Merge "Update Horizon configuration for Liberty"

2015-10-18 16:18:04 +00:00 · 2015-10-18 16:18:04 +00:00 · 3ff4f5bc37
commit 3ff4f5bc37
parent e7ce7cec51 364b50944f
1 changed files with 131 additions and 80 deletions
--- a/templates/horizon_local_settings.py.j2
+++ b/templates/horizon_local_settings.py.j2
@ -1,10 +1,17 @@
 import os
+
 from django.utils.translation import ugettext_lazy as _

+from horizon.utils import secret_key
+
 from openstack_dashboard import exceptions
+from openstack_dashboard.settings import HORIZON_CONFIG

 DEBUG = {{ debug }}
 TEMPLATE_DEBUG = DEBUG
+
+# Django Compressor Settings. For more information, see:
+# http://django-compressor.readthedocs.org/en/latest/settings/
 COMPRESS_OFFLINE = True
 COMPRESS_ENABLED = True
 COMPRESS_ROOT = '{{ horizon_lib_dir }}/static'
@ -12,13 +19,13 @@ COMPRESS_ROOT = '{{ horizon_lib_dir }}/static'
 # WEBROOT is the location relative to Webserver root
 # should end with a slash.
 WEBROOT = '{{ horizon_webroot }}'
-# LOGIN_URL = WEBROOT + 'auth/login/'
-# LOGOUT_URL = WEBROOT + 'auth/logout/'
+#LOGIN_URL = WEBROOT + 'auth/login/'
+#LOGOUT_URL = WEBROOT + 'auth/logout/'
 #
 # LOGIN_REDIRECT_URL can be used as an alternative for
 # HORIZON_CONFIG.user_home, if user_home is not set.
 # Do not set it to '/home/', as this will cause circular redirect loop
-# LOGIN_REDIRECT_URL = WEBROOT
+#LOGIN_REDIRECT_URL = WEBROOT

 # Required for Django 1.5.
 # If horizon is running in production (DEBUG is False), set this
@ -32,7 +39,8 @@ ALLOWED_HOSTS = ['*']
 # and don't forget to strip it from the client's request.
 # For more information see:
 # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
-# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
@ -45,11 +53,14 @@ SESSION_TIMEOUT = {{ horizon_session_timeout }}
 {% if horizon_keystone_endpoint.endswith('v3') %}
 # Overrides for OpenStack API versions. Use this setting to force the
 # OpenStack dashboard to use a specific API version for a given service API.
+# Versions specified here should be integers or floats, not strings.
 # NOTE: The version should be formatted as it appears in the URL for the
 # service API. For example, The identity service APIs have inconsistent
-# use of the decimal point, so valid options would be "2.0" or "3".
+# use of the decimal point, so valid options would be 2.0 or 3.
 OPENSTACK_API_VERSIONS = {
-    "identity": 3,
+#    "data-processing": 1.1,
+     "identity": 3,
+#    "volume": 2,
 }

 # Set this to True if running on multi-domain model. When this is enabled, it
@ -62,42 +73,27 @@ OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "{{ horizon_keystone_default_domain }}"
 {% endif %}

 # Set Console type:
-# valid options would be "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None
+# valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None
 # Set to None explicitly if you want to deactivate the console.
-# CONSOLE_TYPE = "AUTO"
+#CONSOLE_TYPE = "AUTO"

-# Default OpenStack Dashboard configuration.
-HORIZON_CONFIG = {
-    'user_home': 'openstack_dashboard.views.get_user_home',
-    'ajax_queue_limit': 10,
-    'auto_fade_alerts': {
-        'delay': 3000,
-        'fade_duration': 1500,
-        'types': ['alert-success', 'alert-info']
-    },
-    'help_url': "{{ horizon_help_url|default('http://docs.openstack.org') }}",
-    'exceptions': {'recoverable': exceptions.RECOVERABLE,
-                   'not_found': exceptions.NOT_FOUND,
-                   'unauthorized': exceptions.UNAUTHORIZED},
-    'modal_backdrop': 'static',
-    'angular_modules': [],
-    'js_files': [],
-    'js_spec_files': [],
-}
+# Show backdrop element outside the modal, do not close the modal
+# after clicking on backdrop.
+#HORIZON_CONFIG["modal_backdrop"] = "static"

