Update Master SHAs - 17 Jan 2016

This patch does the following:
- updates the Master SHAs for new development work.
- includes updates to policy, paste and rootwrap files as required
- moves the Aodh repository to openstack_services as it now has
  implemented a stable branch
- Updated the keystone-wsgi file as it was still running the code from
  liberty
- add 2 package requirements to keystone which must be present for the
  new wsgi file.
- updates tempest.conf.j2 to replace ssh_auth_method with auth_method,
  and change auth_method to 'keypair' (configured is no longer an
  a valid option)

Change-Id: I933c24c03518865d9d40519dafb2ba46769a5453
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

playbooks/defaults/repo_packages/openstack_other.yml

@@ -27,23 +27,17 @@
 
 ## Tempest service
 tempest_git_repo: https://git.openstack.org/openstack/tempest
-tempest_git_install_branch: d289567c278edeac6ddaf0829e4159aef17c1552 # HEAD of "master" as of 24.10.2015
+tempest_git_install_branch: 5cc7ef78b4233444a4dcea1b1eb8f213c1548491 # HEAD of "master" as of 17.01.2016
 tempest_git_dest: "/opt/tempest_{{ tempest_git_install_branch | replace('/', '_') }}"
 
 
-## aodh service
-aodh_git_repo: https://git.openstack.org/openstack/aodh
-aodh_git_install_branch: 8c9d2c8804cfb37f7e064e1c0df4b43590f1a3ee # HEAD of "master" as of 24.10.2015
-aodh_git_dest: "/opt/aodh_{{ aodh_git_install_branch | replace('/', '_') }}"
-
-
 ## NOVNC from source
 novncproxy_git_repo: https://github.com/kanaka/novnc
-novncproxy_git_install_branch: 6a90803feb124791960e3962e328aa3cfb729aeb # HEAD of "master" as of 24.10.2015
+novncproxy_git_install_branch: 670dbddb54264fd0082d0aca1b3acb0f1814b1d2 # HEAD of "master" as of 17.01.2016
 novncproxy_git_dest: "/opt/novnc_{{ novncproxy_git_install_branch | replace('/', '_') }}"
 
 
 ## spice-html5 from source
 spicehtml5_git_repo: https://github.com/SPICE/spice-html5
-spicehtml5_git_install_branch: c1e736b083ff47639ecb73ea9be4d14b5002f93f # HEAD of "master" as of 24.10.2015
+spicehtml5_git_install_branch: ab73d009487c8afd4def39b54a422499b4c13c40 # HEAD of "master" as of 17.01.2016
 spicehtml5_git_dest: "/opt/spicehtml5_{{ spicehtml5_git_install_branch | replace('/', '_') }}"

playbooks/defaults/repo_packages/openstack_services.yml

@@ -31,71 +31,77 @@
 
 ## Global Requirements
 requirements_git_repo: https://git.openstack.org/openstack/requirements
-requirements_git_install_branch: 2854532c8549e82b180e348fd11a43bc13f8af6a # HEAD of "master" as of 24.10.2015
+requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
 requirements_git_dest: "/opt/requirements_{{ requirements_git_install_branch | replace('/', '_') }}"
 
 
+## Aodh service
+aodh_git_repo: https://git.openstack.org/openstack/aodh
+aodh_git_install_branch: 239e1f629b26557ceadb92de3d62edcd87489b9d # HEAD of "master" as of 17.01.2016
+aodh_git_dest: "/opt/aodh_{{ aodh_git_install_branch | replace('/', '_') }}"
+
+
 ## Ceilometer service
 ceilometer_git_repo: https://git.openstack.org/openstack/ceilometer
-ceilometer_git_install_branch: b34865f80818165187552e7feca4ead2e61a30d3 # HEAD of "master" as of 24.10.2015
+ceilometer_git_install_branch: 333024b69aa7810e78aef85e5171cfd6dbd6b740 # HEAD of "master" as of 17.01.2016
 ceilometer_git_dest: "/opt/ceilometer_{{ceilometer_git_install_branch | replace('/', '_') }}"
 
 
 ## Cinder service
 cinder_git_repo: https://git.openstack.org/openstack/cinder
-cinder_git_install_branch: 774c8a9dc4cfe559a1d2f3afd2380ea8f9cdd6ee # HEAD of "master" as of 24.10.2015
+cinder_git_install_branch: 94ae8598b96e2f86844fdf0f35a8b83a94c7b4c4 # HEAD of "master" as of 17.01.2016
 cinder_git_dest: "/opt/cinder_{{ cinder_git_install_branch | replace('/', '_') }}"
 
 
 ## Glance service
 glance_git_repo: https://git.openstack.org/openstack/glance
-glance_git_install_branch: b7703a4aab4f4c6315a5f0a12620336f96532108 # HEAD of "master" as of 24.10.2015
+glance_git_install_branch: 7d5c3710ce2739a8ac356208d4e104f2ce3ec9ab # HEAD of "master" as of 17.01.2016
 glance_git_dest: "/opt/glance_{{ glance_git_install_branch | replace('/', '_') }}"
 
 
 ## Heat service
 heat_git_repo: https://git.openstack.org/openstack/heat
-heat_git_install_branch: cd1a61e3d794bd37dd964ba7c37f1d0cb2bb2e81 # HEAD of "master" as of 24.10.2015
+heat_git_install_branch: 7e3e4087f476a0431d1d278730b1736e02e5fd06 # HEAD of "master" as of 17.01.2016
 heat_git_dest: "/opt/heat_{{ heat_git_install_branch | replace('/', '_') }}"
 
 
 ## Horizon service
 horizon_git_repo: https://git.openstack.org/openstack/horizon
-horizon_git_install_branch: aa068eca807885182886b2a2f28591d6ac9e689e # HEAD of "master" as of 24.10.2015
+horizon_git_install_branch: 18f1605bddd428a014d0e43ef52d1af6305e1e03 # HEAD of "master" as of 17.01.2016
 horizon_git_dest: "/opt/horizon_{{ horizon_git_install_branch | replace('/', '_') }}"
 
 
 ## Keystone service
 keystone_git_repo: https://git.openstack.org/openstack/keystone
-keystone_git_install_branch: ebe82fcd21116f4bdae9dc97407e04f5184dc9b0 # HEAD of "master" as of 24.10.2015
+keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 # HEAD of "master" as of 17.01.2016
 keystone_git_dest: "/opt/keystone_{{ keystone_git_install_branch | replace('/', '_') }}"
 
