Update Horizon configuration for Liberty

Update Horizon local settings to include changes in Liberty. Some of
the configuration changes have been made to bring the comments into
line with the upstream configuration file to make comparing them
simpler in the future.

DocImpact
UpgradeImpact
Implements: blueprint liberty-release
Change-Id: Ib9546e6c8542981691348c23f7c475535efeb6da

templates/horizon_local_settings.py.j2

@@ -1,10 +1,17 @@
 import os
+
 from django.utils.translation import ugettext_lazy as _
 
+from horizon.utils import secret_key
+
 from openstack_dashboard import exceptions
+from openstack_dashboard.settings import HORIZON_CONFIG
 
 DEBUG = {{ debug }}
 TEMPLATE_DEBUG = DEBUG
+
+# Django Compressor Settings. For more information, see:
+# http://django-compressor.readthedocs.org/en/latest/settings/
 COMPRESS_OFFLINE = True
 COMPRESS_ENABLED = True
 COMPRESS_ROOT = '{{ horizon_lib_dir }}/static'
@@ -12,13 +19,13 @@ COMPRESS_ROOT = '{{ horizon_lib_dir }}/static'
 # WEBROOT is the location relative to Webserver root
 # should end with a slash.
 WEBROOT = '{{ horizon_webroot }}'
-# LOGIN_URL = WEBROOT + 'auth/login/'
-# LOGOUT_URL = WEBROOT + 'auth/logout/'
+#LOGIN_URL = WEBROOT + 'auth/login/'
+#LOGOUT_URL = WEBROOT + 'auth/logout/'
 #
 # LOGIN_REDIRECT_URL can be used as an alternative for
 # HORIZON_CONFIG.user_home, if user_home is not set.
 # Do not set it to '/home/', as this will cause circular redirect loop
-# LOGIN_REDIRECT_URL = WEBROOT
+#LOGIN_REDIRECT_URL = WEBROOT
 
 # Required for Django 1.5.
 # If horizon is running in production (DEBUG is False), set this
@@ -32,7 +39,8 @@ ALLOWED_HOSTS = ['*']
 # and don't forget to strip it from the client's request.
 # For more information see:
 # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
-# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
@@ -45,11 +53,14 @@ SESSION_TIMEOUT = {{ horizon_session_timeout }}
 {% if horizon_keystone_endpoint.endswith('v3') %}
 # Overrides for OpenStack API versions. Use this setting to force the
 # OpenStack dashboard to use a specific API version for a given service API.
+# Versions specified here should be integers or floats, not strings.
 # NOTE: The version should be formatted as it appears in the URL for the
 # service API. For example, The identity service APIs have inconsistent
-# use of the decimal point, so valid options would be "2.0" or "3".
+# use of the decimal point, so valid options would be 2.0 or 3.
 OPENSTACK_API_VERSIONS = {
-    "identity": 3,
+#    "data-processing": 1.1,
+     "identity": 3,
+#    "volume": 2,
 }
 
 # Set this to True if running on multi-domain model. When this is enabled, it
@@ -62,42 +73,27 @@ OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "{{ horizon_keystone_default_domain }}"
 {% endif %}
 
 # Set Console type:
-# valid options would be "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None
+# valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None
 # Set to None explicitly if you want to deactivate the console.
-# CONSOLE_TYPE = "AUTO"
+#CONSOLE_TYPE = "AUTO"
 
-# Default OpenStack Dashboard configuration.
-HORIZON_CONFIG = {
-    'user_home': 'openstack_dashboard.views.get_user_home',
-    'ajax_queue_limit': 10,
-    'auto_fade_alerts': {
-        'delay': 3000,
-        'fade_duration': 1500,
-        'types': ['alert-success', 'alert-info']
-    },
-    'help_url': "{{ horizon_help_url|default('http://docs.openstack.org') }}",
-    'exceptions': {'recoverable': exceptions.RECOVERABLE,
-                   'not_found': exceptions.NOT_FOUND,
-                   'unauthorized': exceptions.UNAUTHORIZED},
-    'modal_backdrop': 'static',
-    'angular_modules': [],
-    'js_files': [],
-    'js_spec_files': [],
-}
+# Show backdrop element outside the modal, do not close the modal
+# after clicking on backdrop.
+#HORIZON_CONFIG["modal_backdrop"] = "static"
 
 # Specify a regular expression to validate user passwords.
-# HORIZON_CONFIG["password_validator"] = {
-#     "regex": '.*',
-#     "help_text": _("Your password does not meet the requirements.")
-# }
+#HORIZON_CONFIG["password_validator"] = {
+#    "regex": '.*',
+#    "help_text": _("Your password does not meet the requirements."),
+#}
 
