ea5dff48ca
In Xena, cinder adds support for project personas but not system personas. This patch adds a CinderPolicyEnforceNewDefaults parameter that controls whether cinder disables its deprecated policies, which in turn enforces the project-admin, project-member, and project-reader personas. The parameter defaults to False (cinder's deprecated policies are enabled). Change-Id: Ia97fda640b6476b2eade5d202eb0192ee7d79e9b
173 lines
6.7 KiB
YAML
173 lines
6.7 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack Cinder base service. Shared by all Cinder services.
|
|
|
|
parameters:
|
|
CinderStorageAvailabilityZone:
|
|
default: nova
|
|
description: The Cinder service's storage availability zone.
|
|
type: string
|
|
CinderPassword:
|
|
description: The password for the cinder service and db account.
|
|
type: string
|
|
hidden: true
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
CinderDebug:
|
|
default: false
|
|
description: Set to True to enable debugging on Cinder services.
|
|
type: boolean
|
|
EnableSQLAlchemyCollectd:
|
|
type: boolean
|
|
description: >
|
|
Set to true to enable the SQLAlchemy-collectd server plugin
|
|
default: false
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
CinderCronDbPurgeMinute:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Minute
|
|
default: '1'
|
|
CinderCronDbPurgeHour:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Hour
|
|
default: '0'
|
|
CinderCronDbPurgeMonthday:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Month Day
|
|
default: '*'
|
|
CinderCronDbPurgeMonth:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Month
|
|
default: '*'
|
|
CinderCronDbPurgeWeekday:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Week Day
|
|
default: '*'
|
|
CinderCronDbPurgeUser:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - User
|
|
default: 'cinder'
|
|
CinderCronDbPurgeAge:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Age
|
|
default: '30'
|
|
CinderCronDbPurgeDestination:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Log destination
|
|
default: '/var/log/cinder/cinder-rowsflush.log'
|
|
CinderCronDbPurgeMaxDelay:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Max Delay
|
|
default: '3600'
|
|
CinderRpcResponseTimeout:
|
|
default: 60
|
|
description: Cinder's RPC response timeout, in seconds.
|
|
type: number
|
|
NovaPassword:
|
|
type: string
|
|
description: The password for the nova service and db account
|
|
hidden: true
|
|
CinderPolicyEnforceNewDefaults:
|
|
default: false
|
|
description: Set to True to disable cinder's deprecated default policies.
|
|
Doing so causes cinder's default policies to enforce the
|
|
project based personas associated with secure RBAC. This
|
|
parameter will be deprecated in favor of a global EnforceSecureRbac
|
|
parameter after cinder adds support for system scoped policies.
|
|
type: boolean
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Cinder base service.
|
|
value:
|
|
service_name: cinder_base
|
|
config_settings:
|
|
cinder::db::database_connection:
|
|
make_url:
|
|
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
username: cinder
|
|
password: {get_param: CinderPassword}
|
|
host: {get_param: [EndpointMap, MysqlInternal, host]}
|
|
path: /cinder
|
|
query:
|
|
if:
|
|
- {get_param: EnableSQLAlchemyCollectd}
|
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
plugin: collectd
|
|
collectd_program_name: cinder
|
|
collectd_host: localhost
|
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
cinder::logging::debug:
|
|
if:
|
|
- {get_param: CinderDebug}
|
|
- true
|
|
- {get_param: Debug}
|
|
cinder::storage_availability_zone: {get_param: CinderStorageAvailabilityZone}
|
|
cinder::rabbit_heartbeat_timeout_threshold: 60
|
|
cinder::rpc_response_timeout: {get_param: CinderRpcResponseTimeout}
|
|
cinder::db::database_db_max_retries: -1
|
|
cinder::db::database_max_retries: -1
|
|
cinder::cron::db_purge::minute: {get_param: CinderCronDbPurgeMinute}
|
|
cinder::cron::db_purge::hour: {get_param: CinderCronDbPurgeHour}
|
|
cinder::cron::db_purge::monthday: {get_param: CinderCronDbPurgeMonthday}
|
|
cinder::cron::db_purge::month: {get_param: CinderCronDbPurgeMonth}
|
|
cinder::cron::db_purge::weekday: {get_param: CinderCronDbPurgeWeekday}
|
|
cinder::cron::db_purge::user: {get_param: CinderCronDbPurgeUser}
|
|
cinder::cron::db_purge::age: {get_param: CinderCronDbPurgeAge}
|
|
cinder::cron::db_purge::destination: {get_param: CinderCronDbPurgeDestination}
|
|
cinder::cron::db_purge::maxdelay: {get_param: CinderCronDbPurgeMaxDelay}
|
|
cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
|
|
cinder::keystone::service_user::send_service_user_token: true
|
|
cinder::keystone::service_user::project_name: service
|
|
cinder::keystone::service_user::auth_type: password
|
|
cinder::keystone::service_user::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
|
|
cinder::keystone::service_user::password: {get_param: CinderPassword}
|
|
cinder::keystone::service_user::region_name: {get_param: KeystoneRegion}
|
|
cinder::nova::interface: admin
|
|
cinder::nova::project_name: service
|
|
cinder::nova::auth_type: password
|
|
cinder::nova::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
|
|
cinder::nova::password: {get_param: NovaPassword}
|
|
cinder::nova::region_name: {get_param: KeystoneRegion}
|
|
cinder::policy::enforce_new_defaults: {get_param: CinderPolicyEnforceNewDefaults}
|