Horizon has switched test runner from nose to default Django test
runner a while ago[1], and doesn't require logger for nose module
since then.
[1] 1f80d94459856a8c477310cc0fe4b0e165d8c0c1
Change-Id: I51471cfa0db527821296a6198431a6dfe53a0a4a
Unfortunately having `horizon_config_overrides` is not sufficient, as
not all options can be defined in HORIZON_CONFIG.
Some are expected to be preset inside local_settings themselves.
We introduce new variable that can be used to extend local_settings file
with arbitrary parameters.
Change-Id: Ic119105189c9158aa3b38c4deb07040110d9d660
RDO is installing Horizon not under site-packages, but under /usr/share
which makes it completely different logic, with default horizon-manage
not working, as it can not import openstack_dashboard now, as
Change-Id: I4c06b4b5a206b087a9fce856f5fec936e058e3f8
django.utils.translation.ugettext_lazy() is deprecated in favor of the
functions that they’re aliases for: django.utils.translation.gettext_lazy()
With that MemcachedCache backend was also deprecated in favor of
PyMemcacheCache. MemcachedCache was removed in django 4.1
https://docs.djangoproject.com/en/4.0/releases/3.0/#id3
Change-Id: I9b77b33fbc4a9560c72504f935bf7f9082fefdd7
neutron_ml2_drivers_type is a string, not a list, while default
value for it is a list. Local settings also assume that it is a list.
So we ensure that the value is a string by default now and
treat it as string in the code.
Change-Id: Ida72c712153dcda4cd06e0959f98ade4fee8dfbd
To standardize variable name across roles, this change renames
`horizon_enable_ssl` to `horizon_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `horizon_enable_ssl` it's
unclear whether it is about frontend or backend.
Backward compatibility will be kept until 2024.1.
Change-Id: I218d45b7be667732e4204316b8d18fa3e136962b
Current logic does not allow horizon backend to listen on https
(`horizon_enable_ssl`) if external loadbalancer serves TLS
(`horizon_external_ssl`).
It basically forces backend to listen on plain http in this case which
does not make any sense. It should be possible to enable TLS on both
loadbalancer and horizon backend.
Additionally, with this patch, role defines a proper
HTTP_X_FORWARDED_PROTO header value (it's included in
`horizon_secure_proxy_ssl_header` and
`horizon_secure_proxy_ssl_header_django` and can be set to 'http' or
'https') based on whether external load balancer listens on https
(`horizon_external_ssl`)[1].
For example if loadbalancer listens on https and backend on http,
HTTP_X_FORWARDED_PROTO should be set to 'https'. Otherwise horizon will
respond with redirection to http.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
Change-Id: I7706e52c01b3f0d72ea383a0476045e606078cff
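
Added example, not part of the commit or the role's code: a simplified Python model of how Django derives the request scheme from SECURE_PROXY_SSL_HEADER, showing the redirect that results for each combination of `horizon_external_ssl` and backend TLS. The host name, the function names and the `header_sent` flag are assumptions made for illustration.

```python
# Simplified model of Django's scheme detection behind a TLS-terminating
# load balancer. Illustration only; not Horizon or role code.

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def forwarded_proto(external_ssl: bool) -> str:
    """Header value the load balancer should send, per the commit message."""
    return "https" if external_ssl else "http"


def django_scheme(meta: dict, wsgi_scheme: str,
                  proxy_header=SECURE_PROXY_SSL_HEADER) -> str:
    """Scheme Django believes the client used for this request."""
    if proxy_header:
        name, secure_value = proxy_header
        value = meta.get(name)
        if value is not None:
            # Chained proxies may append values; the leftmost one is used.
            first = value.split(",", 1)[0].strip()
            return "https" if first == secure_value else "http"
    # Header absent: fall back to the scheme of the backend socket itself.
    return wsgi_scheme


def simulate(external_ssl: bool, backend_ssl: bool,
             header_sent: bool = True) -> str:
    """Absolute login redirect issued for one deployment shape."""
    meta = {}
    if header_sent:
        meta["HTTP_X_FORWARDED_PROTO"] = forwarded_proto(external_ssl)
    wsgi_scheme = "https" if backend_ssl else "http"
    scheme = django_scheme(meta, wsgi_scheme)
    # Constructed host name; redirects are built from the derived scheme.
    return f"{scheme}://dashboard.example.test/auth/login/"


if __name__ == "__main__":
    for ext in (True, False):
        for back in (True, False):
            for sent in (True, False):
                print(f"external_ssl={ext!s:5} backend_ssl={back!s:5} "
                      f"header_sent={sent!s:5} -> {simulate(ext, back, sent)}")
```

The row with `external_ssl=True`, `backend_ssl=False` and no header sent is the case the commit describes: the client arrived over https but is redirected to http.
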
Supported ML2 provided types depends on the ML2 driver
and we should make it configurable in order to reflect dropdown list
that appears for admin panel while creating a network.
Closes-Bug: #2002897
Change-Id: Iceedf6af9559d48c28e0ee782a44f9ceb480119d
This change adds some python config to remove all of the deprecation
warnings horizon is spawning. The warnings are all coming from oslo
components which horizon is just inheriting and has no
control over. This change makes horizon logs legible.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: Idae4e42c971f53597ac3cf044ba82d7dd468e4a5
This change adds the ability within horizon to define a list of domains
which are trusted through the CSRF functions of django.
Change-Id: Ib92480e6caa74e050a99b36a54b2032714efb509
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
This variable was added in the Yoga release to permit changes
to how Horizon contacts Keystone in an IDP setup.
Change-Id: I959f0f84b264ffc25481e9becb3059f28a233010
- SECURE_PROXY_ADDR_HEADER is being used to return the clients
remote address to the logs. On a failed login it is REMOTE_ADDR,
which will be the loadbalancer address,
SECURE_PROXY_ADDR_HEADER='HTTP_X_FORWARDED_FOR' makes sure the
real client IP makes it into the logfiles.
- https://docs.openstack.org/horizon/latest/configuration/settings.html#secure-proxy-addr-header
Change-Id: I0d68cd4ba7882eb4296a2e4df59afa6582c0303a
In order to avoid conflicts with other applications running Apache,
like keystone, we avoid using ports.conf for Listen and using VHost files
for this purpose.
We place same dummy template as keystone does for upgrade purposes.
Change-Id: I8a5ef5234b8aee1e7b3517e9543d2af0a84e90ce
Instead of hardcoding lib directory for distro installs, we can
retrieve it dynamically based on the horizon.__file__ output
Change-Id: I8e87f9a9945b7526c90ca8c4dc09e43a86ab62e0
Closes-Bug: #1950798
We're missing comma at the end of set, which leads to error.
We additionally define condition when choices will be added to config.
Change-Id: I6b1c24fae22e9adb9e16fade4229d5761ac0b520
Closes-Bug: #1958645
This adds a new variable to manage TLS v1.3 cipher suites.
The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: Ib43d465c8fa24ec7d14174ecc17bce0b3e8bd7a4
If an operator would like a different display name
on the horizon Identity Provider dropdown to the one used
for their IDP in the backend they may specify a display_name
in their entry within the keystone_sp.trusted_idp_list.
Otherwise this continues to default to the IDPs name as usual.
Change-Id: Iba8c6e6b66480cdd575f75162c9be80e84ec868b
When running in apache 2.4 (Debian 10), the following error was observed
when accessing the openstack dashboard:
AH01626: authorization result of Require all denied: denied.
This change allows using the correct wsgi file and applying the correct
permissions based on Apache version
Change-Id: I57cdc73b3c3e466e77f6ed2d21671acb8157df84
When activating multidomain support, the following error was observed:
ValueError: not enough values to unpack (expected 2, got 1)
This change allows for the WSGI file to correctly read the boolean
dropdown and list of tuples in domain choices.
Change-Id: I195ac2089baf3ba76c2201cc8b7e6abef1be4b54
The only difference between our and native wsgi app
were adding extra path [1] to sys.path.
However, nowadays this path is already part of syspath
[1] /openstack/venvs/horizon-20.1.1.dev7/lib/python3.6
Change-Id: I90a502fbdeb0040832b66e9df389ab3517b951f4
An openstack-ansible deployment does not have options to set the local_settings.py params
for Horizon to support Keystone V3 multiple domains dropdown menu and its variants to choose.
These options in local_settings.py are:
OPENSTACK_KEYSTONE_DOMAIN_CHOICES - default value to "(('Default', 'Default'))"
Change-Id: I9f1b8e4c6f5b4fe2601e5ee1dacf90bded60f93d
Closes-Bug: 1795788
Added support for templating out LOGIN_URL, LOGOUT_URL and
WEBSSO_KEYSTONE_URL Horizon configuration options.
Change-Id: I5152e2484ea2a22b74774a763180b03a44a64e9c
Previously we were using cached_db session backend by default.
However with django version update, it requires more recent
mysqlclient module which is not part of requirements.
Moreover usage of cached_db makes us to carry and maintain
extra stuff, which can be dropped with memcached backend.
Change-Id: I8df7ee967d8dcbeb09a42fd568f98acc3e88adad
Seeing <VirtualHost 0.0.0.0:horizon_listen_ports.http> in
openstack-dashboard.conf instead of the port number.
Removed unnecessary quotes in the ternary so the variable works.
Change-Id: I126c03267361abfe894b17dc97c76a19a6b090dc
Added variable horizon_bind_address which allows to define address
on which horizon will be listening.
horizon_listen_ports variable was converted to dict()
and used in apache vhost template.
As an addition metal jobs were added for horizon CI.
Depends-On: https://review.opendev.org/681722
Change-Id: I11c3edec6d58e39da8de5e214fab9731eb5df9e2
Because of global retirement process of neutron-lbaas we stop providing
neutron-lbaas-ui plugin installation for horizon.
Change-Id: Ic39a4d1cc03df72a4080abd6513bf8f4036da456
* Remove horizon_python_lib_dir, this is not used anywhere
* Autodetect the horizon_lib_dir for source installs
* Remove hardcoded python2.7 path from uwsgi template
Change-Id: I0747ad5c50c0c007385b4756f1b386363bafcf93
In order to allow usage of non-latin symbols inside local_settings.py
magic comment is required according to PEP263[1]
While this can be overridden on master with config_template (since [2]),
this might be easily backported to earlier releases.
[1] https://www.python.org/dev/peps/pep-0263/
[2] https://review.opendev.org/#/c/672170/
Change-Id: I9b07cf4a1ffdffab752f59e1510796c29a259b45
Beginning in the Stein release, Ubuntu distro packages are now using
Python3. Conflicting packages have been removed or updated to their
Python3 equivalents. The 'horizon_manage' variable has been updated to
ensure that python3 is used to run manage.py commands.
Values for STATIC_ROOT and LOCALE_PATHS have also been added to the
local_settings.py template. Defaults for these settings are defined
in the setting.py provided by Ubuntu packages, but those defaults
required the 'Collect and compress static files' and 'Compile messages'
tasks be run by the root user, instead of horizon. STATIC_ROOT also
needed to correlate to the folder apache is configured to serve.
Change-Id: Iaa41593e3a91640bd9c5d531da8238c04d7e747b
The horizon_keystone_host is only used as interpolation
for OPENSTACK_KEYSTONE_URL, which we define manually. So
horizon_keystone_hosts serves no purpose.
Change-Id: I693bdb30e3d812592f023c00fbbbd62f069320bf
Since Pike it's possible to set domains dropdown on horizon login screen.
It might be useful for private clouds, which allow users to see
full list of domains, which are present in openstack. As a pros it
simplifies login process for the customer, as they may select
corresponding domain from dropdown menu instead of regular input.
By default it is set to False, as this exposes list of domains
for unauthorized users, which may not be good thing for public clouds.
Change-Id: I049489a552d99278c273feb6ae3cf5a4a7d4b8a1
Horizon has, since OSA's inception, been deployed with HTTPS
access enabled, and has had no way to turn it off. Some use-cases
may want to access via HTTP instead, so this patch enables
the following:
1. Listen via HTTPS on a load balancer, but via HTTP on the
horizon host and have the load balancer forward the correct
headers. It will do this by default in the integrated build
due to the presence of the load balancer, so the current
behaviour is retained.
2. Enable HTTPS on the horizon host without a load balancer.
This is the role's default behaviour which matches what it
always has been.
3. Disable HTTPS entirely by setting ``haproxy_ssl: no`` (which
will also disable https on haproxy). This setting is inherited
by the new ``horizon_enable_ssl`` variable by default. This
is a new option.
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Change-Id: I823f2f949258157e306dbf80570abe53373da0c3
Closes-Bug: 1794337
The SUSE builds are failing due to a change in the galera_client
role causing the trove role's vars file to be found before the
galera_client vars file. We therefore rename the trove vars file
for SUSE. This also makes transitions between versions easier.
The mysql-python package is no longer maintained. We are using
pymysql instead, so this package does not need to be installed.
This resolves current build failures due to the mysql-python
package not being installable due to the new version of MariaDB
being used.
With this, we also switch django to use pymysql and ensure that
the appropriate distribution package is installed when doing
distro builds.
Depends-On: https://review.openstack.org/602924
Change-Id: I020678e0beb131836e3006e46eec22c02977f8ec