Steven Hardy [Fri, 15 Feb 2013 18:31:13 +0000 (18:31 +0000)]
heat engine : Only create periodic task on CREATE_COMPLETE
Only create the stack periodic watcher task if the stack create
completed successfully, since we don't want a watcher task if
the stack ended up rolling back (or just in CREATE_FAILED state)
Steven Hardy [Thu, 14 Feb 2013 15:41:14 +0000 (15:41 +0000)]
heat tests : delete stacks from DB in parser tests
The tests which store a stack in the DB should delete it
at the end of the test, otherwise any cut/paste test
which uses the same stack name will always fail
Steve Baker [Wed, 13 Feb 2013 21:05:11 +0000 (10:05 +1300)]
Implement Internet Gateway and VPC attachment
Please note that this takes a different approach for
all VPC resource types. Previously the resource_id matched
the underlying quantum resource UUID (or a composite of the
underlying UUIDs)
This had some problems, including:
- it was resource_id abuse
- it required extra quantum _list and _show calls to get enough
data to wire up new resources
- it made the already difficult job of mapping VPC <-> quantum
even harder
The new approach is to store all quantum UUIDs in resource metadata.
The resource id is just the resource name, so resources can easily
fetch other resources from the stack by ref/name then look up
their metadata to find the underlying quantum UUIDs to perform
operations with.
Tomas Sedovic [Wed, 13 Feb 2013 10:10:53 +0000 (11:10 +0100)]
Fix policy checks for users without policies
When the User resource doesn't have the `Policies` property specified,
the policy checking code raised an error because it tried to iterate
over `None`.
Change-Id: I1ad0a051c837744d8ec0a343929918c92fa78437
Signed-off-by: Tomas Sedovic <tomas@sedovic.cz>
Steven Hardy [Tue, 12 Feb 2013 16:02:44 +0000 (16:02 +0000)]
heat templates : allow access to wordpress in example templates
Latest wordpress package in Fedora defaults to deny-all so trying
to access the wordpress site on the instance no longer works,
so sed out the deny all to allow template examples and integration
tests to work again
Steve Baker [Mon, 11 Feb 2013 01:34:32 +0000 (14:34 +1300)]
Catch 404s when deleting quantum resources.
Quantum resources are often automatically deleted when their
dependencies are deleted, so resource deletion needs to tolerate
the resource no longer being there.
Steven Hardy [Tue, 5 Feb 2013 14:07:14 +0000 (14:07 +0000)]
Implement simple AccessPolicy Resource
Implement a simple AccessPolicy resource, which can be used
to restrict in-instance users to specific resources when they
call the DescribeStackResource API action
Steven Hardy [Thu, 7 Feb 2013 15:54:42 +0000 (15:54 +0000)]
heat templates : Remove IAM Policy sections
Some templates have Policies specified for the User
resource in the AWS IAM Policy format, which we do
not yet support, and will confuse users now we have
OS::Heat::AccessPolicy implemented
Steven Hardy [Fri, 8 Feb 2013 11:39:17 +0000 (11:39 +0000)]
heat engine : add option to control instance boto http/https
Currently the heat-jeos code defaults to http only, but we are
about to fix that, so we instead need a way to specify if
instances should connect via http or https - boto provides the
is_secure config file option, so add a new heat option which
controls this setting in the boto config we create in userdata
Steven Hardy [Fri, 8 Feb 2013 11:34:58 +0000 (11:34 +0000)]
heat clients : Make boto client select http/https from configfile
Currently we hardcode is_secure=False, but boto supports configuration
of this option from the config file (either ~/.boto or /etc/boto.cfg)
so better to do that
NOTE - you will need to update your boto config to include is_secure=0
to retain current (non https) behavior, since it defaults to on
Steven Hardy [Thu, 7 Feb 2013 11:16:28 +0000 (11:16 +0000)]
heat scripts : Avoid using lsb_release in tools/openstack
lsb_release is not installed by default on Fedora (or at least
it's not on my F17 box), so we should avoid using it, simple
alternative is just to read /etc/fedora-release instead
Change-Id: I341c151e8560fb971b11d27578934940aeeca1a7
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 6 Feb 2013 16:32:54 +0000 (16:32 +0000)]
heat api : Add policy.json authorization to cloudwatch API
Adds a basic policy.json to authorize all actions for the CW API -
this will deny access to the in-instance users defined in stack
templates (which are assigned the heat_stack_user role) to all API
actions apart from PutMetricData action, which is used by
cfn-push-stats to provide metric data from the instances
Change-Id: I2bbb885bec98b85828cdb92d7efc0688da7be3c1
Signed-off-by: Steven Hardy <shardy@redhat.com>
Clint Byrum [Thu, 7 Feb 2013 00:27:23 +0000 (16:27 -0800)]
Use yaml.safe_load: full yaml.load isn't needed
The only reason to use yaml.load instead of safe_load is if one wants to
load serialized objects. Heat's use case is purely to load basic data
structures such as maps/lists/strings. Fixes bug #1117820
Steve Baker [Mon, 4 Feb 2013 21:10:11 +0000 (10:10 +1300)]
Refactor loguserdata.py so it can be tested.
- Use distutils.version.LooseVersion for cloud-init version check
- Fix bug 1100287 by setting the following modes:
  - 0600 /var/log/heat-provision.log
  - 0700 /var/lib/heat
  - 0700 /var/lib/cloud/data/cfn-userdata (was 0111!)