 # Specify a regular expression to validate user passwords.
-# HORIZON_CONFIG["password_validator"] = {
-#     "regex": '.*',
-#     "help_text": _("Your password does not meet the requirements.")
-# }
+#HORIZON_CONFIG["password_validator"] = {
+#    "regex": '.*',
+#    "help_text": _("Your password does not meet the requirements."),
+#}

 # Disable simplified floating IP address management for deployments with
 # multiple floating IP pools or complex network requirements.
-# HORIZON_CONFIG["simple_ip_management"] = False
+#HORIZON_CONFIG["simple_ip_management"] = False

 # Turn off browser autocompletion for forms including the login form and
 # the database creation workflow if so desired.
-# HORIZON_CONFIG["password_autocomplete"] = "off"
+#HORIZON_CONFIG["password_autocomplete"] = "off"

 # Setting this to True will disable the reveal button for password fields,
 # including on the login form.
@ -108,17 +104,17 @@ LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
 # Set custom secret key:
 # You can either set it to a specific value or you can let horizon generate a
 # default secret key that is unique on this machine, e.i. regardless of the
-# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However, there
-# may be situations where you would want to set this explicitly, e.g. when
-# multiple dashboard instances are distributed on different machines (usually
-# behind a load-balancer). Either you have to make sure that a session gets all
-# requests routed to the same dashboard instance or you set the same SECRET_KEY
-# for all of them.
+# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However,
+# there may be situations where you would want to set this explicitly, e.g.
+# when multiple dashboard instances are distributed on different machines
+# (usually behind a load-balancer). Either you have to make sure that a session
+# gets all requests routed to the same dashboard instance or you set the same
+# SECRET_KEY for all of them.
 {% if horizon_secret_key %}
 SECRET_KEY = "{{ horizon_secret_key }}"
 {% else %}
-from horizon.utils import secret_key
-SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/horizon/.secret_key_store')
+SECRET_KEY = secret_key.generate_or_read_from_file(
+    os.path.join(LOCAL_PATH, '.secret_key_store'))
 {% endif %}

 # We recommend you use memcached for development; otherwise after every reload
@ -131,8 +127,8 @@ CACHES = {
    }
 }

+# Set the session engine configuration:
 SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"
-
 DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
@ -150,13 +146,13 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 #EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'

 # Configure these for your outgoing email host
-# EMAIL_HOST = 'smtp.my-company.com'
-# EMAIL_PORT = 25
-# EMAIL_HOST_USER = 'djangomail'
-# EMAIL_HOST_PASSWORD = 'top-secret!'
+#EMAIL_HOST = 'smtp.my-company.com'
+#EMAIL_PORT = 25
+#EMAIL_HOST_USER = 'djangomail'
+#EMAIL_HOST_PASSWORD = 'top-secret!'

 {% if horizon_available_regions is defined %}
-# Set Horizon to provide a selection of Keystone endpoints
+# For multiple regions uncomment this configuration, and add (endpoint, title).
 AVAILABLE_REGIONS = [
 {% for item in horizon_available_regions %}
  ('{{ item.url }}', '{{ item.name }}'),
@ -172,16 +168,17 @@ OPENSTACK_KEYSTONE_URL = "{{ horizon_keystone_endpoint }}"
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_default_role_name }}"

 {% if keystone_sp is defined %}
-# Enables keystone web single-sign-on
+# Enables keystone web single-sign-on if set to True.
 WEBSSO_ENABLED = True

 # Determines which authentication choice to show as default.
 WEBSSO_INITIAL_CHOICE = "credentials"

-# The list of authentication mechanisms
-# which include keystone federation protocols.
-# Current supported protocol IDs are 'saml2' and 'oidc'
-# which represent SAML 2.0, OpenID Connect respectively.
+# The list of authentication mechanisms which include keystone
+# federation protocols and identity provider/federation protocol
+# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol
+# IDs are 'saml2' and 'oidc'  which represent SAML 2.0, OpenID
+# Connect respectively.
 # Do not remove the mandatory credentials mechanism.
 WEBSSO_CHOICES = (
    ("credentials", _("Keystone Credentials")),
@ -191,6 +188,18 @@ WEBSSO_CHOICES = (
 {% endfor %}
 {% endfor %}
 )
+
+# A dictionary of specific identity provider and federation protocol
+# combinations. From the selected authentication mechanism, the value
+# will be looked up as keys in the dictionary. If a match is found,
+# it will redirect the user to a identity provider and federation protocol
+# specific WebSSO endpoint in keystone, otherwise it will use the value
+# as the protocol_id when redirecting to the WebSSO by protocol endpoint.
+# NOTE: The value is expected to be a tuple formatted as: (<idp_id>, <protocol_id>).
+#WEBSSO_IDP_MAPPING = {
+#    "acme_oidc": ("acme", "oidc"),
+#    "acme_saml2": ("acme", "saml2")
+#}
 {% endif %}