 # Disable simplified floating IP address management for deployments with
 # multiple floating IP pools or complex network requirements.
-# HORIZON_CONFIG["simple_ip_management"] = False
+#HORIZON_CONFIG["simple_ip_management"] = False
 
 # Turn off browser autocompletion for forms including the login form and
 # the database creation workflow if so desired.
-# HORIZON_CONFIG["password_autocomplete"] = "off"
+#HORIZON_CONFIG["password_autocomplete"] = "off"
 
 # Setting this to True will disable the reveal button for password fields,
 # including on the login form.
@@ -108,17 +104,17 @@ LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
 # Set custom secret key:
 # You can either set it to a specific value or you can let horizon generate a
 # default secret key that is unique on this machine, e.i. regardless of the
-# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However, there
-# may be situations where you would want to set this explicitly, e.g. when
-# multiple dashboard instances are distributed on different machines (usually
-# behind a load-balancer). Either you have to make sure that a session gets all
-# requests routed to the same dashboard instance or you set the same SECRET_KEY
-# for all of them.
+# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However,
+# there may be situations where you would want to set this explicitly, e.g.
+# when multiple dashboard instances are distributed on different machines
+# (usually behind a load-balancer). Either you have to make sure that a session
+# gets all requests routed to the same dashboard instance or you set the same
+# SECRET_KEY for all of them.
 {% if horizon_secret_key %}
 SECRET_KEY = "{{ horizon_secret_key }}"
 {% else %}
-from horizon.utils import secret_key
-SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/horizon/.secret_key_store')
+SECRET_KEY = secret_key.generate_or_read_from_file(
+    os.path.join(LOCAL_PATH, '.secret_key_store'))
 {% endif %}
 
 # We recommend you use memcached for development; otherwise after every reload
@@ -131,8 +127,8 @@ CACHES = {
     }
 }
 
+# Set the session engine configuration:
 SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"
-
 DATABASES = {
     'default': {
         'ENGINE': 'django.db.backends.mysql',
@@ -150,13 +146,13 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 #EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'
 
 # Configure these for your outgoing email host
-# EMAIL_HOST = 'smtp.my-company.com'
-# EMAIL_PORT = 25
-# EMAIL_HOST_USER = 'djangomail'
-# EMAIL_HOST_PASSWORD = 'top-secret!'
+#EMAIL_HOST = 'smtp.my-company.com'
+#EMAIL_PORT = 25
+#EMAIL_HOST_USER = 'djangomail'
+#EMAIL_HOST_PASSWORD = 'top-secret!'
 
 {% if horizon_available_regions is defined %}
-# Set Horizon to provide a selection of Keystone endpoints
+# For multiple regions uncomment this configuration, and add (endpoint, title).
 AVAILABLE_REGIONS = [
 {% for item in horizon_available_regions %}
   ('{{ item.url }}', '{{ item.name }}'),
@@ -172,16 +168,17 @@ OPENSTACK_KEYSTONE_URL = "{{ horizon_keystone_endpoint }}"
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_default_role_name }}"
 
 {% if keystone_sp is defined %}
-# Enables keystone web single-sign-on
+# Enables keystone web single-sign-on if set to True.
 WEBSSO_ENABLED = True
 
 # Determines which authentication choice to show as default.
 WEBSSO_INITIAL_CHOICE = "credentials"
 
-# The list of authentication mechanisms
-# which include keystone federation protocols.
-# Current supported protocol IDs are 'saml2' and 'oidc'
-# which represent SAML 2.0, OpenID Connect respectively.
+# The list of authentication mechanisms which include keystone
+# federation protocols and identity provider/federation protocol
+# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol
+# IDs are 'saml2' and 'oidc'  which represent SAML 2.0, OpenID
+# Connect respectively.
 # Do not remove the mandatory credentials mechanism.
 WEBSSO_CHOICES = (
     ("credentials", _("Keystone Credentials")),
@@ -191,6 +188,18 @@ WEBSSO_CHOICES = (
 {% endfor %}
 {% endfor %}
 )
+
+# A dictionary of specific identity provider and federation protocol
+# combinations. From the selected authentication mechanism, the value
+# will be looked up as keys in the dictionary. If a match is found,
+# it will redirect the user to a identity provider and federation protocol
+# specific WebSSO endpoint in keystone, otherwise it will use the value
+# as the protocol_id when redirecting to the WebSSO by protocol endpoint.
+# NOTE: The value is expected to be a tuple formatted as: (<idp_id>, <protocol_id>).
+#WEBSSO_IDP_MAPPING = {
+#    "acme_oidc": ("acme", "oidc"),
+#    "acme_saml2": ("acme", "saml2")
+#}
 {% endif %}
 