- Full test coverage except for where __name__ == '__main__'
- File size has gone from 1218 bytes to 1636. If necessary we could reduce size in the future by using short names
This works for me when launching a template. At least if there are any regressions they can have a test written for the fix.
Change-Id: I04e773a743ec210e90394e50d2bb70c70664e80e
Steven Hardy [Tue, 5 Feb 2013 19:23:38 +0000 (19:23 +0000)]
heat api : Add policy.json authorization to CFN API
Adds a basic policy.json to authorize all actions for the CFN API -
this will deny access to the in-instance users defined in stack
templates (which are assigned the heat_stack_user role) to all API
actions apart from DescribeStackResource, which is used for metadata
updates
Steven Hardy [Wed, 6 Feb 2013 11:39:12 +0000 (11:39 +0000)]
heat common : context should split roles from X-Roles
The auth_token code joins roles with a comma delimiter and stores
the result in the X-Roles header, so we need to split X-Roles back
into a list for the context (otherwise the oslo policy code breaks)
Change-Id: I32bd1d6355b6fe0e16e729f35b1d0b5c61346a70
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 6 Feb 2013 10:05:58 +0000 (10:05 +0000)]
heat tests : fix StackControllerTest name duplication
StackControllerTest appears twice in the run_tests.sh output,
since it's used for both the CFN and ReST API tests, so rename
the CFN testcase to make run_tests output less confusing
Change-Id: Iedf2e21ecd0b511eb93a11c2cf593dbfc1bcaca9
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 5 Feb 2013 19:21:00 +0000 (19:21 +0000)]
Add initial code to support policy.json implementation
We don't currently support a policy.json file like
other openstack services, so this code (mostly copied
from glance, then modified a bit) will allow us to
add policy-based authorization to our APIs fairly
easily
Change-Id: I5ad9f55b3d0979e2526953bdce8b8227852e4b72
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Mon, 4 Feb 2013 18:03:52 +0000 (18:03 +0000)]
heat engine : AutoScalingGroup UpdateStack support
Adds improved UpdateStack support for AutoScalingGroup,
now the following properties can be updated without
replacement:
'MaxSize', 'MinSize', 'Cooldown', 'DesiredCapacity'
Change-Id: Ic47b4a2456dc19cd91eec7b0381d5d82fcd3f332
Signed-off-by: Steven Hardy <shardy@redhat.com>
Add validation to the Handle property for WaitCondition, so
we check that the identifier in the provided URL maps to
a WaitConditionHandle resource in the same stack as the
WaitCondition
Steven Hardy [Thu, 31 Jan 2013 11:44:40 +0000 (11:44 +0000)]
heat tests : test_waitcondition move cleanup out of teardown
Move stack delete and mox VerifyAll out of the teardown function
so if either fails the stubs are unset, meaning all subsequent
tests won't fail due to being unable to setup their stubs
stack delete is now performed via the stack_delete_after decorator
Change-Id: I636af84dd66ba4923f068c56ec13e7990d8edc03
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Fri, 1 Feb 2013 11:23:33 +0000 (11:23 +0000)]
heat tests : Add utility decorator for deleting stacks
Add decorator function which allows test functions to be wrapped
such that if they create a stack (and it is stored in the testcase
class as self.stack) it is always deleted on test exit, regardless
of test success/failure
Change-Id: Ibde9a2cee08448e3f24c6b7efbfe756a01f9eccc
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 31 Jan 2013 15:41:16 +0000 (15:41 +0000)]
heat api : add register_api_opts to init.py
Add register_api_opts to api/__init__.py, slightly simplifying
the api executables, and also solving an issue with some tests
which were not working via nosetests -s due to the required
options not being registered in cfg.CONF
Change-Id: I70b16aae1f73f72518013dbcda37defa79fc5649
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 29 Jan 2013 18:20:04 +0000 (18:20 +0000)]
heat engine : WaitConditionHandle use creation time for timestamp
Use the resource creation time for the pre-signed URL timestamp,
otherwise you get a different timestamp/signature every time you
refer to the resource, which makes things like comparing templates
for update more difficult.
Change-Id: Ieb4a6269cfcaf1214c08442db03772fdd7570d59
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 29 Jan 2013 15:58:08 +0000 (15:58 +0000)]
heat engine : pass fully resolved template to update
We need to pass the fully resolved (static and runtime)
resource template into the resource update(), so the
resource can compare pre/post update templates properly
Change-Id: I2fba2fef9c9f9ccb9b7cde9bd24bd06af7659240
Signed-off-by: Steven Hardy <shardy@redhat.com>
Add method to top-level Resource class update_template_diff()
which allows us to determine the difference between old/new
templates for a resource update, and also raise an error
if the changed keys are not in the list of those defined
as supported for update by the resource
ref blueprint instance-update-stack
Change-Id: Ibef07a0cecbc15f7f1d6c2c663743e3af8023057
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Mon, 28 Jan 2013 14:45:24 +0000 (14:45 +0000)]
heat engine : pass json snippet into resource handle_update
Change handle_update to accept the resource json_snippet,
needed to decide if a non-replacement update is possible
by comparing pre and post update resource definitions
ref blueprint instance-update-stack
Change-Id: I7eedce41eae232330f6fce4f098183cbd7fd6768
Signed-off-by: Steven Hardy <shardy@redhat.com>