Added CORS support to Magnum

This adds the CORS support middleware to Magnum, allowing a deployer
to optionally configure rules under which a javascript client may
break the single-origin policy and access the API directly.

For magnum, the CORS middleware was directly added to the setup_app
method, as the last middleware to be wrapped around the application
instance. Common headers were added, in order to avoid magic
configuration moments where a feature does not function without
an operator having to read code.

OpenStack CrossProject Spec:
   http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
Oslo_Middleware Docs:
   http://docs.openstack.org/developer/oslo.middleware/cors.html
OpenStack Cloud Admin Guide:
   http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html
DocImpact

Change-Id: I7e6d7e2145e3bf883b8a28071c949e10e5c207e0
Closes-bug: #1508209

etc/magnum/magnum.conf.sample

@@ -361,6 +361,66 @@
 #conductor_life_check_timeout = 4
 
 
+[cors]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. (string value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials
+# (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to
+# HTTP Simple Headers. (list value)
+#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list
+# value)
+#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the actual
+# request. (list value)
+#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. (string value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials
+# (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to
+# HTTP Simple Headers. (list value)
+#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list
+# value)
+#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the actual
+# request. (list value)
+#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+
 [database]
 
 #

magnum/api/app.py

@@ -11,6 +11,7 @@
 #    limitations under the License.
 
 from oslo_config import cfg
+from oslo_middleware import cors
 import pecan
 
 from magnum.api import auth
@@ -59,4 +60,14 @@ def setup_app(config=None):
         **app_conf
     )
 
-    return auth.install(app, CONF, config.app.acl_public_routes)
+    app = auth.install(app, CONF, config.app.acl_public_routes)
+
+    # CORS must be the last one.
+    app = cors.CORS(app, CONF)
+    app.set_latent(
+        allow_headers=['X-Auth-Token', 'X-Server-Management-Url'],
+        allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'],
+        expose_headers=['X-Auth-Token', 'X-Server-Management-Url']
+    )
+
+    return app

requirements.txt

@@ -27,6 +27,7 @@ oslo.db>=3.0.0 # Apache-2.0
 oslo.i18n>=1.5.0 # Apache-2.0
 oslo.log>=1.8.0 # Apache-2.0
 oslo.messaging!=1.17.0,!=1.17.1,!=2.6.0,!=2.6.1,>=1.16.0 # Apache-2.0
+oslo.middleware>=2.8.0 # Apache-2.0
 oslo.policy>=0.5.0 # Apache-2.0
 oslo.serialization>=1.10.0 # Apache-2.0
 oslo.service>=0.10.0 # Apache-2.0

tox.ini

@@ -51,6 +51,7 @@ commands =
     --namespace oslo.db \
     --namespace oslo.log \
     --namespace oslo.messaging \
+    --namespace oslo.middleware.cors \
     --namespace oslo.policy \
     --namespace oslo.service.periodic_task \
     --namespace oslo.service.service \