Steve Baker [Mon, 11 Feb 2013 01:34:32 +0000 (14:34 +1300)]
Catch 404s when deleting quantum resources.
Quantum resources are often automatically deleted when their
dependencies are deleted, so resource deletion needs to tolerate
the resource no longer being there.
Steven Hardy [Tue, 5 Feb 2013 14:07:14 +0000 (14:07 +0000)]
Implement simple AccessPolicy Resource
Implement a simple AccessPolicy resource, which can be used
to restrict in-instance users to specific resources when they
call the DescribeStackResource API action
Steven Hardy [Thu, 7 Feb 2013 15:54:42 +0000 (15:54 +0000)]
heat templates : Remove IAM Policy sections
Some templates have Policies specified for the User
resource in the AWS IAM Policy format, which we do
not yet support, and will confuse users now we have
OS::Heat::AccessPolicy implemented
Steven Hardy [Fri, 8 Feb 2013 11:39:17 +0000 (11:39 +0000)]
heat engine : add option to control instance boto http/https
Currently the heat-jeos code defaults to http only, but we are
about to fix that, so we instead need a way to specify if
instances should connect via http or https - boto provides the
is_secure config file option, so add a new heat option which
controls this setting in the boto config we create in userdata
Steven Hardy [Fri, 8 Feb 2013 11:34:58 +0000 (11:34 +0000)]
heat clients : Make boto client select http/https from configfile
Currently we hardcode is_secure=False, but boto supports configuration
of this option from the config file (either ~/.boto or /etc/boto.cfg)
so better to do that
NOTE - you will need to update your boto config to include is_secure=0
to retain current (non https) behavior, since it defaults to on
Steven Hardy [Thu, 7 Feb 2013 11:16:28 +0000 (11:16 +0000)]
heat scripts : Avoid using lsb_release in tools/openstack
lsb_release is not installed by default on Fedora (or at least
it's not on my F17 box), so we should avoid using it, simple
alternative is just to read /etc/fedora-release instead
Change-Id: I341c151e8560fb971b11d27578934940aeeca1a7
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 6 Feb 2013 16:32:54 +0000 (16:32 +0000)]
heat api : Add policy.json authorization to cloudwatch API
Adds a basic policy.json to authorize all actions for the CW API -
this will deny access to the in-instance users defined in stack
templates (which are assigned the heat_stack_user role) to all API
actions apart from PutMetricData action, which is used by
cfn-push-stats to provide metric data from the instances
Change-Id: I2bbb885bec98b85828cdb92d7efc0688da7be3c1
Signed-off-by: Steven Hardy <shardy@redhat.com>
Clint Byrum [Thu, 7 Feb 2013 00:27:23 +0000 (16:27 -0800)]
Use yaml.safe_load: full yaml.load isn't needed
The only reason to use yaml.load instead of safe_load is if one wants to
load serialized objects. Heat's use case is purely to load basic data
structures such as maps/lists/strings. Fixes bug #1117820
Steve Baker [Mon, 4 Feb 2013 21:10:11 +0000 (10:10 +1300)]
Refactor loguserdata.py so it can be tested.
- Use distutils.version.LooseVersion for cloud-init version check
- Fix bug 1100287 by setting the following modes:
  - 0600 /var/log/heat-provision.log
  - 0700 /var/lib/heat
  - 0700 /var/lib/cloud/data/cfn-userdata (was 0111!)
- Full test coverage except for where __name__ == '__main__'
- File size has gone from 1218 bytes to 1636. If necessary we could reduce size in the future by using short names
This works for me when launching a template. At least if there are any regressions they can have a test written for the fix.
Change-Id: I04e773a743ec210e90394e50d2bb70c70664e80e
Steven Hardy [Tue, 5 Feb 2013 19:23:38 +0000 (19:23 +0000)]
heat api : Add policy.json authorization to CFN API
Adds a basic policy.json to authorize all actions for the CFN API -
this will deny access to the in-instance users defined in stack
templates (which are assigned the heat_stack_user role) to all API
actions apart from DescribeStackResource, which is used for metadata
updates
Steven Hardy [Wed, 6 Feb 2013 11:39:12 +0000 (11:39 +0000)]
heat common : context should split roles from X-Roles
The auth_token code joins roles with a comma delimiter and stores
the result in the X-Roles header, so we need to split X-Roles back
into a list for the context (otherwise the oslo policy code breaks)
Change-Id: I32bd1d6355b6fe0e16e729f35b1d0b5c61346a70
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 6 Feb 2013 10:05:58 +0000 (10:05 +0000)]
heat tests : fix StackControllerTest name duplication
StackControllerTest appears twice in the run_tests.sh output,
since it's used for both the CFN and ReST API tests, so rename
the CFN testcase to make run_tests output less confusing
Change-Id: Iedf2e21ecd0b511eb93a11c2cf593dbfc1bcaca9
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 5 Feb 2013 19:21:00 +0000 (19:21 +0000)]
Add initial code to support policy.json implementation
We don't currently support a policy.json file like
other openstack services, so this code (mostly copied
from glance, then modified a bit) will allow us to
add policy-based authorization to our APIs fairly
easily
Change-Id: I5ad9f55b3d0979e2526953bdce8b8227852e4b72
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Mon, 4 Feb 2013 18:03:52 +0000 (18:03 +0000)]
heat engine : AutoScalingGroup UpdateStack support
Adds improved UpdateStack support for AutoScalingGroup,
now the following properties can be updated without
replacement:
'MaxSize', 'MinSize', 'Cooldown', 'DesiredCapacity'
Change-Id: Ic47b4a2456dc19cd91eec7b0381d5d82fcd3f332
Signed-off-by: Steven Hardy <shardy@redhat.com>
Add validation to the Handle property for WaitCondition, so