 
 ## Neutron service
 neutron_git_repo: https://git.openstack.org/openstack/neutron
-neutron_git_install_branch: 554b5d96cdb8b0b8987f37b8ae0336e910c5675c # HEAD of "master" as of 24.10.2015
+neutron_git_install_branch: d6d43b32ca825b6c3c2c908f5ff7bc50c736546e # HEAD of "master" as of 17.01.2016
 neutron_git_dest: "/opt/neutron_{{ neutron_git_install_branch | replace('/', '_') }}"
 
 neutron_lbaas_git_repo: https://git.openstack.org/openstack/neutron-lbaas
-neutron_lbaas_git_install_branch: 8427934f76f1c213044a54da60c3b266930efef1 # HEAD of "master" as of 24.10.2015
+neutron_lbaas_git_install_branch: b5d4e5c0fe02a897ad2ab0bc548f695915998831 # HEAD of "master" as of 17.01.2016
 neutron_lbaas_git_dest: "/opt/neutron_lbaas_{{ neutron_lbaas_git_install_branch | replace('/', '_') }}"
 
 neutron_vpnaas_git_repo: https://git.openstack.org/openstack/neutron-vpnaas
-neutron_vpnaas_git_install_branch: d4e477d2c515d80a66cf7e5f60a452edc89219d9 # HEAD of "master" as of 24.10.2015
+neutron_vpnaas_git_install_branch: 832b875b79d801e17a5b997054f30c9d88b36914 # HEAD of "master" as of 17.01.2016
 neutron_vpnaas_git_dest: "/opt/neutron_vpnaas_{{ neutron_vpnaas_git_install_branch | replace('/', '_') }}"
 
 neutron_fwaas_git_repo: https://git.openstack.org/openstack/neutron-fwaas
-neutron_fwaas_git_install_branch: 64c0e6a56cec1021b8af5b76e5da0485e37d5efb # HEAD of "master" as of 24.10.2015
+neutron_fwaas_git_install_branch: cb0093d185a97cafc320bd64d9b45dc737cdfdb2 # HEAD of "master" as of 17.01.2016
 neutron_fwaas_git_dest: "/opt/neutron_fwaas_{{ neutron_fwaas_git_install_branch | replace('/', '_') }}"
 
 
 ## Nova service
 nova_git_repo: https://git.openstack.org/openstack/nova
-nova_git_install_branch: 71d2ed17950edbeb97b479bf04958dbee8f23fc5 # HEAD of "master" as of 24.10.2015
+nova_git_install_branch: deb1ee440923b0b292f3536a2f8bda672c03984a # HEAD of "master" as of 17.01.2016
 nova_git_dest: "/opt/nova_{{ nova_git_install_branch | replace('/', '_') }}"
 
 
 ## Swift service
 swift_git_repo: https://git.openstack.org/openstack/swift
-swift_git_install_branch: a094560f0cef9a51f03b9f72dd516d4df717bec6 # HEAD of "master" as of 24.10.2015
+swift_git_install_branch: 4db7e2e2e4d80757a717485e3b639b16e0a66f68 # HEAD of "master" as of 17.01.2016
 swift_git_dest: "/opt/swift_{{ swift_git_install_branch | replace('/', '_') }}"

playbooks/defaults/repo_packages/python2_lxc.yml

@@ -15,5 +15,5 @@
 
 ## Git Source for python2-lxc library
 git_repo: https://github.com/lxc/python2-lxc
-git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 14.10.2015
+git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 17.01.2016
 git_dest: "/opt/lxc_python2_{{ git_install_branch|replace('/', '_') }}"

playbooks/roles/os_aodh/templates/policy.json.j2

@@ -1,21 +1,20 @@
 {
     "context_is_admin": "role:admin",
-    "context_is_project": "project_id:%(target.project_id)s",
-    "context_is_owner": "user_id:%(target.user_id)s",
     "segregation": "rule:context_is_admin",
-    "service_role": "role:service",
-    "iaas_role": "role:iaas",
+    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
+    "default": "rule:admin_or_owner",
 
-    "telemetry:get_alarm": "rule:context_is_admin",
-    "telemetry:query_alarm": "rule:context_is_admin",
-    "telemetry:get_alarm_state": "rule:context_is_admin",
-    "telemetry:get_alarms": "rule:context_is_admin",
-    "telemetry:create_alarm": "rule:context_is_admin",
-    "telemetry:set_alarm": "rule:context_is_admin",
-    "telemetry:delete_alarm": "rule:context_is_admin",
+    "telemetry:get_alarm": "rule:admin_or_owner",
+    "telemetry:get_alarms": "rule:admin_or_owner",
+    "telemetry:query_alarm": "rule:admin_or_owner",
 
-    "telemetry:alarm_history": "rule:context_is_admin",
-    "telemetry:change_alarm_state": "rule:context_is_admin",
-    "telemetry:query_alarm_history": "rule:context_is_admin"
+    "telemetry:create_alarm": "",
+    "telemetry:change_alarm": "rule:admin_or_owner",
+    "telemetry:delete_alarm": "rule:admin_or_owner",
+
+    "telemetry:get_alarm_state": "rule:admin_or_owner",
+    "telemetry:change_alarm_state": "rule:admin_or_owner",
+
+    "telemetry:alarm_history": "rule:admin_or_owner",
+    "telemetry:query_alarm_history": "rule:admin_or_owner"
 }
-

playbooks/roles/os_ceilometer/defaults/main.yml

@@ -134,8 +134,11 @@ ceilometer_service_names:
 
 ## Tunable overrides
 ceilometer_policy_overrides: {}
+ceilometer_rootwrap_conf_overrides: {}
 ceilometer_ceilometer_conf_overrides: {}
 ceilometer_api_paste_ini_overrides: {}
 ceilometer_event_definitions_yaml_overrides: {}
 ceilometer_event_pipeline_yaml_overrides: {}
 ceilometer_pipeline_yaml_overrides: {}
+ceilometer_gnocci_resources_yaml_overrides: {}
+ceilometer_osprofiler_event_definitions_yaml_overrides: {}

playbooks/roles/os_ceilometer/files/rootwrap.d/ipmi.filters

@@ -0,0 +1,7 @@
+# ceilometer-rootwrap command filters for IPMI capable nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# ceilometer/ipmi/nodemanager/node_manager.py: 'ipmitool'
+ipmitool: CommandFilter, ipmitool, root
+

playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml

@@ -31,6 +31,10 @@
       dest: "/etc/ceilometer/api_paste.ini"
       config_overrides: "{{ ceilometer_api_paste_ini_overrides }}"
       config_type: "ini"
+    - src: "rootwrap.conf.j2"
+      dest: "/etc/ceilometer/rootwrap.conf"
+      config_overrides: "{{ ceilometer_rootwrap_conf_overrides }}"
+      config_type: "ini"
     - src: "event_pipeline.yaml.j2"
       dest: "/etc/ceilometer/event_pipeline.yaml"
       config_overrides: "{{ ceilometer_event_pipeline_yaml_overrides }}"
@@ -43,6 +47,14 @@
       dest: "/etc/ceilometer/pipeline.yaml"
       config_overrides: "{{ ceilometer_pipeline_yaml_overrides }}"
       config_type: "yaml"
+    - src: "gnocchi_resources.yaml.j2"
+      dest: "/etc/ceilometer/gnocchi_resources.yaml"
+      config_overrides: "{{ ceilometer_gnocci_resources_yaml_overrides }}"
+      config_type: "yaml"
+    - src: "osprofiler_event_definitions.yaml.j2"
+      dest: "/etc/ceilometer/osprofiler_event_definitions.yaml"
+      config_overrides: "{{ ceilometer_osprofiler_event_definitions_yaml_overrides }}"
+      config_type: "yaml"
     - src: "policy.json.j2"
       dest: "/etc/ceilometer/policy.json"
       config_overrides: "{{ ceilometer_policy_overrides }}"
@@ -52,6 +64,19 @@
     - ceilometer-config
     - ceilometer-post-install
 
