598,68 @@
#subprocess_timeout=10 #subprocess_timeout=10
[cors]
#
# Options defined in oslo.middleware.cors
#
# Indicate whether this resource may be shared with the domain
# received in the requests "origin" header. (string value)
#allowed_origin=<None>
# Indicate that the actual request can include user
# credentials (boolean value)
#allow_credentials=true
# Indicate which headers are safe to expose to the API.
# Defaults to HTTP Simple Headers. (list value)
#expose_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
# Maximum cache age of CORS preflight requests. (integer
# value)
#max_age=3600
# Indicate which methods can be used during the actual
# request. (list value)
#allow_methods=GET,POST,PUT,DELETE,OPTIONS
# Indicate which header field names may be used during the
# actual request. (list value)
#allow_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
[cors.subdomain]
#
# Options defined in oslo.middleware.cors
#
# Indicate whether this resource may be shared with the domain
# received in the requests "origin" header. (string value)
#allowed_origin=<None>
# Indicate that the actual request can include user
# credentials (boolean value)
#allow_credentials=true
# Indicate which headers are safe to expose to the API.
# Defaults to HTTP Simple Headers. (list value)
#expose_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
# Maximum cache age of CORS preflight requests. (integer
# value)
#max_age=3600
# Indicate which methods can be used during the actual
# request. (list value)
#allow_methods=GET,POST,PUT,DELETE,OPTIONS
# Indicate which header field names may be used during the
# actual request. (list value)
#allow_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
[database] [database]
# #


@ -16,10 +16,12 @@
# under the License. # under the License.
from oslo_config import cfg from oslo_config import cfg
import oslo_middleware.cors as cors_middleware
import pecan import pecan
from ironic.api import acl from ironic.api import acl
from ironic.api import config from ironic.api import config
from ironic.api.controllers.base import Version
from ironic.api import hooks from ironic.api import hooks
from ironic.api import middleware from ironic.api import middleware
from ironic.common.i18n import _ from ironic.common.i18n import _
@ -73,6 +75,15 @@ def setup_app(pecan_config=None, extra_hooks=None):
wrap_app=middleware.ParsableErrorMiddleware, wrap_app=middleware.ParsableErrorMiddleware,
) )
# Create a CORS wrapper, and attach ironic-specific defaults that must be
# included in all CORS responses.
app = cors_middleware.CORS(app, CONF)
app.set_latent(
allow_headers=[Version.max_string, Version.min_string, Version.string],
allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'],
expose_headers=[Version.max_string, Version.min_string, Version.string]
)
if pecan_config.app.enable_acl: if pecan_config.app.enable_acl:
return acl.install(app, cfg.CONF, pecan_config.app.acl_public_routes) return acl.install(app, cfg.CONF, pecan_config.app.acl_public_routes)
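Review bot: The CORS wrapper is created before the `if pecan_config.app.enable_acl:` branch, so whatever middleware `acl.install(...)` adds ends up outside it. `acl.install` is not shown here, but if it installs the token-auth middleware, a browser's preflight `OPTIONS` request (which carries no token) would be rejected before the CORS layer can answer it, and 401 responses would reach the client without CORS headers. Consider wrapping in the other order: `app = acl.install(app, cfg.CONF, pecan_config.app.acl_public_routes)` inside the branch, then `app = cors_middleware.CORS(app, CONF)` and the `set_latent(...)` call as the last step, with a test that sends an unauthenticated preflight while ACL is enabled. `setup_app` starts and ends outside this hunk, so the final return is not visible.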


@ -27,6 +27,7 @@ oslo.db>=2.4.1 # Apache-2.0
oslo.rootwrap>=2.0.0 # Apache-2.0 oslo.rootwrap>=2.0.0 # Apache-2.0
oslo.i18n>=1.5.0 # Apache-2.0 oslo.i18n>=1.5.0 # Apache-2.0
oslo.log>=1.8.0 # Apache-2.0 oslo.log>=1.8.0 # Apache-2.0
oslo.middleware>=2.8.0 # Apache-2.0
oslo.policy>=0.5.0 # Apache-2.0 oslo.policy>=0.5.0 # Apache-2.0
oslo.serialization>=1.4.0 # Apache-2.0 oslo.serialization>=1.4.0 # Apache-2.0
oslo.service>=0.7.0 # Apache-2.0 oslo.service>=0.7.0 # Apache-2.0


@ -1,2 +1,2 @@
export IRONIC_CONFIG_GENERATOR_EXTRA_LIBRARIES='oslo.db oslo.messaging keystonemiddleware.auth_token oslo.concurrency oslo.policy oslo.log oslo.service.service oslo.service.periodic_task' export IRONIC_CONFIG_GENERATOR_EXTRA_LIBRARIES='oslo.db oslo.messaging oslo.middleware.cors keystonemiddleware.auth_token oslo.concurrency oslo.policy oslo.log oslo.service.service oslo.service.periodic_task'
export IRONIC_CONFIG_GENERATOR_EXTRA_MODULES= export IRONIC_CONFIG_GENERATOR_EXTRA_MODULES=


@ -124,6 +124,14 @@
section: 'DEFAULT', section: 'DEFAULT',
option: 'pecan_debug', value: 'true' option: 'pecan_debug', value: 'true'
} }
- {
section: 'DEFAULT',
option: 'verbose', value: 'true'
}
- {
section: 'DEFAULT',
option: 'debug', value: 'true'
}
- { - {
section: 'oslo_messaging_rabbit', section: 'oslo_messaging_rabbit',
option: 'rabbit_host', value: "{{ip}}" option: 'rabbit_host', value: "{{ip}}"
@ -136,7 +144,10 @@
section: 'oslo_messaging_rabbit', section: 'oslo_messaging_rabbit',
option: 'rabbit_password', value: "ironic" option: 'rabbit_password', value: "ironic"
} }
- { # CORS Domain For Ironic-Webclient's dev server.
section: 'cors',
option: 'allowed_origin', value: "http://localhost:8000"
}
############################################################################# #############################################################################
# Handlers # Handlers
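Review bot: The two `DEFAULT` entries that set `verbose` and `debug` to `true` are unrelated to CORS and are not mentioned in the commit message; they would be easier to review and revert as a separate change, or at least with a comment such as `# Debug logging for the development VM only`. In the `cors` entry the origin `http://localhost:8000` is hard-coded. Presumably this file only provisions a development environment; if so, say that next to the entry so the value is not copied into a real deployment, where `allowed_origin` should name only the trusted web client's origin (the sample config in this commit shows `allow_credentials=true` as the default).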