 # Disable SSL certificate checks (useful for self-signed certificates):
@@ -213,11 +222,11 @@ OPENSTACK_KEYSTONE_BACKEND = {
     'can_edit_group': True,
     'can_edit_project': True,
     'can_edit_domain': True,
-    'can_edit_role': True
+    'can_edit_role': True,
 }
 
-#Setting this to True, will add a new "Retrieve Password" action on instance,
-#allowing Admin session password retrieval/decryption.
+# Setting this to True, will add a new "Retrieve Password" action on instance,
+# allowing Admin session password retrieval/decryption.
 OPENSTACK_ENABLE_PASSWORD_RETRIEVE = {{ horizon_enable_password_retrieve }}
 
 # The Launch Instance user experience has been significantly enhanced.
@@ -241,6 +250,7 @@ LAUNCH_INSTANCE_NG_ENABLED = {{ horizon_launch_instance_ng }}
 OPENSTACK_HYPERVISOR_FEATURES = {
     'can_set_mount_point': False,
     'can_set_password': {{ horizon_can_set_password }},
+    'requires_keypair': False,
 }
 
 # The OPENSTACK_CINDER_FEATURES settings can be used to enable optional
@@ -261,11 +271,26 @@ OPENSTACK_NEUTRON_NETWORK = {
     'enable_lb': False,
     'enable_firewall': False,
     'enable_vpn': False,
+    'enable_fip_topology_check': True,
+
+    # Neutron can be configured with a default Subnet Pool to be used for IPv4
+    # subnet-allocation. Specify the label you wish to display in the Address
+    # pool selector on the create subnet step if you want to use this feature.
+    'default_ipv4_subnet_pool_label': None,
+
+    # Neutron can be configured with a default Subnet Pool to be used for IPv6
+    # subnet-allocation. Specify the label you wish to display in the Address
+    # pool selector on the create subnet step if you want to use this feature.
+    # You must set this to enable IPv6 Prefix Delegation in a PD-capable
+    # environment.
+    'default_ipv6_subnet_pool_label': None,
+
     # The profile_support option is used to detect if an external router can be
     # configured via the dashboard. When using specific plugins the
     # profile_support can be turned on if needed.
     'profile_support': None,
     #'profile_support': 'cisco',
+
     # Set which provider network types are supported. Only the network types
     # in this list will be available to choose from when creating a network.
     # Network types include local, flat, vlan, gre, and vxlan.
@@ -275,26 +300,29 @@ OPENSTACK_NEUTRON_NETWORK = {
     # types in this list will be available to choose from when creating a
     # port.
     # VNIC types include 'normal', 'macvtap' and 'direct'.
+    # Set to empty list or None to disable VNIC type selection.
     'supported_vnic_types': ['*']
 }
 
 # The OPENSTACK_IMAGE_BACKEND settings can be used to customize features
 # in the OpenStack Dashboard related to the Image service, such as the list
 # of supported image formats.
-OPENSTACK_IMAGE_BACKEND = {
-    'image_formats': [
-        ('', ''),
-        ('aki', _('AKI - Amazon Kernel Image')),
-        ('ami', _('AMI - Amazon Machine Image')),
-        ('ari', _('ARI - Amazon Ramdisk Image')),
-        ('iso', _('ISO - Optical Disk Image')),
-        ('qcow2', _('QCOW2 - QEMU Emulator')),
-        ('raw', _('Raw')),
-        ('vdi', _('VDI')),
-        ('vhd', _('VHD')),
-        ('vmdk', _('VMDK'))
-    ]
-}
+#OPENSTACK_IMAGE_BACKEND = {
+#    'image_formats': [
+#        ('', _('Select format')),
+#        ('aki', _('AKI - Amazon Kernel Image')),
+#        ('ami', _('AMI - Amazon Machine Image')),
+#        ('ari', _('ARI - Amazon Ramdisk Image')),
+#        ('docker', _('Docker')),
+#        ('iso', _('ISO - Optical Disk Image')),
+#        ('ova', _('OVA - Open Virtual Appliance')),
+#        ('qcow2', _('QCOW2 - QEMU Emulator')),
+#        ('raw', _('Raw')),
+#        ('vdi', _('VDI - Virtual Disk Image')),
+#        ('vhd', ('VHD - Virtual Hard Disk')),
+#        ('vmdk', _('VMDK - Virtual Machine Disk')),
+#    ]
+#}
 