 # Disable SSL certificate checks (useful for self-signed certificates):
@ -213,11 +222,11 @@ OPENSTACK_KEYSTONE_BACKEND = {
    'can_edit_group': True,
    'can_edit_project': True,
    'can_edit_domain': True,
-    'can_edit_role': True
+    'can_edit_role': True,
 }

-#Setting this to True, will add a new "Retrieve Password" action on instance,
-#allowing Admin session password retrieval/decryption.
+# Setting this to True, will add a new "Retrieve Password" action on instance,
+# allowing Admin session password retrieval/decryption.
 OPENSTACK_ENABLE_PASSWORD_RETRIEVE = {{ horizon_enable_password_retrieve }}

 # The Launch Instance user experience has been significantly enhanced.
@ -241,6 +250,7 @@ LAUNCH_INSTANCE_NG_ENABLED = {{ horizon_launch_instance_ng }}
 OPENSTACK_HYPERVISOR_FEATURES = {
    'can_set_mount_point': False,
    'can_set_password': {{ horizon_can_set_password }},
+    'requires_keypair': False,
 }

 # The OPENSTACK_CINDER_FEATURES settings can be used to enable optional
@ -261,11 +271,26 @@ OPENSTACK_NEUTRON_NETWORK = {
    'enable_lb': False,
    'enable_firewall': False,
    'enable_vpn': False,
+    'enable_fip_topology_check': True,
+
+    # Neutron can be configured with a default Subnet Pool to be used for IPv4
+    # subnet-allocation. Specify the label you wish to display in the Address
+    # pool selector on the create subnet step if you want to use this feature.
+    'default_ipv4_subnet_pool_label': None,
+
+    # Neutron can be configured with a default Subnet Pool to be used for IPv6
+    # subnet-allocation. Specify the label you wish to display in the Address
+    # pool selector on the create subnet step if you want to use this feature.
+    # You must set this to enable IPv6 Prefix Delegation in a PD-capable
+    # environment.
+    'default_ipv6_subnet_pool_label': None,
+
    # The profile_support option is used to detect if an external router can be
    # configured via the dashboard. When using specific plugins the
    # profile_support can be turned on if needed.
    'profile_support': None,
    #'profile_support': 'cisco',
+
    # Set which provider network types are supported. Only the network types
    # in this list will be available to choose from when creating a network.
    # Network types include local, flat, vlan, gre, and vxlan.
@ -275,26 +300,29 @@ OPENSTACK_NEUTRON_NETWORK = {
    # types in this list will be available to choose from when creating a
    # port.
    # VNIC types include 'normal', 'macvtap' and 'direct'.
+    # Set to empty list or None to disable VNIC type selection.
    'supported_vnic_types': ['*']
 }

 # The OPENSTACK_IMAGE_BACKEND settings can be used to customize features
 # in the OpenStack Dashboard related to the Image service, such as the list
 # of supported image formats.
-OPENSTACK_IMAGE_BACKEND = {
-    'image_formats': [
-        ('', ''),
-        ('aki', _('AKI - Amazon Kernel Image')),
-        ('ami', _('AMI - Amazon Machine Image')),
-        ('ari', _('ARI - Amazon Ramdisk Image')),
-        ('iso', _('ISO - Optical Disk Image')),
-        ('qcow2', _('QCOW2 - QEMU Emulator')),
-        ('raw', _('Raw')),
-        ('vdi', _('VDI')),
-        ('vhd', _('VHD')),
-        ('vmdk', _('VMDK'))
-    ]
-}
+#OPENSTACK_IMAGE_BACKEND = {
+#    'image_formats': [
+#        ('', _('Select format')),
+#        ('aki', _('AKI - Amazon Kernel Image')),
+#        ('ami', _('AMI - Amazon Machine Image')),
+#        ('ari', _('ARI - Amazon Ramdisk Image')),
+#        ('docker', _('Docker')),
+#        ('iso', _('ISO - Optical Disk Image')),
+#        ('ova', _('OVA - Open Virtual Appliance')),
+#        ('qcow2', _('QCOW2 - QEMU Emulator')),
+#        ('raw', _('Raw')),
+#        ('vdi', _('VDI - Virtual Disk Image')),
+#        ('vhd', ('VHD - Virtual Hard Disk')),
+#        ('vmdk', _('VMDK - Virtual Machine Disk')),
+#    ]
+#}