+- name: Drop rootwrap filters
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ ceilometer_system_user_name }}"
+    group: "{{ ceilometer_system_group_name }}"
+  with_items:
+    - { src: "rootwrap.d/ipmi.filters", dest: "/etc/ceilometer/rootwrap.d/ipmi.filters" }
+  notify:
+    - Restart ceilometer services
+  tags:
+    - ceilometer-config
+
 - name: Get ceilometer command path
   command: which ceilometer
   register: ceilometer_command_path

playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml

@@ -56,6 +56,7 @@
   with_items:
     - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
     - { path: "/etc/ceilometer" }
+    - { path: "/etc/ceilometer/rootwrap.d" }
     - { path: "{{ ceilometer_system_user_home }}" }
     - { path: "{{ ceilometer_system_user_home }}/.ssh", mode: "0700" }
     - { path: "/var/cache/ceilometer", mode: "0700" }

playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2

@@ -8,15 +8,9 @@
     instance_id:
       fields: payload.instance_id
     host:
-      fields: publisher_id
-      plugin:
-        name: split
-        parameters:
-          segment: 1
-          max_split: 1
+      fields: publisher_id.`split(., 1, 1)`
     service:
-      fields: publisher_id
-      plugin: split
+      fields: publisher_id.`split(., 0, -1)`
     memory_mb:
       type: int
       fields: payload.memory_mb
@@ -96,6 +90,12 @@
       fields: payload.snapshot_id
     volume_id:
       fields: payload.volume_id
+- event_type: ['image_volume_cache.*']
+  traits:
+    image_id:
+      fields: payload.image_id
+    host:
+      fields: payload.host
 - event_type: ['image.update', 'image.upload', 'image.delete']
   traits: &glance_crud
     project_id:
@@ -331,6 +331,10 @@
       fields: ['payload.ipsec_site_connection.id', 'payload.id']
 - event_type: '*http.*'
   traits: &http_audit
+    project_id:
+      fields: payload.initiator.project_id
+    user_id:
+      fields: payload.initiator.id
     typeURI:
       fields: payload.typeURI
     eventType:
@@ -366,4 +370,152 @@
     <<: *http_audit
     reason_code:
       fields: payload.reason.reasonCode
-
+- event_type: ['dns.domain.create', 'dns.domain.update', 'dns.domain.delete']
+  traits: &dns_domain_traits
+    status:
+      fields: payload.status
+    retry:
+      fields: payload.retry
+    description:
+      fields: payload.description
+    expire:
+      fields: payload.expire
+    email:
+      fields: payload.email
+    ttl:
+      fields: payload.ttl
+    action:
+      fields: payload.action
+    name:
+      fields: payload.name
+    resource_id:
+      fields: payload.id
+    created_at:
+      fields: payload.created_at
+    updated_at:
+      fields: payload.updated_at
+    version:
+      fields: payload.version
+    parent_domain_id:
+      fields: parent_domain_id
+    serial:
+      fields: payload.serial
+- event_type: dns.domain.exists
+  traits:
+    <<: *dns_domain_traits
+    audit_period_beginning:
+      type: datetime
+      fields: payload.audit_period_beginning
+    audit_period_ending:
+      type: datetime
+      fields: payload.audit_period_ending
+- event_type: trove.*
+  traits: &trove_base_traits
+    state:
+      fields: payload.state_description
+    instance_type:
+      fields: payload.instance_type
+    user_id:
+      fields: payload.user_id
+    resource_id:
+      fields: payload.instance_id
+    instance_type_id:
+      fields: payload.instance_type_id
+    launched_at:
+      type: datetime
+      fields: payload.launched_at
+    instance_name:
+      fields: payload.instance_name
+    state:
+      fields: payload.state
+    nova_instance_id:
+      fields: payload.nova_instance_id
+    service_id:
+      fields: payload.service_id
+    created_at:
+      type: datetime
+      fields: payload.created_at
+    region:
+      fields: payload.region
+- event_type: ['trove.instance.create', 'trove.instance.modify_volume', 'trove.instance.modify_flavor', 'trove.instance.delete']
+  traits: &trove_common_traits
+    name:
+      fields: payload.name
+    availability_zone:
+      fields: payload.availability_zone
+    instance_size:
+      type: int
+      fields: payload.instance_size
+    volume_size:
+      type: int
+      fields: payload.volume_size
+    nova_volume_id:
+      fields: payload.nova_volume_id
+- event_type: trove.instance.create
+  traits:
+    <<: [*trove_base_traits, *trove_common_traits]
+- event_type: trove.instance.modify_volume
+  traits:
+    <<: [*trove_base_traits, *trove_common_traits]
+    old_volume_size:
+      type: int
+      fields: payload.old_volume_size
+    modify_at:
+      type: datetime
+      fields: payload.modify_at
+- event_type: trove.instance.modify_flavor
+  traits:
+    <<: [*trove_base_traits, *trove_common_traits]
+    old_instance_size:
+      type: int
+      fields: payload.old_instance_size
+    modify_at:
+      type: datetime
+      fields: payload.modify_at
+- event_type: trove.instance.delete
+  traits:
+    <<: [*trove_base_traits, *trove_common_traits]
+    deleted_at:
+      type: datetime
+      fields: payload.deleted_at
+- event_type: trove.instance.exists
+  traits:
+    <<: *trove_base_traits
+    display_name:
+      fields: payload.display_name
+    audit_period_beginning:
+      type: datetime
+      fields: payload.audit_period_beginning
+    audit_period_ending:
+      type: datetime
+      fields: payload.audit_period_ending
+- event_type: profiler.*
+  traits:
+    project:
+      fields: payload.project
+    service:
+      fields: payload.service
+    name:
+      fields: payload.name
+    base_id:
+      fields: payload.base_id
+    trace_id:
+      fields: payload.trace_id
+    parent_id:
+      fields: payload.parent_id
+    timestamp:
+      fields: payload.timestamp
+    host:
+      fields: payload.info.host
+    path:
+      fields: payload.info.request.path
+    query:
+      fields: payload.info.request.query
+    method:
+      fields: payload.info.request.method
+    scheme:
+      fields: payload.info.request.scheme
+    db.statement:
+      fields: payload.info.db.statement
+    db.params:
+      fields: payload.info.db.params

