0d0cd6e001
This patch includes the following updates based on the updated source in Glance's Liberty release: - glance-api-paste.ini - glance-api.conf - glance-registry-paste.ini - glance-registry.conf - glance-cache.conf - glance-manage.conf - glance-scrubber.conf The following defaults have their values changed based on new defaults for the Liberty release. Note that any user_variables.yml values that have been set to customise these will need to be reviewed and adjusted accordingly for liberty. - glance_digest_algorithm Note also that the glance_swift_store_auth_version has been set to use '3' as the default, meaning that it will use Keystone's v3 API as the default. New configurable options: - glance_swift_store_auth_version This is the Keystone API auth version to use. The previous default was 2, but this patch changes it to 3. - glance_swift_store_user_domain This is the Domain ID for the user used to authenticate to Swift. - glance_swift_store_project_domain This is the Domain ID for the project used to authenticate to Swift. Note that the policy.json file included is not the same as the upstream default. Changes have been included which improve the security of image publication and image group membership. DocImpact UpgradeImpact Closes-Bug: #1479131 Implements: blueprint liberty-release Co-Authored-By: Ian Cordasco <graffatcolmingov@gmail.com> Change-Id: I2f58c0dbdb3ee55c0a4792df6e7b5b15aa8f0b01
36 lines
1.2 KiB
Django/Jinja
36 lines
1.2 KiB
Django/Jinja
# Use this pipeline for no auth - DEFAULT
|
|
[pipeline:glance-registry]
|
|
pipeline = healthcheck osprofiler unauthenticated-context registryapp
|
|
|
|
# Use this pipeline for keystone auth
|
|
[pipeline:glance-registry-keystone]
|
|
pipeline = healthcheck osprofiler authtoken context registryapp
|
|
|
|
# Use this pipeline for authZ only. This means that the registry will treat a
|
|
# user as authenticated without making requests to keystone to reauthenticate
|
|
# the user.
|
|
[pipeline:glance-registry-trusted-auth]
|
|
pipeline = healthcheck osprofiler context registryapp
|
|
|
|
[app:registryapp]
|
|
paste.app_factory = glance.registry.api:API.factory
|
|
|
|
[filter:healthcheck]
|
|
paste.filter_factory = oslo_middleware:Healthcheck.factory
|
|
backends = disable_by_file
|
|
disable_by_file_path = /etc/glance/healthcheck_disable
|
|
|
|
[filter:context]
|
|
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
|
|
|
|
[filter:unauthenticated-context]
|
|
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
|
|
|
|
[filter:authtoken]
|
|
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
|
|
|
|
[filter:osprofiler]
|
|
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
|
|
hmac_keys = {{ glance_profiler_hmac_key }}
|
|
enabled = yes
|