 # The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for
 # image custom property attributes that appear on image detail pages.
@@ -304,7 +332,7 @@ IMAGE_CUSTOM_PROPERTY_TITLES = {
     "ramdisk_id": _("Ramdisk ID"),
     "image_state": _("Euca2ools state"),
     "project_id": _("Project ID"),
-    "image_type": _("Image Type")
+    "image_type": _("Image Type"),
 }
 
 # The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image
@@ -346,12 +374,12 @@ TIME_ZONE = "{{ horizon_time_zone }}"
 # can provide a custom callback method to use for sorting. You can also provide
 # a flag for reverse sort. For more info, see
 # http://docs.python.org/2/library/functions.html#sorted
-# CREATE_INSTANCE_FLAVOR_SORT = {
-#     'key': 'name',
-#      # or
-#     'key': my_awesome_callback_method,
-#     'reverse': False,
-# }
+#CREATE_INSTANCE_FLAVOR_SORT = {
+#    'key': 'name',
+#     # or
+#    'key': my_awesome_callback_method,
+#    'reverse': False,
+#}
 
 # Set this to True to display an 'Admin Password' field on the Change Password
 # form to verify that it is indeed the admin logged-in who wants to change
@@ -372,7 +400,16 @@ ENFORCE_PASSWORD_CHECK = {{ horizon_enforce_password_check }}
 
 # Path to directory containing policy.json files
 #POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
-# Map of local copy of service policy files
+# Map of local copy of service policy files.
+# Please insure that your identity policy file matches the one being used on
+# your keystone servers. There is an alternate policy file that may be used
+# in the Keystone v3 multi-domain case, policy.v3cloudsample.json.
+# This file is not included in the Horizon repository by default but can be
+# found at
+# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \
+# policy.v3cloudsample.json
+# Having matching policy files on the Horizon and Keystone servers is essential
+# for normal operation. This holds true for all services and their policy files.
 #POLICY_FILES = {
 #    'identity': 'keystone_policy.json',
 #    'compute': 'nova_policy.json',
@@ -387,12 +424,12 @@ ENFORCE_PASSWORD_CHECK = {{ horizon_enforce_password_check }}
 # creating users and databases on database instances is turned on.
 # To disable these extensions set the permission here to something
 # unusable such as ["!"].
-# TROVE_ADD_USER_PERMS = []
-# TROVE_ADD_DATABASE_PERMS = []
+#TROVE_ADD_USER_PERMS = []
+#TROVE_ADD_DATABASE_PERMS = []
 
 # Change this patch to the appropriate static directory containing
 # two files: _variables.scss and _styles.scss
-#CUSTOM_THEME_PATH = 'static/themes/default'
+#CUSTOM_THEME_PATH = 'themes/default'
 
 LOGGING = {
     'version': 1,
@@ -631,7 +668,7 @@ SECURITY_GROUP_RULES = {
 # pool for use in their cluster.  False by default.  You would want
 # to set this to True if you were running Nova Networking with
 # auto_assign_floating_ip = True.
-# SAHARA_AUTO_IP_ALLOCATION_ENABLED = False
+#SAHARA_AUTO_IP_ALLOCATION_ENABLED = False
 
 # The hash algorithm to use for authentication tokens. This must
 # match the hash algorithm that the identity server and the
@@ -639,6 +676,12 @@ SECURITY_GROUP_RULES = {
 # algorithms supported by Python's hashlib library.
 #OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5'
 
+# Hashing tokens from Keystone keeps the Horizon session data smaller, but it
+# doesn't work in some cases when using PKI tokens.  Uncomment this value and
+# set it to False if using PKI tokens and there are 401 errors due to token
+# hashing.
+#OPENSTACK_TOKEN_HASH_ENABLED = True
+
 # AngularJS requires some settings to be made available to
 # the client side. Some settings are required by in-tree / built-in horizon
 # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the
@@ -659,3 +702,11 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES']
 # and are not encrypted on the browser. This is an experimental API and
 # may be deprecated in the future without notice.
 #REST_API_ADDITIONAL_SETTINGS = []
+
+# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
+# Scripting (XFS) vulnerability, so this option allows extra security hardening
+# where iframes are not used in deployment. Default setting is True.
+# For more information see:
+# http://tinyurl.com/anticlickjack
+#DISALLOW_IFRAME_EMBED = True