Refresh Glance example configs for antelope milestone 3

Change-Id: Id27f12aecce5a981dedf0bc3513a2f19a1e2a24d
2023-02-16 09:37:25 +00:00 · 2023-02-16 09:37:25 +00:00 · 1d54dddaa0
commit 1d54dddaa0
parent b20cc91e6f
4 changed files with 93 additions and 84 deletions
--- a/etc/glance-api.conf
+++ b/etc/glance-api.conf
@ -487,32 +487,6 @@
 #         * [DEFAULT]/node_staging_uri (list value)
 #enabled_import_methods = [glance-direct,web-download,copy-image]

-# DEPRECATED:
-# Enforce API access based on common persona definitions used across OpenStack.
-# Enabling this option formalizes project-specific read/write operations, like
-# creating private images or updating the status of shared image, behind the
-# `member` role. It also formalizes a read-only variant useful for
-# project-specific API operations, like listing private images in a project,
-# behind the `reader` role.
-#
-# Operators should take an opportunity to understand glance's new image
-# policies,
-# audit assignments in their deployment, and update permissions using the
-# default
-# roles in keystone (e.g., `admin`, `member`, and `reader`).
-#
-# Related options:
-#     * [oslo_policy]/enforce_new_defaults
-#  (boolean value)
-# This option is deprecated for removal since Wallaby.
-# Its value may be silently ignored in the future.
-# Reason:
-# This option has been introduced to require operators to opt into enforcing
-# authorization based on common RBAC personas, which is EXPERIMENTAL as of the
-# Wallaby release. This behavior will be the default and STABLE in a future
-# release, allowing this option to be removed.
-#enforce_secure_rbac = false
-
 #
 # The URL to this worker.
 #
@ -1771,6 +1745,11 @@
 # (string value)
 #mysql_sql_mode = TRADITIONAL

+# For Galera only, configure wsrep_sync_wait causality checks on new
+# connections.  Default is None, meaning don't configure any setting. (integer
+# value)
+#mysql_wsrep_sync_wait = <None>
+
 # DEPRECATED: If True, transparently enables support for handling MySQL Cluster
 # (NDB). (boolean value)
 # This option is deprecated for removal since 12.1.0.
@ -2224,6 +2203,22 @@
 #  (string value)
 #s3_store_host = <None>

+#
+# The S3 region name.
+#
+# This parameter will set the region_name used by boto.
+# If this parameter is not set, we we will try to compute it from the
+# s3_store_host.
+#
+# Possible values:
+#     * A valid region name
+#
+# Related Options:
+#     * s3_store_host
+#
+#  (string value)
+#s3_store_region_name =
+
 #
 # The S3 query token access key.
 #
@ -3941,6 +3936,22 @@
 #  (string value)
 #s3_store_host = <None>

+#
+# The S3 region name.
+#
+# This parameter will set the region_name used by boto.
+# If this parameter is not set, we we will try to compute it from the
+# s3_store_host.
+#
+# Possible values:
+#     * A valid region name
+#
+# Related Options:
+#     * s3_store_host
+#
+#  (string value)
+#s3_store_region_name =
+
 #
 # The S3 query token access key.
 #
@ -4872,6 +4883,14 @@
 # Deprecated group/name - [DEFAULT]/disk_formats
 #disk_formats = ami,ari,aki,vhd,vhdx,vmdk,raw,qcow2,vdi,iso,ploop

+# A list of strings describing allowed VMDK 'create-type' subformats that will
+# be allowed. This is recommended to only include single-file-with-sparse-header
+# variants to avoid potential host file exposure due to processing named
+# extents. If this list is empty, then no VDMK image types allowed. Note that
+# this is currently only checked during image conversion (if enabled), and
+# limits the types of VMDK images we will convert from. (list value)
+#vmdk_allowed_types = streamOptimized,monolithicSparse
+

 [key_manager]

@ -5761,7 +5780,7 @@
 # ``InvalidScope`` exception will be raised. If ``False``, a message will be
 # logged informing operators that policies are being invoked with mismatching
 # scope. (boolean value)
-#enforce_scope = false
+#enforce_scope = true

 # This option controls whether or not to use old deprecated defaults when
 # evaluating policies. If ``True``, the old deprecated defaults are not going to
@ -5772,7 +5791,7 @@
 # deprecated policy check string is logically OR'd with the new policy check
 # string, allowing for a graceful upgrade experience between releases with new
 # policies, which is the default behavior. (boolean value)
-#enforce_new_defaults = false
+#enforce_new_defaults = true

 # The relative or absolute path of a file that maps roles to permissions for a
 # given service. Relative paths must be specified in relation to the
--- a/etc/glance-cache.conf
+++ b/etc/glance-cache.conf
@ -429,32 +429,6 @@
 #         * [DEFAULT]/node_staging_uri (list value)
 #enabled_import_methods = [glance-direct,web-download,copy-image]

