Added Keystone and RequestID headers to CORS middleware
CORS middleware's latent configuration feature, new in 3.0.0,
allows adding headers that apply to all valid origins.
This patch adds headers commonly used in openstack to neutron's paste
pipeline, so that operators do not have to be aware of additional
configuration magic to ensure that browsers can talk to the API.
For more information:
http://docs.openstack.org/developer/oslo.middleware/cors.html#configuration-for-pastedeploy
Dustin Lundquist [Wed, 30 Dec 2015 23:59:36 +0000 (15:59 -0800)]
Do not prohibit VXLAN over IPv6
9fc45cee in introduced a regression prohibiting using VXLAN over
IPv6. Relax restriction on local_ip, but validate that both
local_ip and vxlan_group of the same address family. Move existing
validation of vxlan_group into validate_vxlan_group_with_local_ip()
method and refactor existing tests for that validation.
Ihar Hrachyshka [Wed, 13 Jan 2016 12:32:15 +0000 (13:32 +0100)]
tests: stop validating neutronclient in neutron-debug tests
In neutronclient 4.0.0, any command executed triggers DeprecationWarning
on stderr (to be fixed by I77f168af92ae51ce16bed4988bbcaf7c18557727 and
a new client release including it).
The test cases assumed that if command is successful, it never writes to
stderr though. Making the test failing when using the latest client.
Instead of fixing the test class not to assume there is no output on
stderr, remove it because we are not meant to validate neutronclient in
neutron gate at all and should rely on the library as shipped. Client
should already have reasonable coverage for its CLI.
ML2: verify if required extension drivers are loaded
This change ensures extension drivers required by service plugins are loaded
when using ML2 plugin: we check that ML2 loads QoS extension driver when QoS
service plugin is enabled.
We switched to constrained jobs a while back, but these links were
showing the non constrained ones, making these graphs useless.
This patch updates them to reflect the jobs that are currently
running, however the docs job is left for later as right now
switching would make graphite fail with:
'TypeError: reduce() of empty sequence with no initial value'
I suspect that's because the job has never failed so far.
Static routes not added to qrouter namespace for DVR
Today static routes are added to the SNAT namespace
for DVR routers. But they are not added to the qrouter
namespace.
Also while configuring the static routes to SNAT
namespace, the router is not checked for the existence
of the gateway.
When routes are added to a router without a gateway the
routes are only configured in the router namespace, but
when a gateway is set later, those routes have to be
populated in the snat_namespace as well.
chen-li [Wed, 13 Jan 2016 10:31:57 +0000 (18:31 +0800)]
Pass environment variables of proxy to tox
When a development environment is under a proxy, tox is failed
even if environment variables of the proxy are set. This is a
new feature above tox 2.0, you can check it from [1].
This patch fixes quota management APIs in the Pecan framework.
To this aim:
1) an ad-hoc pair of collection/item controllers are introduced
for the quota resource; as the new controllers have been added
in a separate module, the neutron.pecan_wsgi.controllers.utils
module has been added as well for helpers, routines and classes
used by all pecan controllers;
2) the quota API extension is made pecan-aware, meaning that it
simply returns a Pecan controller instance rather than deferring
the task to the startup process that builds controllers using the
home-grown WSGI framework ext manager;
3) the quota resource is now "almost" a standard neutron resource;
unfortunately since it does not yet have its own service plugin a
special provision is made in the attribute population hook in
order to ensure the object is loaded for allowing correct
policy enforcement.
4) Functional tests for the quota controller have been added.
Pecan: Fixes and tests for the policy enforcement hook
As PolicyNotAuthorizedException is raised in a hook, the
ExceptionTranslationHook is not invoked for it; therefore a 500
response is returned whereas a 403 was expected. This patch
explicitly handles the exception in the hook in order to ensure
the appropriate response code is returned.
Moreover, the structure of the 'before' hook prevented checks
on DELETE requests from being performed. As a result the check
was not performed at all (checks on the 'after' hook only pertain
GET requests). This patch changes the logic of the 'before' hook
by ensuring the item to authorize acces to is loaded both on PUT
and DELETE requests.
This patch also adds functional tests specific for the policy
enforcement hook.
Using model_query in the operation for retrieving tenant limits
will spare the need for explicit authorization check in the
quota controller. This is particularly relevant for the pecan
framework where every Neutron API call undergoes authZ checks
in the same pecan hook.
This patch will automatically adapt by eventuals changes
introducing "un-scoped" contexts.
Oleg Bondarev [Tue, 15 Dec 2015 14:58:51 +0000 (17:58 +0300)]
Use admin context when removing DVR router on vm port deletion
In case non-admin tenant removes last VM on a shared network (owned
by admin) connected to a DVR router (also owned by admin) we need
to remove the router from the host where there are no more dvr
serviceable ports. Commit edbade486102a219810137d1c6b916e87475d477
fixed logic that determines routers that should be removed from host.