playbooks/roles/os_ceilometer/templates/event_pipeline.yaml.j2

@@ -10,4 +10,4 @@ sinks:
       transformers:
       triggers:
       publishers:
-          - direct://
+          - notifier://

playbooks/roles/os_ceilometer/templates/gnocchi_resources.yaml.j2

@@ -0,0 +1,176 @@
+---
+
+resources:
+  - resource_type: identity
+    archive_policy: low
+    metrics:
+      - 'identity.authenticate.success'
+      - 'identity.authenticate.pending'
+      - 'identity.authenticate.failure'
+      - 'identity.user.created'
+      - 'identity.user.deleted'
+      - 'identity.user.updated'
+      - 'identity.group.created'
+      - 'identity.group.deleted'
+      - 'identity.group.updated'
+      - 'identity.role.created'
+      - 'identity.role.deleted'
+      - 'identity.role.updated'
+      - 'identity.project.created'
+      - 'identity.project.deleted'
+      - 'identity.project.updated'
+      - 'identity.trust.created'
+      - 'identity.trust.deleted'
+      - 'identity.role_assignment.created'
+      - 'identity.role_assignment.deleted'
+
+  - resource_type: ceph_account
+    metrics:
+      - 'radosgw.objects'
+      - 'radosgw.objects.size'
+      - 'radosgw.objects.containers'
+      - 'radosgw.api.request'
+      - 'radosgw.containers.objects'
+      - 'radosgw.containers.objects.size'
+
+  - resource_type: instance
+    metrics:
+      - 'instance'
+      - 'memory'
+      - 'memory.usage'
+      - 'memory.resident'
+      - 'vcpus'
+      - 'cpu'
+      - 'cpu.delta'
+      - 'cpu_util'
+      - 'disk.root.size'
+      - 'disk.ephemeral.size'
+      - 'disk.read.requests'
+      - 'disk.read.requests.rate'
+      - 'disk.write.requests'
+      - 'disk.write.requests.rate'
+      - 'disk.read.bytes'
+      - 'disk.read.bytes.rate'
+      - 'disk.write.bytes'
+      - 'disk.write.bytes.rate'
+      - 'disk.latency'
+      - 'disk.iops'
+      - 'disk.capacity'
+      - 'disk.allocation'
+      - 'disk.usage'
+    attributes:
+      host: resource_metadata.host
+      image_ref: resource_metadata.image_ref
+      display_name: resource_metadata.display_name
+      flavor_id: resource_metadata.(instance_flavor_id|(flavor.id))
+      server_group: resource_metadata.user_metadata.server_group
+
+  - resource_type: instance_network_interface
+    metrics:
+      - 'network.outgoing.packets.rate'
+      - 'network.incoming.packets.rate'
+      - 'network.outgoing.packets'
+      - 'network.incoming.packets'
+      - 'network.outgoing.bytes.rate'
+      - 'network.incoming.bytes.rate'
+      - 'network.outgoing.bytes'
+      - 'network.incoming.bytes'
+    attributes:
+      name: resource_metadata.vnic_name
+      instance_id: resource_metadata.instance_id
+
+  - resource_type: instance_disk
+    metrics:
+      - 'disk.device.read.requests'
+      - 'disk.device.read.requests.rate'
+      - 'disk.device.write.requests'
+      - 'disk.device.write.requests.rate'
+      - 'disk.device.read.bytes'
+      - 'disk.device.read.bytes.rate'
+      - 'disk.device.write.bytes'
+      - 'disk.device.write.bytes.rate'
+      - 'disk.device.latency'
+      - 'disk.device.iops'
+      - 'disk.device.capacity'
+      - 'disk.device.allocation'
+      - 'disk.device.usage'
+    attributes:
+      name: resource_metadata.disk_name
+      instance_id: resource_metadata.instance_id
+
+  - resource_type: image
+    metrics:
+      - 'image'
+      - 'image.size'
+      - 'image.download'
+      - 'image.serve'
+    attributes:
+      name: resource_metadata.name
+      container_format: resource_metadata.container_format
+      disk_format: resource_metadata.disk_format
+
+  - resource_type: ipmi
+    metrics:
+      - 'hardware.ipmi.node.power'
+      - 'hardware.ipmi.node.temperature'
+      - 'hardware.ipmi.node.inlet_temperature'
+      - 'hardware.ipmi.node.outlet_temperature'
+      - 'hardware.ipmi.node.fan'
+      - 'hardware.ipmi.node.current'
+      - 'hardware.ipmi.node.voltage'
+      - 'hardware.ipmi.node.airflow'
+      - 'hardware.ipmi.node.cups'
+      - 'hardware.ipmi.node.cpu_util'
+      - 'hardware.ipmi.node.mem_util'
+      - 'hardware.ipmi.node.io_util'
+
+  - resource_type: network
+    metrics:
+      - 'bandwidth'
+      - 'network'
+      - 'network.create'
+      - 'network.update'
+      - 'subnet'
+      - 'subnet.create'
+      - 'subnet.update'
+      - 'port'
+      - 'port.create'
+      - 'port.update'
+      - 'router'
+      - 'router.create'
+      - 'router.update'
+      - 'ip.floating'
+      - 'ip.floating.create'
+      - 'ip.floating.update'
+
+  - resource_type: stack
+    metrics:
+      - 'stack.create'
+      - 'stack.update'
+      - 'stack.delete'
+      - 'stack.resume'
+      - 'stack.suspend'
+
+  - resource_type: swift_account
+    metrics:
+      - 'storage.objects.incoming.bytes'
+      - 'storage.objects.outgoing.bytes'
+      - 'storage.api.request'
+      - 'storage.objects.size'
+      - 'storage.objects'
+      - 'storage.objects.containers'
+      - 'storage.containers.objects'
+      - 'storage.containers.objects.size'
+
+  - resource_type: volume
+    metrics:
+      - 'volume'
+      - 'volume.size'
+      - 'volume.create'
+      - 'volume.delete'
+      - 'volume.update'
+      - 'volume.resize'
+      - 'volume.attach'
+      - 'volume.detach'
+    attributes:
+      display_name: resource_metadata.display_name

