Steven Hardy [Thu, 7 Feb 2013 11:16:28 +0000 (11:16 +0000)]
heat scripts : Avoid using lsb_release in tools/openstack
lsb_release is not installed by default on Fedora (or at least
it's not on my F17 box), so we should avoid using it, simple
alternative is just to read /etc/fedora-release instead
Change-Id: I341c151e8560fb971b11d27578934940aeeca1a7
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 6 Feb 2013 16:32:54 +0000 (16:32 +0000)]
heat api : Add policy.json authorization to cloudwatch API
Adds a basic policy.json to authorize all actions for the CW API -
this will deny access to the in-instance users defined in stack
templates (which are assigned the heat_stack_user role) to all API
actions apart from PutMetricData action, which is used by
cfn-push-stats to provide metric data from the instances
Change-Id: I2bbb885bec98b85828cdb92d7efc0688da7be3c1
Signed-off-by: Steven Hardy <shardy@redhat.com>
Clint Byrum [Thu, 7 Feb 2013 00:27:23 +0000 (16:27 -0800)]
Use yaml.safe_load: full yaml.load isn't needed
The only reason to use yaml.load instead of safe_load is if one wants to
load serialized objects. Heat's use case is purely to load basic data
structures such as maps/lists/strings. Fixes bug #1117820
Steven Hardy [Tue, 5 Feb 2013 19:23:38 +0000 (19:23 +0000)]
heat api : Add policy.json authorization to CFN API
Adds a basic policy.json to authorize all actions for the CFN API -
this will deny access to the in-instance users defined in stack
templates (which are assigned the heat_stack_user role) to all API
actions apart from DescribeStackResource, which is used for metadata
updates
Steven Hardy [Wed, 6 Feb 2013 11:39:12 +0000 (11:39 +0000)]
heat common : context should split roles from X-Roles
The auth_token code joins roles with a comma delimiter and stores
the result in the X-Roles header, so we need to split X-Roles back
into a list for the context (otherwise the oslo policy code breaks)
Change-Id: I32bd1d6355b6fe0e16e729f35b1d0b5c61346a70
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 6 Feb 2013 10:05:58 +0000 (10:05 +0000)]
heat tests : fix StackControllerTest name duplication
StackControllerTest appears twice in the run_tests.sh output,
since it's used for both the CFN and ReST API tests, so rename
the CFN testcase to make run_tests output less confusing
Change-Id: Iedf2e21ecd0b511eb93a11c2cf593dbfc1bcaca9
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 5 Feb 2013 19:21:00 +0000 (19:21 +0000)]
Add initial code to support policy.json implementation
We don't currently support a policy.json file like
other openstack services, so this code (mostly copied
from glance, then modified a bit) will allow us to
add policy-based authorization to our APIs fairly
easily
Change-Id: I5ad9f55b3d0979e2526953bdce8b8227852e4b72
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Mon, 4 Feb 2013 18:03:52 +0000 (18:03 +0000)]
heat engine : AutoScalingGroup UpdateStack support
Adds improved UpdateStack support for AutoScalingGroup,
now the following properties can be updated without
replacement:
'MaxSize', 'MinSize', 'Cooldown', 'DesiredCapacity'
Change-Id: Ic47b4a2456dc19cd91eec7b0381d5d82fcd3f332
Signed-off-by: Steven Hardy <shardy@redhat.com>
Add validation to the Handle property for WaitCondition, so
we check that the identifier in the provided URL maps to
a WaitConditionHandle resource in the same stack as the
WaitCondition
Steven Hardy [Thu, 31 Jan 2013 11:44:40 +0000 (11:44 +0000)]
heat tests : test_waitcondition move cleanup out of teardown
Move stack delete and mox VerifyAll out of the teardown function
so if either fails the stubs are unset, meaning all subsequent
tests won't fail due to being unable to setup their stubs
stack delete is now performed via the stack_delete_after decorator
Change-Id: I636af84dd66ba4923f068c56ec13e7990d8edc03
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Fri, 1 Feb 2013 11:23:33 +0000 (11:23 +0000)]
heat tests : Add utility decorator for deleting stacks
Add decorator function which allows test functions to be wrapped
such that if they create a stack (and it is stored in the testcase
class as self.stack) it is always deleted on test exit, regardless
of test success/failure
Change-Id: Ibde9a2cee08448e3f24c6b7efbfe756a01f9eccc
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 31 Jan 2013 15:41:16 +0000 (15:41 +0000)]
heat api : add register_api_opts to init.py
Add register_api_opts to api/__init__.py, slightly simplifying
the api executables, and also solving an issue with some tests
which were not working via nosetests -s due to the required
options not being registered in cfg.CONF
Change-Id: I70b16aae1f73f72518013dbcda37defa79fc5649
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 29 Jan 2013 18:20:04 +0000 (18:20 +0000)]
heat engine : WaitConditionHandle use creation time for timestamp
Use the resource creation time for the pre-signed URL timestamp,
otherwise you get a different timestamp/signature every time you
refer to the resource, which makes things like comparing templates
for update more difficult.
