Allow operators to set a different (presumably looser) policy on PATCH
updates that don't make any changes to the stack, but just retrigger a
new update traversal (that will result in e.g. replacing any unhealthy
resources).
Change-Id: Id29e7ec7f6cf127177ea7ab29127b0568afaa18b
Task: 37305
We received a huge amount of warnings during service start.
Most about stop using `deprecated_reason` and `deprecated_since` by
`policy.DocumentedRuleDefault` directly. And should use them under
`policy.DeprecatedRule` instead.
This patch applies the above suggestion.
Also bump oslo.policy lower-constraints and requirements to `3.7.0` to alias
policy behavior.
Story: 2008707
Task: 42041
Change-Id: Iefcfc30a051fe25ccc5121c7ddb817e8c271fcb6
When swift and zaqar used for software_config_transport
are removed/disabled in the deployment, we should be
able to delete Server/DeployedServer resources.
Change-Id: I4c9e0729f338de67b4b598fcd0e72646289d5025
Task: 2008685
This commit updates default policies to account for system scope
and default roles. This is part of a broader change to provide a
consistent and secure authorization experience across OpenStack
projects.
- Introduces basic/reusable check strings in base.py
- Implements secure RBAC for build info API
- Implements secure RBAC for the action API
- Implements secure RBAC for cloud formations
- Implements secure RBAC for events
- Implements secure RBAC for the resource API
- Implements secure RBAC for the service API
- Implements secure RBAC for software configs
- Implements secure RBAC for software deployments
- Implements secure RBAC for stacks
- Adds unit tests for legacy and new secure-rbac policies.
Change-Id: Iff1e39481ea3b1f00bd89dba4a00aed30334ecec
Allow following db configs when calling wrap_db_retry:
* database.db_max_retries
* database.db_retry_interval
* database.db_inc_retry_interval
* database.db_max_retry_interval
So database config can now control db retries.
Please reference [1] for what each config option can do.
[1] https://opendev.org/openstack/oslo.db/src/branch/master/oslo_db/options.py
Change-Id: I034625733c2d22f0f5635f58e9df3d5785e58cf5
The server.addresses (/servers/{server_id}/ips)
endpoint can contain stale data causing attribute
lookups to fail.
This change replaces the use of server.addresses
and instead uses the neutron client to list ports
with 'device_id' matching the server id.
Story: 2008632
Task: 41843
Related: RHBZ#1902230
Change-Id: I1b9293041f2ad92eac0e9bc9646e7b2d7c6f7fd0
With SQLAlchemy 1.3.23 constraint.copy() fails with error[0].
This seems like a regression after[1].
This patch fixes the issue by providing the ``target_table``
argument to c.copy().
[0] http://paste.openstack.org/show/802486
[1] 7dd3381edb
Change-Id: Ia25b8443bbe576f73fb7debe54f307deadf34e04
Signed-off-by: Kevin Carter <kecarter@redhat.com>
Earlier when changing software config transport we used to
create a dummy deployment to push the metadata. However
this would not work with convergence as we take
resource lock for the update which updates the config
transport (another engine would try to update the resource
metadata for deployment when one engine has locked it).
Currently it works when updating transport as we ignore
the error in creating dummy deployment, but if there are
any new deployments for the server they would fail.
We don't need to push the metadata as it would be pushed
when there is a new/updated deployment.
Few additional changes in the patch:
- We don't need to ignore the error as servers are now
not replaced if the resource is in ERROR when nova server
is good/ACTIVE.
- Delete the existing tempurls and zaqar queues when
changing transport.
Task: 41744
Change-Id: Id592b29df36320d8697bd370252ada02612ba7d0
The abstract base classes previously defined in 'collections' were moved
to 'collections.abc' in 3.3. The aliases will be removed in 3.10.
Preempt this change now with a simple find-replace:
$ ag -l 'collections.($TYPES)' | \
xargs sed -i 's/\(collections\)\.\($TYPES\)/\1.abc.\2/g'
Where $TYPES is the list of moved ABCs from [1].
[1] https://docs.python.org/3/library/collections.abc.html
Change-Id: Ia282479bb1d466bd2189ebb21b51d91e89b9581e
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
The broader OpenStack community is working towards implementing secure
RBAC, which is a common set of personas (role and scope permutations)
that deliver the most common asks for custom policies. It also addresses
long-standing issues with tenancy and enforce scope checking.
This commit updates the requirements for oslo.log, oslo.context,
oslo.i18n, oslo.policy, oslo.serialization and keystonemiddleware, which
are necessary for implementing this work. Subsequent patches will go
through and update the default policies.
Change-Id: Ib28f1b333f032b8c9f960a2510e4d23487541631
- Remove B322 bandit from exclusions
- Fix tests for db resource update exposed by SQLAlchemy>=1.3.21
Change-Id: I18efbbbe211a42325a946f5ca74b4e26bfb3316e
New pip version is quite strict and does not allow conflicting
minimum version deps in lower-constraints.
Change-Id: Ie524c54e3b982bc6b0786c875d34d177444ec6fc
Fedora 31 was retired and the image is gone from mirrors.
heat-cfntools have been dropped from fedora images, disable
the test till that's resolved.
Also makes grenade job non-voting, till this is backported
to stable/victoria.
Change-Id: Id869f83a46454897c2fe7a532eebfa2863befe5e
UPPER_CONSTRAINTS_FILE is the old name and is deprecated.
This allows using the upper-constraints file in a more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.
Change-Id: I68d6faca20e5d8f1523dbd9f3e4f077a2680aa18