From dbab6640398013dd2dfa2cad2bede365309d4fb0 Mon Sep 17 00:00:00 2001 From: Abhishek Kekane Date: Mon, 8 Mar 2021 08:59:50 +0000 Subject: [PATCH] Refresh Glance example configs for Wallaby milestone 3 Change-Id: Ifc957de2bcf4d22c1b7cba31ce2b467df9d5aa85 --- etc/glance-api.conf | 121 ++++++++++++++++++++++++--------------- etc/glance-cache.conf | 51 ++++++++++++++++- etc/glance-scrubber.conf | 51 ++++++++++++++++- 3 files changed, 173 insertions(+), 50 deletions(-) diff --git a/etc/glance-api.conf b/etc/glance-api.conf index 1cee9b815c..ee6ed798ad 100644 --- a/etc/glance-api.conf +++ b/etc/glance-api.conf @@ -4,38 +4,6 @@ # From glance.api # -# DEPRECATED: -# Role used to identify an authenticated user as administrator. -# -# Provide a string value representing a Keystone role to identify an -# administrative user. Users with this role will be granted -# administrative privileges. -# -# NOTE: The default value for this option has changed in this release. -# -# Possible values: -# * A string value which is a valid Keystone role -# -# Related options: -# * None -# -# (string value) -# This option is deprecated for removal since Ussuri. -# Its value may be silently ignored in the future. -# Reason: -# This option is redundant as its goal can be achieved via policy file -# configuration. Additionally, it can override any configured policies, -# leading to unexpected behavior and difficulty in policy configuration. -# The option will be removed early in the Victoria development cycle, -# following the standard OpenStack deprecation policy. -# -# Because this can be a security issue, the default value of this -# configuration option has been changed in this release. -# -# Please see the 'Deprecation Notes' section of the Ussuri Glance -# Release Notes for more information. -#admin_role = __NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c_NOT_A_ROLE__ - # # Allow limited access to unauthenticated users. # @@ -502,6 +470,53 @@ # * [DEFAULT]/node_staging_uri (list value) #enabled_import_methods = [glance-direct,web-download,copy-image] +# DEPRECATED: +# Enforce API access based on common persona definitions used across OpenStack. +# Enabling this option formalizes project-specific read/write operations, like +# creating private images or updating the status of shared image, behind the +# `member` role. It also formalizes a read-only variant useful for +# project-specific API operations, like listing private images in a project, +# behind the `reader` role. +# +# Operators should take an opportunity to understand glance's new image +# policies, +# audit assignments in their deployment, and update permissions using the +# default +# roles in keystone (e.g., `admin`, `member`, and `reader`). +# +# Related options: +# * [oslo_policy]/enforce_new_defaults +# (boolean value) +# This option is deprecated for removal since Wallaby. +# Its value may be silently ignored in the future. +# Reason: +# This option has been introduced to require operators to opt into enforcing +# authorization based on common RBAC personas, which is EXPERIMENTAL as of the +# Wallaby release. This behavior will be the default and STABLE in a future +# release, allowing this option to be removed. +#enforce_secure_rbac = false + +# +# The URL to this worker. +# +# If this is set, other glance workers will know how to contact this one +# directly if needed. For image import, a single worker stages the image +# and other workers need to be able to proxy the import request to the +# right one. +# +# If unset, this will be considered to be `public_endpoint`, which +# normally would be set to the same value on all workers, effectively +# disabling the proxying behavior. +# +# Possible values: +# * A URL by which this worker is reachable from other workers +# +# Related options: +# * public_endpoint +# +# (string value) +#worker_self_reference_url = + # # Strategy to determine the preference order of image locations. # @@ -568,7 +583,7 @@ # contain a comma separated list of user roles indicating # permissions for each of the CRUD operations on each property # being protected. If set to ``policies``, a policy defined in -# policy.json is used to express property protections for each +# policy.yaml is used to express property protections for each # of the CRUD operations. Examples of how property protections # are enforced based on ``roles`` or ``policies`` can be found at: # https://docs.openstack.org/glance/latest/admin/property- @@ -1190,6 +1205,7 @@ # # Size of RPC connection pool. (integer value) +# Minimum value: 1 #rpc_conn_pool_size = 30 # The pool size limit for connections expiration policy (integer value) @@ -1223,6 +1239,10 @@ # exchange name specified in the transport_url option. (string value) #control_exchange = openstack +# Add an endpoint to answer to ping calls. Endpoint is named +# oslo_rpc_server_ping (boolean value) +#rpc_ping_enabled = false + [cinder] @@ -1257,7 +1277,7 @@ # * cinder_store_password # # (string value) -#cinder_catalog_info = volumev2::publicURL +#cinder_catalog_info = volumev3::publicURL # # Override service catalog lookup with template for cinder endpoint. @@ -3097,7 +3117,7 @@ # * cinder_store_password # # (string value) -#cinder_catalog_info = volumev2::publicURL +#cinder_catalog_info = volumev3::publicURL # # Override service catalog lookup with template for cinder endpoint. @@ -5131,12 +5151,15 @@ # Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_ca_certs #ssl_ca_file = -# EXPERIMENTAL: Run the health check heartbeat thread through a native python -# thread. By default if this option isn't provided the health check heartbeat -# will inherit the execution model from the parent process. By example if the -# parent process have monkey patched the stdlib by using eventlet/greenlet then -# the heartbeat will be run through a green thread. (boolean value) -#heartbeat_in_pthread = false +# DEPRECATED: Run the health check heartbeat thread through a native python +# thread by default. If this option is equal to False then the health check +# heartbeat will inherit the execution model from the parent process. For +# example if the parent process has monkey patched the stdlib by using +# eventlet/greenlet then the heartbeat will be run through a green thread. +# (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#heartbeat_in_pthread = true # How long to wait before reconnecting in response to an AMQP consumer cancel # notification. (floating point value) @@ -5203,10 +5226,16 @@ # (integer value) #heartbeat_rate = 2 -# Enable/Disable the RabbitMQ mandatory flag for direct send. The direct send is -# used as reply, so the MessageUndeliverable exception is raised in case the -# client queue does not exist. (integer value) -#direct_mandatory_flag = True +# DEPRECATED: (DEPRECATED) Enable/Disable the RabbitMQ mandatory flag for direct +# send. The direct send is used as reply, so the MessageUndeliverable exception +# is raised in case the client queue does not exist.MessageUndeliverable +# exception will be used to loop for a timeout to lets a chance to sender to +# recover.This flag is deprecated and it will not be possible to deactivate this +# functionality anymore (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Mandatory flag no longer deactivable. +#direct_mandatory_flag = true # Enable x-cancel-on-ha-failover flag so that rabbitmq server will cancel and # notify consumerswhen queue is down (boolean value) @@ -5249,7 +5278,7 @@ # The relative or absolute path of a file that maps roles to permissions for a # given service. Relative paths must be specified in relation to the # configuration file setting this option. (string value) -#policy_file = policy.json +#policy_file = policy.yaml # Default rule. Enforced when a requested rule is not found. (string value) #policy_default_rule = default diff --git a/etc/glance-cache.conf b/etc/glance-cache.conf index 6fde039169..b32124072e 100644 --- a/etc/glance-cache.conf +++ b/etc/glance-cache.conf @@ -412,6 +412,53 @@ # * [DEFAULT]/node_staging_uri (list value) #enabled_import_methods = [glance-direct,web-download,copy-image] +# DEPRECATED: +# Enforce API access based on common persona definitions used across OpenStack. +# Enabling this option formalizes project-specific read/write operations, like +# creating private images or updating the status of shared image, behind the +# `member` role. It also formalizes a read-only variant useful for +# project-specific API operations, like listing private images in a project, +# behind the `reader` role. +# +# Operators should take an opportunity to understand glance's new image +# policies, +# audit assignments in their deployment, and update permissions using the +# default +# roles in keystone (e.g., `admin`, `member`, and `reader`). +# +# Related options: +# * [oslo_policy]/enforce_new_defaults +# (boolean value) +# This option is deprecated for removal since Wallaby. +# Its value may be