diff --git a/deckhand/conf/config.py b/deckhand/conf/config.py index 62086805..b6336fe1 100644 --- a/deckhand/conf/config.py +++ b/deckhand/conf/config.py @@ -12,6 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +from keystoneauth1 import loading as ks_loading from oslo_config import cfg CONF = cfg.CONF @@ -31,38 +32,21 @@ barbican_opts = [ help='URL override for the Barbican API endpoint.'), ] -keystone_auth_group = cfg.OptGroup( - name='keystone_authtoken', - title='Keystone Authentication Options' -) - -keystone_auth_opts = [ - cfg.StrOpt(name='project_domain_name', - default='Default'), - cfg.StrOpt(name='project_name', - default='admin'), - cfg.StrOpt(name='user_domain_name', - default='Default'), - cfg.StrOpt(name='password', - default='devstack'), - cfg.StrOpt(name='username', - default='admin'), - cfg.StrOpt(name='auth_url', - default='http://127.0.0.1/identity/v3') -] - def register_opts(conf): conf.register_group(barbican_group) conf.register_opts(barbican_opts, group=barbican_group) - - conf.register_group(keystone_auth_group) - conf.register_opts(keystone_auth_opts, group=keystone_auth_group) + ks_loading.register_auth_conf_options(conf, group=barbican_group.name) + ks_loading.register_session_conf_options(conf, group=barbican_group.name) def list_opts(): - return {barbican_group: barbican_opts, - keystone_auth_group: keystone_auth_opts} + opts = {barbican_group: barbican_opts + + ks_loading.get_session_conf_options() + + ks_loading.get_auth_common_conf_options() + + ks_loading.get_auth_plugin_conf_options( + 'v3password')} + return opts def parse_args(args=None, usage=None, default_config_files=None): diff --git a/deckhand/conf/opts.py b/deckhand/conf/opts.py index ca0a49c3..d3c0227e 100644 --- a/deckhand/conf/opts.py +++ b/deckhand/conf/opts.py @@ -18,6 +18,7 @@ import os import pkgutil LIST_OPTS_FUNC_NAME = "list_opts" +IGNORED_MODULES = ('opts', 'constants', 'utils') def _tupleize(dct): 
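Review bot: In the second config.py hunk, `list_opts()` hard-codes `ks_loading.get_auth_plugin_conf_options('v3password')`, while `register_opts()` registers only the generic auth and session options for the `[barbican]` group. The generated sample therefore always documents the password plugin's options, whichever `auth_type` an operator selects. A comment above that call would make the intent explicit, e.g. `# Sample generation only: lists v3password options; the plugin actually used is chosen by [barbican]/auth_type.` Because the built-in credential defaults are removed, `register_opts` also deserves a docstring saying that Barbican credentials must now be supplied in `[barbican]` and that this module no longer registers `keystone_authtoken`. That group presumably now comes from the `keystonemiddleware.auth_token` namespace added to config-generator.conf.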
@@ -50,7 +51,7 @@ def _list_module_names(): module_names = [] package_path = os.path.dirname(os.path.abspath(__file__)) for _, modname, ispkg in pkgutil.iter_modules(path=[package_path]): - if modname == "opts" or ispkg: + if modname in IGNORED_MODULES or ispkg: continue else: module_names.append(modname) diff --git a/deckhand/control/api.py b/deckhand/control/api.py index b6807097..3cb5231f 100644 --- a/deckhand/control/api.py +++ b/deckhand/control/api.py @@ -32,8 +32,6 @@ LOG = None def __setup_logging(): global LOG - LOGGER_NAME = 'deckhand' - LOG = logging.getLogger(__name__, LOGGER_NAME) logging.register_options(CONF) config.parse_args() @@ -50,7 +48,8 @@ def __setup_logging(): os.path.isfile(logging_cfg_path)): CONF.log_config_append = logging_cfg_path - logging.setup(CONF, LOGGER_NAME) + logging.setup(CONF, 'deckhand') + LOG = logging.getLogger(__name__, 'deckhand') LOG.debug('Initiated Deckhand logging.') diff --git a/deckhand/control/base.py b/deckhand/control/base.py index c9907603..89e1ee2a 100644 --- a/deckhand/control/base.py +++ b/deckhand/control/base.py @@ -12,26 +12,20 @@ # See the License for the specific language governing permissions and # limitations under the License. -import uuid import yaml import falcon -from falcon import request +from oslo_context import context from oslo_log import log as logging from oslo_serialization import jsonutils as json import six -from deckhand import errors - LOG = logging.getLogger(__name__) class BaseResource(object): """Base resource class for implementing API resources.""" - def __init__(self): - self.authorized_roles = [] - def on_options(self, req, resp): self_attrs = dir(self) methods = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH'] 
@@ -44,37 +38,6 @@ class BaseResource(object): resp.headers['Allow'] = ','.join(allowed_methods) resp.status = falcon.HTTP_200 - # For authorizing access at the Resource level. A Resource requiring - # finer-grained authorization at the method or instance level must - # implement that in the request handlers - def authorize_roles(self, role_list): - authorized = set(self.authorized_roles) - applied = set(role_list) - - if authorized.isdisjoint(applied): - return False - else: - return True - - def req_json(self, req): - if req.content_length is None or req.content_length == 0: - return None - - if req.content_type is not None and req.content_type.lower() \ - == 'application/json': - raw_body = req.stream.read(req.content_length or 0) - - if raw_body is None: - return None - - try: - return json.loads(raw_body.decode('utf-8')) - except json.JSONDecodeError as jex: - raise errors.InvalidFormat("%s: Invalid JSON in body: %s" % ( - req.path, jex)) - else: - raise errors.InvalidFormat("Requires application/json payload.") - def return_error(self, resp, status_code, message="", retry=False): resp.body = json.dumps( {'type': 'error', 'message': six.text_type(message), 
@@ -95,26 +58,23 @@ class BaseResource(object): 'body to YAML format.') -class DeckhandRequestContext(object): +class DeckhandRequest(falcon.Request): - def __init__(self): - self.user = None - self.roles = [] - self.request_id = str(uuid.uuid4()) + def __init__(self, env, options=None): + super(DeckhandRequest, self).__init__(env, options) + self.context = context.RequestContext.from_environ(self.env) - def set_user(self, user): - self.user = user + @property + def project_id(self): + return self.context.tenant - def add_role(self, role): - self.roles.append(role) + @property + def user_id(self): + return self.context.user - def add_roles(self, roles): - self.roles.extend(roles) + @property + def roles(self): + return self.context.roles - def remove_role(self, role): - if role in self.roles: - self.roles.remove(role) - - -class DeckhandRequest(request.Request): - context_type = DeckhandRequestContext + def __repr__(self): + return '%s, context=%s' % (self.path, self.context) diff --git a/etc/deckhand/config-generator.conf b/etc/deckhand/config-generator.conf index ad0f47ee..854605fe 100644 --- a/etc/deckhand/config-generator.conf +++ b/etc/deckhand/config-generator.conf @@ -3,5 +3,6 @@ output_file = etc/deckhand/deckhand.conf.sample wrap_width = 80 namespace = deckhand.conf namespace = oslo.db -namespace = oslo.db.concurrency namespace = oslo.log +namespace = oslo.middleware +namespace = keystonemiddleware.auth_token diff --git a/etc/deckhand/deckhand.conf.sample b/etc/deckhand/deckhand.conf.sample new file mode 100644 index 00000000..dff7641e --- /dev/null +++ b/etc/deckhand/deckhand.conf.sample 
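Review bot: In the base.py hunk that rewrites `DeckhandRequest`, `__init__` builds `self.context` with `context.RequestContext.from_environ(self.env)`, so `user_id`, `project_id` and `roles` are whatever the WSGI environ holds, and nothing in this class checks that the request was authenticated. Those values are trustworthy only when keystonemiddleware's auth_token filter runs in front of the application, and the WSGI pipeline is not visible in this diff. If `delay_auth_decision` is enabled, the authorization decision is left to the application, so the handlers would need that check themselves. I would add a class docstring stating the dependency, e.g. `"""Request whose context is populated from auth_token headers; requires keystonemiddleware in the WSGI pipeline."""`. The earlier base.py hunks remove `authorized_roles` and `authorize_roles`, and no replacement check on `roles` appears here, so it is worth confirming that enforcement (presumably through oslo.policy, added in requirements.txt) lands with or before this change.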
@@ -0,0 +1,539 @@ +[DEFAULT] + +# +# From oslo.log +# + +# If set to true, the logging level will be set to DEBUG instead of the default +# INFO level. (boolean value) +# Note: This option can be changed without restarting. +#debug = false + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. Note that when logging +# configuration files are used then all logging configuration is set in the +# configuration file and other logging configuration options are ignored (for +# example, logging_context_format_string). (string value) +# Note: This option can be changed without restarting. +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = + +# Defines the format string for %%(asctime)s in log records. Default: +# %(default)s . This option is ignored if log_config_append is set. (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to send logging output to. If no default is set, +# logging will go to stderr as defined by use_stderr. This option is ignored if +# log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = + +# (Optional) The base directory used for relative log_file paths. This option +# is ignored if log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = + +# Uses logging handler designed to watch file system. When log file is moved or +# removed this handler will open a new log file with specified path +# instantaneously. It makes sense only if log_file option is specified and Linux +# platform is used. This option is ignored if log_config_append is set. (boolean +# value) +#watch_log_file = false + +# Use syslog for logging. Existing syslog format is DEPRECATED and will be +# changed later to honor RFC5424. This option is ignored if log_config_append is +# set. 
(boolean value) +#use_syslog = false + +# Enable journald for logging. If running in a systemd environment you may wish +# to enable journal support. Doing so will use the journal native protocol which +# includes structured metadata in addition to log messages.This option is +# ignored if log_config_append is set. (boolean value) +#use_journal = false + +# Syslog facility to receive log lines. This option is ignored if +# log_config_append is set. (string value) +#syslog_log_facility = LOG_USER + +# Log output to standard error. This option is ignored if log_config_append is +# set. (boolean value) +#use_stderr = false + +# Format string to use for log messages with context. (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages when context is undefined. (string +# value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Additional data to append to log message when logging level for the message is +# DEBUG. (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + +# Defines the format string for %(user_identity)s that is used in +# logging_context_format_string. (string value) +#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This option is ignored +# if log_config_append is set. 
(list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# The format for an instance that is passed with the log message. (string value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# Interval, number of seconds, of log rate limiting. (integer value) +#rate_limit_interval = 0 + +# Maximum number of logged messages per rate_limit_interval. (integer value) +#rate_limit_burst = 0 + +# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or +# empty string. Logs with level greater or equal to rate_limit_except_level are +# not filtered. An empty string means that all levels are filtered. (string +# value) +#rate_limit_except_level = CRITICAL + +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + + +[barbican] +# +# Barbican options for allowing Deckhand to communicate with Barbican. + +# +# From deckhand.conf +# + +# URL override for the Barbican API endpoint. (string value) +#api_endpoint = http://barbican.example.org:9311/ + +# PEM encoded Certificate Authority to use when verifying HTTPs connections. +# (string value) +#cafile = + +# PEM encoded client certificate cert file (string value) +#certfile = + +# PEM encoded client certificate key file (string value) +#keyfile = + +# Verify HTTPS connections. 
(boolean value) +#insecure = false + +# Timeout value for http requests (integer value) +#timeout = + +# Authentication type to load (string value) +# Deprecated group/name - [barbican]/auth_plugin +#auth_type = + +# Config Section from which to load plugin specific options (string value) +#auth_section = + +# Authentication URL (string value) +#auth_url = + +# Domain ID to scope to (string value) +#domain_id = + +# Domain name to scope to (string value) +#domain_name = + +# Project ID to scope to (string value) +#project_id = + +# Project name to scope to (string value) +#project_name = + +# Domain ID containing project (string value) +#project_domain_id = + +# Domain name containing project (string value) +#project_domain_name = + +# Trust ID (string value) +#trust_id = + +# User ID (string value) +#user_id = + +# Username (string value) +# Deprecated group/name - [barbican]/user_name +#username = + +# User's domain id (string value) +#user_domain_id = + +# User's domain name (string value) +#user_domain_name = + +# User's password (string value) +#password = + + +[cors] + +# +# From oslo.middleware +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. Format: "://[:]", no trailing +# slash. Example: https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = + +# Maximum cache age of CORS preflight requests. (integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH + +# Indicate which header field names may be used during the actual request. 
(list +# value) +#allow_headers = + + +[database] + +# +# From oslo.db +# + +# If True, SQLite uses synchronous mode. (boolean value) +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection = + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set by +# the server configuration, set this to no value. Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode = TRADITIONAL + +# If True, transparently enables support for handling MySQL Cluster (NDB). +# (boolean value) +#mysql_enable_ndb = false + +# Timeout before idle SQL connections are reaped. (integer value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#idle_timeout = 3600 + +# Minimum number of SQL connections to keep open in a pool. (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +#min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool. Setting a value of 0 +# indicates no limit. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size = 5 + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. 
(integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = 50 + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Minimum value: 0 +# Maximum value: 100 +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = + +# Enable the experimental use of database reconnect on connection lost. (boolean +# value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval = 1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval = true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. (integer value) +#db_max_retry_interval = 10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries = 20 + + +[healthcheck] + +# +# From oslo.middleware +# + +# DEPRECATED: The path to respond to healtcheck requests on. (string value) +# This option is deprecated for removal. 
+# Its value may be silently ignored in the future. +#path = /healthcheck + +# Show more detailed information as part of the response (boolean value) +#detailed = false + +# Additional backends that can perform health checks and report that information +# back as part of a request. (list value) +#backends = + +# Check the presence of a file to determine if an application is running on a +# port. Used by DisableByFileHealthcheck plugin. (string value) +#disable_by_file_path = + +# Check the presence of a file based on a port to determine if an application is +# running on a port. Expects a "port:path" list of strings. Used by +# DisableByFilesPortsHealthcheck plugin. (list value) +#disable_by_file_paths = + + +[keystone_authtoken] + +# +# From keystonemiddleware.auth_token +# + +# Complete "public" Identity API endpoint. This endpoint should not be an +# "admin" endpoint, as it should be accessible by all end users. Unauthenticated +# clients are redirected to this endpoint to authenticate. Although this +# endpoint should ideally be unversioned, client support in the wild varies. If +# you're using a versioned v2 endpoint here, then this should *not* be the same +# endpoint the service user utilizes for validating tokens, because normal end +# users may not be able to reach that endpoint. (string value) +#auth_uri = + +# API version of the admin Identity API endpoint. (string value) +#auth_version = + +# Do not handle authorization requests within the middleware, but delegate the +# authorization decision to downstream WSGI components. (boolean value) +#delay_auth_decision = false + +# Request timeout value for communicating with Identity API server. (integer +# value) +#http_connect_timeout = + +# How many times are we trying to reconnect when communicating with Identity API +# Server. (integer value) +#http_request_max_retries = 3 + +# Request environment key where the Swift cache object is stored. 
When +# auth_token middleware is deployed with a Swift cache, use this option to have +# the middleware share a caching backend with swift. Otherwise, use the +# ``memcached_servers`` option instead. (string value) +#cache = + +# Required if identity server requires client certificate (string value) +#certfile = + +# Required if identity server requires client certificate (string value) +#keyfile = + +# A PEM encoded Certificate Authority to use when verifying HTTPs connections. +# Defaults to system CAs. (string value) +#cafile = + +# Verify HTTPS connections. (boolean value) +#insecure = false + +# The region in which the identity server can be found. (string value) +#region_name = + +# DEPRECATED: Directory used to cache files related to PKI tokens. This option +# has been deprecated in the Ocata release and will be removed in the P release. +# (string value) +# This option is deprecated for removal since Ocata. +# Its value may be silently ignored in the future. +# Reason: PKI token format is no longer supported. +#signing_dir = + +# Optionally specify a list of memcached server(s) to use for caching. If left +# undefined, tokens will instead be cached in-process. (list value) +# Deprecated group/name - [keystone_authtoken]/memcache_servers +#memcached_servers = + +# In order to prevent excessive effort spent validating tokens, the middleware +# caches previously-seen tokens for a configurable duration (in seconds). Set to +# -1 to disable caching completely. (integer value) +#token_cache_time = 300 + +# DEPRECATED: Determines the frequency at which the list of revoked tokens is +# retrieved from the Identity service (in seconds). A high number of revocation +# events combined with a low cache duration may significantly reduce +# performance. Only valid for PKI tokens. This option has been deprecated in the +# Ocata release and will be removed in the P release. (integer value) +# This option is deprecated for removal since Ocata. 
+# Its value may be silently ignored in the future. +# Reason: PKI token format is no longer supported. +#revocation_cache_time = 10 + +# (Optional) If defined, indicate whether token data should be authenticated or +# authenticated and encrypted. If MAC, token data is authenticated (with HMAC) +# in the cache. If ENCRYPT, token data is encrypted and authenticated in the +# cache. If the value is not one of these options or empty, auth_token will +# raise an exception on initialization. (string value) +# Allowed values: None, MAC, ENCRYPT +#memcache_security_strategy = None + +# (Optional, mandatory if memcache_security_strategy is defined) This string is +# used for key derivation. (string value) +#memcache_secret_key = + +# (Optional) Number of seconds memcached server is considered dead before it is +# tried again. (integer value) +#memcache_pool_dead_retry = 300 + +# (Optional) Maximum total number of open connections to every memcached server. +# (integer value) +#memcache_pool_maxsize = 10 + +# (Optional) Socket timeout in seconds for communicating with a memcached +# server. (integer value) +#memcache_pool_socket_timeout = 3 + +# (Optional) Number of seconds a connection to memcached is held unused in the +# pool before it is closed. (integer value) +#memcache_pool_unused_timeout = 60 + +# (Optional) Number of seconds that an operation will wait to get a memcached +# client connection from the pool. (integer value) +#memcache_pool_conn_get_timeout = 10 + +# (Optional) Use the advanced (eventlet safe) memcached client pool. The +# advanced pool will only work under python 2.x. (boolean value) +#memcache_use_advanced_pool = false + +# (Optional) Indicate whether to set the X-Service-Catalog header. If False, +# middleware will not ask for service catalog on token validation and will not +# set the X-Service-Catalog header. (boolean value) +#include_service_catalog = true + +# Used to control the use and type of token binding. 
Can be set to: "disabled" +# to not check token binding. "permissive" (default) to validate binding +# information if the bind type is of a form known to the server and ignore it if +# not. "strict" like "permissive" but if the bind type is unknown the token will +# be rejected. "required" any form of token binding is needed to be allowed. +# Finally the name of a binding method that must be present in tokens. (string +# value) +#enforce_token_bind = permissive + +# DEPRECATED: If true, the revocation list will be checked for cached tokens. +# This requires that PKI tokens are configured on the identity server. (boolean +# value) +# This option is deprecated for removal since Ocata. +# Its value may be silently ignored in the future. +# Reason: PKI token format is no longer supported. +#check_revocations_for_cached = false + +# DEPRECATED: Hash algorithms to use for hashing PKI tokens. This may be a +# single algorithm or multiple. The algorithms are those supported by Python +# standard hashlib.new(). The hashes will be tried in the order given, so put +# the preferred one first for performance. The result of the first hash will be +# stored in the cache. This will typically be set to multiple values only while +# migrating from a less secure algorithm to a more secure one. Once all the old +# tokens are expired this option should be set to a single value for better +# performance. (list value) +# This option is deprecated for removal since Ocata. +# Its value may be silently ignored in the future. +# Reason: PKI token format is no longer supported. +#hash_algorithms = md5 + +# A choice of roles that must be present in a service token. Service tokens are +# allowed to request that an expired token can be used and so this check should +# tightly control that only actual services should be sending this token. Roles +# here are applied as an ANY check so any role in this list must be present. 
For +# backwards compatibility reasons this currently only affects the allow_expired +# check. (list value) +#service_token_roles = service + +# For backwards compatibility reasons we must let valid service tokens pass that +# don't pass the service_token_roles check as valid. Setting this true will +# become the default in a future release and should be enabled if possible. +# (boolean value) +#service_token_roles_required = false + +# Authentication type to load (string value) +# Deprecated group/name - [keystone_authtoken]/auth_plugin +#auth_type = + +# Config Section from which to load plugin specific options (string value) +#auth_section = + + +[oslo_middleware] + +# +# From oslo.middleware +# + +# The maximum body size for each request, in bytes. (integer value) +# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size +# Deprecated group/name - [DEFAULT]/max_request_body_size +#max_request_body_size = 114688 + +# DEPRECATED: The HTTP Header that will be used to determine what the original +# request protocol scheme was, even if it was hidden by a SSL termination proxy. +# (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#secure_proxy_ssl_header = X-Forwarded-Proto + +# Whether the application is behind a proxy or not. This determines if the +# middleware should parse the headers or not. (boolean value) +#enable_proxy_headers_parsing = false diff --git a/requirements.txt b/requirements.txt index 76e705ed..5456d36c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5,7 +5,11 @@ # Hacking already pins down pep8, pyflakes and flake8 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 -falcon==1.1.0 +falcon>=1.0.0 # Apache-2.0 +pbr!=2.1.0,>=2.0.0 # Apache-2.0 +PasteDeploy>=1.5.0 # MIT +Paste # MIT +Routes>=2.3.1 # MIT jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT pbr!=2.1.0,>=2.0.0 # Apache-2.0 
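Review bot: In the first requirements.txt hunk, the added `Paste # MIT` line has no version specifier, unlike every other entry in the file. The same hunk relaxes `falcon==1.1.0` to `falcon>=1.0.0`, which also admits releases older than the one previously pinned. Several packages now appear twice: `pbr!=2.1.0,>=2.0.0` is added just above an identical context line in this hunk, and the next hunk adds `falcon>=1.0.0` and `oslo.concurrency>=3.8.0` again. I would give Paste a lower bound (`Paste>=MIN_TESTED_VERSION`, placeholder), keep `falcon>=1.1.0` unless 1.0.0 has actually been tested, and list each package once so that later edits cannot leave conflicting constraints.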
@@ -13,15 +17,21 @@ six>=1.9.0 # MIT oslo.concurrency>=3.8.0 # Apache-2.0 stevedore>=1.20.0 # Apache-2.0 jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT -keystoneauth1>=2.21.0 # Apache-2.0 -oslo.config>=3.22.0 # Apache-2.0 +python-keystoneclient>=3.8.0 # Apache-2.0 +keystonemiddleware>=4.12.0 # Apache-2.0 +falcon>=1.0.0 # Apache-2.0 + +oslo.cache>=1.5.0 # Apache-2.0 +oslo.concurrency>=3.8.0 # Apache-2.0 +oslo.config!=4.3.0,!=4.4.0,>=4.0.0 # Apache-2.0 oslo.context>=2.14.0 # Apache-2.0 -oslo.utils>=3.20.0 # Apache-2.0 -oslo.db>=4.21.1 # Apache-2.0 -oslo.log>=3.22.0 # Apache-2.0 oslo.messaging!=5.25.0,>=5.24.2 # Apache-2.0 -oslo.serialization>=1.10.0 # Apache-2.0 -oslo.utils>=3.20.0 # Apache-2.0 -oslo.versionedobjects>=1.23.0 +oslo.db>=4.24.0 # Apache-2.0 oslo.i18n!=3.15.2,>=2.1.0 # Apache-2.0 +oslo.log>=3.22.0 # Apache-2.0 +oslo.middleware>=3.27.0 # Apache-2.0 +oslo.policy>=1.23.0 # Apache-2.0 +oslo.serialization!=2.19.1,>=1.10.0 # Apache-2.0 +oslo.utils>=3.20.0 # Apache-2.0 + python-barbicanclient>=4.0.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index fc557a75..844a5861 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -5,11 +5,7 @@ # Hacking already pins down pep8, pyflakes and flake8 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 -falcon==1.1.0 - -hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 coverage!=4.4,>=4.0 # Apache-2.0 -mock>=2.0 fixtures>=3.0.0 # Apache-2.0/BSD mox3!=0.19.0,>=0.7.0 # Apache-2.0 python-subunit>=0.0.18 # Apache-2.0/BSD