Steven Hardy [Fri, 22 Feb 2013 11:00:44 +0000 (11:00 +0000)]
heat loadbalancer : make LB nested template create credentials
Create User/AccessKey resources correctly in the LB nested template
so we can create a cfn-credentials file which will allow cfn-hup
to access the CFN API
Steven Hardy [Thu, 21 Feb 2013 17:12:53 +0000 (17:12 +0000)]
heat api : don't store whole request in ec2Credentials context
The ec2token middleware currently dumps the whole request into the
request context when using AWS Auth, when all we really want are
the credentials (accesskey/signature)
Steven Hardy [Thu, 21 Feb 2013 15:58:38 +0000 (15:58 +0000)]
heat tests : fix run_tests.sh pep checks
run_tests.sh parses tox.ini, which has been changed removing the
pep8 version, so remove this test and specify the version in
test-requires. This allows the pep tests to run via run_tests.sh
again, a subsequent patch can reinstate the version check based
on the test-requires version
Steven Hardy [Thu, 21 Feb 2013 10:35:27 +0000 (10:35 +0000)]
heat : bump oslo-config version to fix import error
New oslo config patch causes services to fail to launch, with
"ImportError: No module named oslo.config", bumping to
oslo-config-2013.1b4.tar appears to fix the problem
Steven Hardy [Wed, 20 Feb 2013 15:16:53 +0000 (15:16 +0000)]
heat engine : Update stack dependencies during update
We need to update the stack dependencies each time we modify the
resources list, otherwise in the event of a failure, the resources
returned from the iterator methods don't match with those found via
getitem/contains (which is important for rollback)
Steven Hardy [Wed, 20 Feb 2013 10:24:06 +0000 (10:24 +0000)]
heat engine : fail update immediately on resource update failure
When doing an update, we want to fail immediately, instead of
collecting the resource update errors and continuing. This is
particularly important for update rollback, where we want to
declare failure ASAP to simplify and speed up the rollback
Clint Byrum [Tue, 19 Feb 2013 20:21:07 +0000 (12:21 -0800)]
Add config for boto https_validate_certificates
Boto does not, by default, validate https ceritificates on endpoints. We
now provide a way to specify it in the heat configuration along side
is_secure. Heat deployers may also need to turn this off if boto ever
does make it default and they want to use self signed certs.
Avoid the possibility of returning an empty string (when Exceptions
have not got a string message), or parser.py will treat the error
as success and the resource operation failure will not be correctly
reflected in the resource state.
Steven Hardy [Fri, 15 Feb 2013 18:31:13 +0000 (18:31 +0000)]
heat engine : Only create periodic task on CREATE_COMPLETE
Only create the stack periodic watcher task if the stack create
completed successfully, since we don't want a watcher task if
the stack ended up rolling back (or just in CREATE_FAILED state)
Steven Hardy [Thu, 14 Feb 2013 15:41:14 +0000 (15:41 +0000)]
heat tests : delete stacks from DB in parser tests
The tests which store a stack in the DB should delete it
at the end of the test, otherwise any cut/paste test
which uses the same stack name will always fail
Mark McLoughlin [Mon, 18 Feb 2013 17:13:52 +0000 (17:13 +0000)]
Use oslo-config-2013.1b3
The cfg API is now available via the oslo-config library, so switch to
it and remove the copied-and-pasted version.
Add the 2013.1b3 tarball to tools/pip-requires - this will be changed
to 'oslo-config>=2013.1' when oslo-config is published to pypi. This
will happen in time for grizzly final.
Add dependency_links to setup.py so that oslo-config can be installed
from the tarball URL specified in pip-requires.
Remove the 'deps = pep8==1.3.4' from tox.ini as it means all the other
deps get installed with easy_install which can't install oslo-config
from the URL.
Excluded code from oslo-incubator in the pep8 check.
Retain dummy cfg.py file until keystoneclient middleware has been
updated (I18c450174277c8e2d15ed93879da6cd92074c27a).
Steve Baker [Wed, 13 Feb 2013 21:05:11 +0000 (10:05 +1300)]
Implement Internet Gateway and VPC attachment
Please note that this takes a different approach for
all VPC resources types. Previously the resource_id matched
the underlying quantum resource UUID (or a composite of the
underlying UUIDs)
This had some problems, including:
- it was resource_id abuse
- it required extra quantum _list and _show calls to get enough
data to wire up new resources
- it made the already difficult job of mapping VPC <-> quantum
even harder
The new approach is to store all quantum UUIDs in resource metadata.
The resource id is just the resource name, so resources can easily
fetch other resources from the stack by ref/name then look up
their metadata to find the underlying quantum UUIDs to perform
operations with.
Tomas Sedovic [Wed, 13 Feb 2013 10:10:53 +0000 (11:10 +0100)]
Fix policy checks for users without policies
When the User resource doesn't have the `Policies` property specified,
the policy checking code raised an error because it tried to iterate
over `None`.