playbooks/roles/os_ceilometer/templates/osprofiler_event_definitions.yaml.j2

@@ -0,0 +1,31 @@
+---
+- event_type: profiler.*
+  traits:
+    project:
+      fields: payload.project
+    service:
+      fields: payload.service
+    name:
+      fields: payload.name
+    base_id:
+      fields: payload.base_id
+    trace_id:
+      fields: payload.trace_id
+    parent_id:
+      fields: payload.parent_id
+    timestamp:
+      fields: payload.timestamp
+    host:
+      fields: payload.info.host
+    path:
+      fields: payload.info.request.path
+    query:
+      fields: payload.info.request.query
+    method:
+      fields: payload.info.request.method
+    scheme:
+      fields: payload.info.request.scheme
+    db.statement:
+      fields: payload.info.db.statement
+    db.params:
+      fields: payload.info.db.params

playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2

@@ -12,6 +12,7 @@ sources:
           - "cpu"
       sinks:
           - cpu_sink
+          - cpu_delta_sink
     - name: disk_source
       interval: 600
       meters:
@@ -50,6 +51,15 @@ sinks:
                     scale: "100.0 / (10**9 * (resource_metadata.cpu_number or 1))"
       publishers:
           - notifier://
+    - name: cpu_delta_sink
+      transformers:
+          - name: "delta"
+            parameters:
+                target:
+                    name: "cpu.delta"
+                growth_only: True
+      publishers:
+          - notifier://
     - name: disk_sink
       transformers:
           - name: "rate_of_change"
@@ -80,4 +90,3 @@ sinks:
                     type: "gauge"
       publishers:
           - notifier://
-

playbooks/roles/os_ceilometer/templates/rootwrap.conf.j2

@@ -0,0 +1,27 @@
+# Configuration for ceilometer-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs={{ ceilometer_bin }},/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, user0, user1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR

playbooks/roles/os_cinder/files/rootwrap.d/volume.filters

@@ -27,23 +27,15 @@ lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay
 # os-brick.filters file instead and clean out stale brick values from
 # this file.
 scsi_id: CommandFilter, /lib/udev/scsi_id, root
-
-# cinder/volumes/drivers/srb.py: 'pvresize', '--setphysicalvolumesize', sizestr, pvname
-pvresize: CommandFilter, pvresize, root
+drbdadm: CommandFilter, drbdadm, root
 
 # cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list
 vgcreate: CommandFilter, vgcreate, root
 
-# cinder/volumes/drivers/srb.py: 'vgremove', '-f', vgname
-vgremove: CommandFilter, vgremove, root
-
-# cinder/volumes/drivers/srb.py: 'vgchange', '-an', vgname
-# cinder/volumes/drivers/srb.py: 'vgchange', '-ay', vgname
-vgchange: CommandFilter, vgchange, root
-
-# cinder/volume/driver.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
-# cinder/volume/driver.py: 'lvcreate', '-L', ...
-lvcreate: CommandFilter, lvcreate, root
+# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
+# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ...
+lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate
+lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate
 
 # cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,...
 dd: CommandFilter, dd, root
@@ -54,13 +46,17 @@ lvremove: CommandFilter, lvremove, root
 # cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'...
 lvrename: CommandFilter, lvrename, root
 
-# cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
-# cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
-lvextend: CommandFilter, lvextend, root
+# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
+# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
+lvextend: EnvFilter, env, root, LC_ALL=C, lvextend
+lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend
 
 # cinder/brick/local_dev/lvm.py: 'lvchange -a y -K <lv>'
 lvchange: CommandFilter, lvchange, root
 
+# cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name
+lvconvert: CommandFilter, lvconvert, root
+
 # cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',...
 # cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ...
 iscsiadm: CommandFilter, iscsiadm, root

playbooks/roles/os_cinder/templates/api-paste.ini.j2

@@ -10,32 +10,34 @@ use = call:cinder.api:root_app_factory
 
 [composite:openstack_volume_api_v1]
 use = call:cinder.api.middleware.auth:pipeline_factory
-noauth = request_id faultwrap sizelimit osprofiler noauth apiv1
-keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
-keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+noauth = cors request_id faultwrap sizelimit osprofiler noauth apiv1
+keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
 
 [composite:openstack_volume_api_v2]
 use = call:cinder.api.middleware.auth:pipeline_factory
-noauth = request_id faultwrap sizelimit osprofiler noauth apiv2
-keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
-keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+noauth = cors request_id faultwrap sizelimit osprofiler noauth apiv2
+keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware.request_id:RequestId.factory
 
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = cinder
+
 [filter:faultwrap]
 paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
 
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ cinder_profiler_hmac_key }}
-enabled = yes
 
 [filter:noauth]
 paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
 
 [filter:sizelimit]
-paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory
+paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory
 
 [app:apiv1]
 paste.app_factory = cinder.api.v1.router:APIRouter.factory
@@ -44,7 +46,7 @@ paste.app_factory = cinder.api.v1.router:APIRouter.factory
 paste.app_factory = cinder.api.v2.router:APIRouter.factory
 
 [pipeline:apiversions]
-pipeline = faultwrap osvolumeversionapp
+pipeline = cors faultwrap osvolumeversionapp
 
 [app:osvolumeversionapp]
 paste.app_factory = cinder.api.versions:Versions.factory

playbooks/roles/os_cinder/templates/policy.json.j2

@@ -25,6 +25,7 @@
 
     "volume_extension:types_manage": "rule:admin_api",
     "volume_extension:types_extra_specs": "rule:admin_api",
+    "volume_extension:access_types_extra_specs": "rule:admin_api",
     "volume_extension:volume_type_access": "rule:admin_or_owner",
     "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
     "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
@@ -35,6 +36,7 @@
 
     "volume_extension:quotas:show": "",
     "volume_extension:quotas:update": "rule:admin_api",
+    "volume_extension:quotas:delete": "rule:admin_api",
     "volume_extension:quota_classes": "rule:admin_api",
 
     "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",

playbooks/roles/os_glance/templates/glance-api-paste.ini.j2

@@ -1,38 +1,38 @@
 # Use this pipeline for no auth or image caching - DEFAULT
 [pipeline:glance-api]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context rootapp
 
 # Use this pipeline for image caching and no auth
 [pipeline:glance-api-caching]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp
 
 # Use this pipeline for caching w/ management interface but no auth
 [pipeline:glance-api-cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
 
 # Use this pipeline for keystone auth
 [pipeline:glance-api-keystone]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context  rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context  rootapp
 
 # Use this pipeline for keystone auth with image caching
 [pipeline:glance-api-keystone+caching]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context cache rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache rootapp
 
 # Use this pipeline for keystone auth with caching and cache management
 [pipeline:glance-api-keystone+cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user.
 [pipeline:glance-api-trusted-auth]
-pipeline = healthcheck versionnegotiation osprofiler context rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler context rootapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user and uses cache management
 [pipeline:glance-api-trusted-auth+cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler context cache cachemanage rootapp
 
