This patch removes the db layer hard-coded permission checks for
quota_class_create/update.
For the v2 API, this patch adds back-compatible permission checks at the REST
API layer.
For the v2.1 API, this patch adds a new rule for the update method.
Partially implements bp nova-api-policy-final-part
SecurityImpact
UpgradeImpact: Because the db layer permission checks were deleted, the policy
rule "os_compute_api:os-quota-class-sets:update" was updated with
a default that matches the permission as before. Admins should be notified
to update their policy configuration to keep permission as before.
Change-Id: Icddc7e5cc1c11ab3d272f61a2ef623d3f750030c
This patch removes the hard-coded permission checks for the db call
quota_class_get_all_by_name.
For the v2 API, the same hard-coded permission checks already exist in the REST API
layer, so it is back-compatible.
For the v2.1 API, to distinguish show and update permissions, this patch adds
a new rule for the show method.
Partially implements bp nova-api-policy-final-part
SecurityImpact
UpgradeImpact: Because the db layer permission checks were deleted, a
default policy rule is needed instead. In this patch,
"os_compute_api:os-quota-class-sets:show" was updated with a default
rule. Admins will be notified to update their policy configuration file to keep
the behavior as before.
Change-Id: I02da6cc8c766e5f43689449ef63121122f537b5b
Modules eventlet_backdoor, loopingcall, periodic_task,
service, sslutils, systemd, threadgroup were removed
from nova. These modules were imported from oslo.service
library.
Co-Authored-By: Marian Horban <mhorban@mirantis.com>
Depends-On: I305cf53bad6213c151395e93d656b53a8a28e1db
Change-Id: Iaef67e16af3d69f845742f7bdcb43667bf1576ee
This patch removes the db layer hard-coded permission checks for
floating_ip_dns.
Partially implements bp nova-api-policy-final-part
SecurityImpact
UpgradeImpact:
Because the db layer permission checks are removed, we need to add a default
policy rule to the policy file. In this patch,
"os_compute_api:os-floating-ip-dns:domain:update" and
"os_compute_api:os-floating-ip-dns:domain:delete" were updated with a default
rule. Admins will be notified to update their policy configuration file to keep
the behavior as before.
Change-Id: Ibddf3529a219cb9a0c1d4cfdb89327b53454c436
Cinder change I03f8cae05cc117e14f7482115de685fc9f3fa54a sets the
'encrypted' key for all cinder volume drivers connection_info. When run
through the encrypted volume tests in Tempest, this hits the encryption
providers in Nova that fail for certain types of volume drivers, like
file system and fibre channel, due to the rootwrap filter not matching.
This change updates the symbolic link rootwrap filter so it works with
file system and fibre channel type volume backends rather than just
iSCSI.
The /dev/mapper/ prefix is always set in the encryptor modules, so that
can remain as before.
The symbolic link path is a complete wildcard, however, because the file
system volume backends all have a configurable option for the mount path
prefix, which defaults to $state_path/mnt but may not be that value.
An example call for NFS:
ln --symbolic --force \
/dev/mapper/volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc \
/opt/stack/data/nova/mnt/21dd48babac42ae884d1192b8697a041/\
volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc
An example call for fibre channel:
ln --symbolic --force \
/dev/mapper/pci-0000:06:00.0-fc-0x5006016508603f9f-lun-151 \
/dev/disk/by-path/pci-0000:06:00.0-fc-0x5006016508603f9f-lun-151
This change also updates the sg_info and sgscan entries to reference the
correct module since those are not called from nova.virt.libvirt.volume
anymore.
Closes-Bug: #1470142
Related-Bug: #1440227
Change-Id: I181b594a3119f7ad74c595fc7059d521079b1d74
Commit 390fab8da43339e04dae511b5a8bf4a6235cb8ea changed how nova.conf is
generated via the tox genconfig target, however, it fails to load the
'versionutils' namespace entry from nova-config-generator.conf since
nova.openstack.common.versionutils does not exist. The versionutils
module is now in oslo.utils rather than oslo-incubator. That was removed
in commit 2233675941c075c77208ecf379fc439c87d6fc5b.
Closes-Bug: #1469197
Change-Id: Id182469c4072827f987728f4e72933f97c8f1112
Oslo team is actively getting rid of the old style generator.py
in openstack/common/config. So we should switch to the newer
oslo-config-generator which is the way forward. For simplicity's
sake, I used one single list_opts in opts.py. However we can
split this up and add entrypoints in setup.cfg if we decide to
do that instead.
blueprint oslo-config-generator
Change-Id: Ib7c72af7be47df08983708ac6da0ce103518b78c
Currently, running 'nova list --all-tenants' with a policy change:
"compute:get_all_tenants": "role:special_role or is_admin:True"
will not work as expected. The returned list of servers will not
contain all instances of all tenants. We should support administrators
who wish to enable this functionality in their policy.json.
We need to fix this problem both in the v2 API and in the v2.1 as well.
Deep in instance_get_all_by_filters_sort, there is a check which adds
a filter of project_id or user_id if the context is NOT an admin context.
So, the returned list will be a subset of all the instances in the
database. To fix this scenario, the easy way is to call get_all with
an elevated context to pass this check in instance_get_all_by_filters_sort.
So in fixing the bug above, we need to fix the default policy so that
all-tenants is available by default only to administrators.
UpgradeImpact
SecurityImpact
DocImpact: --all-tenants will list all servers for non-admin
APIImpact: --all-tenants will list all servers for non-admin
Closes-Bug: #1464381
Change-Id: I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6
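
The interaction described in the commit message above, as an added sketch that is not nova's code: an API-layer policy check, a DB-layer query that scopes non-admin contexts to their own project, and the elevated-context call made only after the policy check passes. `Context`, `check_policy`, `list_servers`, the in-memory `INSTANCES` rows and the admin-only `DEFAULT_POLICY` string are hypothetical stand-ins; only the custom rule string and the name instance_get_all_by_filters_sort come from the message.

```python
from dataclasses import dataclass, replace

# Constructed sample rows standing in for the instances table.
INSTANCES = [
    {"uuid": "a1", "project_id": "tenant-a"},
    {"uuid": "b1", "project_id": "tenant-b"},
    {"uuid": "b2", "project_id": "tenant-b"},
]
# Rule quoted in the commit message, and an assumed admin-only default.
CUSTOM_POLICY = {"compute:get_all_tenants": "role:special_role or is_admin:True"}
DEFAULT_POLICY = {"compute:get_all_tenants": "is_admin:True"}


@dataclass(frozen=True)
class Context:  # hypothetical stand-in for a request context
    project_id: str
    roles: tuple = ()
    is_admin: bool = False

    def elevated(self):
        return replace(self, is_admin=True)


def check_policy(rule, ctx):
    # Simplified evaluator: 'role:X' / 'is_admin:True' terms joined by 'or'.
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in ctx.roles:
            return True
        if kind == "is_admin" and str(ctx.is_admin) == value:
            return True
    return False


def instance_get_all_by_filters_sort(ctx, filters):
    # DB-layer behaviour from the message: a non-admin context is silently
    # scoped to its own project, whatever the API layer decided.
    filters = dict(filters)
    if not ctx.is_admin:
        filters["project_id"] = ctx.project_id
    return [i for i in INSTANCES
            if all(i.get(k) == v for k, v in filters.items())]


def list_servers(ctx, all_tenants, policy, elevate_after_check):
    if not all_tenants:
        return instance_get_all_by_filters_sort(ctx, {"project_id": ctx.project_id})
    if not check_policy(policy["compute:get_all_tenants"], ctx):
        raise PermissionError("all_tenants denied by policy")
    # The fix: elevate only after the policy check has passed.
    db_ctx = ctx.elevated() if elevate_after_check else ctx
    return instance_get_all_by_filters_sort(db_ctx, {})
```

With `elevate_after_check=False` a caller holding `special_role` passes the policy check but still gets only its own project's rows, which is the reported bug; with `True` the same caller gets all rows, so the policy rule becomes the only gate and its default matters.
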
Suds was removed as a dependency in
I28f29d3e5745c21b99dc0cf9eb0cfe4f95dffd17
So there is no reason to have default log values for suds since we don't
use it
Change-Id: I104edc80213cee8278c2641d2c391d2788bfa0f6
This patch removes the hard-coded permission checks for the db call
quota_get_all_*
For the v2 API, the same hard-coded project owner permission checks exist
at the REST API layer, so there is nothing we need to do for it.
For v2.1, adds the 'target' for policy enforcement that used to
enforce owner checks. The defaults method used the same rule as the show
method before. After removing the hard-coded permission checks for the show
method, this patch adds a new rule to distinguish the different permissions
of defaults and show.
Partially implements bp nova-api-policy-final-part
UpgradeImpact: Because the db layer permission checks were deleted, a
default rule is added to "os_compute_api:os-quota-sets:show" to
match the same permission as before. The show and defaults actions
shared the same rule before, but after the cleanup those two methods have
different permissions. So a new rule is added for the defaults action:
"os_compute_api:os-quota-sets:defaults".
Change-Id: I63f180770a9199046452be7ad6e031a142d3c79d
Commit 01be083 misses unlock_override policy check in V2.1 REST API layer.
This patch fixes this bug and adds related unittest.
Partially implements bp nova-api-policy-final-part
Closes-Bug: 1429126
Change-Id: Ie5481267d0631fae7f413e63ae6c38656d3ca933
nova-idmapshift is missing the rootwrap filter it needs to run as root.
This commit adds those filters.
Change-Id: I96572a495628cc072392e1d7248699450b3e0aeb
Closes-Bug: #1452143
This change adds a policy that can be configured to limit or prevent the
snapshotting of volume backed instances.
DocImpact
Change-Id: Id5486f3bb18c6431c4ae8def6540ba780ea15b0a
Currently ebrctl is in network.filters, but the utility is
used by libvirt in nova compute, as part of a Mellanox vif driver.
The Ubuntu packages install network.filters with the nova-network package.
But this vif driver only works with Neutron.
To help fix that, this patch moves it to compute.filters to ensure it is
always installed with Nova.
Closes-Bug: #1453418
Change-Id: Ib61a565c10edfa662c15fac339b2cbd9bb673631
The Oslo libraries have moved all of their code out of the 'oslo'
namespace package into per-library packages. The namespace package was
retained during kilo for backwards compatibility, but will be removed by
the liberty-2 milestone. This change removes the use of the namespace
package, replacing it with the new package names.
The patches in the libraries will be put on hold until application
patches have landed, or L2, whichever comes first. At that point, new
versions of the libraries without namespace packages will be released as
a major version update.
Please merge this patch, or an equivalent, before L2 to avoid problems
with those library releases.
Blueprint: remove-namespace-packages
https://blueprints.launchpad.net/oslo-incubator/+spec/remove-namespace-packages
Change-Id: I38e7c60ec602c33f74de237b6014b4ac13ee4985
This patch adds default policy enforcement for extension info. By
default the rule is empty, but operators can configure it if they
don't want normal users to see extension info.
Closes-Bug: #1415286
Change-Id: I6afcf6f9e2cedb86e899a360e1abb22ccc1f0a27
Co-authored-by: Eli Qiao <liyong.qiao@intel.com>
This is a partial revert of Id8e1e84cd3717dfd0a3b3f80acec50f96c205251
The policy.d infrastructure was not previously tested anywhere real,
and turns out that it completely invalidates the caching of policy
files. Using policy.d means that nova-api makes > 33k reparses of the
policy files during a gate run.
There is no straightforward fix at this point in the cycle given
various library freezes in oslo. Instead we should revert using the
policy.d directory and merge those rules back into the policy.json
file.
Change-Id: I588c46819728e839f9e6c03ac3d673646d76b7ff
Closes-Bug: #1438861
There is no policy check in the consoles v3 (v2.1) API. This patch
adds a policy check for each operation.
Partially implements blueprint v3-api-policy
Change-Id: Ia0aa260ac31eb359275273fdcdfbfde3cfc47d87
This patch renames the v2.1 API policy rules with the 'os_compute_api' prefix,
which is used to distinguish them from the v2 and ec2 APIs. It also moves all
v2.1 API policy rules out of policy.conf.
Partially implements bp v3-api-policy
Depends-On: Iec23b095176332414faf76a9c329f8bb5f3aa6c3
Change-Id: Id8e1e84cd3717dfd0a3b3f80acec50f96c205251
Because V2.1 must be identical to V2 and must not contain any new
attributes or new methods, the swap/attach/detach in extend_volume
was removed. But some policy rules related to it were still left.
This patch cleans them up.
Change-Id: I6e7e3263261519f72fa6b067db6a5930026f02dd
This patch moves the policy enforcement into REST API layer for v2.1
servers and adds related unittest.
Partially implements bp v3-api-policy
DocImpact
Change-Id: If3c68af8a438e77045b2b719873fc39e8473b6ea
This creates a noauth2 auth_strategy which is similar to noauth,
except it only gives you an admin context if the username passed in is
'admin'. This allows testing of non admin activities.
noauth is deprecated as of this commit. While we expect that it would
only be used in testing, it is exposed as a conf option, so could be
used behind a different auth proxy.
Also make the error path for pipeline loading contain a full
LOG.exception. This is a fatal condition for nova, and the current
error was often quite opaque. The full stack trace during this fatal
error makes addressing paste.ini issues much more straightforward.
DocImpact
Change-Id: I7cb5ab3e43a1e3bd7ccba0480053361743f859b2
Blkid is used by nova/virt/disk/vfs/localfs.py and needs to be added to the
rootwrap filter.
Closes-Bug: #1424054
Change-Id: I28b8eb2464f8c2b27edea42dc24e3b49f1d4444e
Looks like the touch command hasn't been used in
nova/virt/disk/api.py since folsom. It also doesn't appear to be
used anywhere else within the Nova codebase.
Change-Id: I322a9eeee291ed9cd45e4dc71fa7ac65f6cc9b69
nova/virt/libvirt/utils.py calls 'xend status' to guess which toolstack
(xend or libxl) libvirtd will use.
Change-Id: I860d86e3c59afbf71f283531f6e10841ad2dba38
Partial-Bug: #1323722
Add OpenContrail vif handling method for Creation/Deletion/Get of interfaces
in Nova VIF driver.
In this commit, we will also add new Vif Model - VIF_TYPE_VROUTER.
implements: blueprint opencontrail-nova-vif-driver-plugin
Change-Id: I202fdefb474319f8efbb0449d3fcb48b8a2ece13
This patch moves the policy enforcement into REST API layer for v2.1
ips extension and adds related unittest.
And because the ips extension did not have policy rules before, this patch adds
policy rules for it.
Partially implements bp v3-api-policy
DocImpact
Change-Id: I9cf45390af6f60ef420b33b3037f618f67276e88
This patch moves the policy enforcement into REST API layer for v2.1
server metadata extension and adds related unittest.
Because the server-metadata extension did not have policy rules before, this
patch adds rules for it.
Partially implements bp v3-api-policy
DocImpact
Change-Id: Iec1d7995c5cde6f0574f3a862308b62dad8c8df0
The preserve ephemeral on rebuild functionality was merged into the servers plugin
code. This should never have happened and the hook for handling extra parameters
for the rebuild api should have been used instead (otherwise we end up with monster functions).
This patch splits the relevant bits out to their own plugin.
Partially implements bp v2-on-v3-api
Change-Id: I0f35f897b9470039d509a97e6513c6cc806169b4
The way PCS works with disks differs slightly from
the way qemu does. In PCS each disk has metadata, stored in
a separate xml file. The most important thing in this
metadata is paths and types of base image and deltas.
The name of xml file is fixed (DiskDescriptor.xml) and
usually all images are stored in the same directory.
Images are being downloaded from glance to cache in a form
of files. So imagecache will work in the same way as with Raw
image type.
Here is an example of libvirt's disk config:
    <disk type='file' device='disk'>
      <driver type='ploop'/>
      <source file='/path/to/dir/with/xml'/>
      <target dev='sda' bus='sata'/>
    </disk>
Since you need to provide a directory with the xml file to
libvirt, a separate class is needed in imagebackend.py for
working with such images.
This patch introduces the class Ploop, which is similar to Raw:
it copies the base image to the instance's dir and prepares it
for starting a VM or container from this image.
If force_raw_images is false, then only raw and ploop image
types are allowed. If force_raw_images is true, then all image
types which are supported by qemu-img can be used.
Partially implements blueprint pcs-support
Change-Id: I9c2a0da52dbda7d45f749f9d42b2760a0d2e790f
AWS CLI is Amazon's recommended CLI and it uses the botocore library instead of
boto to access EC2 API:
http://aws.amazon.com/cli/
Amazon's URL for AWS EC2 API is:
https://ec2.amazonaws.com/
OpenStack nova's EC2 API service URL is:
http://some.server.com:8773/services/Cloud
AWS CLI works with the root URLs (without something trailing, like ../services/Cloud).
This is so because of the following bug in botocore:
https://github.com/boto/botocore/issues/420
We did supply the fix here:
162bdc22de
However, we do not control botocore and cannot predict when this fix is going to be
applied or guarantee that in the future nothing alike happens again (in fact, older
botocore didn't have this bug).
Another problem is that there is a set of Tempest tests currently used to work against
stackforge/ec2-api but which is about to be employed against nova's ec2-api.
These Tempest tests use botocore too. And won't work with the nova's EC2-API
until either botocore or nova is fixed.
So we suggest to fix the situation in nova by changing the URL to http://some.server.com:8773/.
It'll provide the solution for OpenStack independent of botocore bugs
and fixes in this area, and will make the service URL more alike (compatible, sort of)
with the AWS EC2 API.
Change-Id: If9fcddcd455090f4b76a16251f69b361d6260291
Closes-Bug: 1417555
The ext3 filesystem does orders of magnitude more I/O than ext4 in
mkfs - a brief benchmark showed 14m to make a 1TB ext3 filesystem
vs 7 seconds to make a 1TB ext4 filesystem, with the ext3 filesystem
doing upwards of 6GB I/O.
Since ext4 has been a default in all major Linux distributions for
a long time now - RHEL5 has it as default, for instance - there is
no reason to default to ext3: users that need ext3 can configure
that themselves. So the default now is ext4 for all linux with
this commit. Also note that for non-linux and non-windows
the default used to be ext3, now it is vfat.
Note that there is still support for ext3 as the default if some
deployers do choose to keep that as the default, by using either
virt_mkfs or default_ephemeral_format configuration option. We
are just trying to move the default for everyone who is starting
fresh.
Originally logged by lifeless as I833356af81df743a63d4442d389be82bc25f3914,
reverted in I8de225729bbc77b263fcac2fa72b0e9cc6c1b2bf by phil and re-proposed
by swapnil in Ibe9e9ba4265125c5bd933cde1a93cca02511bb46
DocImpact
Closes-Bug: #1266262
Change-Id: I92cb51c6118e48fd66ada0e2fee624597c4ad8f0
The policy file is the default shipped nova policy file.
However, some actions such as reboot only have policy
check at compute layer, not in API layer. So the
etc/nova/policy.json as sample should contain the
configuration to end users.
The other patches will handle incorrect setting of
compute layer policies.
Partially implements bp v3-api-policy
DocImpact
Change-Id: I66e20d9898ac4cc8787ce7c495ade4038eb4da52
There is some duplicated and useless policy enforcement in the nova-network
FlatManager. The floatingip related functions are just stubbed out for FlatManager
and the same policies are already enforced at the network api layer:
669e1c5d3a/
nova/network/api.py#L170
If the request violates the policy rule, the network api layer enforcement will
stop the request; it can never reach the nova network manager side.
This patch just cleans them up.
Partially implements blueprint v3-api-policy
Change-Id: I8ca807aee42191c19e11ea322aa8174cd56773a5
This patch changes some of the alias names to be compatible with v2,
so the extension info output will be the same as v2.
    consoles -> os-consoles
    flavor-extra-specs -> os-flavor-extra-specs
    flavor-manage -> os-flavor-manage
Partially implements blueprint v2-on-v3-api
Change-Id: Ia8c6a0144e43134667636db9ba862b26f265a433