we check that the identifier in the provided URL maps to
a WaitConditionHandle resource in the same stack as the
WaitCondition
Steven Hardy [Thu, 31 Jan 2013 11:44:40 +0000 (11:44 +0000)]
heat tests : test_waitcondition move cleanup out of teardown
Move stack delete and mox VerifyAll out of the teardown function
so if either fails the stubs are unset, meaning all subsequent
tests won't fail due to being unable to setup their stubs
stack delete is now performed via the stack_delete_after decorator
Change-Id: I636af84dd66ba4923f068c56ec13e7990d8edc03
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Fri, 1 Feb 2013 11:23:33 +0000 (11:23 +0000)]
heat tests : Add utility decorator for deleting stacks
Add decorator function which allows test functions to be wrapped
such that if they create a stack (and it is stored in the testcase
class as self.stack) it is always deleted on test exit, regardless
of test success/failure
Change-Id: Ibde9a2cee08448e3f24c6b7efbfe756a01f9eccc
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 31 Jan 2013 15:41:16 +0000 (15:41 +0000)]
heat api : add register_api_opts to init.py
Add register_api_opts to api/__init__.py, slightly simplifying
the api executables, and also solving an issue with some tests
which were not working via nosetests -s due to the required
options not being registered in cfg.CONF
Change-Id: I70b16aae1f73f72518013dbcda37defa79fc5649
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 29 Jan 2013 18:20:04 +0000 (18:20 +0000)]
heat engine : WaitConditionHandle use creation time for timestamp
Use the resource creation time for the pre-signed URL timestamp,
otherwise you get a different timestamp/signature every time you
refer to the resource, which makes things like comparing templates
for update more difficult.
Change-Id: Ieb4a6269cfcaf1214c08442db03772fdd7570d59
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 29 Jan 2013 15:58:08 +0000 (15:58 +0000)]
heat engine : pass fully resolved template to update
We need to pass the fully resolved (static and runtime)
resource template into the resource update(), so the
resource can compare pre/post update templates properly
Change-Id: I2fba2fef9c9f9ccb9b7cde9bd24bd06af7659240
Signed-off-by: Steven Hardy <shardy@redhat.com>
Add method to top-level Resource class update_template_diff()
which allows us to determine the difference between old/new
templates for a resource update, and also raise an error
if the changed keys are not in the list of those defined
as supported for update by the resource
ref blueprint instance-update-stack
Change-Id: Ibef07a0cecbc15f7f1d6c2c663743e3af8023057
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Mon, 28 Jan 2013 14:45:24 +0000 (14:45 +0000)]
heat engine : pass json snippet into resource handle_update
Change handle_update to accept the resource json_snippet,
needed to decide if a non-replacement update is possible
by comparing pre and post update resource definitions
ref blueprint instance-update-stack
Change-Id: I7eedce41eae232330f6fce4f098183cbd7fd6768
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Mon, 28 Jan 2013 14:38:20 +0000 (14:38 +0000)]
heat engine : don't replace resource template before update
We want to validate the pre-update properties without touching
the existing template, because the resource implementation will
need to compare old/new json snippets to decide if an update
can be performed or not.
ref blueprint instance-update-stack
Change-Id: I37ce6e799242819de6104a53f8458d8bbc3abf1c
Signed-off-by: Steven Hardy <shardy@redhat.com>
Jeff Peeler [Wed, 30 Jan 2013 19:26:34 +0000 (14:26 -0500)]
Hardcode provision-finished file path
A recent change removed the use of the cloudinit module, so write this
log to /var/lib/heat. Functional test paths updated as well.
(User data injection was removed, so that has been deleted as well.)
Change-Id: Ibcaf310a5e4ff9a9ed8b1065bdd411e1b95d4de5
Signed-off-by: Jeff Peeler <jpeeler@redhat.com>
Zane Bitter [Tue, 29 Jan 2013 20:54:07 +0000 (21:54 +0100)]
Wait for deletion of Instances during creation
When an Instance was still in the BUILD state when it was deleted, the
resource was not waiting for the instance to be deleted before declaring
success and moving on.
Steven Hardy [Fri, 25 Jan 2013 14:37:26 +0000 (14:37 +0000)]
heat engine : error on resource update with invalid properties
If properties validation fails, raise an error so the resource is
marked as UPDATE_FAILED, we don't want to go ahead and try running
handle_update anyway
Change-Id: I5f748b9de6a2b02d26421a5b6e0b1b5f0db25d0c
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 23 Jan 2013 16:56:09 +0000 (16:56 +0000)]
heat tests : autoscaling test add missing VerifyAll
Add logic to verify stubbed calls to loadbalancer reload,
also break up the tests a bit into functionally related
chunks instead of having two mega-tests
Change-Id: I94897b6ec23cae92bc464b4b3ef2a7b634bfdb0c
Signed-off-by: Steven Hardy <shardy@redhat.com>
Clint Byrum [Thu, 24 Jan 2013 05:59:58 +0000 (21:59 -0800)]
Use pkg_resources to detect version of cloud-init
Previously the presence of an API call only present in cloud-init 0.6.x
was used to determine whether or not cfn-userdata would have been executed
or not. The API call was removed in 0.7.x. This fixes bug #1103793
Steven Hardy [Tue, 22 Jan 2013 16:30:18 +0000 (16:30 +0000)]
heat api paste.ini auth_uri should use auth_port
For token based auth to work, the auth_uri needs to use
auth_port, which points at the internalURL of the keystone
service, the current config uses publicURL which causes
token auth requests to keystone to fail