Change-Id: Ieb4a6269cfcaf1214c08442db03772fdd7570d59
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 29 Jan 2013 15:58:08 +0000 (15:58 +0000)]
heat engine : pass fully resolved template to update
We need to pass the fully resolved (static and runtime)
resource template into the resource update(), so the
resource can compare pre/post update templates properly
Change-Id: I2fba2fef9c9f9ccb9b7cde9bd24bd06af7659240
Signed-off-by: Steven Hardy <shardy@redhat.com>
Add method to top-level Resource class update_template_diff()
which allows us to determine the difference between old/new
templates for a resource update, and also raise an error
if the changed keys are not in the list of those defined
as supported for update by the resource
ref blueprint instance-update-stack
Change-Id: Ibef07a0cecbc15f7f1d6c2c663743e3af8023057
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Mon, 28 Jan 2013 14:45:24 +0000 (14:45 +0000)]
heat engine : pass json snippet into resource handle_update
Change handle_update to accept the resource json_snippet,
needed to decide if a non-replacement update is possible
by comparing pre and post update resource definitions
ref blueprint instance-update-stack
Change-Id: I7eedce41eae232330f6fce4f098183cbd7fd6768
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Mon, 28 Jan 2013 14:38:20 +0000 (14:38 +0000)]
heat engine : don't replace resource template before update
We want to validate the pre-update properties without touching
the existing template, because the resource implementation will
need to compare old/new json snippets to decide if an update
can be performed or not.
ref blueprint instance-update-stack
Change-Id: I37ce6e799242819de6104a53f8458d8bbc3abf1c
Signed-off-by: Steven Hardy <shardy@redhat.com>
Jeff Peeler [Wed, 30 Jan 2013 19:26:34 +0000 (14:26 -0500)]
Hardcode provision-finished file path
A recent change removed the use of the cloudinit module, so write this
log to /var/lib/heat. Functional test paths updated as well.
(User data injection was removed, so that has been deleted as well.)
Change-Id: Ibcaf310a5e4ff9a9ed8b1065bdd411e1b95d4de5
Signed-off-by: Jeff Peeler <jpeeler@redhat.com>
Zane Bitter [Tue, 29 Jan 2013 20:54:07 +0000 (21:54 +0100)]
Wait for deletion of Instances during creation
When an Instance was still in the BUILD state when it was deleted, the
resource was not waiting for the instance to be deleted before declaring
success and moving on.
Steven Hardy [Fri, 25 Jan 2013 14:37:26 +0000 (14:37 +0000)]
heat engine : error on resource update with invalid properties
If properties validation fails, raise an error so the resource is
marked as UPDATE_FAILED, we don't want to go ahead and try running
handle_update anyway
Change-Id: I5f748b9de6a2b02d26421a5b6e0b1b5f0db25d0c
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 23 Jan 2013 16:56:09 +0000 (16:56 +0000)]
heat tests : autoscaling test add missing VerifyAll
Add logic to verify stubbed calls to loadbalancer reload,
also break up the tests a bit into functionally related
chunks instead of having two mega-tests
Change-Id: I94897b6ec23cae92bc464b4b3ef2a7b634bfdb0c
Signed-off-by: Steven Hardy <shardy@redhat.com>
Clint Byrum [Thu, 24 Jan 2013 05:59:58 +0000 (21:59 -0800)]
Use pkg_resources to detect version of cloud-init
Previously the presence of an API call only present in cloud-init 0.6.x
was used to determine whether or not cfn-userdata would have been executed
or not. The API call was removed in 0.7.x. This fixes bug #1103793
Steven Hardy [Tue, 22 Jan 2013 16:30:18 +0000 (16:30 +0000)]
heat api paste.ini auth_uri should use auth_port
For token based auth to work, the auth_uri needs to use
auth_port, which points at the internalURL of the keystone
service, the current config uses publicURL which causes
token auth requests to keystone to fail
Steven Hardy [Tue, 22 Jan 2013 13:15:20 +0000 (13:15 +0000)]
heat tests : test_watch add create_watch_data test
Add test for create_watch_data, note there are some limitations
on what we can test here due to weird sqlite behavior with the
relationships defined in the sqlalchemy model
Change-Id: I2616b6dcf163914619321e9ff08e37f3f365d7db
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 16 Jan 2013 16:21:16 +0000 (16:21 +0000)]
heat engine : make watchrule actions run in stack ThreadGroup
Make watchrule alarm actions run via greenthreads in the stack
ThreadGroup - this allows them to be correctly cancelled if the
stack is deleted whilst an alarm action is in progress.
Zane Bitter [Mon, 21 Jan 2013 15:36:21 +0000 (16:36 +0100)]
ReST API: Return 400 for malformed JSON input
Previously we had an unhandled exception that resulted in a 500 (Internal
Server Error) result and a stack trace when an invalid JSON file was
submitted in a POST/PUT request. Change to catching the exception and
returning a 400 (Bad Request) result.
Steven Hardy [Thu, 17 Jan 2013 17:32:25 +0000 (17:32 +0000)]
heat engine : watchrule don't run rule for every SampleCount
We should not be triggering a run_rule (which is an alarm action)
for every datapoint when the SampleCount statistic is specified,
otherwise e.g. IHA instances get replaced every heartbeat signal!
run_rule should only be called in response to a rule evaluate(),
or an explicit override via set_watch_state()
Steven Hardy [Thu, 17 Jan 2013 11:22:09 +0000 (11:22 +0000)]
heat templates : fix IHA HeartbeatFailureAlarm during instance build
The HeartbeatFailureAlarm triggers prematurely while the instance is
building, because cfn-init doesn't create the files (hence the
heartbeat cron-job) until after the packages are all installed.
If we make the HeartbeatFailureAlarm depend on the WaitCondition, it
won't be created until the instance is fully built.
Steven Hardy [Thu, 17 Jan 2013 11:19:05 +0000 (11:19 +0000)]
heat templates : IHA HeartbeatFailureAlarm should be Ref
cfn-push-stats reference to HeartbeatFailureAlarm should be a
Ref not a hard-coded string, or the engine fails to find the
watch because the name lacks the stack prefix