Change-Id: I1ad0a051c837744d8ec0a343929918c92fa78437 Signed-off-by: Tomas Sedovic <tomas@sedovic.cz>
Steven Hardy [Tue, 12 Feb 2013 16:02:44 +0000 (16:02 +0000)]
heat templates : allow access to wordpress in example templates
Latest wordpress package in Fedora defaults to deny-all so trying
to access the wordpress site on the instance no longer works,
so sed out the deny all to allow template examples and integration
tests to work again
Steve Baker [Mon, 11 Feb 2013 01:34:32 +0000 (14:34 +1300)]
Catch 404s when deleting quantum resources.
Quantum resources are often automatically deleted when their
dependencies are deleted, so resource deletion needs to tolerate
the resource no longer being there.
Steven Hardy [Tue, 5 Feb 2013 14:07:14 +0000 (14:07 +0000)]
Implement simple AccessPolicy Resource
Implement a simple AccessPolicy resource, which can be used
to restrict in-instance users to specific resources when they
call the DescribeStackResource API action
Steven Hardy [Thu, 7 Feb 2013 15:54:42 +0000 (15:54 +0000)]
heat templates : Remove IAM Policy sections
Some templates have Policies specified for the User
resource in the AWS IAM Policy format, which we do
not yet support, and will confuse users now we have
OS::Heat::AccessPolicy implemented
Steven Hardy [Fri, 8 Feb 2013 11:39:17 +0000 (11:39 +0000)]
heat engine : add option to control instance boto http/https
Currently the heat-jeos code defaults to http only, but we are
about to fix that, so we instead need a way to specify if
instances should connect via http or https - boto provides the
is_secure config file option, so add a new heat option which
controls this setting in the boto config we create in userdata
Steven Hardy [Fri, 8 Feb 2013 11:34:58 +0000 (11:34 +0000)]
heat clients : Make boto client select http/https from configfile
Currently we hardcode is_secure=False, but boto supports configuration
of this option from the config file (either ~/.boto or /etc/boto.cfg)
so better to do that
NOTE - you will need to update your boto config to include is_secure=0
to retain current (non https) behavior, since it defaults to on
Steven Hardy [Thu, 7 Feb 2013 11:16:28 +0000 (11:16 +0000)]
heat scripts : Avoid using lsb_release in tools/openstack
lsb_release is not installed by default on Fedora (or at least
it's not on my F17 box), so we should avoid using it, simple
alternative is just to read /etc/fedora-release instead
Change-Id: I341c151e8560fb971b11d27578934940aeeca1a7 Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 6 Feb 2013 16:32:54 +0000 (16:32 +0000)]
heat api : Add policy.json authorization to cloudwatch API
Adds a basic policy.json to authorize all actions for the CW API -
this will deny access to the in-instance users defined in stack
templates (which are assigned the heat_stack_user role) to all API
actions apart from PutMetricData action, which is used by
cfn-push-stats to provide metric data from the instances
Change-Id: I2bbb885bec98b85828cdb92d7efc0688da7be3c1 Signed-off-by: Steven Hardy <shardy@redhat.com>
Clint Byrum [Thu, 7 Feb 2013 00:27:23 +0000 (16:27 -0800)]
Use yaml.safe_load: full yaml.load isn't needed
The only reason to use yaml.load instead of safe_load is if one wants to
load serialized objects. Heat's use case is purely to load basic data
structures such as maps/lists/strings. Fixes bug #1117820
Steve Baker [Mon, 4 Feb 2013 21:10:11 +0000 (10:10 +1300)]
Refactor loguserdata.py so it can be tested.
- Use distutils.version.LooseVersion for cloud-init version check
- Fix bug 1100287 by setting the following modes:
- 0600 /var/log/heat-provision.log
- 0700 /var/lib/heat
- 0700 /var/lib/cloud/data/cfn-userdata (was 0111!)
- Full test coverage except for where __name__ == '__main__'
- File size has gone from 1218 bytes to 1636. If necessary we could reduce size in the future by using short names
This works for me when launching a template. At least if there are any regressions they can have a test written for the fix.
Change-Id: I04e773a743ec210e90394e50d2bb70c70664e80e
Steven Hardy [Tue, 5 Feb 2013 19:23:38 +0000 (19:23 +0000)]
heat api : Add policy.json authorization to CFN API
Adds a basic policy.json to authorize all actions for the CFN API -
this will deny access to the in-instance users defined in stack
templates (which are assigned the heat_stack_user role) to all API
actions apart from DescribeStackResource, which is used for metadata
updates
Steven Hardy [Wed, 6 Feb 2013 11:39:12 +0000 (11:39 +0000)]
heat common : context should split roles from X-Roles
The auth_token code joins roles with a comma delimiter and stores
the result in the X-Roles header, so we need to split X-Roles back
into a list for the context (otherwise the oslo policy code breaks)
Change-Id: I32bd1d6355b6fe0e16e729f35b1d0b5c61346a70 Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 6 Feb 2013 10:05:58 +0000 (10:05 +0000)]
heat tests : fix StackControllerTest name duplication
StackControllerTest appears twice in the run_tests.sh output,
since it's used for both the CFN and ReST API tests, so rename
the CFN testcase to make run_tests output less confusing
Change-Id: Iedf2e21ecd0b511eb93a11c2cf593dbfc1bcaca9 Signed-off-by: Steven Hardy <shardy@redhat.com>
Code Review / openstack-build / heat-build.git / log