This adds the CORS support middleware to Manila, allowing a deployer
to optionally configure rules under which a JavaScript client may
break the single-origin policy and access the API directly.
For Manila, the paste.ini method of deploying the middleware was
chosen, because it needs to be able to annotate error responses
created by other middlewares. If one such middleware throws an
error - such as an auth error from keystone - that error response
must still have CORS headers in order to be readable by the
user agent.
OpenStack CrossProject Spec:
http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
Oslo_Middleware Docs:
http://docs.openstack.org/developer/oslo.middleware/cors.html
OpenStack Cloud Admin Guide:
http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html
Change-Id: I9d4b6d0eb380da3eae3867fcebe30fdd5824978d
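The point about error responses in the commit message above, as an added example that is not Manila or oslo.middleware code: a toy WSGI pipeline showing that a 401 raised by an auth filter only carries CORS headers when the CORS filter wraps it. The names `cors_middleware`, `auth_middleware`, `api_app`, `call` and the origin value are hypothetical and constructed for illustration.

```python
"""Constructed example: a CORS filter must wrap the filters whose errors it annotates."""

ALLOWED_ORIGIN = "https://dashboard.example.test"  # constructed value


def api_app(environ, start_response):
    """Stand-in for the API application at the end of the pipeline."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"shares": []}']


def auth_middleware(app):
    """Stand-in for an auth filter: short-circuits with 401 when no token is sent."""
    def wrapped(environ, start_response):
        if "HTTP_X_AUTH_TOKEN" not in environ:
            start_response("401 Unauthorized", [("Content-Type", "application/json")])
            return [b'{"error": "authentication required"}']
        return app(environ, start_response)
    return wrapped


def cors_middleware(app, allowed_origin=ALLOWED_ORIGIN):
    """Toy CORS filter: annotates whatever response the wrapped app produces."""
    def wrapped(environ, start_response):
        origin = environ.get("HTTP_ORIGIN")

        def cors_start_response(status, headers, exc_info=None):
            if origin == allowed_origin:  # exact match, never reflect blindly
                headers = list(headers) + [
                    ("Access-Control-Allow-Origin", origin),
                    ("Vary", "Origin"),
                ]
            return start_response(status, headers, exc_info)

        return app(environ, cors_start_response)
    return wrapped


def call(app, environ):
    """Drive a WSGI app once and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# CORS outermost: the auth filter's 401 passes back through the CORS filter.
cors_outermost = cors_middleware(auth_middleware(api_app))
# CORS innermost: the auth filter answers first and the 401 is never annotated.
cors_innermost = auth_middleware(cors_middleware(api_app))
```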
Adding GPFS driver back as the third party CI system
for GPFS driver is up and running.
This is a revert of commit 720ec904456594b453cfd220b002bdc8c0d50e08
Change-Id: I86f9b7da21716346f96bae3ce30446589e4c4c37
manila.openstack.common.log.LegacyFormatter no longer exists.
This change removes it from logging_sample.conf.
Change-Id: I67daa0e11458272c0a67bd0754c00902d36e27ef
Closes-Bug: #1499263
This bug, inherited from Cinder, allows a tenant to view share
extra specs using the extra-specs-list CLI command. The Cinder
fix was to check the admin context in the DB layer and filter out
all extra specs for non-admins. This approach doesn't work for
Manila, because some extra specs are required and are effectively
part of the Manila API (DHSS, snapshot_support). So in Manila we
define a set of tenant-visible extra specs and restrict the extra
spec values to that set in the share type view builder. Also, we
add policies for the share type list APIs so that admins can
control access to those if desired.
The separate API to list extra specs already has adequate checking
for non-admin users; the CLI was listing the extra specs returned
by the share type API, which is now filtered as described.
Co-Authored-By: Andrew Kerr <andrew.kerr@netapp.com>
Change-Id: I9b0a8ddc064c246286f26760b703db6e3e1bcd46
Closes-Bug: #1475285
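The view-layer filtering described in the commit message above, as an added sketch that is not Manila's code: admins receive every extra spec, tenants receive only an allow-listed subset, so required specs stay visible while backend details do not. `TENANT_VISIBLE_EXTRA_SPECS`, `Context`, `filter_extra_specs`, `build_share_type_view` and the sample record are hypothetical; the key `driver_handles_share_servers` is assumed here as the spec the message abbreviates as DHSS.

```python
"""Constructed example: allow-list filtering of share type extra specs in a view builder."""
from dataclasses import dataclass

# Assumed allow-list: the specs the commit message calls effectively part of the API.
TENANT_VISIBLE_EXTRA_SPECS = frozenset({
    "driver_handles_share_servers",  # "DHSS" in the commit message
    "snapshot_support",
})


@dataclass(frozen=True)
class Context:
    """Hypothetical request context carrying only what the view needs."""
    project_id: str
    is_admin: bool = False


def filter_extra_specs(context, extra_specs):
    """Return all specs for admins, only allow-listed specs for everyone else."""
    if context.is_admin:
        return dict(extra_specs)
    return {
        key: value
        for key, value in extra_specs.items()
        if key in TENANT_VISIBLE_EXTRA_SPECS
    }


def build_share_type_view(context, share_type):
    """Build the API representation of one share type for this caller."""
    specs = share_type.get("extra_specs") or {}
    return {
        "id": share_type["id"],
        "name": share_type["name"],
        "extra_specs": filter_extra_specs(context, specs),
    }


def build_share_type_list_view(context, share_types):
    """Apply the same filtering to the list API, which the CLI was reading."""
    return {"share_types": [build_share_type_view(context, st) for st in share_types]}


# Constructed sample record: two API-relevant specs plus two backend details.
SAMPLE_TYPE = {
    "id": "constructed-id-1",
    "name": "gold",
    "extra_specs": {
        "driver_handles_share_servers": "False",
        "snapshot_support": "True",
        "vendor:backend_pool": "constructed_pool_01",
        "share_backend_name": "constructed-backend-a",
    },
}
```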
The Manila community set a deadline of 3 Sep 2015 for all drivers
to have reporting CI systems, and there is no CI system for the
IBM GPFS driver. As agreed, the driver will be removed until such
time that a CI system exists.
Change-Id: I76f238a1a6eb039e4ddc1cb189115ab3e686c56b
To prevent a microversioned client from managing a non-microversioned
Manila server, Manila must update its REST endpoints by adding /v2 for
all microversioned APIs.
This commit does the following:
* Add /v2 to the URL map, connected to all the same /v1 API methods
* Renumber the microversion sequence starting from 2.0
* Update the versions API to reflect v2
* Publish the new endpoint to Keystone in the DevStack plug-in
* Update relevant documentation
* Update Tempest tests for microversions
APIImpact
Co-Authored-By: Andrew Kerr <andrew.kerr@netapp.com>
Closes-Bug: 1488624
Change-Id: I56a516b5f81914557dd2465746629431cfd6deac
Share Migration allows a share to be migrated from
one host#pool to another host#pool through the
"manila migrate <share> <host#pool>" command. It first
calls the driver to perform it in an optimized way if
possible. If the driver returns that it did not migrate,
it performs a generic migration.
A new field has been added to "shares" table: task_state,
which tracks migration status.
For driver migration, the method migrate_share in driver
base class should be overridden.
For generic migration, drivers may use new config options
to achieve the necessary configuration:
- migration_mounting_backend_ip: If backend has additional
exports IP for admin network, specify it here.
- migration_data_copy_node_ip: IP of entity performing
migration between backends, such as manila node or
data copy service node. This may not apply for
DHSS = true drivers.
- migration_protocol_mount_command: specify mount command
with protocol and additional parameters. Advisable to restrict
protocols per backend. Defaults to "mount -t <share_proto>".
If additional customization is needed, drivers may override
certain methods:
- _mount_share: return the mount command.
- _umount_share: return the umount command.
- _get_access_rule_for_data_copy: return an access rule with
the IP address which will allow the manila node or data copy node
to mount the share after added permission through
allow-access API command.
Change-Id: I8dde892cb7c0180b2b56d8c7d680dfe2320c2ec7
Implements: blueprint share-migration
This patch adds the /consistency-groups and /cgsnapshots
endpoints as well as AdminActions for both.
Partially implements bp manila-consistency-groups
APIImpact
Change-Id: I5fd0d3341766fdba4d92f4a43c3d1186e7a4b38e
Add admin API which allows:
- Get share instances of given share
- Get all share instances
- Get share instance details by id
- Reset share instance state
- Force-delete share instance
Add appropriate unit and tempest tests.
APIImpact
Change-Id: Ie96dfc18b491cb4d9705da4eaca5bc4ce43225ea
Partially-Implements: blueprint share-instances
Rework availability zones support which was inherited from Cinder:
- Add public API extension
- Preserve AZ if creating a share from a snapshot
- Always set AZ in Share API or Share Manager
- Update db schema and create db migration
- Update appropriate unit tests
APIImpact
Partially-Implements: blueprint availability-zones
Change-Id: Iea9fbc3fea5c0128772115c028989121f397e0c5
The OpenStack API working group recommends all projects adopt
Nova-style microversions for versioning their REST APIs. This
commit ports the Nova microversion code and docs to Manila.
With this patch, the API version is bumped to 1.1, and the
versions API (which has always returned horribly outdated
values) is the first API that is versioned. The 1.1 version
of the versions API includes the minimum and current API
version values.
Implements bp: manila-rest-api-microversions
Change-Id: Ifa8e394335a4eb3ad21f53a873530aee241c00e8
The Manila API does not behave properly if it is behind an SSL
termination proxy. If this is the case, the host_url in the version
resource is built using the http protocol instead of https.
To handle the correct host_url with a proxy, first, we should enable
X-Forwarded-Host in the proxy so that Manila can get the right client
IP. Second, we should enable X-Forwarded-Proto; with the new SSL
middleware, Manila will get the original protocol.
Change-Id: I2dac983481718e6d639453e3f03f41baf8cea56d
Closes-Bug: #1384379
With GlusterFS 3.7.x versions, the delete share operation fails when
deleting the contents of a GlusterFS volume, a share. This is because
two directories are auto-created within a GlusterFS volume when it's
started and GlusterFS refuses to unlink their paths. Fix this issue, by
not trying to remove the two directory paths, but remove their contents
and the rest of the contents of the volume.
Change-Id: I1675bbf593bf578301d6899ee3f9860320080956
Closes-Bug: #1473324
Implement optional API for shrinking shares:
"manila shrink <share-id> <new-size>"
- Implement tenant-facing API for shrinking shares
- Add appropriate unit tests
Partially implements bp share-shrink-api
Change-Id: I48f8e05793a992b11fb180b0b4dbf43bcffb4229
Implement API for extending shares similar to Cinder:
"manila extend <share-id> <new-size>"
- Implement tenant-facing API for extending shares
- Add appropriate unit tests
Partially implements bp share-extend-api
Change-Id: Ic63ecb1c2881ac9c8b59010efe3a37413f18f28d
This patch moves Manila to using oslo.middleware, updates it to
use the sizelimit middleware in oslo_middleware namespace.
Change-Id: I10c3cbeb9d43b504f14375df4dac87b323fab5bf
Signed-off-by: Lin Yang <lin.a.yang@intel.com>
New style policy language is much more human readable and the preferred
way to describe policies.
Change-Id: Ib741e2222ad36fa481ca8003387ecc1d9e8231e6
Implements: blueprint switch-to-new-style-policy-lang
The scheduler API 'get_pools' was copied from Cinder and has several
problems. The REST endpoint, /scheduler-stats/get_pools, is not a
REST-appropriate name. The API allows filtering but filters are not
currently supported by the Manila scheduler. The API was added as an
extension, not part of the v1 API as it should be. After restarting
the scheduler service, the API doesn't return any data until a share
has been created (Cinder was used as a model for fixing this one).
This patch fixes all of these issues.
Closes-Bug: #1422042
Change-Id: I7e32efb5390fd4b0a62f644ca5a12dcad14d8a9b
Manage share functionality adds possibility to add existing
shares to manila. On other hand unmanage functionality adds
possibility to remove shares from manila, but without physical
removal from share backend.
Due to high implementation complexity and risks it was
decided to implement manage/unmanage methods only for
driver_manage_share_servers=False drivers and implement
this functionality for other cases in future. Also administrator
can't unmanage shares that were created with a share_server.
- Add manage() and unmanage() methods in admin API
- Add manage_share() and unmanage_share() methods to share rpcapi
and share manager
- Update share rpcapi version to 1.1
- Add manage_existing(), unmanage() methods
to share driver
- Add appropriate unit tests.
Partially implements bp manage-shares
Change-Id: Iedfd85cb6bdfade67c04f62c04756ac192db6b66
Add share_type_access extension which introduces
the ability to manage share type access:
* Share types are public by default
* Private share types can be created by setting
the is_public boolean field to False at creation time.
* Access to a private share type can be controlled
by adding or removing a project from it.
* Private share types without projects are only visible
by users with the admin role/context.
Implementation details and unit tests were mostly adapted
from Cinder and Nova access extensions.
Implements bp private-share-types
Change-Id: I83ee57c6a516b5382d074c0082525ad7feadd59c
An execute call in the ganesha manager module that writes ganesha
export config files is made with 'process_input' argument. This
argument is invalid for processutils's ssh_execute() method which is
used by the execute call to write config files to a remote ganesha
server node. Fix this by not using the 'process_input' argument; instead,
use other arguments that would still enable the execute call to write
ganesha config files.
Change-Id: I58369468ac7be1de38364a1c1bf6cbf8695b9a1d
Closes-Bug: #1422235
This change introduces pool-aware scheduler to address the need for
supporting multiple pools from one storage controller.
Derived from the Cinder Implementation of Pool-aware Scheduler -
https://review.openstack.org/#/c/98715/ and
https://review.openstack.org/#/c/119938
Implements blueprint: dynamic-storage-pools
Change-Id: I3aee5ed1f96f972f7d40fbd981393559587c1a23
When resetting exports, i.e., remove files present in the ganesha
export directory, during manager service initialization, ignore if the
directory is already empty. This allows ganesha manage service to
initialize even if the ganesha export directory is empty.
Change-Id: Iabe3f36d4f05b0fc451695b261a538b2e87be7a5
Closes-Bug: #1416958
The rootwrap filters for commands 'df' and 'stat', which were part
of the volume.filters before, were recently removed considering those
to be unused. But, GPFS manila driver uses those and fails while
performing certain operations, in their absence.
Hence, adding those back.
Change-Id: Ib736385f15058028b2bc0e38d325d0c256f6dd93
Closes-Bug: #1413544
There is no need to keep rootwrap filters in separate files
with 'volume' and 'share' prefixes.
So, merge it and remove unused filters.
Change-Id: I2fbea254faed5d8fc668cba58211d1df0e0e82f3
Rootwrap supports a configurable set of trusted
directories to search executables in (exec_dirs),
which defaults to system PATH.
Make the rootwrap filters more portable by removing
the explicit exec_dirs prefix from them. This allows
a binary to be installed in any of the exec_dirs and
still be used by rootwrap, which improves cross-distro
portability.
Change-Id: I9a346c0fcddc7ac8af50f72df6d401b5079e4d58
Closes-Bug: #1405068
Introduce the ganesha share driver helper module
which provides the GaneshaNASHelper class from which
share drivers can derive NFS-Ganesha backed protocol
helpers.
Some utility functions are also added to ease
integration.
Partially implements blueprint gateway-mediated-with-ganesha
Change-Id: I8683ea5eb43d7a8eaf0dfa6af3791782d32b944a
Supporting GPFS exports over kernel NFS and Ganesha NFS
Supporting following Manila functionality:
1. Create, List, Delete Shares
2. Create, List, Delete Share Snapshots
3. Create Share from a Share Snapshot
4. Allow, Deny access to a share based on IP
Supports, local and remote GPFS nodes to the Manila service node,
in a GPFS cluster
Limitation:
1. While using remote GPFS node, with Ganesha NFS, 'gpfs_private_key'
for remote login to the GPFS node must be specified and there must be
a passwordless authentication already setup between the Manila and the
remote GPFS node.
DocImpact
Implements: blueprint gpfs-driver
Change-Id: I6664054ba52d03814cea846cb0d79cd853632814
Fixed two nit picks:
1) in service_instance module was improper statement about amount of
external methods.
2) After commit merge
https://github.com/openstack/manila/commit/883e02f2
part of etc/manila/README.manila.conf info became outdated.
Change-Id: I68b9efc9bc1f701cb4ea8dbecf69ec58f7cb5df3
Switch to keystonemiddleware so a full keystoneclient installation is no
longer required.
Also move the configuration parameters for auth_token from api-paste.ini
to manila.conf. api-paste.ini configuration can still be used and take
priority over parameters from manila.conf.
Finally adjust devstack lib and use manila.conf to configure auth_token.
Related-Bug: #1240753
Change-Id: I4317ffca174a0f73dddc7030b367d49130040c77
Add filtering share-network list by creation date, associated security
service ID, project ID (for admin context only).
Limit share network list using 'offset' and 'limit' options.
Add policy rule for 'get_all_share_networks' action.
Remove 'status' field from returned share network's view,
as share_network model doesn't have such attribute. So, None was always
returned as a status.
Fix DB api function share_network_get_all_by_security_service - second param
should be named 'security_service_id' instead of 'share_network_id'.
Add unit and tempest tests.
Implements bp improve-share-network-list-filtering
Change-Id: I7c3e44068fb39672d1d6c9e06527fde2604672a9
The config module in oslo-incubator has been replaced by oslo.config.
Projects need to switch completely to oslo.config for kilo.
This patch does:
* Register options with oslo.config (new file manila/opts.py)
* Generate the config file using oslo-config-generator
* Remove obsoleted entries for this from openstack-common.conf
* Remove oslo-incubator config files
Change-Id: I30b594423c08782e13a1f615099ae65f997a8551
Closes-Bug: #1382183
We can filter security services only by status, name, id and type now.
Add new search options:
user,
server,
dns_ip,
domain
to _get_security_services in SecurityServiceController to be able to filter
security services by these fields.
Allow filtering security services by share network id.
Add information about share networks to result if 'detailed' mode enabled.
Add unit and tempest tests for filtering security services.
Implements bp improve-security-service-list-filtering
Change-Id: I8b3845c2d705188ec1dc0db33c1e20c8e6c5e559
This patch adds support for working with multiple glusterfs volumes
for the GlusterFS native protocol driver. Since the semantics and
mapping for native driver is different compared to GlusterFS NFS
driver, this patch refactors the native driver as a standalone
driver and fixes some flows to fit the native driver with the
Manila share flows.
A more recent version of glusterfs having SSL support is needed.
Change-Id: I567c7602e97c9d55551baa29f121c05da2985007
Closes-Bug: #1368669
Support of LVM driver is planned to be dropped as it duplicates
functionality from Cinder. Default driver is Generic driver, that uses Cinder.
Changes:
- removed LVM driver
- removed related stuff to LVM driver
Partially implements blueprint remove-lvm-driver
Change-Id: If2df592db082fdc5d609a5ce644106fee7d0583d
Delete Manila's implementation located in tools/conf and replace
it with common config generator located in tools/config. The new config
generator includes config options from other modules (oslo.messaging,
oslo.db, oslo.db.concurrency) which improves the generated sample config.
Change-Id: I553e1a8ec414383e2d79d445ebd10e0e1ffa1ae4
Added one more filter option - 'share_server_id' to 'get_all' method,
by default only admin can list shares with it.
Also made little refactor for this method and covered with unittests.
Added tempest tests to cover changes.
Partially-implements blueprint add-admin-api-list-shares-for-share-server
Change-Id: I54f5458d3bb365c7a6fd0c8c7dce664cc7d01fc2
Some policies for specific actions exist in Manila but are not documented in
etc/manila/policy.json. This makes someone have to dig to see what is available
when looking quickly.
The fix adds all actions from the APIs to policy.json, with default policy for
most of the newly added actions, and rule:admin_api for the rest. The fix
changes the share_network and security_service actions to default. The fix also
removes four actions no longer in the API. The actions quotas:update_for_user
and quotas:update_for_project are replaced with quotas:update. The actions
share_network:activate and share:network:deactivate have been removed.
Change-Id: I2e9510d59d0d3b70974f1a851ee5d2246154caf4
Closes-Bug: #1326797
This API is useful when share-server autodeletion is disabled, which is default behaviour.
Changes:
- added new api method with deletion of share server
- added db method, that takes list of shares by share server id
- changed logic of share manager, that is related to concurrency issues
- added unit and tempest tests to cover changes
Partially-implements blueprint add-admin-api-delete-share-server
Change-Id: I03b452de2cd4fe34c648b2434dab1b9244b1b005
force-delete action will be available
for shares and snapshots with admin creds.
Partially implements: blueprint manila-client-enhancements
Change-Id: I896e8a83109879b96f0d7ef2ca2e52fcb7528bb3
After making multitenant generic driver default driver
for devstack, tempest should be able to create share-networks
depending on networks of tenant to be able to create shares.
Change-Id: I43a744eb42442c8d6367d894773adc05a5f3f600
Removed restrictions for security-services and
share-networks, because it should be available
for all users.
Change-Id: I4ec3ee40b9afe91ac451e8b0a4136176a7976609