silently ignored in the future. +# Reason: +# This option has been introduced to require operators to opt into enforcing +# authorization based on common RBAC personas, which is EXPERIMENTAL as of the +# Wallaby release. This behavior will be the default and STABLE in a future +# release, allowing this option to be removed. +#enforce_secure_rbac = false + +# +# The URL to this worker. +# +# If this is set, other glance workers will know how to contact this one +# directly if needed. For image import, a single worker stages the image +# and other workers need to be able to proxy the import request to the +# right one. +# +# If unset, this will be considered to be `public_endpoint`, which +# normally would be set to the same value on all workers, effectively +# disabling the proxying behavior. +# +# Possible values: +# * A URL by which this worker is reachable from other workers +# +# Related options: +# * public_endpoint +# +# (string value) +#worker_self_reference_url = + # # The relative path to sqlite file database that will be used for image cache # management. @@ -818,7 +865,7 @@ # * cinder_store_password # # (string value) -#cinder_catalog_info = volumev2::publicURL +#cinder_catalog_info = volumev3::publicURL # # Override service catalog lookup with template for cinder endpoint. @@ -2356,7 +2403,7 @@ # The relative or absolute path of a file that maps roles to permissions for a # given service. Relative paths must be specified in relation to the # configuration file setting this option. (string value) -#policy_file = policy.json +#policy_file = policy.yaml # Default rule. Enforced when a requested rule is not found. (string value) #policy_default_rule = default diff --git a/etc/glance-scrubber.conf b/etc/glance-scrubber.conf index 72849e5ba0..d460c8367a 100644 --- a/etc/glance-scrubber.conf +++ b/etc/glance-scrubber.conf @@ -412,6 +412,53 @@ # * [DEFAULT]/node_staging_uri (list value) #enabled_import_methods = [glance-direct,web-download,copy-image] +# DEPRECATED: +# Enforce API access based on common persona definitions used across OpenStack. +# Enabling this option formalizes project-specific read/write operations, like +# creating private images or updating the status of shared image, behind the +# `member` role. It also formalizes a read-only variant useful for +# project-specific API operations, like listing private images in a project, +# behind the `reader` role. +# +# Operators should take an opportunity to understand glance's new image +# policies, +# audit assignments in their deployment, and update permissions using the +# default +# roles in keystone (e.g., `admin`, `member`, and `reader`). +# +# Related options: +# * [oslo_policy]/enforce_new_defaults +# (boolean value) +# This option is deprecated for removal since Wallaby. +# Its value may be silently ignored in the future. +# Reason: +# This option has been introduced to require operators to opt into enforcing +# authorization based on common RBAC personas, which is EXPERIMENTAL as of the +# Wallaby release. This behavior will be the default and STABLE in a future +# release, allowing this option to be removed. +#enforce_secure_rbac = false + +# +# The URL to this worker. +# +# If this is set, other glance workers will know how to contact this one +# directly if needed. For image import, a single worker stages the image +# and other workers need to be able to proxy the import request to the +# right one. +# +# If unset, this will be considered to be `public_endpoint`, which +# normally would be set to the same value on all workers, effectively +# disabling the proxying behavior. +# +# Possible values: +# * A URL by which this worker is reachable from other workers +# +# Related options: +# * public_endpoint +# +# (string value) +#worker_self_reference_url = + # # The amount of time, in seconds, to delay image scrubbing. # @@ -927,7 +974,7 @@ # * cinder_store_password # # (string value) -#cinder_catalog_info = volumev2::publicURL +#cinder_catalog_info = volumev3::publicURL # # Override service catalog lookup with template for cinder endpoint. @@ -2481,7 +2528,7 @@ # The relative or absolute path of a file that maps roles to permissions for a # given service. Relative paths must be specified in relation to the # configuration file setting this option. (string value) -#policy_file = policy.json +#policy_file = policy.yaml # Default rule. Enforced when a requested rule is not found. (string value) #policy_default_rule = default