Comment 88 for bug 1599654

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/22536
Committed: http://github.org/Juniper/contrail-controller/commit/761ffd96941cd9ec2f670675fbe553080c4790ec
Submitter: Zuul
Branch: R3.0

commit 761ffd96941cd9ec2f670675fbe553080c4790ec
Author: Megh Bhatt <email address hidden>
Date: Wed Jun 8 18:21:34 2016 -0700

1. Add option for cloud admin access only for analytics REST API

Allow cloud admin role access only for analytics REST API controlled
via --cloud_admin_access_only currently defaulted to False but will default
to True once provisioning changes are done. contrail-analytics-api will
validate role from the X-Auth-Token header via vnc_api/contrail-api. For
debug/administration a localhost bound port 8181 - --admin_port is provided
that requires basic HTTP access authentication.

Clients of analytics REST API - contrail-flows, contrail-logs, contrail-stats,
contrail-topology are changed to use admin port. contrail-svc-monitor is changed
to use auth token.

Conflicts:
 src/opserver/SConscript

Partial-Bug: #1461175
(cherry picked from commit 5492f71383123fea8240ca265e125aee28d9349f)

2. Rename cloud_admin_access_only to multi_tenancy in contrail-analytics-api

Closes-Bug: #1461175
(cherry picked from commit 36df0991a47068bcb6af8cd219e416e2ca60d4cd)

3. for bool option, a conversion from string to bool is required.
Closes-Bug: #1595044

(cherry picked from commit 1d6b81bccf5a7aee39fbb60bd25152e1b8726206)

4. Change cloud admin role name to "cloud-admin" from "admin" for
analytics API access

Closes-Bug: #1600699
(cherry picked from commit 8c131016252a22c52cdfab8042571598818f82c3)

5. Rename multi_tenancy to aaa_mode for analytics API

Handle keystone v2 and v3 token infos returned by
VNC API. Enable cloud-admin-only aaa_mode by default

Change analytics DB and underlay to overlay mapper to
use local admin port when querying opserver

Do not cache auth_token in vnc lib

Closes-Bug: #1599654
(cherry picked from commit a2a7c9248b3d9830d491ab6baf7d21bd9aa64ff6)

6. Changes to bring analytics authenticated access in sync with config

1. Rename aaa_mode value cloud-admin-only to cloud-admin
2. CLOUD_ADMIN_ROLE defaults to admin instead of cloud-admin

Partial-Bug: #1607563
(cherry picked from commit 42db6e38e55bc2410297a99c2af3bea03faa938c)

7. Fix missing import of OpServerUtils in analytics_db.py

Closes-Bug: #1609054
(cherry picked from commit cf5f0567c9bb03e83cd83515b775d2018e668d0c)

8. Remove aaa_mode value cloud-admin-only

Closes-Bug: #1609987

9. Keep on trying to create VNC API client from analytics API

The gevent that creates the VNC API client was exiting due to
authentication failure exception. Changed code to handle all
exceptions and keep on trying to create the API client. The
node status will show the API connection down in case we are
not able to create the VNC API client.

Closes-Bug: #1611158
(cherry picked from commit 8072aa5ffd37e4082d7ae9697020a6160e8d2682)

10. Keystone middleware doesn't like if token is unicode. It must be converted
to string before validation.

Fixes-Bug: #1604773
(cherry picked from commit 18df64367eb5468bbca403aef4f2d22d02be4636)

11. Change the obj-perms API to pass in the user token in HTTP headers

With PKI tokens, when user token was passed in query parameters for
obj-perms API the token was getting truncated. Changed the API
to accept user token in X-USER-TOKEN HTTP header.

Closes-Bug: #1614376

12.
1. Called once check moved from _list_collection to list_bulk_collection_http_post, due to refactoring bug.
2. Removed the local API server teardown for class TestPermissions
3. Projects within class TestPermissions appended with self.id(), to create unique Project for each testcase.
Closes-Bug: 1555323

(cherry picked from commit a8ac59a0c8f08d8fc8e6f33abc52c292753dd1a3)

Change-Id: Ia6bb36b37a86b33d87f304e9c784fa6fd780222b
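
Item 5 of the commit message mentions handling both Keystone v2 and v3 token info when checking for the cloud admin role. The sketch below is an added example, not code from this commit or from the Contrail project; the function names and sample token bodies are constructed, and it assumes the standard Keystone layouts (v2 roles under `access.user.roles`, v3 roles under `token.roles`).

```python
# Added example: cloud admin role check over Keystone v2 and v3 token info.
# Function names and sample token bodies are constructed for illustration.

CLOUD_ADMIN_ROLE = "admin"  # default named in item 6 of the commit message


def roles_from_token_info(token_info):
    """Return the set of role names in a Keystone v2 or v3 token body.

    Anything malformed yields an empty set so the caller fails closed.
    """
    if not isinstance(token_info, dict):
        return set()
    if isinstance(token_info.get("access"), dict):      # Keystone v2 layout
        holder = token_info["access"].get("user")
    elif isinstance(token_info.get("token"), dict):     # Keystone v3 layout
        holder = token_info["token"]
    else:
        return set()
    roles = holder.get("roles") if isinstance(holder, dict) else None
    # A bare string here would make a naive `role in roles` do substring
    # matching, so only a list of {"name": ...} entries is accepted.
    if not isinstance(roles, list):
        return set()
    return {r["name"] for r in roles
            if isinstance(r, dict) and isinstance(r.get("name"), str)}


def is_cloud_admin(token_info, admin_role=CLOUD_ADMIN_ROLE):
    """True only when the validated token info carries the cloud admin role."""
    return admin_role in roles_from_token_info(token_info)


# Constructed sample token bodies (not captured from a real deployment).
V2_ADMIN = {"access": {"user": {"name": "alice", "roles": [{"name": "admin"}]}}}
V3_ADMIN = {"token": {"user": {"name": "alice"}, "roles": [{"name": "admin"}]}}
V3_MEMBER = {"token": {"roles": [{"name": "_member_"}]}}
MALFORMED = {"token": {"roles": "admin"}}  # roles is a string, not a list

if __name__ == "__main__":
    for label, info in [("v2 admin", V2_ADMIN), ("v3 admin", V3_ADMIN),
                        ("v3 member", V3_MEMBER), ("malformed", MALFORMED),
                        ("no token info", None)]:
        print(label, "->", "allow" if is_cloud_admin(info) else "deny")
```
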