 [composite:rootapp]
 paste.composite_factory = glance.api:root_app_factory
@@ -82,5 +82,27 @@ paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
 
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ glance_profiler_hmac_key }}
-enabled = yes
+hmac_keys = {{ glance_profiler_hmac_key }}  #DEPRECATED
+enabled = yes  #DEPRECATED
+
+[filter:cors]
+paste.filter_factory =  oslo_middleware.cors:filter_factory
+oslo_config_project = glance
+oslo_config_program = glance-api
+# Basic Headers (Automatic)
+# Accept = Origin, Accept, Accept-Language, Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
+# Expose = Origin, Accept, Accept-Language, Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
+
+# Glance Headers
+# Accept = Content-MD5, X-Image-Meta-Checksum, X-Storage-Token, Accept-Encoding
+# Expose = X-Image-Meta-Checksum
+
+# Keystone Headers
+# Accept = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id
+# Expose = X-Auth-Token, X-Subject-Token, X-Service-Token
+
+# Request ID Middleware Headers
+# Accept = X-OpenStack-Request-ID
+# Expose = X-OpenStack-Request-ID
+latent_allow_headers = Content-MD5, X-Image-Meta-Checksum, X-Storage-Token, Accept-Encoding, X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID
+latent_expose_headers = X-Image-Meta-Checksum, X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID

playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2

@@ -31,5 +31,5 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ glance_profiler_hmac_key }}
-enabled = yes
+hmac_keys = {{ glance_profiler_hmac_key }}  #DEPRECATED
+enabled = yes  #DEPRECATED

playbooks/roles/os_glance/templates/policy.json.j2

@@ -1,7 +1,5 @@
 {
     "context_is_admin":  "role:admin",
-    "tenant_is_owner": "tenant:%(owner)s",
-    "admin_or_owner": "role:admin OR rule:tenant_is_owner",
     "default": "",
 
     "add_image": "",
@@ -9,7 +7,7 @@
     "get_image": "",
     "get_images": "",
     "modify_image": "",
-    "publicize_image": "rule:admin_or_owner",
+    "publicize_image": "role:admin",
     "copy_from": "",
 
     "download_image": "",
@@ -19,11 +17,11 @@
     "get_image_location": "",
     "set_image_location": "",
 
-    "add_member": "rule:admin_or_owner",
-    "delete_member": "rule:admin_or_owner",
+    "add_member": "",
+    "delete_member": "",
     "get_member": "",
     "get_members": "",
-    "modify_member": "rule:admin_or_owner",
+    "modify_member": "",
 
     "manage_image_cache": "role:admin",
 

playbooks/roles/os_heat/templates/api-paste.ini.j2

@@ -1,7 +1,7 @@
 
 # heat-api pipeline
 [pipeline:heat-api]
-pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app
+pipeline = cors request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app
 
 # heat-api pipeline for standalone heat
 # ie. uses alternative auth backend that authenticates users against keystone
@@ -12,7 +12,7 @@ pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authto
 #   flavor = standalone
 #
 [pipeline:heat-api-standalone]
-pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app
+pipeline = cors request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app
 
 # heat-api pipeline for custom cloud backends
 # i.e. in heat.conf:
@@ -20,25 +20,25 @@ pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword cont
 #   flavor = custombackend
 #
 [pipeline:heat-api-custombackend]
-pipeline = request_id faultwrap versionnegotiation context custombackendauth apiv1app
+pipeline = cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
 
 # heat-api-cfn pipeline
 [pipeline:heat-api-cfn]
-pipeline = cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
+pipeline = cors cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
 
 # heat-api-cfn pipeline for standalone heat
 # relies exclusively on authenticating with ec2 signed requests
 [pipeline:heat-api-cfn-standalone]
-pipeline = cfnversionnegotiation ec2authtoken context apicfnv1app
+pipeline = cors cfnversionnegotiation ec2authtoken context apicfnv1app
 
 # heat-api-cloudwatch pipeline
 [pipeline:heat-api-cloudwatch]
-pipeline = versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
+pipeline = cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
 
 # heat-api-cloudwatch pipeline for standalone heat
 # relies exclusively on authenticating with ec2 signed requests
 [pipeline:heat-api-cloudwatch-standalone]
-pipeline = versionnegotiation ec2authtoken context apicwapp
+pipeline = cors versionnegotiation ec2authtoken context apicwapp
 
 [app:apiv1app]
 paste.app_factory = heat.common.wsgi:app_factory
@@ -56,6 +56,10 @@ heat.app_factory = heat.api.cloudwatch:API
 paste.filter_factory = heat.common.wsgi:filter_factory
 heat.filter_factory = heat.api.openstack:version_negotiation_filter
 
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = heat
+
 [filter:faultwrap]
 paste.filter_factory = heat.common.wsgi:filter_factory
 heat.filter_factory = heat.api.openstack:faultwrap_filter
@@ -100,5 +104,3 @@ paste.filter_factory = oslo_middleware.request_id:RequestId.factory
 
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ heat_profiler_hmac_key }}
-enabled = {{ heat_profiler_enabled }}

playbooks/roles/os_heat/templates/policy.json.j2

@@ -62,6 +62,8 @@
     "stacks:delete_snapshot": "rule:deny_stack_user",
     "stacks:list_snapshots": "rule:deny_stack_user",
     "stacks:restore_snapshot": "rule:deny_stack_user",
+    "stacks:list_outputs": "rule:deny_stack_user",
+    "stacks:show_output": "rule:deny_stack_user",
 
     "software_configs:global_index": "rule:deny_everybody",
     "software_configs:index": "rule:deny_stack_user",

playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2

@@ -95,8 +95,8 @@ Resources:
             MasterUserPassword: {Ref: MasterUserPassword}
             WaitHandle: {Ref: WaitHandle}
           - |
-            #!/usr/bin/env bash
-            set -v
+            #!/bin/bash -v
+            #
             iptables -F
 
             # Helper function

playbooks/roles/os_keystone/defaults/main.yml

@@ -356,11 +356,13 @@ keystone_requires_pip_packages:
 
 # Common pip packages
 keystone_pip_packages:
+  - argparse
   - keystone
   - keystonemiddleware
   - ldappool
   - lxml
   - PyMySQL
+  - oslo.log
   - oslo.middleware
   - pbr
   - pycrypto

playbooks/roles/os_keystone/templates/keystone-paste.ini.j2

@@ -1,10 +1,10 @@
 # Keystone PasteDeploy configuration file.
 
