diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index a23283aa1..b5dec4fa3 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -78,7 +78,8 @@ Run the service with:: .tox/py27/bin/ironic-inspector --config-file example.conf Of course you may have to modify ``example.conf`` to match your OpenStack -environment. +environment. See the `install guide <../install#sample-configuration-files>`_ +for information on generating or downloading an example configuration file. You can develop and test **ironic-inspector** using DevStack - see `Deploying Ironic Inspector with DevStack`_ for the current status. diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 3b7ad9c83..68c249e97 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -252,7 +252,9 @@ function configure_inspector { create_service_user "$IRONIC_INSPECTOR_ADMIN_USER" "admin" - cp "$IRONIC_INSPECTOR_DIR/example.conf" "$IRONIC_INSPECTOR_CONF_FILE" + # start with a fresh config file + rm -f "$IRONIC_INSPECTOR_CONF_FILE" + inspector_iniset DEFAULT debug $IRONIC_INSPECTOR_DEBUG inspector_configure_auth_for ironic configure_auth_token_middleware $IRONIC_INSPECTOR_CONF_FILE $IRONIC_INSPECTOR_ADMIN_USER $IRONIC_INSPECTOR_AUTH_CACHE_DIR/api diff --git a/doc/source/install/index.rst b/doc/source/install/index.rst index 2aa473eb8..052ae692b 100644 --- a/doc/source/install/index.rst +++ b/doc/source/install/index.rst 
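Review bot: After `rm -f "$IRONIC_INSPECTOR_CONF_FILE"` nothing creates the file explicitly, so it now comes into existence on the first `inspector_iniset` write with whatever mode that helper and the current umask yield, and it is then populated with the service user's credentials by `configure_auth_token_middleware`; the install-guide hunk in this same change states the file contains a password and should be root-owned with restricted permissions. Creating it deliberately keeps that promise in DevStack too, e.g. `rm -f "$IRONIC_INSPECTOR_CONF_FILE"` followed by `(umask 077 && touch "$IRONIC_INSPECTOR_CONF_FILE")`, which yields a 0600 file the invoking user can still write to. This presumes `inspector_iniset` appends to or creates a missing file rather than failing on it — confirm against the helper. The enclosing `configure_inspector` function begins before and continues after this hunk.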
@@ -55,10 +55,29 @@ Ocata+ 5.0 - 5.X 5.0 - 5.X ``3.X`` means there are no specific plans to deprecate support for this ironic version. This does not imply that it will be supported forever. +Sample Configuration Files +-------------------------- + +To generate a sample configuration file, run the following command from the +top level of the code tree:: + + tox -egenconfig + +For a pre-generated sample configuration file, see +:doc:`/configuration/sample-config`. + +To generate a sample policy file, run the following command from the +top level of the code tree:: + + tox -egenpolicy + +For a pre-generated sample configuration file, see +:doc:`/configuration/sample-policy`. + Configuration ------------- -Copy ``example.conf`` to some permanent place +Copy the sample configuration files to some permanent place (e.g. ``/etc/ironic-inspector/inspector.conf``). Fill in these minimum configuration values: @@ -79,9 +98,8 @@ Fill in these minimum configuration values: * if you wish to use the ``dnsmasq`` PXE/DHCP filter driver rather than the default ``iptables`` driver, see the :ref:`dnsmasq_pxe_filter` description. -See comments inside `example.conf -`_ -for other possible configuration options. +See comments inside :doc:`the sample configuration +` for other possible configuration options. .. note:: Configuration file contains a password and thus should be owned by ``root`` diff --git a/doc/source/user/workflow.rst b/doc/source/user/workflow.rst index 8030a8d08..542b3a066 100644 --- a/doc/source/user/workflow.rst +++ b/doc/source/user/workflow.rst 
@@ -37,7 +37,8 @@ Usual hardware introspection flow is as follows: NIC's found on the node. **ironic-inspector** is also capable of deleting ports that should not be present. There are two important configuration options that affect this behavior: ``add_ports`` and - ``keep_ports`` (please refer to ``example.conf`` for detailed explanation). + ``keep_ports`` (please refer to :doc:`the sample configuration file + ` for a detailed explanation). Default values as of **ironic-inspector** 1.1.0 are ``add_ports=pxe``, ``keep_ports=all``, which means that only one port will be added, which is diff --git a/example.conf b/example.conf deleted file mode 100644 index 60dd06b4e..000000000 --- a/example.conf +++ /dev/null 
@@ -1,1097 +0,0 @@ -[DEFAULT] - -# -# From ironic_inspector -# - -# IP to listen on. (string value) -#listen_address = 0.0.0.0 - -# Port to listen on. (port value) -# Minimum value: 0 -# Maximum value: 65535 -#listen_port = 5050 - -# Authentication method used on the ironic-inspector API. Either -# "noauth" or "keystone" are currently valid options. "noauth" will -# disable all authentication. (string value) -# Possible values: -# keystone - -# noauth - -#auth_strategy = keystone - -# Timeout after which introspection is considered failed, set to 0 to -# disable. (integer value) -#timeout = 3600 - -# DEPRECATED: For how much time (in seconds) to keep status -# information about nodes after introspection was finished for them. -# Set to 0 (the default) to disable the timeout. (integer value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#node_status_keep_time = 0 - -# Amount of time in seconds, after which repeat clean up of timed out -# nodes and old nodes status information. (integer value) -#clean_up_period = 60 - -# SSL Enabled/Disabled (boolean value) -#use_ssl = false - -# Path to SSL certificate (string value) -#ssl_cert_path = - -# Path to SSL key (string value) -#ssl_key_path = - -# The green thread pool size. (integer value) -# Minimum value: 2 -#max_concurrency = 1000 - -# Delay (in seconds) between two introspections. (integer value) -#introspection_delay = 5 - -# Ironic driver_info fields that are equivalent to ipmi_address. (list -# value) -#ipmi_address_fields = ilo_address,drac_host,drac_address,cimc_address - -# Path to the rootwrap configuration file to use for running commands -# as root (string value) -#rootwrap_config = /etc/ironic-inspector/rootwrap.conf - -# Limit the number of elements an API list-call returns (integer -# value) -# Minimum value: 1 -#api_max_limit = 1000 - -# -# From oslo.log -# - -# If set to true, the logging level will be set to DEBUG instead of -# the default INFO level. 
(boolean value) -# Note: This option can be changed without restarting. -#debug = false - -# The name of a logging configuration file. This file is appended to -# any existing logging configuration files. For details about logging -# configuration files, see the Python logging module documentation. -# Note that when logging configuration files are used then all logging -# configuration is set in the configuration file and other logging -# configuration options are ignored (for example, -# logging_context_format_string). (string value) -# Note: This option can be changed without restarting. -# Deprecated group/name - [DEFAULT]/log_config -#log_config_append = - -# Defines the format string for %%(asctime)s in log records. Default: -# %(default)s . This option is ignored if log_config_append is set. -# (string value) -#log_date_format = %Y-%m-%d %H:%M:%S - -# (Optional) Name of log file to send logging output to. If no default -# is set, logging will go to stderr as defined by use_stderr. This -# option is ignored if log_config_append is set. (string value) -# Deprecated group/name - [DEFAULT]/logfile -#log_file = - -# (Optional) The base directory used for relative log_file paths. -# This option is ignored if log_config_append is set. (string value) -# Deprecated group/name - [DEFAULT]/logdir -#log_dir = - -# Uses logging handler designed to watch file system. When log file is -# moved or removed this handler will open a new log file with -# specified path instantaneously. It makes sense only if log_file -# option is specified and Linux platform is used. This option is -# ignored if log_config_append is set. (boolean value) -#watch_log_file = false - -# Use syslog for logging. Existing syslog format is DEPRECATED and -# will be changed later to honor RFC5424. This option is ignored if -# log_config_append is set. (boolean value) -#use_syslog = false - -# Enable journald for logging. If running in a systemd environment you -# may wish to enable journal support. 
Doing so will use the journal -# native protocol which includes structured metadata in addition to -# log messages.This option is ignored if log_config_append is set. -# (boolean value) -#use_journal = false - -# Syslog facility to receive log lines. This option is ignored if -# log_config_append is set. (string value) -#syslog_log_facility = LOG_USER - -# Use JSON formatting for logging. This option is ignored if -# log_config_append is set. (boolean value) -#use_json = false - -# Log output to standard error. This option is ignored if -# log_config_append is set. (boolean value) -#use_stderr = false - -# Format string to use for log messages with context. (string value) -#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s - -# Format string to use for log messages when context is undefined. -# (string value) -#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s - -# Additional data to append to log message when logging level for the -# message is DEBUG. (string value) -#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d - -# Prefix each line of exception output with this format. (string -# value) -#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s - -# Defines the format string for %(user_identity)s that is used in -# logging_context_format_string. (string value) -#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s - -# List of package logging levels in logger=LEVEL pairs. This option is -# ignored if log_config_append is set. (list value) -#default_log_levels = sqlalchemy=WARNING,iso8601=WARNING,requests=WARNING,urllib3.connectionpool=WARNING,keystonemiddleware=WARNING,swiftclient=WARNING,keystoneauth=WARNING,ironicclient=WARNING - -# Enables or disables publication of error events. 
(boolean value) -#publish_errors = false - -# The format for an instance that is passed with the log message. -# (string value) -#instance_format = "[instance: %(uuid)s] " - -# The format for an instance UUID that is passed with the log message. -# (string value) -#instance_uuid_format = "[instance: %(uuid)s] " - -# Interval, number of seconds, of log rate limiting. (integer value) -#rate_limit_interval = 0 - -# Maximum number of logged messages per rate_limit_interval. (integer -# value) -#rate_limit_burst = 0 - -# Log level name used by rate limiting: CRITICAL, ERROR, INFO, -# WARNING, DEBUG or empty string. Logs with level greater or equal to -# rate_limit_except_level are not filtered. An empty string means that -# all levels are filtered. (string value) -#rate_limit_except_level = CRITICAL - -# Enables or disables fatal status of deprecations. (boolean value) -#fatal_deprecations = false - - -[capabilities] - -# -# From ironic_inspector -# - -# Whether to store the boot mode (BIOS or UEFI). (boolean value) -#boot_mode = false - -# Mapping between a CPU flag and a capability to set if this flag is -# present. (dict value) -#cpu_flags = aes:cpu_aes,pdpe1gb:cpu_hugepages_1g,pse:cpu_hugepages,smx:cpu_txt,svm:cpu_vt,vmx:cpu_vt - - -[cors] - -# -# From oslo.middleware.cors -# - -# Indicate whether this resource may be shared with the domain -# received in the requests "origin" header. Format: -# "://[:]", no trailing slash. Example: -# https://horizon.example.com (list value) -#allowed_origin = - -# Indicate that the actual request can include user credentials -# (boolean value) -#allow_credentials = true - -# Indicate which headers are safe to expose to the API. Defaults to -# HTTP Simple Headers. (list value) -#expose_headers = - -# Maximum cache age of CORS preflight requests. (integer value) -#max_age = 3600 - -# Indicate which methods can be used during the actual request. 
(list -# value) -#allow_methods = GET,POST,PUT,HEAD,PATCH,DELETE,OPTIONS - -# Indicate which header field names may be used during the actual -# request. (list value) -#allow_headers = X-Auth-Token,X-OpenStack-Ironic-Inspector-API-Minimum-Version,X-OpenStack-Ironic-Inspector-API-Maximum-Version,X-OpenStack-Ironic-Inspector-API-Version - - -[database] - -# -# From oslo.db -# - -# If True, SQLite uses synchronous mode. (boolean value) -#sqlite_synchronous = true - -# The back end to use for the database. (string value) -# Deprecated group/name - [DEFAULT]/db_backend -#backend = sqlalchemy - -# The SQLAlchemy connection string to use to connect to the database. -# (string value) -# Deprecated group/name - [DEFAULT]/sql_connection -# Deprecated group/name - [DATABASE]/sql_connection -# Deprecated group/name - [sql]/connection -#connection = - -# The SQLAlchemy connection string to use to connect to the slave -# database. (string value) -#slave_connection = - -# The SQL mode to be used for MySQL sessions. This option, including -# the default, overrides any server-set SQL mode. To use whatever SQL -# mode is set by the server configuration, set this to no value. -# Example: mysql_sql_mode= (string value) -#mysql_sql_mode = TRADITIONAL - -# If True, transparently enables support for handling MySQL Cluster -# (NDB). (boolean value) -#mysql_enable_ndb = false - -# Connections which have been present in the connection pool longer -# than this number of seconds will be replaced with a new one the next -# time they are checked out from the pool. (integer value) -# Deprecated group/name - [DATABASE]/idle_timeout -# Deprecated group/name - [database]/idle_timeout -# Deprecated group/name - [DEFAULT]/sql_idle_timeout -# Deprecated group/name - [DATABASE]/sql_idle_timeout -# Deprecated group/name - [sql]/idle_timeout -#connection_recycle_time = 3600 - -# Minimum number of SQL connections to keep open in a pool. 
(integer -# value) -# Deprecated group/name - [DEFAULT]/sql_min_pool_size -# Deprecated group/name - [DATABASE]/sql_min_pool_size -#min_pool_size = 1 - -# Maximum number of SQL connections to keep open in a pool. Setting a -# value of 0 indicates no limit. (integer value) -# Deprecated group/name - [DEFAULT]/sql_max_pool_size -# Deprecated group/name - [DATABASE]/sql_max_pool_size -#max_pool_size = 5 - -# Maximum number of database connection retries during startup. Set to -# -1 to specify an infinite retry count. (integer value) -# Deprecated group/name - [DEFAULT]/sql_max_retries -# Deprecated group/name - [DATABASE]/sql_max_retries -#max_retries = 10 - -# Interval between retries of opening a SQL connection. (integer -# value) -# Deprecated group/name - [DEFAULT]/sql_retry_interval -# Deprecated group/name - [DATABASE]/reconnect_interval -#retry_interval = 10 - -# If set, use this value for max_overflow with SQLAlchemy. (integer -# value) -# Deprecated group/name - [DEFAULT]/sql_max_overflow -# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow -#max_overflow = 50 - -# Verbosity of SQL debugging information: 0=None, 100=Everything. -# (integer value) -# Minimum value: 0 -# Maximum value: 100 -# Deprecated group/name - [DEFAULT]/sql_connection_debug -#connection_debug = 0 - -# Add Python stack traces to SQL as comment strings. (boolean value) -# Deprecated group/name - [DEFAULT]/sql_connection_trace -#connection_trace = false - -# If set, use this value for pool_timeout with SQLAlchemy. (integer -# value) -# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout -#pool_timeout = - -# Enable the experimental use of database reconnect on connection -# lost. (boolean value) -#use_db_reconnect = false - -# Seconds between retries of a database transaction. (integer value) -#db_retry_interval = 1 - -# If True, increases the interval between retries of a database -# operation up to db_max_retry_interval. 
(boolean value) -#db_inc_retry_interval = true - -# If db_inc_retry_interval is set, the maximum seconds between retries -# of a database operation. (integer value) -#db_max_retry_interval = 10 - -# Maximum retries in case of connection error or deadlock error before -# error is raised. Set to -1 to specify an infinite retry count. -# (integer value) -#db_max_retries = 20 - - -[discovery] - -# -# From ironic_inspector -# - -# The name of the Ironic driver used by the enroll hook when creating -# a new node in Ironic. (string value) -#enroll_node_driver = fake - - -[dnsmasq_pxe_filter] - -# -# From ironic_inspector -# - -# The MAC address cache directory, exposed to dnsmasq.This directory -# is expected to be in exclusive control of the driver. (string value) -#dhcp_hostsdir = /var/lib/ironic-inspector/dhcp-hostsdir - -# Purge the hostsdir upon driver initialization. Setting to false -# should only be performed when the deployment of inspector is such -# that there are multiple processes executing inside of the same host -# and namespace. In this case, the Operator is responsible for setting -# up a custom cleaning facility. (boolean value) -#purge_dhcp_hostsdir = true - -# A (shell) command line to start the dnsmasq service upon filter -# initialization. Default: don't start. (string value) -#dnsmasq_start_command = - -# A (shell) command line to stop the dnsmasq service upon inspector -# (error) exit. Default: don't stop. (string value) -#dnsmasq_stop_command = - - -[iptables] - -# -# From ironic_inspector -# - -# DEPRECATED: Whether to manage firewall rules for PXE port. This -# configuration option was deprecated in favor of the ``driver`` -# option in the ``pxe_filter`` section. Please, use the ``noop`` -# filter driver to disable the firewall filtering or the ``iptables`` -# filter driver to enable it. (boolean value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. 
-#manage_firewall = true - -# Interface on which dnsmasq listens, the default is for VM's. (string -# value) -#dnsmasq_interface = br-ctlplane - -# iptables chain name to use. (string value) -#firewall_chain = ironic-inspector - -# List of Etherent Over InfiniBand interfaces on the Inspector host -# which are used for physical access to the DHCP network. Multiple -# interfaces would be attached to a bond or bridge specified in -# dnsmasq_interface. The MACs of the InfiniBand nodes which are not in -# desired state are going to be blacklisted based on the list of -# neighbor MACs on these interfaces. (list value) -#ethoib_interfaces = - - -[ironic] - -# -# From ironic_inspector -# - -# Authentication URL (string value) -#auth_url = - -# DEPRECATED: Method to use for authentication: noauth or keystone. -# (string value) -# Possible values: -# keystone - -# noauth - -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use [ironic]/auth_type, for noauth case set -# [ironic]/auth_type to `none` and specify ironic API URL via -# [ironic]/endpoint_override option. -#auth_strategy = keystone - -# Authentication type to load (string value) -# Deprecated group/name - [ironic]/auth_plugin -#auth_type = - -# PEM encoded Certificate Authority to use when verifying HTTPs -# connections. (string value) -#cafile = - -# PEM encoded client certificate cert file (string value) -#certfile = - -# Optional domain ID to use with v3 and v2 parameters. It will be used -# for both the user and project domain in v3 and ignored in v2 -# authentication. (string value) -#default_domain_id = - -# Optional domain name to use with v3 API and v2 parameters. It will -# be used for both the user and project domain in v3 and ignored in v2 -# authentication. 
(string value) -#default_domain_name = - -# Domain ID to scope to (string value) -#domain_id = - -# Domain name to scope to (string value) -#domain_name = - -# Always use this endpoint URL for requests for this client. NOTE: The -# unversioned endpoint should be specified here; to request a -# particular API version, use the `version`, `min-version`, and/or -# `max-version` options. (string value) -#endpoint_override = - -# Verify HTTPS connections. (boolean value) -#insecure = false - -# DEPRECATED: Ironic API URL, used to set Ironic API URL when -# auth_strategy option is noauth or auth_type is "none" to work with -# standalone Ironic without keystone. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use [ironic]/endpoint_override option to set a specific -# ironic API url. -#ironic_url = http://localhost:6385/ - -# PEM encoded client certificate key file (string value) -#keyfile = - -# The maximum major version of a given API, intended to be used as the -# upper bound of a range with min_version. Mutually exclusive with -# version. (string value) -#max_version = - -# Maximum number of retries in case of conflict error (HTTP 409). -# (integer value) -#max_retries = 30 - -# The minimum major version of a given API, intended to be used as the -# lower bound of a range with max_version. Mutually exclusive with -# version. If min_version is given with no max_version it is as if max -# version is "latest". (string value) -#min_version = - -# DEPRECATED: Ironic endpoint type. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use [ironic]/valid_interfaces option to specify endpoint -# interfaces. -#os_endpoint_type = internalURL - -# DEPRECATED: Keystone region used to get Ironic endpoints. (string -# value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. 
-# Reason: Use [ironic]/region_name option instead to configure region. -#os_region = - -# DEPRECATED: Ironic service type. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use [ironic]/service_type option to set a specific type. -#os_service_type = baremetal - -# User's password (string value) -#password = - -# Domain ID containing project (string value) -#project_domain_id = - -# Domain name containing project (string value) -#project_domain_name = - -# Project ID to scope to (string value) -# Deprecated group/name - [ironic]/tenant_id -#project_id = - -# Project name to scope to (string value) -# Deprecated group/name - [ironic]/tenant_name -#project_name = - -# The default region_name for endpoint URL discovery. (string value) -#region_name = - -# Interval between retries in case of conflict error (HTTP 409). -# (integer value) -#retry_interval = 2 - -# The default service_name for endpoint URL discovery. (string value) -#service_name = - -# The default service_type for endpoint URL discovery. (string value) -#service_type = baremetal - -# Tenant ID (string value) -#tenant_id = - -# Tenant Name (string value) -#tenant_name = - -# Timeout value for http requests (integer value) -#timeout = - -# Trust ID (string value) -#trust_id = - -# User's domain id (string value) -#user_domain_id = - -# User's domain name (string value) -#user_domain_name = - -# User id (string value) -#user_id = - -# Username (string value) -# Deprecated group/name - [ironic]/user_name -#username = - -# List of interfaces, in order of preference, for endpoint URL. (list -# value) -#valid_interfaces = internal,public - -# Minimum Major API version within a given Major API version for -# endpoint URL discovery. Mutually exclusive with min_version and -# max_version (string value) -#version = - - -[keystone_authtoken] - -# -# From keystonemiddleware.auth_token -# - -# Complete "public" Identity API endpoint. 
This endpoint should not be -# an "admin" endpoint, as it should be accessible by all end users. -# Unauthenticated clients are redirected to this endpoint to -# authenticate. Although this endpoint should ideally be unversioned, -# client support in the wild varies. If you're using a versioned v2 -# endpoint here, then this should *not* be the same endpoint the -# service user utilizes for validating tokens, because normal end -# users may not be able to reach that endpoint. (string value) -# Deprecated group/name - [keystone_authtoken]/auth_uri -#www_authenticate_uri = - -# DEPRECATED: Complete "public" Identity API endpoint. This endpoint -# should not be an "admin" endpoint, as it should be accessible by all -# end users. Unauthenticated clients are redirected to this endpoint -# to authenticate. Although this endpoint should ideally be -# unversioned, client support in the wild varies. If you're using a -# versioned v2 endpoint here, then this should *not* be the same -# endpoint the service user utilizes for validating tokens, because -# normal end users may not be able to reach that endpoint. This option -# is deprecated in favor of www_authenticate_uri and will be removed -# in the S release. (string value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: The auth_uri option is deprecated in favor of -# www_authenticate_uri and will be removed in the S release. -#auth_uri = - -# API version of the admin Identity API endpoint. (string value) -#auth_version = - -# Do not handle authorization requests within the middleware, but -# delegate the authorization decision to downstream WSGI components. -# (boolean value) -#delay_auth_decision = false - -# Request timeout value for communicating with Identity API server. -# (integer value) -#http_connect_timeout = - -# How many times are we trying to reconnect when communicating with -# Identity API Server. 
(integer value) -#http_request_max_retries = 3 - -# Request environment key where the Swift cache object is stored. When -# auth_token middleware is deployed with a Swift cache, use this -# option to have the middleware share a caching backend with swift. -# Otherwise, use the ``memcached_servers`` option instead. (string -# value) -#cache = - -# Required if identity server requires client certificate (string -# value) -#certfile = - -# Required if identity server requires client certificate (string -# value) -#keyfile = - -# A PEM encoded Certificate Authority to use when verifying HTTPs -# connections. Defaults to system CAs. (string value) -#cafile = - -# Verify HTTPS connections. (boolean value) -#insecure = false - -# The region in which the identity server can be found. (string value) -#region_name = - -# DEPRECATED: Directory used to cache files related to PKI tokens. -# This option has been deprecated in the Ocata release and will be -# removed in the P release. (string value) -# This option is deprecated for removal since Ocata. -# Its value may be silently ignored in the future. -# Reason: PKI token format is no longer supported. -#signing_dir = - -# Optionally specify a list of memcached server(s) to use for caching. -# If left undefined, tokens will instead be cached in-process. (list -# value) -# Deprecated group/name - [keystone_authtoken]/memcache_servers -#memcached_servers = - -# In order to prevent excessive effort spent validating tokens, the -# middleware caches previously-seen tokens for a configurable duration -# (in seconds). Set to -1 to disable caching completely. (integer -# value) -#token_cache_time = 300 - -# DEPRECATED: Determines the frequency at which the list of revoked -# tokens is retrieved from the Identity service (in seconds). A high -# number of revocation events combined with a low cache duration may -# significantly reduce performance. Only valid for PKI tokens. 
This -# option has been deprecated in the Ocata release and will be removed -# in the P release. (integer value) -# This option is deprecated for removal since Ocata. -# Its value may be silently ignored in the future. -# Reason: PKI token format is no longer supported. -#revocation_cache_time = 10 - -# (Optional) If defined, indicate whether token data should be -# authenticated or authenticated and encrypted. If MAC, token data is -# authenticated (with HMAC) in the cache. If ENCRYPT, token data is -# encrypted and authenticated in the cache. If the value is not one of -# these options or empty, auth_token will raise an exception on -# initialization. (string value) -# Possible values: -# None - -# MAC - -# ENCRYPT - -#memcache_security_strategy = None - -# (Optional, mandatory if memcache_security_strategy is defined) This -# string is used for key derivation. (string value) -#memcache_secret_key = - -# (Optional) Number of seconds memcached server is considered dead -# before it is tried again. (integer value) -#memcache_pool_dead_retry = 300 - -# (Optional) Maximum total number of open connections to every -# memcached server. (integer value) -#memcache_pool_maxsize = 10 - -# (Optional) Socket timeout in seconds for communicating with a -# memcached server. (integer value) -#memcache_pool_socket_timeout = 3 - -# (Optional) Number of seconds a connection to memcached is held -# unused in the pool before it is closed. (integer value) -#memcache_pool_unused_timeout = 60 - -# (Optional) Number of seconds that an operation will wait to get a -# memcached client connection from the pool. (integer value) -#memcache_pool_conn_get_timeout = 10 - -# (Optional) Use the advanced (eventlet safe) memcached client pool. -# The advanced pool will only work under python 2.x. (boolean value) -#memcache_use_advanced_pool = false - -# (Optional) Indicate whether to set the X-Service-Catalog header. 
If -# False, middleware will not ask for service catalog on token -# validation and will not set the X-Service-Catalog header. (boolean -# value) -#include_service_catalog = true - -# Used to control the use and type of token binding. Can be set to: -# "disabled" to not check token binding. "permissive" (default) to -# validate binding information if the bind type is of a form known to -# the server and ignore it if not. "strict" like "permissive" but if -# the bind type is unknown the token will be rejected. "required" any -# form of token binding is needed to be allowed. Finally the name of a -# binding method that must be present in tokens. (string value) -#enforce_token_bind = permissive - -# DEPRECATED: If true, the revocation list will be checked for cached -# tokens. This requires that PKI tokens are configured on the identity -# server. (boolean value) -# This option is deprecated for removal since Ocata. -# Its value may be silently ignored in the future. -# Reason: PKI token format is no longer supported. -#check_revocations_for_cached = false - -# DEPRECATED: Hash algorithms to use for hashing PKI tokens. This may -# be a single algorithm or multiple. The algorithms are those -# supported by Python standard hashlib.new(). The hashes will be tried -# in the order given, so put the preferred one first for performance. -# The result of the first hash will be stored in the cache. This will -# typically be set to multiple values only while migrating from a less -# secure algorithm to a more secure one. Once all the old tokens are -# expired this option should be set to a single value for better -# performance. (list value) -# This option is deprecated for removal since Ocata. -# Its value may be silently ignored in the future. -# Reason: PKI token format is no longer supported. -#hash_algorithms = md5 - -# A choice of roles that must be present in a service token. 
Service -# tokens are allowed to request that an expired token can be used and -# so this check should tightly control that only actual services -# should be sending this token. Roles here are applied as an ANY check -# so any role in this list must be present. For backwards -# compatibility reasons this currently only affects the allow_expired -# check. (list value) -#service_token_roles = service - -# For backwards compatibility reasons we must let valid service tokens -# pass that don't pass the service_token_roles check as valid. Setting -# this true will become the default in a future release and should be -# enabled if possible. (boolean value) -#service_token_roles_required = false - -# Authentication type to load (string value) -# Deprecated group/name - [keystone_authtoken]/auth_plugin -#auth_type = - -# Config Section from which to load plugin specific options (string -# value) -#auth_section = - - -[oslo_policy] - -# -# From oslo.policy -# - -# This option controls whether or not to enforce scope when evaluating -# policies. If ``True``, the scope of the token used in the request is -# compared to the ``scope_types`` of the policy being enforced. If the -# scopes do not match, an ``InvalidScope`` exception will be raised. -# If ``False``, a message will be logged informing operators that -# policies are being invoked with mismatching scope. (boolean value) -#enforce_scope = false - -# The file that defines policies. (string value) -#policy_file = policy.json - -# Default rule. Enforced when a requested rule is not found. (string -# value) -#policy_default_rule = default - -# Directories where policy configuration files are stored. They can be -# relative to any directory in the search path defined by the -# config_dir option, or absolute paths. The file defined by -# policy_file must exist for these directories to be searched. -# Missing or empty directories are ignored. 
(multi valued) -#policy_dirs = policy.d - -# Content Type to send and receive data for REST based policy check -# (string value) -# Possible values: -# application/x-www-form-urlencoded - -# application/json - -#remote_content_type = application/x-www-form-urlencoded - -# server identity verification for REST based policy check (boolean -# value) -#remote_ssl_verify_server_crt = false - -# Absolute path to ca cert file for REST based policy check (string -# value) -#remote_ssl_ca_crt_file = - -# Absolute path to client cert for REST based policy check (string -# value) -#remote_ssl_client_crt_file = - -# Absolute path client key file REST based policy check (string value) -#remote_ssl_client_key_file = - - -[pci_devices] - -# -# From ironic_inspector -# - -# An alias for PCI device identified by 'vendor_id' and 'product_id' -# fields. Format: {"vendor_id": "1234", "product_id": "5678", "name": -# "pci_dev1"} (multi valued) -#alias = - - -[processing] - -# -# From ironic_inspector -# - -# Which MAC addresses to add as ports during introspection. Possible -# values: all (all MAC addresses), active (MAC addresses of NIC with -# IP addresses), pxe (only MAC address of NIC node PXE booted from, -# falls back to "active" if PXE MAC is not supplied by the ramdisk). -# (string value) -# Possible values: -# all - -# active - -# pxe - -# disabled - -#add_ports = pxe - -# Which ports (already present on a node) to keep after introspection. -# Possible values: all (do not delete anything), present (keep ports -# which MACs were present in introspection data), added (keep only -# MACs that we added during introspection). (string value) -# Possible values: -# all - -# present - -# added - -#keep_ports = all - -# Whether to overwrite existing values in node database. Disable this -# option to make introspection a non-destructive operation. (boolean -# value) -#overwrite_existing = true - -# Comma-separated list of default hooks for processing pipeline. 
Hook -# 'scheduler' updates the node with the minimum properties required by -# the Nova scheduler. Hook 'validate_interfaces' ensures that valid -# NIC data was provided by the ramdisk. Do not exclude these two -# unless you really know what you're doing. (string value) -#default_processing_hooks = ramdisk_error,root_disk_selection,scheduler,validate_interfaces,capabilities,pci_devices - -# Comma-separated list of enabled hooks for processing pipeline. The -# default for this is $default_processing_hooks, hooks can be added -# before or after the defaults like this: -# "prehook,$default_processing_hooks,posthook". (string value) -#processing_hooks = $default_processing_hooks - -# If set, logs from ramdisk will be stored in this directory. (string -# value) -#ramdisk_logs_dir = - -# Whether to store ramdisk logs even if it did not return an error -# message (dependent upon "ramdisk_logs_dir" option being set). -# (boolean value) -#always_store_ramdisk_logs = false - -# The name of the hook to run when inspector receives inspection -# information from a node it isn't already aware of. This hook is -# ignored by default. (string value) -#node_not_found_hook = - -# Method for storing introspection data. If set to 'none', -# introspection data will not be stored. (string value) -# Possible values: -# none - -# swift - -#store_data = none - -# Name of the key to store the location of stored data in the extra -# column of the Ironic database. (string value) -#store_data_location = - -# Whether to leave 1 GiB of disk size untouched for partitioning. Only -# has effect when used with the IPA as a ramdisk, for older ramdisk -# local_gb is calculated on the ramdisk side. (boolean value) -#disk_partitioning_spacing = true - -# File name template for storing ramdisk logs. The following -# replacements can be used: {uuid} - node UUID or "unknown", {bmc} - -# node BMC address or "unknown", {dt} - current UTC date and time, -# {mac} - PXE booting MAC or "unknown". 
(string value) -#ramdisk_logs_filename_format = {uuid}_{dt:%Y%m%d-%H%M%S.%f}.tar.gz - -# Whether to power off a node after introspection. (boolean value) -#power_off = true - - -[pxe_filter] - -# -# From ironic_inspector -# - -# PXE boot filter driver to use, such as iptables (string value) -#driver = iptables - -# Amount of time in seconds, after which repeat periodic update of the -# filter. (integer value) -# Minimum value: 0 -# Deprecated group/name - [firewall]/firewall_update_period -#sync_period = 15 - - -[swift] - -# -# From ironic_inspector -# - -# Authentication URL (string value) -#auth_url = - -# Authentication type to load (string value) -# Deprecated group/name - [swift]/auth_plugin -#auth_type = - -# PEM encoded Certificate Authority to use when verifying HTTPs -# connections. (string value) -#cafile = - -# PEM encoded client certificate cert file (string value) -#certfile = - -# Default Swift container to use when creating objects. (string value) -#container = ironic-inspector - -# Optional domain ID to use with v3 and v2 parameters. It will be used -# for both the user and project domain in v3 and ignored in v2 -# authentication. (string value) -#default_domain_id = - -# Optional domain name to use with v3 API and v2 parameters. It will -# be used for both the user and project domain in v3 and ignored in v2 -# authentication. (string value) -#default_domain_name = - -# Number of seconds that the Swift object will last before being -# deleted. (set to 0 to never delete the object). (integer value) -#delete_after = 0 - -# Domain ID to scope to (string value) -#domain_id = - -# Domain name to scope to (string value) -#domain_name = - -# Always use this endpoint URL for requests for this client. NOTE: The -# unversioned endpoint should be specified here; to request a -# particular API version, use the `version`, `min-version`, and/or -# `max-version` options. (string value) -#endpoint_override = - -# Verify HTTPS connections. 
(boolean value) -#insecure = false - -# PEM encoded client certificate key file (string value) -#keyfile = - -# The maximum major version of a given API, intended to be used as the -# upper bound of a range with min_version. Mutually exclusive with -# version. (string value) -#max_version = - -# Maximum number of times to retry a Swift request, before failing. -# (integer value) -#max_retries = 2 - -# The minimum major version of a given API, intended to be used as the -# lower bound of a range with max_version. Mutually exclusive with -# version. If min_version is given with no max_version it is as if max -# version is "latest". (string value) -#min_version = - -# DEPRECATED: Swift endpoint type. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use [swift]/valid_interfaces option to specify endpoint -# interfaces. -#os_endpoint_type = internalURL - -# DEPRECATED: Keystone region to get endpoint for. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use [swift]/region_name option to configure region. -#os_region = - -# DEPRECATED: Swift service type. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use [swift]/service_type option to set specific service type -#os_service_type = object-store - -# User's password (string value) -#password = - -# Domain ID containing project (string value) -#project_domain_id = - -# Domain name containing project (string value) -#project_domain_name = - -# Project ID to scope to (string value) -# Deprecated group/name - [swift]/tenant_id -#project_id = - -# Project name to scope to (string value) -# Deprecated group/name - [swift]/tenant_name -#project_name = - -# The default region_name for endpoint URL discovery. (string value) -#region_name = - -# The default service_name for endpoint URL discovery. 
(string value) -#service_name = - -# The default service_type for endpoint URL discovery. (string value) -#service_type = object-store - -# Tenant ID (string value) -#tenant_id = - -# Tenant Name (string value) -#tenant_name = - -# Timeout value for http requests (integer value) -#timeout = - -# Trust ID (string value) -#trust_id = - -# User's domain id (string value) -#user_domain_id = - -# User's domain name (string value) -#user_domain_name = - -# User id (string value) -#user_id = - -# Username (string value) -# Deprecated group/name - [swift]/user_name -#username = - -# List of interfaces, in order of preference, for endpoint URL. (list -# value) -#valid_interfaces = internal,public - -# Minimum Major API version within a given Major API version for -# endpoint URL discovery. Mutually exclusive with min_version and -# max_version (string value) -#version = diff --git a/policy.yaml.sample b/policy.yaml.sample deleted file mode 100644 index b94c2e7fd..000000000 --- a/policy.yaml.sample +++ /dev/null 
@@ -1,59 +0,0 @@
-# Full read/write API access
-#"is_admin": "role:admin or role:administrator or role:baremetal_admin"
-
-# Read-only API access
-#"is_observer": "role:baremetal_observer"
-
-# Internal flag for public API routes
-#"public_api": "is_public_api:True"
-
-# Default API access policy
-#"default": "!"
-
-# Access the API root for available versions information
-# GET /
-#"introspection": "rule:public_api"
-
-# Access the versioned API root for version information
-# GET /{version}
-#"introspection:version": "rule:public_api"
-
-# Ramdisk callback to continue introspection
-# POST /continue
-#"introspection:continue": "rule:public_api"
-
-# Get introspection status
-# GET /introspection
-# GET /introspection/{node_id}
-#"introspection:status": "rule:is_admin or rule:is_observer"
-
-# Start introspection
-# POST /introspection/{node_id}
-#"introspection:start": "rule:is_admin"
-
-# Abort introspection
-# POST /introspection/{node_id}/abort
-#"introspection:abort": "rule:is_admin"
-
-# Get introspection data
-# GET /introspection/{node_id}/data
-#"introspection:data": "rule:is_admin"
-
-# Reapply introspection on stored data
-# POST /introspection/{node_id}/data/unprocessed
-#"introspection:reapply": "rule:is_admin"
-
-# Get introspection rule(s)
-# GET /rules
-# GET /rules/{rule_id}
-#"introspection:rule:get": "rule:is_admin"
-
-# Delete introspection rule(s)
-# DELETE /rules
-# DELETE /rules/{rule_id}
-#"introspection:rule:delete": "rule:is_admin"
-
-# Create introspection rule
-# POST /rules
-#"introspection:rule:create": "rule:is_admin"
-
diff --git a/releasenotes/notes/remove-policy-json-b4746d64c1511023.yaml b/releasenotes/notes/remove-policy-json-b4746d64c1511023.yaml
new file mode 100644
index 000000000..8cbca4f70
--- /dev/null
+++ b/releasenotes/notes/remove-policy-json-b4746d64c1511023.yaml
@@ -0,0 +1,10 @@
+---
+other:
+ - |
+ The sample configuration file located at ``example.conf``
+ and the sample policy file located at ``policy.yaml.sample``
+ were removed in this release, as they are now published with documentation.
+ See `the sample configuration file
+ `_
+ and `the sample policy file
+ `_.