1. Add option for cloud admin access only for analytics REST API
Allow cloud admin role access only for analytics REST API controlled
via --cloud_admin_access_only currently defaulted to False but will default
to True once provisioning changes are done. contrail-analytics-api will
validate role from the X-Auth-Token header via vnc_api/contrail-api. For
debug/administration a localhost bound port 8181 - --admin_port is provided
that requires basic HTTP access authentication.
Clients of analytics REST API - contrail-flows, contrail-logs, contrail-stats,
contrail-topology are changed to use admin port. contrail-svc-monitor is changed
to use auth token.
Conflicts:
src/opserver/SConscript
Partial-Bug: #1461175
(cherry picked from commit 5492f71383123fea8240ca265e125aee28d9349f)
2. Rename cloud_admin_access_only to multi_tenancy in contrail-analytics-api
Closes-Bug: #1461175
(cherry picked from commit 36df0991a47068bcb6af8cd219e416e2ca60d4cd)
3. for bool option, a conversion from string to bool is required.
Closes-Bug: #1595044
(cherry picked from commit 1d6b81bccf5a7aee39fbb60bd25152e1b8726206)
4. Change cloud admin role name to "cloud-admin" from "admin" for
analytics API access
Closes-Bug: #1600699
(cherry picked from commit 8c131016252a22c52cdfab8042571598818f82c3)
5. Rename multi_tenancy to aaa_mode for analytics API
Handle keystone v2 and v3 token infos returned by
VNC API. Enable cloud-admin-only aaa_mode by default
Change analytics DB and underlay to overlay mapper to
use local admin port when querying opserver
Do not cache auth_token in vnc lib
Closes-Bug: #1599654
(cherry picked from commit a2a7c9248b3d9830d491ab6baf7d21bd9aa64ff6)
6. Changes to bring analytics authenticated access in sync with config
1. Rename aaa_mode value cloud-admin-only to cloud-admin
2. CLOUD_ADMIN_ROLE defaults to admin instead of cloud-admin
Partial-Bug: #1607563
(cherry picked from commit 42db6e38e55bc2410297a99c2af3bea03faa938c)
7. Fix missing import of OpServerUtils in analytics_db.py
Closes-Bug: #1609054
(cherry picked from commit cf5f0567c9bb03e83cd83515b775d2018e668d0c)
8. Remove aaa_mode value cloud-admin-only
Closes-Bug: #1609987
9. Keep on trying to create VNC API client from analytics API
The gevent that creates the VNC API client was exiting due to
authentication failure exception. Changed code to handle all
exceptions and keep on trying to create the API client. The
node status will show the API connection down in case we are
not able to create the VNC API client.
Closes-Bug: #1611158
(cherry picked from commit 8072aa5ffd37e4082d7ae9697020a6160e8d2682)
10. Keystone middleware doesn't like if token is unicode. It must be converted
to string before validation.
Fixes-Bug: #1604773
(cherry picked from commit 18df64367eb5468bbca403aef4f2d22d02be4636)
11. Change the obj-perms API to pass in the user token in HTTP headers
With PKI tokens, when user token was passed in query parameters for
obj-perms API the token was getting truncated. Changed the API
to accept user token in X-USER-TOKEN HTTP header.
Closes-Bug: #1614376
12.
1. Called once check moved from _list_collection to list_bulk_collection_http_post, due to refactoring bug.
2. Removed the local API server teardown for class TestPermissions
3. Projects within class TestPermissions appended with self.id(), to create unique Project for each testcase.
Closes-Bug: 1555323
(cherry picked from commit a8ac59a0c8f08d8fc8e6f33abc52c292753dd1a3)
Reviewed: https://review.opencontrail.org/22536
Committed: http://github.org/Juniper/contrail-controller/commit/761ffd96941cd9ec2f670675fbe553080c4790ec
Submitter: Zuul
Branch: R3.0
commit 761ffd96941cd9ec2f670675fbe553080c4790ec
Author: Megh Bhatt <email address hidden>
Date: Wed Jun 8 18:21:34 2016 -0700
Change-Id: Ia6bb36b37a86b33d87f304e9c784fa6fd780222b
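
Item 3 of the commit message above says a bool option needs a string-to-bool conversion. The following is an added illustration, not code from the contrail-controller commit, of why that matters for an access-control flag such as cloud_admin_access_only. It assumes the value reaches the program as a string from a config file or the command line; the [DEFAULTS] section name, the sample file and the helper names are constructed for the example.

```python
import argparse
import configparser

# Constructed config file content; the section name is an assumption.
SAMPLE_CONF = """
[DEFAULTS]
cloud_admin_access_only = False
"""

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}


def naive(value):
    # Any non-empty string is truthy, so the text "False" enables the flag.
    return bool(value)


def str_to_bool(value):
    """Convert a config/CLI string to bool and reject anything ambiguous."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError("not a boolean: %r" % (value,))


def load_flag(conf_text, argv, convert):
    """Read the flag from a config file, let argv override it, then convert."""
    conf = configparser.ConfigParser()
    conf.read_string(conf_text)
    defaults = dict(conf.items("DEFAULTS"))  # every value is a str here
    parser = argparse.ArgumentParser()
    parser.add_argument("--cloud_admin_access_only")
    parser.set_defaults(**defaults)
    args = parser.parse_args(argv)
    return convert(args.cloud_admin_access_only)
```

With the naive conversion the effective setting differs from what the operator wrote; on a flag with the opposite polarity the same mistake would silently disable the access check, which is why unknown values are rejected instead of guessed.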