 # The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for
 # image custom property attributes that appear on image detail pages.
@ -304,7 +332,7 @@ IMAGE_CUSTOM_PROPERTY_TITLES = {
    "ramdisk_id": _("Ramdisk ID"),
    "image_state": _("Euca2ools state"),
    "project_id": _("Project ID"),
-    "image_type": _("Image Type")
+    "image_type": _("Image Type"),
 }

 # The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image
@ -346,12 +374,12 @@ TIME_ZONE = "{{ horizon_time_zone }}"
 # can provide a custom callback method to use for sorting. You can also provide
 # a flag for reverse sort. For more info, see
 # http://docs.python.org/2/library/functions.html#sorted
-# CREATE_INSTANCE_FLAVOR_SORT = {
-#     'key': 'name',
-#      # or
-#     'key': my_awesome_callback_method,
-#     'reverse': False,
-# }
+#CREATE_INSTANCE_FLAVOR_SORT = {
+#    'key': 'name',
+#     # or
+#    'key': my_awesome_callback_method,
+#    'reverse': False,
+#}

 # Set this to True to display an 'Admin Password' field on the Change Password
 # form to verify that it is indeed the admin logged-in who wants to change
@ -372,7 +400,16 @@ ENFORCE_PASSWORD_CHECK = {{ horizon_enforce_password_check }}

 # Path to directory containing policy.json files
 #POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
-# Map of local copy of service policy files
+# Map of local copy of service policy files.
+# Please insure that your identity policy file matches the one being used on
+# your keystone servers. There is an alternate policy file that may be used
+# in the Keystone v3 multi-domain case, policy.v3cloudsample.json.
+# This file is not included in the Horizon repository by default but can be
+# found at
+# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \
+# policy.v3cloudsample.json
+# Having matching policy files on the Horizon and Keystone servers is essential
+# for normal operation. This holds true for all services and their policy files.
 #POLICY_FILES = {
 #    'identity': 'keystone_policy.json',
 #    'compute': 'nova_policy.json',
@ -387,12 +424,12 @@ ENFORCE_PASSWORD_CHECK = {{ horizon_enforce_password_check }}
 # creating users and databases on database instances is turned on.
 # To disable these extensions set the permission here to something
 # unusable such as ["!"].
-# TROVE_ADD_USER_PERMS = []
-# TROVE_ADD_DATABASE_PERMS = []
+#TROVE_ADD_USER_PERMS = []
+#TROVE_ADD_DATABASE_PERMS = []

 # Change this patch to the appropriate static directory containing
 # two files: _variables.scss and _styles.scss
-#CUSTOM_THEME_PATH = 'static/themes/default'
+#CUSTOM_THEME_PATH = 'themes/default'

 LOGGING = {
    'version': 1,
@ -631,7 +668,7 @@ SECURITY_GROUP_RULES = {
 # pool for use in their cluster.  False by default.  You would want
 # to set this to True if you were running Nova Networking with
 # auto_assign_floating_ip = True.
-# SAHARA_AUTO_IP_ALLOCATION_ENABLED = False
+#SAHARA_AUTO_IP_ALLOCATION_ENABLED = False

 # The hash algorithm to use for authentication tokens. This must
 # match the hash algorithm that the identity server and the
@ -639,6 +676,12 @@ SECURITY_GROUP_RULES = {
 # algorithms supported by Python's hashlib library.
 #OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5'

+# Hashing tokens from Keystone keeps the Horizon session data smaller, but it
+# doesn't work in some cases when using PKI tokens.  Uncomment this value and
+# set it to False if using PKI tokens and there are 401 errors due to token
+# hashing.
+#OPENSTACK_TOKEN_HASH_ENABLED = True
+
 # AngularJS requires some settings to be made available to
 # the client side. Some settings are required by in-tree / built-in horizon
 # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the
@ -659,3 +702,11 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES']
 # and are not encrypted on the browser. This is an experimental API and
 # may be deprecated in the future without notice.
 #REST_API_ADDITIONAL_SETTINGS = []
+
+# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
+# Scripting (XFS) vulnerability, so this option allows extra security hardening
+# where iframes are not used in deployment. Default setting is True.
+# For more information see:
+# http://tinyurl.com/anticlickjack
+#DISALLOW_IFRAME_EMBED = True