 [filter:debug]
-use = egg:keystone#debug
+use = egg:oslo.middleware#debug
 
 [filter:request_id]
-use = egg:keystone#request_id
+use = egg:oslo.middleware#request_id
 
 [filter:build_auth_context]
 use = egg:keystone#build_auth_context
@@ -30,29 +30,17 @@ use = egg:keystone#ec2_extension
 [filter:ec2_extension_v3]
 use = egg:keystone#ec2_extension_v3
 
-[filter:federation_extension]
-use = egg:keystone#federation_extension
-
-[filter:oauth1_extension]
-use = egg:keystone#oauth1_extension
-
 [filter:s3_extension]
 use = egg:keystone#s3_extension
 
-[filter:endpoint_filter_extension]
-use = egg:keystone#endpoint_filter_extension
-
 [filter:simple_cert_extension]
 use = egg:keystone#simple_cert_extension
 
-[filter:revoke_extension]
-use = egg:keystone#revoke_extension
-
 [filter:url_normalize]
 use = egg:keystone#url_normalize
 
 [filter:sizelimit]
-use = egg:keystone#sizelimit
+use = egg:oslo.middleware#sizelimit
 
 [app:public_service]
 use = egg:keystone#public_service
@@ -76,7 +64,7 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
 
 [app:public_version_service]
 use = egg:keystone#public_version_service

playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2

@@ -19,12 +19,30 @@ activate_this = os.path.expanduser("{{ keystone_venv_bin }}/activate_this.py")
 execfile(activate_this, dict(__file__=activate_this))
 {% endif %}
 
+import os
+
+from oslo_log import log
+from oslo_log import versionutils
+
+from keystone.i18n import _LW
 from keystone.server import wsgi as wsgi_server
 
 
 name = os.path.basename(__file__)
+LOG = log.getLogger(__name__)
+
+
+def deprecation_warning():
+    versionutils.report_deprecated_feature(
+        LOG,
+        _LW('httpd/keystone.py is deprecated as of Mitaka'
+            ' in favor of keystone-wsgi-admin and keystone-wsgi-public'
+            ' and may be removed in O.')
+    )
 
 # NOTE(ldbragst): 'application' is required in this context by WSGI spec.
 # The following is a reference to Python Paste Deploy documentation
 # http://pythonpaste.org/deploy/
-application = wsgi_server.initialize_application(name)
+application = wsgi_server.initialize_application(
+    name,
+    post_log_configured_function=deprecation_warning)

playbooks/roles/os_keystone/templates/policy.json.j2

@@ -82,6 +82,7 @@
     "identity:revoke_grant": "rule:admin_required",
 
     "identity:list_role_assignments": "rule:admin_required",
+    "identity:list_role_assignments_for_tree": "rule:admin_required",
 
     "identity:get_policy": "rule:admin_required",
     "identity:list_policies": "rule:admin_required",
@@ -180,5 +181,6 @@
     "identity:create_domain_config": "rule:admin_required",
     "identity:get_domain_config": "rule:admin_required",
     "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required"
+    "identity:delete_domain_config": "rule:admin_required",
+    "identity:get_domain_config_default": "rule:admin_required"
 }

playbooks/roles/os_neutron/files/rootwrap.d/functional-testing.filters

@@ -0,0 +1,35 @@
+# neutron-rootwrap command filters to support functional testing.  It
+# is NOT intended to be used outside of a test environment.
+#
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# enable ping from namespace
+ping_filter: CommandFilter, ping, root
+ping6_filter: CommandFilter, ping6, root
+
+# enable curl from namespace
+curl_filter: RegExpFilter, /usr/bin/curl, root, curl, --max-time, \d+, -D-, http://[0-9a-z:./-]+
+nc_filter: CommandFilter, nc, root
+# netcat has different binaries depending on linux distribution
+nc_kill: KillFilter, root, nc, -9
+ncbsd_kill: KillFilter, root, nc.openbsd, -9
+ncat_kill: KillFilter, root, ncat, -9
+ss_filter: CommandFilter, ss, root
+
+# enable neutron-linuxbridge-cleanup from namespace
+lb_cleanup_filter: RegExpFilter, neutron-linuxbridge-cleanup, root, neutron-linuxbridge-cleanup, --config-file, .*
+
+# enable dhclient from namespace
+dhclient_filter: CommandFilter, dhclient, root
+dhclient_kill: KillFilter, root, dhclient, -9
+
+# Actually, dhclient is used for test dhcp-agent and runs
+# in dhcp-agent namespace. If in that namespace resolv.conf file not exist
+# dhclient will override system /etc/resolv.conf
+# Filters below are limit functions mkdir, rm and touch
+# only to create and delete file resolv.conf in the that namespace
+mkdir_filter: RegExpFilter, /bin/mkdir, root, mkdir, -p, /etc/netns/qdhcp-[0-9a-z./-]+
+rm_filter: RegExpFilter, /bin/rm, root, rm, -r, /etc/netns/qdhcp-[0-9a-z./-]+
+touch_filter: RegExpFilter, /bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf
+touch_filter2: RegExpFilter, /usr/bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf

playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters

@@ -19,3 +19,10 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 #   "iptables", "-A", ...
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
+
+# neutron/agent/linux/iptables_manager.py
+#   "sysctl", "-w", ...
+sysctl: CommandFilter, sysctl, root
+
+# neutron/agent/linux/ip_conntrack.py
+conntrack: CommandFilter, conntrack, root

playbooks/roles/os_neutron/files/rootwrap.d/l3.filters

@@ -50,3 +50,8 @@ conntrack: CommandFilter, conntrack, root
 
 # keepalived state change monitor
 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+
+# For creating namespace local /etc
+rt_tables_mkdir: RegExpFilter, mkdir, root, mkdir, -p, /etc/netns/qrouter-[^/].*
+rt_tables_chown: RegExpFilter, chown, root, chown, [1-9][0-9].*, /etc/netns/qrouter-[^/].*
+rt_tables_rmdir: RegExpFilter, rm, root, rm, -r, -f, /etc/netns/qrouter-[^/].*

playbooks/roles/os_neutron/tasks/neutron_post_install.yml

@@ -93,12 +93,13 @@
   with_items:
     - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" }
     - { src: "rootwrap.d/dibbler.filters", dest: "/etc/neutron/rootwrap.d/dibbler.filters" }
+    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
+    - { src: "rootwrap.d/functional-testing.filters", dest: "/etc/neutron/rootwrap.d/functional-testing.filters" }
     - { src: "rootwrap.d/ipset-firewall.filters", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" }
     - { src: "rootwrap.d/iptables-firewall.filters", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" }
     - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" }
     - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
     - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
-    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
   notify:
     - Restart neutron services
   tags:

playbooks/roles/os_neutron/templates/api-paste.ini.j2

@@ -5,8 +5,8 @@ use = egg:Paste#urlmap
 
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
-noauth = request_id catch_errors extensions neutronapiapp_v2_0
-keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
+keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@@ -14,6 +14,13 @@ paste.filter_factory = oslo_middleware:RequestId.factory
 [filter:catch_errors]
 paste.filter_factory = oslo_middleware:CatchErrors.factory
 