However in order to actually remove the router we also need admin
context.
This was not caught by unit tests and one reason for that is so called
'mock everything' approach which is evil and generally useless.
This patch replaces unit tests with functional tests that we able
to catch the bug.
Paul Michali [Tue, 12 Jan 2016 21:44:47 +0000 (21:44 +0000)]
Provide kwargs for callback abort
The callback mechanism allows notifiers to provide keyword args in
the notification. If this is a create callback, and there is an
exception, then the notifier will call an abort callback.
However, currently, the keyword arguments are not provided to the
abort callback. This information could be useful for the callbacks,
and would make the mechanism consistent. This commit provides that
information.
Brandon Logan [Tue, 29 Dec 2015 08:41:48 +0000 (02:41 -0600)]
Pecan controller loads service plugins
The pecan controllers were not parsing out the case when a service
plugin is being used that changes the URI to
/v2.0/service_plugin/resource
This will check to see if the first resource after v2.0 is an
extension to a service plugin, and if it is it'll check the next
resource for a controller.
Hynek Mlnarik [Tue, 12 Jan 2016 08:10:25 +0000 (09:10 +0100)]
Log INFO message when setting admin state up flag to False for OVS port
Disabling admin state can cause confusion in OVS agent logs as to why
VLAN 4095 is set to a particular port. This commit adds an extra INFO
log message when admin state is disabled. There is no log emitted
upon enabling admin state as there is already a detailed log entry
logged in treat_devices_added_or_updated() function.
Oleg Bondarev [Wed, 9 Dec 2015 14:58:14 +0000 (17:58 +0300)]
Remove duplicate for check_ports_exist_on_l3agent
This removes check_ports_on_host_and_subnet which mostly duplicates what
check_ports_exist_on_l3agent is doing.
Also rename check_ports_exist_on_l3agent to check_dvr_serviceable_ports_on_host
for more clarity.
Currently 'flows' is being checked for empty list in
a non standard way 'if flows == []:'. This patch
simplifies logic so that above check is unnecessary.
This patch simplifies the process for validating the request body for
POST and PUT requests and preparing it for dispatching to plugins.
In particular it removes the need for parsing the URL to find the
resource identifier, and instead leverages Pecan's routing engine
to extract it. As a result the attribute population hook now simply
deals with request body validation, and has been renamed accordingly.
The logic for loading the current state of the object from the plugin
in order to enforce authZ policy on PUT requests has been moved to
the appropriate hook, PolicyEnforcementHook.
The logic for managing plural/singular names for resource has also been
improved, and two helper functions to retrieve a resource's attributes
have been added to neutron.api.v2.attributes
The logic for aborting requests with unsupported HTTP methods has also
been moved to the REST controllers. It used to be in PolicyEnforcementHook,
which was probably not the right thing to do.
This patch also unskips a functional test concerning ownership checks,
and add functional tests for verifying correct request processing.
Unit tests for the newly added helper functions are also provided.
Kevin Benton [Thu, 7 Jan 2016 23:40:27 +0000 (15:40 -0800)]
make floating IP specification test robust to races
The get_unused_ip function returns an address that isn't in use on
the network at the time it's called. However, by the time the caller
uses it, it may have been allocated to another concurrent test if
the network is shared or external.
The test_create_floatingip_with_specified_ip_address test creates
a floating IP with an unused IP on the external network, which has
lots of activity on it from other tests so it would occasionally
have its address taken by another test.
This patch just catches the in use error and tries again with a
new IP.
Kevin Benton [Thu, 24 Dec 2015 08:29:08 +0000 (00:29 -0800)]
Ensure agent binding modules are loaded
This patch ensures that models_v2 and the router db module
import the agent binding modules so their models are defined
in the sqlalchemy metadata. Otherwise, using an agentless
core/L3 plugin may result in a failure to initialize if nothing
imported the agent module.
Akihiro Motoki [Fri, 8 Jan 2016 18:35:05 +0000 (03:35 +0900)]
Make neutron-debug command follow cliff command convention
In the guideline of cliff command, developers implementing
commands should override take_action() rather than run().
The similar effort is being done in neutronclient side and
this fix is required to complete the effort.
Logger definition in each command class is no longer needed.
This commit also drops them.
Rename _get_vm_port_hostid in dvr to reflect the right functionality
_get_vm_port_hostid returns the host id associated with the
dvr service ports. It not only returns the VM port hostid, but
also returns the host id associated with LBaaS vip port and
dhcp.
So to be in sync with other function names let us rename the
function to _get_dvr_service_port_hostid.