From 0b42fb17ff155a0a857ef208288bdf26b16284a5 Mon Sep 17 00:00:00 2001 From: Rabi Mishra Date: Tue, 5 Feb 2019 10:21:34 +0530 Subject: [PATCH] Disable stack check and cancel update for undercloud 'overcloud update abort' command had been dropped since few releases. However, users can still use heat commands to cancel an update which is not recommended. Undercloud now uses heat convergence architecture and stack check has not been migrated to convergence yet. let's add heat policy to disable both on undercloud. Change-Id: Ib5e2dab1e94810ac02e5d64859d2e84f749f3994 (cherry picked from commit 18f4e11773bba8f2e4e5d4e2e175e713669f549f) --- environments/undercloud.yaml | 6 ++++++ ...le-heat-non-lifecycle-actions-d551fe4551d71770.yaml | 10 ++++++++++ 2 files changed, 16 insertions(+) create mode 100644 releasenotes/notes/disable-heat-non-lifecycle-actions-d551fe4551d71770.yaml diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml index a4b1a950c6..6ea4af3982 100644 --- a/environments/undercloud.yaml +++ b/environments/undercloud.yaml @@ -71,6 +71,12 @@ parameter_defaults: HeatMaxResourcesPerStack: -1 HeatMaxJsonBodySize: 4194304 HeatReauthenticationAuthMethod: 'trusts' + # Disable non-lifecycle stack actions like + # snapshot, resume, cancel update and stack check. + HeatApiPolicies: + heat-deny-action: + key: 'actions:action' + value: 'rule:deny_everybody' IronicCleaningDiskErase: 'metadata' IronicCorsAllowedOrigin: '*' IronicDefaultInspectInterface: 'inspector' diff --git a/releasenotes/notes/disable-heat-non-lifecycle-actions-d551fe4551d71770.yaml b/releasenotes/notes/disable-heat-non-lifecycle-actions-d551fe4551d71770.yaml new file mode 100644 index 0000000000..dc0206894d --- /dev/null +++ b/releasenotes/notes/disable-heat-non-lifecycle-actions-d551fe4551d71770.yaml @@ -0,0 +1,10 @@ +--- +upgrade: + - | + Non-lifecycle stack actions like stack check and cancel + update for undercloud are now disabled. Stack check is + yet to be migrated to heat convergence architecture + and cancel update is not recommended for overcloud. Both + are disabled by adding required heat policy for undercloud. + 'overcloud update abort' wrapper for stack cancel update + had been dropped since few releases.