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = neutron
+latent_allow_headers = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID
+latent_expose_headers = X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID
+latent_allow_methods = GET, PUT, POST, DELETE, PATCH
+
 [filter:keystonecontext]
 paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
 

playbooks/roles/os_neutron/templates/policy.json.j2

@@ -22,8 +22,10 @@
 
     "create_subnetpool": "",
     "create_subnetpool:shared": "rule:admin_only",
+    "create_subnetpool:is_default": "rule:admin_only",
     "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
     "update_subnetpool": "rule:admin_or_owner",
+    "update_subnetpool:is_default": "rule:admin_only",
     "delete_subnetpool": "rule:admin_or_owner",
 
     "create_address_scope": "",
@@ -197,5 +199,9 @@
     "update_rbac_policy": "rule:admin_or_owner",
     "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
     "get_rbac_policy": "rule:admin_or_owner",
-    "delete_rbac_policy": "rule:admin_or_owner"
+    "delete_rbac_policy": "rule:admin_or_owner",
+
+    "create_flavor_service_profile": "rule:admin_only",
+    "delete_flavor_service_profile": "rule:admin_only",
+    "get_flavor_service_profile": "rule:regular_user"
 }

playbooks/roles/os_neutron/templates/rootwrap.conf.j2

@@ -10,7 +10,7 @@ filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin
+exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
 
 # Enable logging to syslog
 # Default value is False

playbooks/roles/os_nova/files/rootwrap.d/compute.filters

@@ -203,7 +203,6 @@ multipath: CommandFilter, multipath, root
 # multipathd show status
 multipathd: CommandFilter, multipathd, root
 systool: CommandFilter, systool, root
-sginfo: CommandFilter, sginfo, root
 vgc-cluster: CommandFilter, vgc-cluster, root
 # os_brick/initiator/connector.py
 drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid

playbooks/roles/os_nova/templates/api-paste.ini.j2

@@ -6,7 +6,7 @@ use = egg:Paste#urlmap
 /: meta
 
 [pipeline:meta]
-pipeline = metaapp
+pipeline = cors metaapp
 
 [app:metaapp]
 paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
@@ -23,7 +23,6 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
 # this causes issues with your clients you can rollback to the
 # *frozen* v2 api by commenting out the above stanza and using the
 # following instead::
-# /v1.1: openstack_compute_api_legacy_v2
 # /v2: openstack_compute_api_legacy_v2
 # if rolling back to v2 fixes your issue please file a critical bug
 # at - https://bugs.launchpad.net/nova/+bugs
@@ -33,26 +32,25 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
 # API). It also provides new features via API microversions which are
 # opt into for clients. Unaware clients will receive the same frozen
 # v2 API feature set, but with some relaxed validation
-/v1.1: openstack_compute_api_v21_legacy_v2_compatible
 /v2: openstack_compute_api_v21_legacy_v2_compatible
 /v2.1: openstack_compute_api_v21
 
 # NOTE: this is deprecated in favor of openstack_compute_api_v21_legacy_v2_compatible
 [composite:openstack_compute_api_legacy_v2]
 use = call:nova.api.auth:pipeline_factory
-noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2
-keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2
-keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2
+noauth2 = cors compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2
+keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2
+keystone_nolimit = cors compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2
 
 [composite:openstack_compute_api_v21]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
-keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
+noauth2 = cors compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
+keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
 
 [composite:openstack_compute_api_v21_legacy_v2_compatible]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
-keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+noauth2 = cors compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
+keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@@ -91,6 +89,10 @@ paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
 # Shared #
 ##########
 
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = nova
+
 [filter:keystonecontext]
 paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
 

playbooks/roles/os_nova/templates/policy.json.j2

@@ -22,16 +22,14 @@
     "compute:update_instance_metadata": "",
     "compute:delete_instance_metadata": "",
 
-    "compute:get_instance_faults": "",
     "compute:get_diagnostics": "",
     "compute:get_instance_diagnostics": "",
 
     "compute:start": "rule:admin_or_owner",
     "compute:stop": "rule:admin_or_owner",
 
-    "compute:get_lock": "",
-    "compute:lock": "",
-    "compute:unlock": "",
+    "compute:lock": "rule:admin_or_owner",
+    "compute:unlock": "rule:admin_or_owner",
     "compute:unlock_override": "rule:admin_api",
 
     "compute:get_vnc_console": "",
@@ -85,9 +83,6 @@
     "compute:security_groups:add_to_instance": "",
     "compute:security_groups:remove_from_instance": "",
 
-    "compute:delete": "",
-    "compute:soft_delete": "",
-    "compute:force_delete": "",
     "compute:restore": "",
 
     "compute:volume_snapshot_create": "",
@@ -334,6 +329,7 @@
     "os_compute_api:os-extended-availability-zone": "",
     "os_compute_api:os-extended-availability-zone:discoverable": "",
     "os_compute_api:extensions": "",
+    "os_compute_api:extensions:discoverable": "",
     "os_compute_api:extension_info:discoverable": "",
     "os_compute_api:os-extended-volumes": "",
     "os_compute_api:os-extended-volumes:discoverable": "",
@@ -345,6 +341,7 @@
     "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
     "os_compute_api:os-flavor-rxtx": "",
     "os_compute_api:os-flavor-rxtx:discoverable": "",
+    "os_compute_api:flavors": "",
     "os_compute_api:flavors:discoverable": "",
     "os_compute_api:os-flavor-extra-specs:discoverable": "",
     "os_compute_api:os-flavor-extra-specs:index": "",

playbooks/roles/os_nova/templates/rootwrap.conf.j2

@@ -7,10 +7,10 @@
 filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
 
 # List of directories to search executables in, in case filters do not
-# explicitely specify a full path (separated by ',')
+# explicitly specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,{{ nova_bin }}
+exec_dirs={{ nova_bin }},/sbin,/usr/sbin,/bin,/usr/bin
 
 # Enable logging to syslog
 # Default value is False

playbooks/roles/os_tempest/templates/tempest.conf.j2

@@ -42,7 +42,7 @@ image_ssh_user = {{ tempest_compute_image_ssh_user }}
 image_ssh_password = {{ tempest_compute_image_ssh_password }}
 image_alt_ssh_user = {{ tempest_compute_image_alt_ssh_user }}
 ssh_user = {{ tempest_compute_ssh_user }}
-ssh_auth_method = configured
+auth_method = keypair
 fixed_network_name = private
 endpoint_type = internalURL
 floating_ip_range = 10.0.0.0/29