From dd69ff9e01532140d8acad2e4223f7d83c25cc1f Mon Sep 17 00:00:00 2001 
From: Jesse Pretorius Date: Fri, 25 Sep 2015 14:14:23 +0100 Subject: [PATCH] Update Nova Configuration for Liberty This patch includes the following updates based on the updated source in Nova's Liberty release: - api-paste.ini - policy.json - rootwrap.d/compute.filters - rootwrap.d/network.filters The Nova S3 and v3 API's have been removed in Liberty, so all related variables and configuration file entries have been removed. The Nova EC2 API is deprecated in Liberty. All related variables in OpenStack-Ansible and configuration files have been removed as all deployers are recommended to make use of the actively developed replacement: https://github.com/stackforge/ec2-api The Nova v2 and v1.1 API's are enabled using the upstream default compatibility layer. Neither of these versions will be registered in the service catalog. The default API version is set to v2.1. For new environments, no other API versions are registered in the service catalog. The following variables have been removed: - S3 API - nova_s3_service_name - nova_s3_service_type - nova_s3_service_proto - nova_s3_service_publicuri_proto - nova_s3_service_adminuri_proto - nova_s3_service_internaluri_proto - nova_s3_service_port - nova_s3_service_description - nova_s3_service_publicuri - nova_s3_service_publicurl - nova_s3_service_adminuri - nova_s3_service_adminurl - nova_s3_service_internaluri - nova_s3_service_internalurl - nova_s3_program_name - nova_s3_deprecated_but_enabled - EC2 API - nova_ec2_service_name - nova_ec2_service_type - nova_ec2_service_proto - nova_ec2_service_publicuri_proto - nova_ec2_service_adminuri_proto - nova_ec2_service_internaluri_proto - nova_ec2_service_port - nova_ec2_service_description - nova_ec2_service_publicuri - nova_ec2_service_publicurl - nova_ec2_service_adminuri - nova_ec2_service_adminurl - nova_ec2_service_internaluri - nova_ec2_service_internalurl - nova_ec2_program_name - nova_ec2_deprecated_but_enabled - v3 API - nova_v3_service_name - nova_v3_service_type - 
nova_v3_service_proto - nova_v3_service_publicuri_proto - nova_v3_service_adminuri_proto - nova_v3_service_internaluri_proto - nova_v3_service_port - nova_v3_service_description - nova_v3_service_publicuri - nova_v3_service_publicurl - nova_v3_service_adminuri - nova_v3_service_adminurl - nova_v3_service_internaluri - nova_v3_service_internalurl - nova_v3_deprecated_but_enabled - v2.1 API - nova_v21_service_name -> nova_service_name - nova_v21_service_type -> nova_service_type - nova_v21_service_proto -> nova_service_proto - nova_v21_service_publicuri_proto -> nova_service_publicuri_proto - nova_v21_service_adminuri_proto -> nova_service_adminuri_proto - nova_v21_service_internaluri_proto -> nova_service_internaluri_proto - nova_v21_service_port -> nova_service_port - nova_v21_service_description -> nova_service_description - nova_v21_service_publicuri -> nova_service_publicuri - nova_v21_service_publicurl -> nova_service_publicurl - nova_v21_service_adminuri -> nova_service_adminuri - nova_v21_service_adminurl -> nova_service_adminurl - nova_v21_service_internaluri -> nova_service_internaluri - nova_v21_service_internalurl -> nova_service_internalurl - nova_v21_enabled DocImpact UpgradeImpact Implements: blueprint liberty-release Change-Id: Ie5a42059c10e7fd0bfc4dba8d87dea3f32db968e --- playbooks/roles/os_nova/defaults/main.yml | 84 +---- .../os_nova/files/rootwrap.d/compute.filters | 60 ++-- .../os_nova/files/rootwrap.d/network.filters | 3 - .../os_nova/tasks/nova_service_setup.yml | 78 ----- .../roles/os_nova/tasks/nova_upstart_init.yml | 22 -- .../roles/os_nova/templates/api-paste.ini.j2 | 102 ++---- .../roles/os_nova/templates/nova.conf.j2 | 20 +- .../roles/os_nova/templates/policy.json.j2 | 306 +++++++++++++++++- .../roles/os_nova/templates/rootwrap.conf.j2 | 2 +- 9 files changed, 381 insertions(+), 296 deletions(-) diff --git a/playbooks/roles/os_nova/defaults/main.yml b/playbooks/roles/os_nova/defaults/main.yml index 3e6a39e94d..5a8ab74927 100644 
--- a/playbooks/roles/os_nova/defaults/main.yml +++ b/playbooks/roles/os_nova/defaults/main.yml 
@@ -65,59 +65,7 @@ nova_keystone_auth_plugin: password ## Nova enabled apis nova_enabled_apis: "osapi_compute,metadata" -## Nova s3 -nova_s3_service_name: s3 -nova_s3_service_type: s3 -nova_s3_service_proto: http -nova_s3_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_s3_service_proto) }}" -nova_s3_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_s3_service_proto) }}" -nova_s3_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(nova_s3_service_proto) }}" -nova_s3_service_port: 3333 -nova_s3_service_description: "S3 Compatibility Layer" -nova_s3_service_publicuri: "{{ nova_s3_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_s3_service_port }}" -nova_s3_service_publicurl: "{{ nova_s3_service_publicuri }}" -nova_s3_service_adminuri: "{{ nova_s3_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_s3_service_port }}" -nova_s3_service_adminurl: "{{ nova_s3_service_adminuri }}" -nova_s3_service_internaluri: "{{ nova_s3_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_s3_service_port }}" -nova_s3_service_internalurl: "{{ nova_s3_service_internaluri }}" -nova_s3_program_name: nova-api-ec2 -nova_s3_deprecated_but_enabled: false - -## Nova v3 -nova_v3_service_name: novav3 -nova_v3_service_type: computev3 -nova_v3_service_proto: http -nova_v3_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_v3_service_proto) }}" -nova_v3_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_v3_service_proto) }}" -nova_v3_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(nova_v3_service_proto) }}" -nova_v3_service_port: 8774 -nova_v3_service_description: "Nova Compute Service V3" -nova_v3_service_publicuri: "{{ nova_v3_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_v3_service_port }}" -nova_v3_service_publicurl: "{{ nova_v3_service_publicuri }}/v3" 
-nova_v3_service_adminuri: "{{ nova_v3_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_v3_service_port }}" -nova_v3_service_adminurl: "{{ nova_v3_service_adminuri }}/v3" -nova_v3_service_internaluri: "{{ nova_v3_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_v3_service_port }}" -nova_v3_service_internalurl: "{{ nova_v3_service_internaluri }}/v3" -nova_v3_deprecated_but_enabled: false - ## Nova v2.1 -nova_v21_service_name: novav21 -nova_v21_service_type: computev21 -nova_v21_service_proto: http -nova_v21_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_v21_service_proto) }}" -nova_v21_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_v21_service_proto) }}" -nova_v21_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(nova_v21_service_proto) }}" -nova_v21_service_port: 8774 -nova_v21_service_description: "Nova Compute Service V2.1" -nova_v21_service_publicuri: "{{ nova_v21_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_v21_service_port }}" -nova_v21_service_publicurl: "{{ nova_v21_service_publicuri }}/v2.1" -nova_v21_service_adminuri: "{{ nova_v21_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_v21_service_port }}" -nova_v21_service_adminurl: "{{ nova_v21_service_adminuri }}/v2.1" -nova_v21_service_internaluri: "{{ nova_v21_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_v21_service_port }}" -nova_v21_service_internalurl: "{{ nova_v21_service_internaluri }}/v2.1" -nova_v21_enabled: true - -## Nova v2 nova_service_name: nova nova_service_type: compute nova_service_proto: http 
@@ -127,33 +75,13 @@ nova_service_internaluri_proto: "{{ openstack_service_internaluri_proto | defaul nova_service_port: 8774 nova_service_description: "Nova Compute Service" nova_service_publicuri: "{{ nova_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_service_port }}" -nova_service_publicurl: "{{ nova_service_publicuri }}/v2/%(tenant_id)s" +nova_service_publicurl: "{{ nova_service_publicuri }}/v2.1/%(tenant_id)s" nova_service_adminuri: "{{ nova_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}" -nova_service_adminurl: "{{ nova_service_adminuri }}/v2/%(tenant_id)s" +nova_service_adminurl: "{{ nova_service_adminuri }}/v2.1/%(tenant_id)s" nova_service_internaluri: "{{ nova_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}" -nova_service_internalurl: "{{ nova_service_internaluri }}/v2/%(tenant_id)s" +nova_service_internalurl: "{{ nova_service_internaluri }}/v2.1/%(tenant_id)s" nova_program_name: nova-api-os-compute -## Nova ec2 -# WARNNING: The EC2 api in the nova tree has been deprecated. To consume this API you'll need to -# uncomment the EC2 section found within the nova `api-paste.ini` file. 
-nova_ec2_service_name: ec2 -nova_ec2_service_type: ec2 -nova_ec2_service_proto: http -nova_ec2_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_ec2_service_proto) }}" -nova_ec2_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_ec2_service_proto) }}" -nova_ec2_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(nova_ec2_service_proto) }}" -nova_ec2_service_port: 8773 -nova_ec2_service_description: "EC2 Compatibility Layer" -nova_ec2_service_publicuri: "{{ nova_ec2_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_ec2_service_port }}" -nova_ec2_service_publicurl: "{{ nova_ec2_service_publicuri }}/services/Cloud" -nova_ec2_service_adminuri: "{{ nova_ec2_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_ec2_service_port }}" -nova_ec2_service_adminurl: "{{ nova_ec2_service_adminuri }}/services/Admin" -nova_ec2_service_internaluri: "{{ nova_ec2_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_ec2_service_port }}" -nova_ec2_service_internalurl: "{{ nova_ec2_service_internaluri }}/services/Cloud" -nova_ec2_program_name: nova-api-ec2 -nova_ec2_deprecated_but_enabled: false - ## Nova cinder nova_cross_az_attach: True @@ -283,10 +211,6 @@ nova_ceph_client_uuid: 517a4663-3927-44bc-9ea7-4a90e1cd4c66 # compute the number of api workers to use. # nova_conductor_workers: 16 -# If ``nova_ec2_workers`` is unset the system will use half the number of available VCPUS to -# compute the number of api workers to use. -# nova_ec2_workers: 16 - # If ``nova_metadata_workers`` is unset the system will use half the number of available VCPUS to # compute the number of api workers to use. # nova_metadata_workers: 16 
@@ -309,9 +233,7 @@ nova_service_names: - "{{ nova_metadata_program_name }}" - "{{ nova_cert_program_name }}" - "{{ nova_conductor_program_name }}" - - "{{ nova_s3_program_name }}" - "{{ nova_program_name }}" - - "{{ nova_ec2_program_name }}" - "{{ nova_scheduler_program_name }}" - "{{ nova_compute_program_name }}" - "{{ nova_spice_program_name }}" diff --git a/playbooks/roles/os_nova/files/rootwrap.d/compute.filters b/playbooks/roles/os_nova/files/rootwrap.d/compute.filters index 3e9b7f547c..2a38cca54b 100644 --- a/playbooks/roles/os_nova/files/rootwrap.d/compute.filters +++ b/playbooks/roles/os_nova/files/rootwrap.d/compute.filters @@ -31,6 +31,9 @@ qemu-nbd: CommandFilter, qemu-nbd, root # nova/virt/disk/mount/loop.py: 'losetup', '--detach', device losetup: CommandFilter, losetup, root +# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device +blkid: CommandFilter, blkid, root + # nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path # nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.* @@ -45,7 +48,6 @@ mkdir: CommandFilter, mkdir, root # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk') -# nova/utils.py: 'chown', owner_uid, path chown: CommandFilter, chown, root # nova/virt/disk/vfs/localfs.py: 'chmod' @@ -84,6 +86,12 @@ tunctl: CommandFilter, tunctl, root # nova/network/linux_net.py: 'ovs-vsctl', .... ovs-vsctl: CommandFilter, ovs-vsctl, root +# nova/virt/libvirt/vif.py: 'vrouter-port-control', ... +vrouter-port-control: CommandFilter, vrouter-port-control, root + +# nova/virt/libvirt/vif.py: 'ebrctl', ... +ebrctl: CommandFilter, ebrctl, root + # nova/network/linux_net.py: 'ovs-ofctl', .... ovs-ofctl: CommandFilter, ovs-ofctl, root 
@@ -93,8 +101,8 @@ dd: CommandFilter, dd, root # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ... iscsiadm: CommandFilter, iscsiadm, root -# nova/virt/libvirt/volume.py: 'aoe-revalidate', aoedev -# nova/virt/libvirt/volume.py: 'aoe-discover' +# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev +# nova/virt/libvirt/volume/aoe.py: 'aoe-discover' aoe-revalidate: CommandFilter, aoe-revalidate, root aoe-discover: CommandFilter, aoe-discover, root @@ -154,6 +162,9 @@ brctl: CommandFilter, brctl, root # nova/virt/xenapi/vm_utils.py: 'mkswap' mkswap: CommandFilter, mkswap, root +# nova/virt/libvirt/utils.py: 'nova-idmapshift' +nova-idmapshift: CommandFilter, nova-idmapshift, root + # nova/virt/xenapi/vm_utils.py: 'mkfs' # nova/utils.py: 'mkfs', fs, path, label mkfs: CommandFilter, mkfs, root @@ -164,16 +175,11 @@ qemu-img: CommandFilter, qemu-img, root # nova/virt/disk/vfs/localfs.py: 'readlink', '-e' readlink: CommandFilter, readlink, root -# nova/virt/disk/api.py: 'touch', target -touch: CommandFilter, touch, root - # nova/virt/disk/api.py: mkfs.ext3: CommandFilter, mkfs.ext3, root +mkfs.ext4: CommandFilter, mkfs.ext4, root mkfs.ntfs: CommandFilter, mkfs.ntfs, root -# nova/virt/libvirt/connection.py: -read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi - # nova/virt/libvirt/connection.py: lvremove: CommandFilter, lvremove, root 
@@ -186,24 +192,33 @@ lvs: CommandFilter, lvs, root # nova/virt/libvirt/utils.py: vgs: CommandFilter, vgs, root -# nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ... -tgtadm: CommandFilter, tgtadm, root - # nova/utils.py:read_file_as_root: 'cat', file_path # (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file) read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow -# nova/virt/libvirt/volume.py: 'multipath' '-R' +# os-brick needed commands +read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi multipath: CommandFilter, multipath, root - -# nova/virt/libvirt/utils.py: +# multipathd show status +multipathd: CommandFilter, multipathd, root systool: CommandFilter, systool, root - -# nova/virt/libvirt/volume.py: sginfo: CommandFilter, sginfo, root +vgc-cluster: CommandFilter, vgc-cluster, root +# os_brick/initiator/connector.py +drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid + +# TODO(smcginnis) Temporary fix. +# Need to pull in os-brick os-brick.filters file instead and clean +# out stale brick values from this file. +scsi_id: CommandFilter, /lib/udev/scsi_id, root + +# nova/storage/linuxscsi.py: sg_scan device sg_scan: CommandFilter, sg_scan, root -ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*, /dev/disk/by-path/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.* + +# nova/volume/encryptors/cryptsetup.py: +# nova/volume/encryptors/luks.py: +ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/.*, .* # nova/volume/encryptors.py: # nova/virt/libvirt/dmcrypt.py: 
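Review bot: The rewritten `ln` filter in this hunk, `ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/.*, .*`, no longer constrains the link destination at all, so any process allowed to call nova-rootwrap can force-replace an arbitrary path with a symlink as root. The line it replaces pinned both arguments to the iSCSI volume naming scheme. RegExpFilter matches argument strings rather than resolved paths, so `/dev/mapper/.*` also accepts values containing `..`. If the encryptors only ever link into a device directory, the filter should say so, for example `/dev/mapper/[^/]+, /dev/.*` (to be confirmed against the paths cryptsetup.py and luks.py actually pass). The TODO in the same hunk about replacing the stale brick entries with os-brick's own filter file is worth tracking for the same reason.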
@@ -212,9 +227,6 @@ cryptsetup: CommandFilter, cryptsetup, root # nova/virt/xenapi/vm_utils.py: xenstore-read: CommandFilter, xenstore-read, root -# nova/virt/baremetal/tilera.py: 'rpc.mountd' -rpc.mountd: CommandFilter, rpc.mountd, root - # nova/virt/libvirt/utils.py: rbd: CommandFilter, rbd, root @@ -226,3 +238,9 @@ cp: CommandFilter, cp, root # nova/virt/xenapi/vm_utils.py: sync: CommandFilter, sync, root + +# nova/virt/libvirt/imagebackend.py: +ploop: CommandFilter, ploop, root + +# nova/virt/libvirt/utils.py: 'xend', 'status' +xend: CommandFilter, xend, root diff --git a/playbooks/roles/os_nova/files/rootwrap.d/network.filters b/playbooks/roles/os_nova/files/rootwrap.d/network.filters index 568e8d493c..527ab40c27 100644 --- a/playbooks/roles/os_nova/files/rootwrap.d/network.filters +++ b/playbooks/roles/os_nova/files/rootwrap.d/network.filters @@ -42,9 +42,6 @@ ivs-ctl: CommandFilter, ivs-ctl, root # nova/virt/libvirt/vif.py: 'ifc_ctl', ... ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root -# nova/virt/libvirt/vif.py: 'ebrctl', ... -ebrctl: CommandFilter, ebrctl, root - # nova/virt/libvirt/vif.py: 'mm-ctl', ... mm-ctl: CommandFilter, mm-ctl, root diff --git a/playbooks/roles/os_nova/tasks/nova_service_setup.yml b/playbooks/roles/os_nova/tasks/nova_service_setup.yml index a515eb7f6e..91bef1e012 100644 --- a/playbooks/roles/os_nova/tasks/nova_service_setup.yml +++ b/playbooks/roles/os_nova/tasks/nova_service_setup.yml 
@@ -28,81 +28,3 @@ role_name: "{{ nova_service_role_name }}" tags: - nova-api - - nova-api-v2 - - -- include: nova_service_add.yml - vars: - service_user_name: "{{ nova_service_user_name }}" - service_tenant_name: "{{ nova_service_project_name }}" - service_name: "{{ nova_v21_service_name }}" - service_type: "{{ nova_v21_service_type }}" - service_region: "{{ nova_service_region }}" - service_description: "{{ nova_v21_service_description }}" - service_password: "{{ nova_v21_service_password }}" - service_publicurl: "{{ nova_v21_service_publicurl }}" - service_internalurl: "{{ nova_v21_service_internalurl }}" - service_adminurl: "{{ nova_v21_service_adminurl }}" - role_name: "{{ nova_service_role_name }}" - when: > - nova_v21_enabled == true or nova_v21_enabled == 'True' - tags: - - nova-api - - nova-api-v21 - -- include: nova_service_add.yml - vars: - service_user_name: "{{ nova_service_user_name }}" - service_tenant_name: "{{ nova_service_project_name }}" - service_name: "{{ nova_v3_service_name }}" - service_type: "{{ nova_v3_service_type }}" - service_region: "{{ nova_service_region }}" - service_description: "{{ nova_v3_service_description }}" - service_password: "{{ nova_v3_service_password }}" - service_publicurl: "{{ nova_v3_service_publicurl }}" - service_internalurl: "{{ nova_v3_service_internalurl }}" - service_adminurl: "{{ nova_v3_service_adminurl }}" - role_name: "{{ nova_service_role_name }}" - when: > - nova_v3_deprecated_but_enabled == true or nova_v3_deprecated_but_enabled == 'True' - tags: - - nova-api - - nova-api-v3 - -- include: nova_service_add.yml - vars: - service_user_name: "{{ nova_service_user_name }}" - service_tenant_name: "{{ nova_service_project_name }}" - service_name: "{{ nova_s3_service_name }}" - service_type: "{{ nova_s3_service_type }}" - service_region: "{{ nova_service_region }}" - service_description: "{{ nova_s3_service_description }}" - service_password: "{{ nova_s3_service_password }}" - service_publicurl: "{{ 
nova_s3_service_publicurl }}" - service_internalurl: "{{ nova_s3_service_internalurl }}" - service_adminurl: "{{ nova_s3_service_adminurl }}" - role_name: "{{ nova_service_role_name }}" - when: > - nova_s3_deprecated_but_enabled == true or nova_s3_deprecated_but_enabled == 'True' - tags: - - nova-api - - nova-api-s3 - -- include: nova_service_add.yml - vars: - service_user_name: "{{ nova_service_user_name }}" - service_tenant_name: "{{ nova_service_project_name }}" - service_name: "{{ nova_ec2_service_name }}" - service_type: "{{ nova_ec2_service_type }}" - service_region: "{{ nova_service_region }}" - service_description: "{{ nova_ec2_service_description }}" - service_password: "{{ nova_ec2_service_password }}" - service_publicurl: "{{ nova_ec2_service_publicurl }}" - service_internalurl: "{{ nova_ec2_service_internalurl }}" - service_adminurl: "{{ nova_ec2_service_adminurl }}" - role_name: "{{ nova_service_role_name }}" - when: > - nova_ec2_deprecated_but_enabled == true or nova_ec2_deprecated_but_enabled == 'True' - tags: - - nova-api - - nova-api-ec2 diff --git a/playbooks/roles/os_nova/tasks/nova_upstart_init.yml b/playbooks/roles/os_nova/tasks/nova_upstart_init.yml index 03a194b8a3..dc9ba0d6b7 100644 --- a/playbooks/roles/os_nova/tasks/nova_upstart_init.yml +++ b/playbooks/roles/os_nova/tasks/nova_upstart_init.yml 
@@ -49,28 +49,6 @@ service_home: "{{ nova_system_home_folder }}" when: inventory_hostname in groups['nova_api_os_compute'] -- include: nova_upstart_common_init.yml - vars: - program_name: "{{ nova_s3_program_name }}" - service_name: "{{ nova_service_name }}" - system_user: "{{ nova_system_user_name }}" - system_group: "{{ nova_system_group_name }}" - service_home: "{{ nova_system_home_folder }}" - when: > - inventory_hostname in groups['nova_api_os_compute'] and - (nova_ec2_deprecated_but_enabled == true or nova_ec2_deprecated_but_enabled == 'True') - -- include: nova_upstart_common_init.yml - vars: - program_name: "{{ nova_ec2_program_name }}" - service_name: "{{ nova_service_name }}" - system_user: "{{ nova_system_user_name }}" - system_group: "{{ nova_system_group_name }}" - service_home: "{{ nova_system_home_folder }}" - when: > - inventory_hostname in groups['nova_api_os_compute'] and - (nova_ec2_deprecated_but_enabled == true or nova_ec2_deprecated_but_enabled == 'True') - - include: nova_upstart_common_init.yml vars: program_name: "{{ nova_scheduler_program_name }}" diff --git a/playbooks/roles/os_nova/templates/api-paste.ini.j2 b/playbooks/roles/os_nova/templates/api-paste.ini.j2 index 1a87f0c5a3..b53206c6ad 100644 --- a/playbooks/roles/os_nova/templates/api-paste.ini.j2 +++ b/playbooks/roles/os_nova/templates/api-paste.ini.j2 
@@ -6,53 +6,11 @@ use = egg:Paste#urlmap /: meta [pipeline:meta] -pipeline = ec2faultwrap logrequest metaapp +pipeline = metaapp [app:metaapp] paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory -####### -# EC2 # -####### - -[composite:ec2] -use = egg:Paste#urlmap -/: ec2cloud - -[composite:ec2cloud] -use = call:nova.api.auth:pipeline_factory -noauth = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor -noauth2 = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor -keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator ec2executor - -[filter:ec2faultwrap] -paste.filter_factory = nova.api.ec2:FaultWrapper.factory - -[filter:logrequest] -paste.filter_factory = nova.api.ec2:RequestLogging.factory - -[filter:ec2lockout] -paste.filter_factory = nova.api.ec2:Lockout.factory - -[filter:ec2keystoneauth] -paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory - -[filter:ec2noauth] -paste.filter_factory = nova.api.ec2:NoAuth.factory - -[filter:cloudrequest] -controller = nova.api.ec2.cloud.CloudController -paste.filter_factory = nova.api.ec2:Requestify.factory - -[filter:authorizer] -paste.filter_factory = nova.api.ec2:Authorizer.factory - -[filter:validator] -paste.filter_factory = nova.api.ec2:Validator.factory - -[app:ec2executor] -paste.app_factory = nova.api.ec2:Executor.factory - ############# # OpenStack # ############# 
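Review bot: With `pipeline = metaapp` the metadata API loses both `ec2faultwrap` and `logrequest`, and nothing in this hunk replaces them, so metadata requests are no longer logged or fault-wrapped at the paste layer. If per-request metadata logs feed monitoring or incident review, confirm that `MetadataRequestHandler` or the proxy in front of it still records them. A short comment above the pipeline would make the change visible to operators, e.g. `# EC2 fault/log filters removed with the EC2 API; this pipeline does not log metadata requests`.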
@@ -60,32 +18,44 @@ paste.app_factory = nova.api.ec2:Executor.factory [composite:osapi_compute] use = call:nova.api.openstack.urlmap:urlmap_factory /: oscomputeversions -/v1.1: openstack_compute_api_v2 -/v2: openstack_compute_api_v2 +# starting in Liberty the v21 implementation replaces the v2 +# implementation and is suggested that you use it as the default. If +# this causes issues with your clients you can rollback to the +# *frozen* v2 api by commenting out the above stanza and using the +# following instead:: +# /v1.1: openstack_compute_api_legacy_v2 +# /v2: openstack_compute_api_legacy_v2 +# if rolling back to v2 fixes your issue please file a critical bug +# at - https://bugs.launchpad.net/nova/+bugs +# +# v21 is an exactly feature match for v2, except it has more stringent +# input validation on the wsgi surface (prevents fuzzing early on the +# API). It also provides new features via API microversions which are +# opt into for clients. Unaware clients will receive the same frozen +# v2 API feature set, but with some relaxed validation +/v1.1: openstack_compute_api_v21_legacy_v2_compatible +/v2: openstack_compute_api_v21_legacy_v2_compatible /v2.1: openstack_compute_api_v21 -/v3: openstack_compute_api_v3 -[composite:openstack_compute_api_v2] +# NOTE: this is deprecated in favor of openstack_compute_api_v21_legacy_v2_compatible +[composite:openstack_compute_api_legacy_v2] use = call:nova.api.auth:pipeline_factory -noauth = compute_req_id faultwrap sizelimit noauth ratelimit osapi_compute_app_v2 -noauth2 = compute_req_id faultwrap sizelimit noauth2 ratelimit osapi_compute_app_v2 -keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v2 -keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2 +noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2 +keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext 
legacy_ratelimit osapi_compute_app_legacy_v2 +keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2 [composite:openstack_compute_api_v21] use = call:nova.api.auth:pipeline_factory_v21 -noauth = compute_req_id faultwrap sizelimit noauth osapi_compute_app_v21 noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21 keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21 -[composite:openstack_compute_api_v3] +[composite:openstack_compute_api_v21_legacy_v2_compatible] use = call:nova.api.auth:pipeline_factory_v21 -noauth = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3 -noauth2 = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3 -keystone = request_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v3 +noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21 +keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21 [filter:request_id] -paste.filter_factory = oslo.middleware:RequestId.factory +paste.filter_factory = oslo_middleware:RequestId.factory [filter:compute_req_id] paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory 
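Review bot: Neither `openstack_compute_api_v21` nor the new `openstack_compute_api_v21_legacy_v2_compatible` pipeline contains a rate-limit filter, and this hunk routes `/v1.1` and `/v2` to the latter, so the `ratelimit` step of the old `openstack_compute_api_v2` keystone pipeline is no longer in the default request path. `legacy_ratelimit` is reachable only through the commented-out legacy mapping. Deployments that relied on the in-process limiter need throttling elsewhere, and the commit message's UpgradeImpact text does not mention this. I would add a template comment above the mappings such as `# NOTE: the v2.1 pipelines carry no rate-limit filter; throttle API requests at the load balancer`. Separately, the copied upstream comment refers to "the above stanza" although the mappings it means sit below it.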
@@ -93,30 +63,24 @@ paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory [filter:faultwrap] paste.filter_factory = nova.api.openstack:FaultWrapper.factory -[filter:noauth] -paste.filter_factory = nova.api.openstack.auth:NoAuthMiddlewareOld.factory - [filter:noauth2] paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory -[filter:noauth_v3] -paste.filter_factory = nova.api.openstack.auth:NoAuthMiddlewareV3.factory - -[filter:ratelimit] +[filter:legacy_ratelimit] paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory [filter:sizelimit] -paste.filter_factory = oslo.middleware:RequestBodySizeLimiter.factory +paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory -[app:osapi_compute_app_v2] +[filter:legacy_v2_compatible] +paste.filter_factory = nova.api.openstack:LegacyV2CompatibleWrapper.factory + +[app:osapi_compute_app_legacy_v2] paste.app_factory = nova.api.openstack.compute:APIRouter.factory [app:osapi_compute_app_v21] paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory -[app:osapi_compute_app_v3] -paste.app_factory = nova.api.openstack.compute:APIRouterV3.factory - [pipeline:oscomputeversions] pipeline = faultwrap oscomputeversionapp diff --git a/playbooks/roles/os_nova/templates/nova.conf.j2 b/playbooks/roles/os_nova/templates/nova.conf.j2 index 500db80d62..a7257e63b9 100644 --- a/playbooks/roles/os_nova/templates/nova.conf.j2 +++ b/playbooks/roles/os_nova/templates/nova.conf.j2 
@@ -62,18 +62,10 @@ resume_guests_state_on_host_boot = {{ nova_resume_guests_state_on_host_boot }} # Api's enabled_apis = {{ nova_enabled_apis }} osapi_compute_workers = {{ nova_osapi_compute_workers | default(api_threads) }} -{% if nova_ec2_deprecated_but_enabled == true or nova_ec2_deprecated_but_enabled == 'True' %} -ec2_workers = {{ nova_ec2_workers | default(api_threads) }} -ec2_dmz_host = {{ external_lb_vip_address }} -{% endif %} -{% if nova_s3_deprecated_but_enabled == true or nova_s3_deprecated_but_enabled == 'True' %} -s3_port = {{ nova_s3_service_port }} -s3_host = {{ nova_management_address }} -{% endif %} # Rpc all rpc_backend = {{ nova_rpc_backend }} -rpc_thread_pool_size = {{ nova_rpc_thread_pool_size }} +executor_thread_pool_size = {{ nova_rpc_thread_pool_size }} rpc_conn_pool_size = {{ nova_rpc_conn_pool_size }} rpc_response_timeout = {{ nova_rpc_response_timeout }} @@ -162,7 +154,6 @@ port = {{ glance_service_port }} url = {{ neutron_service_adminurl }} region_name = {{ neutron_service_region }} auth_plugin = password -auth_strategy = keystone # Keystone client plugin password option password = {{ neutron_service_password }} # Keystone client plugin username option @@ -183,15 +174,6 @@ manager = nova.conductor.manager.ConductorManager workers = {{ nova_conductor_workers | default(api_threads) }} -[osapi_v3] -# note that this setting enables both the v3 and v2.1 APIs in kilo -{% if nova_v3_deprecated_but_enabled == true or nova_v3_deprecated_but_enabled == 'True' or nova_v21_enabled == true or nova_v21_enabled == 'True' %} -enabled = true -{% else %} -enabled = false -{% endif %} - - [keystone_authtoken] insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ nova_keystone_auth_plugin }} diff --git a/playbooks/roles/os_nova/templates/policy.json.j2 b/playbooks/roles/os_nova/templates/policy.json.j2 index c8464b1f34..5f6023e5c3 100644 --- a/playbooks/roles/os_nova/templates/policy.json.j2 
+++ b/playbooks/roles/os_nova/templates/policy.json.j2 
@@ -9,20 +9,86 @@ "compute:create:attach_network": "", "compute:create:attach_volume": "", "compute:create:forced_host": "is_admin:True", + + "compute:get": "", "compute:get_all": "", - "compute:get_all_tenants": "", + "compute:get_all_tenants": "is_admin:True", + + "compute:update": "", + + "compute:get_instance_metadata": "", + "compute:get_all_instance_metadata": "", + "compute:get_all_instance_system_metadata": "", + "compute:update_instance_metadata": "", + "compute:delete_instance_metadata": "", + + "compute:get_instance_faults": "", + "compute:get_diagnostics": "", + "compute:get_instance_diagnostics": "", + "compute:start": "rule:admin_or_owner", "compute:stop": "rule:admin_or_owner", + + "compute:get_lock": "", + "compute:lock": "", + "compute:unlock": "", "compute:unlock_override": "rule:admin_api", + "compute:get_vnc_console": "", + "compute:get_spice_console": "", + "compute:get_rdp_console": "", + "compute:get_serial_console": "", + "compute:get_mks_console": "", + "compute:get_console_output": "", + + "compute:reset_network": "", + "compute:inject_network_info": "", + "compute:add_fixed_ip": "", + "compute:remove_fixed_ip": "", + + "compute:attach_volume": "", + "compute:detach_volume": "", + "compute:swap_volume": "", + + "compute:attach_interface": "", + "compute:detach_interface": "", + + "compute:set_admin_password": "", + + "compute:rescue": "", + "compute:unrescue": "", + + "compute:suspend": "", + "compute:resume": "", + + "compute:pause": "", + "compute:unpause": "", + "compute:shelve": "", "compute:shelve_offload": "", "compute:unshelve": "", + + "compute:snapshot": "", + "compute:snapshot_volume_backed": "", + "compute:backup": "", + "compute:resize": "", "compute:confirm_resize": "", "compute:revert_resize": "", + "compute:rebuild": "", "compute:reboot": "", + "compute:delete": "rule:admin_or_owner", + "compute:soft_delete": "rule:admin_or_owner", + "compute:force_delete": "rule:admin_or_owner", + + 
"compute:security_groups:add_to_instance": "", + "compute:security_groups:remove_from_instance": "", + + "compute:delete": "", + "compute:soft_delete": "", + "compute:force_delete": "", + "compute:restore": "", "compute:volume_snapshot_create": "", "compute:volume_snapshot_delete": "", @@ -54,6 +120,7 @@ "compute_extension:certificates": "", "compute_extension:cloudpipe": "rule:admin_api", "compute_extension:cloudpipe_update": "rule:admin_api", + "compute_extension:config_drive": "", "compute_extension:console_output": "", "compute_extension:consoles": "", "compute_extension:createserverext": "", @@ -103,6 +170,7 @@ "compute_extension:networks": "rule:admin_api", "compute_extension:networks:view": "", "compute_extension:networks_associate": "rule:admin_api", + "compute_extension:os-tenant-networks": "", "compute_extension:quotas:show": "", "compute_extension:quotas:update": "rule:admin_api", "compute_extension:quotas:delete": "rule:admin_api", 
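Review bot: In the `@@ -9,20 +9,86 @@` hunk, `compute:delete`, `compute:soft_delete` and `compute:force_delete` are each added twice: first as `"rule:admin_or_owner"` right after `compute:reboot`, then again as `""` just before `compute:restore`. JSON parsers that tolerate duplicate keys, Python's `json` module among them, keep the last value, so the effective rule would be the empty one and the owner check written above it would never apply. Keep `"compute:delete": "rule:admin_or_owner",` and its two siblings and delete the three `""` copies. If the empty rule is really what is intended, remove the first trio instead, so that someone auditing the policy reads what is actually enforced.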
@@ -182,5 +250,239 @@ "network:create_private_dns_domain": "", "network:create_public_dns_domain": "", "network:delete_dns_domain": "", - "network:attach_external_network": "rule:admin_api" + "network:attach_external_network": "rule:admin_api", + "network:get_vif_by_mac_address": "", + + "os_compute_api:servers:detail:get_all_tenants": "is_admin:True", + "os_compute_api:servers:index:get_all_tenants": "is_admin:True", + "os_compute_api:servers:confirm_resize": "", + "os_compute_api:servers:create": "", + "os_compute_api:servers:create:attach_network": "", + "os_compute_api:servers:create:attach_volume": "", + "os_compute_api:servers:create:forced_host": "rule:admin_api", + "os_compute_api:servers:delete": "", + "os_compute_api:servers:update": "", + "os_compute_api:servers:detail": "", + "os_compute_api:servers:index": "", + "os_compute_api:servers:reboot": "", + "os_compute_api:servers:rebuild": "", + "os_compute_api:servers:resize": "", + "os_compute_api:servers:revert_resize": "", + "os_compute_api:servers:show": "", + "os_compute_api:servers:create_image": "", + "os_compute_api:servers:create_image:allow_volume_backed": "", + "os_compute_api:servers:start": "rule:admin_or_owner", + "os_compute_api:servers:stop": "rule:admin_or_owner", + "os_compute_api:os-access-ips:discoverable": "", + "os_compute_api:os-access-ips": "", + "os_compute_api:os-admin-actions": "rule:admin_api", + "os_compute_api:os-admin-actions:discoverable": "", + "os_compute_api:os-admin-actions:reset_network": "rule:admin_api", + "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api", + "os_compute_api:os-admin-actions:reset_state": "rule:admin_api", + "os_compute_api:os-admin-password": "", + "os_compute_api:os-admin-password:discoverable": "", + "os_compute_api:os-aggregates:discoverable": "", + "os_compute_api:os-aggregates:index": "rule:admin_api", + "os_compute_api:os-aggregates:create": "rule:admin_api", + "os_compute_api:os-aggregates:show": "rule:admin_api", + 
"os_compute_api:os-aggregates:update": "rule:admin_api", + "os_compute_api:os-aggregates:delete": "rule:admin_api", + "os_compute_api:os-aggregates:add_host": "rule:admin_api", + "os_compute_api:os-aggregates:remove_host": "rule:admin_api", + "os_compute_api:os-aggregates:set_metadata": "rule:admin_api", + "os_compute_api:os-agents": "rule:admin_api", + "os_compute_api:os-agents:discoverable": "", + "os_compute_api:os-attach-interfaces": "", + "os_compute_api:os-attach-interfaces:discoverable": "", + "os_compute_api:os-baremetal-nodes": "rule:admin_api", + "os_compute_api:os-baremetal-nodes:discoverable": "", + "os_compute_api:os-block-device-mapping-v1:discoverable": "", + "os_compute_api:os-cells": "rule:admin_api", + "os_compute_api:os-cells:create": "rule:admin_api", + "os_compute_api:os-cells:delete": "rule:admin_api", + "os_compute_api:os-cells:update": "rule:admin_api", + "os_compute_api:os-cells:sync_instances": "rule:admin_api", + "os_compute_api:os-cells:discoverable": "", + "os_compute_api:os-certificates:create": "", + "os_compute_api:os-certificates:show": "", + "os_compute_api:os-certificates:discoverable": "", + "os_compute_api:os-cloudpipe": "rule:admin_api", + "os_compute_api:os-cloudpipe:discoverable": "", + "os_compute_api:os-config-drive": "", + "os_compute_api:os-consoles:discoverable": "", + "os_compute_api:os-consoles:create": "", + "os_compute_api:os-consoles:delete": "", + "os_compute_api:os-consoles:index": "", + "os_compute_api:os-consoles:show": "", + "os_compute_api:os-console-output:discoverable": "", + "os_compute_api:os-console-output": "", + "os_compute_api:os-remote-consoles": "", + "os_compute_api:os-remote-consoles:discoverable": "", + "os_compute_api:os-create-backup:discoverable": "", + "os_compute_api:os-create-backup": "rule:admin_or_owner", + "os_compute_api:os-deferred-delete": "", + "os_compute_api:os-deferred-delete:discoverable": "", + "os_compute_api:os-disk-config": "", + "os_compute_api:os-disk-config:discoverable": 
"", + "os_compute_api:os-evacuate": "rule:admin_api", + "os_compute_api:os-evacuate:discoverable": "", + "os_compute_api:os-extended-server-attributes": "rule:admin_api", + "os_compute_api:os-extended-server-attributes:discoverable": "", + "os_compute_api:os-extended-status": "", + "os_compute_api:os-extended-status:discoverable": "", + "os_compute_api:os-extended-availability-zone": "", + "os_compute_api:os-extended-availability-zone:discoverable": "", + "os_compute_api:extensions": "", + "os_compute_api:extension_info:discoverable": "", + "os_compute_api:os-extended-volumes": "", + "os_compute_api:os-extended-volumes:discoverable": "", + "os_compute_api:os-fixed-ips": "rule:admin_api", + "os_compute_api:os-fixed-ips:discoverable": "", + "os_compute_api:os-flavor-access": "", + "os_compute_api:os-flavor-access:discoverable": "", + "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api", + "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api", + "os_compute_api:os-flavor-rxtx": "", + "os_compute_api:os-flavor-rxtx:discoverable": "", + "os_compute_api:flavors:discoverable": "", + "os_compute_api:os-flavor-extra-specs:discoverable": "", + "os_compute_api:os-flavor-extra-specs:index": "", + "os_compute_api:os-flavor-extra-specs:show": "", + "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api", + "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api", + "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api", + "os_compute_api:os-flavor-manage:discoverable": "", + "os_compute_api:os-flavor-manage": "rule:admin_api", + "os_compute_api:os-floating-ip-dns": "", + "os_compute_api:os-floating-ip-dns:discoverable": "", + "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api", + "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api", + "os_compute_api:os-floating-ip-pools": "", + "os_compute_api:os-floating-ip-pools:discoverable": "", + "os_compute_api:os-floating-ips": "", + 
"os_compute_api:os-floating-ips:discoverable": "", + "os_compute_api:os-floating-ips-bulk": "rule:admin_api", + "os_compute_api:os-floating-ips-bulk:discoverable": "", + "os_compute_api:os-fping": "", + "os_compute_api:os-fping:discoverable": "", + "os_compute_api:os-fping:all_tenants": "rule:admin_api", + "os_compute_api:os-hide-server-addresses": "is_admin:False", + "os_compute_api:os-hide-server-addresses:discoverable": "", + "os_compute_api:os-hosts": "rule:admin_api", + "os_compute_api:os-hosts:discoverable": "", + "os_compute_api:os-hypervisors": "rule:admin_api", + "os_compute_api:os-hypervisors:discoverable": "", + "os_compute_api:images:discoverable": "", + "os_compute_api:image-size": "", + "os_compute_api:image-size:discoverable": "", + "os_compute_api:os-instance-actions": "", + "os_compute_api:os-instance-actions:discoverable": "", + "os_compute_api:os-instance-actions:events": "rule:admin_api", + "os_compute_api:os-instance-usage-audit-log": "rule:admin_api", + "os_compute_api:os-instance-usage-audit-log:discoverable": "", + "os_compute_api:ips:discoverable": "", + "os_compute_api:ips:index": "rule:admin_or_owner", + "os_compute_api:ips:show": "rule:admin_or_owner", + "os_compute_api:os-keypairs:discoverable": "", + "os_compute_api:os-keypairs": "", + "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:limits:discoverable": "", + "os_compute_api:limits": "", + "os_compute_api:os-lock-server:discoverable": "", + "os_compute_api:os-lock-server:lock": "rule:admin_or_owner", + "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner", + "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api", + "os_compute_api:os-migrate-server:discoverable": "", + 
"os_compute_api:os-migrate-server:migrate": "rule:admin_api", + "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api", + "os_compute_api:os-multinic": "", + "os_compute_api:os-multinic:discoverable": "", + "os_compute_api:os-networks": "rule:admin_api", + "os_compute_api:os-networks:view": "", + "os_compute_api:os-networks:discoverable": "", + "os_compute_api:os-networks-associate": "rule:admin_api", + "os_compute_api:os-networks-associate:discoverable": "", + "os_compute_api:os-pause-server:discoverable": "", + "os_compute_api:os-pause-server:pause": "rule:admin_or_owner", + "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner", + "os_compute_api:os-pci:pci_servers": "", + "os_compute_api:os-pci:discoverable": "", + "os_compute_api:os-pci:index": "rule:admin_api", + "os_compute_api:os-pci:detail": "rule:admin_api", + "os_compute_api:os-pci:show": "rule:admin_api", + "os_compute_api:os-personality:discoverable": "", + "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "", + "os_compute_api:os-quota-sets:discoverable": "", + "os_compute_api:os-quota-sets:show": "rule:admin_or_owner", + "os_compute_api:os-quota-sets:defaults": "", + "os_compute_api:os-quota-sets:update": "rule:admin_api", + "os_compute_api:os-quota-sets:delete": "rule:admin_api", + "os_compute_api:os-quota-sets:detail": "rule:admin_api", + "os_compute_api:os-quota-class-sets:update": "rule:admin_api", + "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s", + "os_compute_api:os-quota-class-sets:discoverable": "", + "os_compute_api:os-rescue": "", + "os_compute_api:os-rescue:discoverable": "", + "os_compute_api:os-scheduler-hints:discoverable": "", + "os_compute_api:os-security-group-default-rules:discoverable": "", + "os_compute_api:os-security-group-default-rules": "rule:admin_api", + "os_compute_api:os-security-groups": "", + "os_compute_api:os-security-groups:discoverable": "", + "os_compute_api:os-server-diagnostics": 
"rule:admin_api", + "os_compute_api:os-server-diagnostics:discoverable": "", + "os_compute_api:os-server-password": "", + "os_compute_api:os-server-password:discoverable": "", + "os_compute_api:os-server-usage": "", + "os_compute_api:os-server-usage:discoverable": "", + "os_compute_api:os-server-groups": "", + "os_compute_api:os-server-groups:discoverable": "", + "os_compute_api:os-services": "rule:admin_api", + "os_compute_api:os-services:discoverable": "", + "os_compute_api:server-metadata:discoverable": "", + "os_compute_api:server-metadata:index": "rule:admin_or_owner", + "os_compute_api:server-metadata:show": "rule:admin_or_owner", + "os_compute_api:server-metadata:delete": "rule:admin_or_owner", + "os_compute_api:server-metadata:create": "rule:admin_or_owner", + "os_compute_api:server-metadata:update": "rule:admin_or_owner", + "os_compute_api:server-metadata:update_all": "rule:admin_or_owner", + "os_compute_api:servers:discoverable": "", + "os_compute_api:os-shelve:shelve": "", + "os_compute_api:os-shelve:shelve:discoverable": "", + "os_compute_api:os-shelve:shelve_offload": "rule:admin_api", + "os_compute_api:os-simple-tenant-usage:discoverable": "", + "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner", + "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api", + "os_compute_api:os-suspend-server:discoverable": "", + "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner", + "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner", + "os_compute_api:os-tenant-networks": "rule:admin_or_owner", + "os_compute_api:os-tenant-networks:discoverable": "", + "os_compute_api:os-shelve:unshelve": "", + "os_compute_api:os-user-data:discoverable": "", + "os_compute_api:os-virtual-interfaces": "", + "os_compute_api:os-virtual-interfaces:discoverable": "", + "os_compute_api:os-volumes": "", + "os_compute_api:os-volumes:discoverable": "", + "os_compute_api:os-volumes-attachments:index": "", + 
"os_compute_api:os-volumes-attachments:show": "", + "os_compute_api:os-volumes-attachments:create": "", + "os_compute_api:os-volumes-attachments:update": "", + "os_compute_api:os-volumes-attachments:delete": "", + "os_compute_api:os-volumes-attachments:discoverable": "", + "os_compute_api:os-availability-zone:list": "", + "os_compute_api:os-availability-zone:discoverable": "", + "os_compute_api:os-availability-zone:detail": "rule:admin_api", + "os_compute_api:os-used-limits": "rule:admin_api", + "os_compute_api:os-used-limits:discoverable": "", + "os_compute_api:os-migrations:index": "rule:admin_api", + "os_compute_api:os-migrations:discoverable": "", + "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api", + "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api", + "os_compute_api:os-assisted-volume-snapshots:discoverable": "", + "os_compute_api:os-console-auth-tokens": "rule:admin_api", + "os_compute_api:os-server-external-events:create": "rule:admin_api" } diff --git a/playbooks/roles/os_nova/templates/rootwrap.conf.j2 b/playbooks/roles/os_nova/templates/rootwrap.conf.j2 index fb2997abdb..aa466c5d50 100644 --- a/playbooks/roles/os_nova/templates/rootwrap.conf.j2 +++ b/playbooks/roles/os_nova/templates/rootwrap.conf.j2 @@ -17,7 +17,7 @@ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin use_syslog=False # Which syslog facility to use. -# Valid values include auth, authpriv, syslog, user0, user1... +# Valid values include auth, authpriv, syslog, local0, local1... # Default value is 'syslog' syslog_log_facility=syslog
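Review bot: In the `@@ -182,5 +250,239 @@` hunk of policy.json.j2, the new `os_compute_api:` rules are inconsistent about ownership for state-changing actions. `servers:start`, `servers:stop`, `os-lock-server:lock` and `os-pause-server:pause` use `rule:admin_or_owner`, while `servers:delete`, `servers:rebuild`, `os-admin-password` and the `os-volumes-attachments:create/update/delete` entries use the empty rule, which passes for any authenticated caller. The commit message makes v2.1 the default API, so for those actions tenant isolation presumably rests on project scoping done outside this file; that is worth confirming before this ships as the deployed default. If it cannot be confirmed, align the destructive entries with the others, e.g. `"os_compute_api:servers:delete": "rule:admin_or_owner",`. Otherwise a short Jinja comment at the top of the template recording the upstream file it was copied from would tell operators the empty rules are deliberate.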