Remove calls to policy.enforce from plugin and db logic
Blueprint make-authz-orthogonal
This patch implements item #2 of the blueprint.
Remove calls to policy.enforce when the policy check can be performed
safely at the API level, and modify policy.json to this aim.
This patch does not address enforce calls in the agent scheduler
extension, as that extension is currently not defined as a quantum.v2.api
resource class.
This patch also adds an API-level test case for the provider networks
extension, which was missing in Quantum and was necessary to validate
the API behaviour with the default policy settings.
Roman Podolyaka [Thu, 25 Apr 2013 13:15:59 +0000 (16:15 +0300)]
Use Query instances as iterables when possible
A Query.all() call creates a list of DB query results.
We can actually use a Query instance as an iterable and
thus avoid creation of a list if we just need to iterate
over those values only once.
This patch replaces the nvp_controller_connection configuration option
with a set of options more intuitive to the user which also avoid
repetitions in ini files.
In order to simplify the configuration of the plugin, this patch also
removes named clusters. As the plugin supports a single cluster at
the moment, this can be simply specified in the [DEFAULT] configuration
section.
Also, this patch restructures nvp_cluster.NvpCluster so that per-cluster
configuration options are not stored multiple times anymore.
* Update veth pair creation to set the namespace of the peer
device on creation rather than subsequently adding it to the
namespace.
* This change supports kernels with limited namespace support
(e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
* Addresses bug 1171727
This patch simply enhances the validator for the 'devices' attribute
by verifying each element in the device list does not contain
unexpected attributes.
This patch adds a new policy named 'context_is_admin' which defines
an admin user as a collection of roles or else. The quantum context
has been updated to check for this policy when setting the is_admin
flag.
This patch also adds a method for gathering 'admin' roles from policy
rules as current logic requires the context to be always populated with
the correct roles for admin rules, even when the context is implicitly
generated with get_admin_context or context.elevated.
Backward compatibility is ensured by preserving the old behavior if
the 'context_is_admin' policy is not found in policy.json.
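A simplified illustration of the 'context_is_admin' lookup and its backward-compatible fallback described in the commit message above, added here as an example; it is not Quantum's code. The rule grammar (only `role:<name>` terms joined by `or`), the function names and the sample policies are assumptions.

```python
import json

# Constructed policy.json fragments (sample data, not Quantum's shipped file).
POLICY_WITH_RULE = json.loads(
    '{"context_is_admin": "role:admin or role:cloud_admin"}')
POLICY_WITHOUT_RULE = json.loads('{"admin_only": "role:admin"}')

ADMIN_RULE = "context_is_admin"


def _roles_in_rule(rule):
    """Return the lower-cased role names in a 'role:a or role:b' rule."""
    roles = []
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind != "role" or not value:
            # Fail closed: an unparseable term must never grant admin.
            raise ValueError("unsupported policy term: %r" % term)
        roles.append(value.lower())
    return roles


def admin_roles(policy):
    """Gather the roles that the policy treats as admin."""
    rule = policy.get(ADMIN_RULE)
    # Rule absent from policy.json: keep the old, hard-coded behaviour.
    return _roles_in_rule(rule) if rule is not None else ["admin"]


def is_admin(roles, policy):
    """Decide the is_admin flag for a context holding `roles`."""
    held = {r.lower() for r in roles}
    return any(role in held for role in admin_roles(policy))


def elevated(roles, policy):
    """Role list for an implicitly elevated context.

    Assumption: every admin role named by the policy is added, so that
    role-based admin rules still match the elevated context.
    """
    merged = list(roles)
    held = {r.lower() for r in merged}
    merged.extend(r for r in admin_roles(policy) if r not in held)
    return merged
```

A malformed rule raises instead of evaluating to a default, so a typo in policy.json cannot silently widen or remove admin access.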
Roman Podolyaka [Mon, 15 Apr 2013 15:10:07 +0000 (18:10 +0300)]
Simplify delete_health_monitor() using cascades
Currently delete_health_monitor() emulates behaviour of
cascade deletion: when a HealthMonitor instance is deleted,
all corresponding PoolMonitorAssociations are queried and
deleted one by one. This can be done automatically by means
of SQLAlchemy if we set proper cascade flags on the relationship
between HealthMonitor and PoolMonitorAssociations models.
Aaron Rosen [Thu, 21 Feb 2013 23:31:31 +0000 (15:31 -0800)]
Add string 'quantum'/ version to scope/tag in NVP
This patch adds scope='quantum', tag=QUANTUM_VERSION to each element
created in NVP via quantum. This patch also removes the function
set_tenant_id_tag() as it was only used in one place and wasn't very useful.
Enable automatic validation of many HACKING rules.
* Add hacking to the tox build - a set of flake8 plugins that
perform automatic validation of many HACKING.rst rules.
* This patch configures hacking in the tox build and performs
the mechanical cleanup required to allow the checks to pass.
* See https://pypi.python.org/pypi/hacking
* s+[/.]nicira_nvp_plugin++
* Backwards compatibility is maintained by importing the
nicira package as nicira_nvp_plugin in the plugins package.
* It may be necessary to remove stale .pyc/.pyo files under the
nicira path after applying this patch.
* DocImpact
* Addresses bug 1166307
Make "shared" filter more compatible with diff DBs
For the type BOOLEAN, in sqlalchemy,
it's mapped to BOOLEAN type if the backend database supports it,
otherwise, it's mapped to one of the Integer types, like SMALLINT,
and restricts the values to 1 (True) and 0 (False).
query_filter = (... | model.shared)
The above filter will generate a SQL where clause like:
where ... OR xxx.shared
This is not supported in databases which don't support BOOLEAN type.
Change it as below to make it more compatible:
query_filter = (... | (model.shared == True))
It will generate a SQL where clause as below:
where ... OR xxx.shared = ?
In Python, True == 1, so this change is compatible
with both databases supporting BOOLEAN and those not supporting it.
* The old behavior required setting environment variables to
disable capture of stdout and stderr to allow debugging via pdb.
The new behavior requires enabling capture of stdout/stderr
instead. This is already the case in nova.
* testr behavior is unmodified.
* Tip 'o the hat to Robert Collins (lifeless)
The router.interface.{create|delete} notifications are intended to be
consumed by ceilometer, but did not include the router or tenant IDs
in the RPC message payload. Ceilometer requires both these data for
metering purposes.
The missing UUIDs are now provided in the notifications.
* flake8 supports more checks than pep8 (e.g. detection of
unused imports and variables), and has an extension mechanism.
A plugin to support automatic HACKING validation is planned.
* See: http://flake8.readthedocs.org/
Roman Podolyaka [Wed, 20 Mar 2013 16:50:50 +0000 (18:50 +0200)]
Use wrappers instead of direct calls to ip route.
- extract the logic of ip route wrapper into a separate
class to drop dependency on a specific network device
- add route wrapper to IPWrapper class
- use IPWrapper instead of direct calls to ip route in l3 agent
- update tests
EmilienM [Tue, 26 Mar 2013 13:43:12 +0000 (14:43 +0100)]
Add RabbitMQ and QPID HA support flags to quantum.conf
Since Quantum supports HA queues with RabbitMQ (https://review.openstack.org/#/c/13760/),
quantum.conf should provide new flags to explain how to configure multiple RabbitMQ servers and enable HA.
New flags:
rabbit_hosts=$rabbit_host:$rabbit_port
rabbit_ha_queues=false
qpid_hosts = localhost:5672
Rich Curran [Tue, 5 Feb 2013 20:55:28 +0000 (15:55 -0500)]
blueprint cisco-single-config
Scope: Unification of all the various plugin files for the Cisco plugin into a single file.
Use Cases: Quantum with the Cisco plugin.
Implementation Overview: All the config values contained in the various files in
etc/quantum/plugins/cisco will be unified into a single file
etc/quantum/plugins/cisco/cisco_plugin.ini. The plugin needs to be modified to
read from a single file instead of multiple.
Added quantum.openstack.common.cfg support.