-# DEPRECATED:
-# Enforce API access based on common persona definitions used across OpenStack.
-# Enabling this option formalizes project-specific read/write operations, like
-# creating private images or updating the status of shared image, behind the
-# `member` role. It also formalizes a read-only variant useful for
-# project-specific API operations, like listing private images in a project,
-# behind the `reader` role.
-#
-# Operators should take an opportunity to understand glance's new image
-# policies,
-# audit assignments in their deployment, and update permissions using the
-# default
-# roles in keystone (e.g., `admin`, `member`, and `reader`).
-#
-# Related options:
-#     * [oslo_policy]/enforce_new_defaults
-#  (boolean value)
-# This option is deprecated for removal since Wallaby.
-# Its value may be silently ignored in the future.
-# Reason:
-# This option has been introduced to require operators to opt into enforcing
-# authorization based on common RBAC personas, which is EXPERIMENTAL as of the
-# Wallaby release. This behavior will be the default and STABLE in a future
-# release, allowing this option to be removed.
-#enforce_secure_rbac = false
-
 #
 # The URL to this worker.
 #
@ -1557,6 +1531,22 @@
 #  (string value)
 #s3_store_host = <None>

+#
+# The S3 region name.
+#
+# This parameter will set the region_name used by boto.
+# If this parameter is not set, we we will try to compute it from the
+# s3_store_host.
+#
+# Possible values:
+#     * A valid region name
+#
+# Related Options:
+#     * s3_store_host
+#
+#  (string value)
+#s3_store_region_name =
+
 #
 # The S3 query token access key.
 #
@ -2468,7 +2458,7 @@
 # ``InvalidScope`` exception will be raised. If ``False``, a message will be
 # logged informing operators that policies are being invoked with mismatching
 # scope. (boolean value)
-#enforce_scope = false
+#enforce_scope = true

 # This option controls whether or not to use old deprecated defaults when
 # evaluating policies. If ``True``, the old deprecated defaults are not going to
@ -2479,7 +2469,7 @@
 # deprecated policy check string is logically OR'd with the new policy check
 # string, allowing for a graceful upgrade experience between releases with new
 # policies, which is the default behavior. (boolean value)
-#enforce_new_defaults = false
+#enforce_new_defaults = true

 # The relative or absolute path of a file that maps roles to permissions for a
 # given service. Relative paths must be specified in relation to the
--- a/etc/glance-manage.conf
+++ b/etc/glance-manage.conf
@ -178,6 +178,11 @@
 # (string value)
 #mysql_sql_mode = TRADITIONAL

+# For Galera only, configure wsrep_sync_wait causality checks on new
+# connections.  Default is None, meaning don't configure any setting. (integer
+# value)
+#mysql_wsrep_sync_wait = <None>
+
 # DEPRECATED: If True, transparently enables support for handling MySQL Cluster
 # (NDB). (boolean value)
 # This option is deprecated for removal since 12.1.0.
--- a/etc/glance-scrubber.conf
+++ b/etc/glance-scrubber.conf
@ -429,32 +429,6 @@
 #         * [DEFAULT]/node_staging_uri (list value)
 #enabled_import_methods = [glance-direct,web-download,copy-image]

-# DEPRECATED:
-# Enforce API access based on common persona definitions used across OpenStack.
-# Enabling this option formalizes project-specific read/write operations, like
-# creating private images or updating the status of shared image, behind the
-# `member` role. It also formalizes a read-only variant useful for
-# project-specific API operations, like listing private images in a project,
-# behind the `reader` role.
-#
-# Operators should take an opportunity to understand glance's new image
-# policies,
-# audit assignments in their deployment, and update permissions using the
-# default
-# roles in keystone (e.g., `admin`, `member`, and `reader`).
-#
-# Related options:
-#     * [oslo_policy]/enforce_new_defaults
-#  (boolean value)
-# This option is deprecated for removal since Wallaby.
-# Its value may be silently ignored in the future.
-# Reason:
-# This option has been introduced to require operators to opt into enforcing
-# authorization based on common RBAC personas, which is EXPERIMENTAL as of the
-# Wallaby release. This behavior will be the default and STABLE in a future
-# release, allowing this option to be removed.
-#enforce_secure_rbac = false
-
 #
 # The URL to this worker.
 #
@ -789,6 +763,11 @@
 # (string value)
 #mysql_sql_mode = TRADITIONAL

+# For Galera only, configure wsrep_sync_wait causality checks on new
+# connections.  Default is None, meaning don't configure any setting. (integer
+# value)
+#mysql_wsrep_sync_wait = <None>
+
 # DEPRECATED: If True, transparently enables support for handling MySQL Cluster
 # (NDB). (boolean value)
 # This option is deprecated for removal since 12.1.0.
@ -1654,6 +1633,22 @@
 #  (string value)
 #s3_store_host = <None>

+#
+# The S3 region name.
+#
+# This parameter will set the region_name used by boto.
+# If this parameter is not set, we we will try to compute it from the
+# s3_store_host.
+#
+# Possible values:
+#     * A valid region name
+#
+# Related Options:
+#     * s3_store_host
+#
+#  (string value)
+#s3_store_region_name =
+
 #
 # The S3 query token access key.
 #
@ -2581,7 +2576,7 @@
 # ``InvalidScope`` exception will be raised. If ``False``, a message will be
 # logged informing operators that policies are being invoked with mismatching
 # scope. (boolean value)
-#enforce_scope = false
+#enforce_scope = true

 # This option controls whether or not to use old deprecated defaults when
 # evaluating policies. If ``True``, the old deprecated defaults are not going to
@ -2592,7 +2587,7 @@
 # deprecated policy check string is logically OR'd with the new policy check
 # string, allowing for a graceful upgrade experience between releases with new
 # policies, which is the default behavior. (boolean value)
-#enforce_new_defaults = false
+#enforce_new_defaults = true

 # The relative or absolute path of a file that maps roles to permissions for a
 # given service. Relative paths must be specified in relation to the