Update Master SHAs - 17 Jan 2016

This patch does the following:
- updates the Master SHAs for new development work.
- includes updates to policy, paste and rootwrap files as required
- moves the Aodh repository to openstack_services as it now has
  implemented a stable branch
- Updated the keystone-wsgi file as it was still running the code from
  liberty
- add 2 package requirements to keystone which must be present for the
  new wsgi file.
- updates tempest.conf.j2 to replace ssh_auth_method with auth_method,
  and change auth_method to 'keypair' (configured is no longer an
  a valid option)

Change-Id: I933c24c03518865d9d40519dafb2ba46769a5453
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

templates/glance-api-paste.ini.j2

@@ -1,38 +1,38 @@
 # Use this pipeline for no auth or image caching - DEFAULT
 [pipeline:glance-api]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context rootapp
 
 # Use this pipeline for image caching and no auth
 [pipeline:glance-api-caching]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp
 
 # Use this pipeline for caching w/ management interface but no auth
 [pipeline:glance-api-cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
 
 # Use this pipeline for keystone auth
 [pipeline:glance-api-keystone]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context  rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context  rootapp
 
 # Use this pipeline for keystone auth with image caching
 [pipeline:glance-api-keystone+caching]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context cache rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache rootapp
 
 # Use this pipeline for keystone auth with caching and cache management
 [pipeline:glance-api-keystone+cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user.
 [pipeline:glance-api-trusted-auth]
-pipeline = healthcheck versionnegotiation osprofiler context rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler context rootapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user and uses cache management
 [pipeline:glance-api-trusted-auth+cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler context cache cachemanage rootapp
 
 [composite:rootapp]
 paste.composite_factory = glance.api:root_app_factory
@@ -82,5 +82,27 @@ paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
 
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ glance_profiler_hmac_key }}
-enabled = yes
+hmac_keys = {{ glance_profiler_hmac_key }}  #DEPRECATED
+enabled = yes  #DEPRECATED
+
+[filter:cors]
+paste.filter_factory =  oslo_middleware.cors:filter_factory
+oslo_config_project = glance
+oslo_config_program = glance-api
+# Basic Headers (Automatic)
+# Accept = Origin, Accept, Accept-Language, Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
+# Expose = Origin, Accept, Accept-Language, Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
+
+# Glance Headers
+# Accept = Content-MD5, X-Image-Meta-Checksum, X-Storage-Token, Accept-Encoding
+# Expose = X-Image-Meta-Checksum
+
+# Keystone Headers
+# Accept = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id
+# Expose = X-Auth-Token, X-Subject-Token, X-Service-Token
+
+# Request ID Middleware Headers
+# Accept = X-OpenStack-Request-ID
+# Expose = X-OpenStack-Request-ID
+latent_allow_headers = Content-MD5, X-Image-Meta-Checksum, X-Storage-Token, Accept-Encoding, X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID
+latent_expose_headers = X-Image-Meta-Checksum, X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID

templates/glance-registry-paste.ini.j2

@@ -31,5 +31,5 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ glance_profiler_hmac_key }}
-enabled = yes
+hmac_keys = {{ glance_profiler_hmac_key }}  #DEPRECATED
+enabled = yes  #DEPRECATED

templates/policy.json.j2

@@ -1,7 +1,5 @@
 {
     "context_is_admin":  "role:admin",
-    "tenant_is_owner": "tenant:%(owner)s",
-    "admin_or_owner": "role:admin OR rule:tenant_is_owner",
     "default": "",
 
     "add_image": "",
@@ -9,7 +7,7 @@
     "get_image": "",
     "get_images": "",
     "modify_image": "",
-    "publicize_image": "rule:admin_or_owner",
+    "publicize_image": "role:admin",
     "copy_from": "",
 
     "download_image": "",
@@ -19,11 +17,11 @@
     "get_image_location": "",
     "set_image_location": "",
 
-    "add_member": "rule:admin_or_owner",
-    "delete_member": "rule:admin_or_owner",
+    "add_member": "",
+    "delete_member": "",
     "get_member": "",
     "get_members": "",
-    "modify_member": "rule:admin_or_owner",
+    "modify_member": "",
 
     "manage_image_cache": "role:admin",