Steven Hardy [Thu, 25 Oct 2012 10:33:20 +0000 (11:33 +0100)]
heat engine : add template-defined users to keystone role
Add all keystone users created by the User resource type
to a special keystone role, which can be used later for
defining RBAC policy for these users, and also works around
a keystone bug (1060959) on Folsom
Fixes #279
Change-Id: I94931e427ed51f4332bcb506220925b7ce8097bc
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 23 Oct 2012 20:59:38 +0000 (21:59 +0100)]
heat engine : Allow instance users to view their own details
So that cfn-hup can read instance metadata via the DescribeStackResource
API call, we need non-admin "instance users" to be allowed to read their
own AccessKey resource details (since it can-be/is referenced in the
instance resource metadata). The change in this patch should allow non-admin
users to read *only their own* secret AccessKey, and leave existing admin-user
visibility of the AccessKey resources unchanged.
Change-Id: Ic26d614d8e30104fbb354a67d3376b5d995ae8cc
Signed-off-by: Steven Hardy <shardy@redhat.com>
Keystone user-role-add syntax is not the same on essex
and folsom, so try both formats so we can work with either
Removes potentially unreliable approach to detecting keystone
version, and also avoids error on folsom when the user already
has the specified role
Fixes #272
Change-Id: Iece52223a29069a1fd517018cc49613be6fac318
Signed-off-by: Steven Hardy <shardy@redhat.com>
Folsom version of keystoneclient orders the columns for
keystone user-list differently, so we need to detect the
new format to extract the correct field
Fixes #273
Change-Id: I46f653dd3a8f7b5a68648fbd72671f95b386a547
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 18 Oct 2012 16:13:02 +0000 (17:13 +0100)]
heat engine : kill running greenthreads on stack_delete
Add logic to track running eventlet greenthreads and kill
them when we start a stack_delete. This should avoid errors
where long-running greenthreads end up referencing stacks which
have subsequently been deleted.
Fixes #261
Ref #223
Change-Id: I0d10b6f2dad0efa1caec18a67a3cc66cc693ea24
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 17 Oct 2012 13:38:08 +0000 (14:38 +0100)]
heat engine : Store all resource states to DB
Resources should be committed to the DB on transition
to CREATE_IN_PROGRESS state, otherwise resources
which take a long time to go from CREATE_IN_PROGRESS to
CREATE_COMPLETE (e.g. WaitConditions) are invisible while
in the CREATE_IN_PROGRESS state to all except the thread
creating them.
Change-Id: If1563505e854c216c0f6a5ce84b613e1ccb74386
Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Mon, 22 Oct 2012 09:24:59 +0000 (11:24 +0200)]
Change the service user to match devstack
The user which authenticates keystone tokens should be the "heat" user in
the "service" tenant. This changes the default configuration to do this, as
devstack already does.
Zane Bitter [Mon, 22 Oct 2012 09:20:07 +0000 (11:20 +0200)]
Pass the correct tenant for the service user
Previously, the service user (which authenticates tokens passed to the
engine by the APIs) was paired with the tenant of the end user to do
authentication, which worked only when they were in the same tenant. This
should not be the case, since the service user should only have an admin
role in the "service" tenant.
Steven Hardy [Fri, 19 Oct 2012 15:12:15 +0000 (16:12 +0100)]
heat engine : remove unused EC2 style auth from engine
We handle EC2 style auth at the heat-api-cfn level, so EC2
style authenticated requests simply pass us an auth_token in
the context, so remove this duplicate/dead code.
Ref #268
Change-Id: I17708cb6ef4b0eb4989d47c116b6211f0d419dcb
Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Fri, 19 Oct 2012 14:15:13 +0000 (16:15 +0200)]
Identify stacks using tenant UUIDs
Tenant names may come and go, but UUIDs are universally unique. Therefore,
ownership of the stack should be keyed on the tenant_id, not the tenant
name.
Steven Hardy [Wed, 17 Oct 2012 12:37:57 +0000 (13:37 +0100)]
heat engine : Make wait-condition poll interval better
Remove rising-rate sleep-time logic and replace with a bounded
poll interval derived from the timeout - this should avoid ramping
up to a really long interval and delaying stack complete status
Fixes #264
Change-Id: Id53b87a988299708c29fc853f2801f527fd825dd
Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Tue, 16 Oct 2012 14:31:59 +0000 (16:31 +0200)]
Handle upgrades in heat-keystone-setup
Handle upgrades of Heat by removing any outdated endpoints that exist in
keystone and adding any existing "heat" service user to an admin role in
the service tenant.
Zane Bitter [Mon, 15 Oct 2012 09:57:11 +0000 (11:57 +0200)]
Getting Started: Fix IP address determination on F17
The format of the output of ifconfig has changed between Fedora 16 and
Fedora 17, so starting the metadata server failed on the latter due to a
missing IP address.
The change makes the script work with either format, and also now fails
with an error if it breaks again.
Steven Hardy [Fri, 12 Oct 2012 16:18:11 +0000 (17:18 +0100)]
heat : db API add watch_rule_get_by_name
Add watch_rule_get_by_name, and move the previous
watch_rule_get to look up rule by ID, which is consistent
with the other api calls. Lookup by id is required for
WatchRule rework
Ref #217
Change-Id: I4b5d08ffcd31b6b522c65edd0a202e8cf5a367b8
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Fri, 12 Oct 2012 12:45:11 +0000 (13:45 +0100)]
heat : Remove cloudwatch functionality from metadata server
Remove the cloudwatch metric functionality from the heat-metadata
service, since all stats should now be sent via the CloudWatch
api via the PutMetricData action (ref cfn-push-stats update)
Note that after this change you will need to rebuild your jeos
images to get the new version of cfn-push-stats from heat-jeos
Signed-off-by: Steven Hardy <shardy@redhat.com>
Change-Id: I5eec60d3dd0abfb32e2b4777635f1b0e2714a2c2
Zane Bitter [Wed, 10 Oct 2012 13:38:04 +0000 (15:38 +0200)]
ReST API: Fix template validation
Also move the URL to be local to a tenant. This is because keystone will
automatically fill in the tenant id in the endpoint, so all requests will
use this as a base URL.
Jeff Peeler [Sat, 29 Sep 2012 00:00:34 +0000 (20:00 -0400)]
Fix versioning code
Removed cruft from OpenStack common versioning code that was removed.
Added optional git SHA information if module is available. The
intent is to have the additional git revision reported only when FINAL
is set to False.
Change-Id: Iae94b84027e7428cd394726e07845d2bad631586
Signed-off-by: Jeff Peeler <jpeeler@redhat.com>
Previously, all APIs used single versioning definition. Since these are
likely to change at different rates (AWS APIs are unlikely to change at
all, but OpenStack APIs probably will), give each their own version
definition.
Steven Hardy [Thu, 27 Sep 2012 13:43:34 +0000 (14:43 +0100)]
heat API : return ResourceProperties as JSON
For boto to correctly parse the API DescribeStackEvents
action, the ResourceProperties key in the response
must be a string, as per the AWS spec, so we encode the
properties in a JSON blob
Fixes #245
Change-Id: Icd38984836a941ed4a012b06382933bb46f43c4f
Signed-off-by: Steven Hardy <shardy@redhat.com>