authorZuul <zuul@review.opendev.org>2021-03-12 00:36:28 +0000
committerGerrit Code Review <review@openstack.org>2021-03-12 00:36:28 +0000
commit50cd037bcd04a2996dada2f65bcbbc40d89d9ddb (patch)
tree80799e45b8416b8d933c24f226f3afd1cbb34bb8
parent4dae619b8149a727f2b3ec0895ef2fd15204459a (diff)
parentdbab6640398013dd2dfa2cad2bede365309d4fb0 (diff)
downloadglance-50cd037bcd04a2996dada2f65bcbbc40d89d9ddb.tar.gz
Merge "Refresh Glance example configs for Wallaby milestone 3"22.0.0.0b321.0.0.0b3
-rw-r--r--etc/glance-api.conf121
-rw-r--r--etc/glance-cache.conf51
-rw-r--r--etc/glance-scrubber.conf51
3 files changed, 173 insertions, 50 deletions
diff --git a/etc/glance-api.conf b/etc/glance-api.conf
index 1cee9b815..ee6ed798a 100644
--- a/etc/glance-api.conf
+++ b/etc/glance-api.conf
@@ -4,38 +4,6 @@
# From glance.api
#
-# DEPRECATED:
-# Role used to identify an authenticated user as administrator.
-#
-# Provide a string value representing a Keystone role to identify an
-# administrative user. Users with this role will be granted
-# administrative privileges.
-#
-# NOTE: The default value for this option has changed in this release.
-#
-# Possible values:
-# * A string value which is a valid Keystone role
-#
-# Related options:
-# * None
-#
-# (string value)
-# This option is deprecated for removal since Ussuri.
-# Its value may be silently ignored in the future.
-# Reason:
-# This option is redundant as its goal can be achieved via policy file
-# configuration. Additionally, it can override any configured policies,
-# leading to unexpected behavior and difficulty in policy configuration.
-# The option will be removed early in the Victoria development cycle,
-# following the standard OpenStack deprecation policy.
-#
-# Because this can be a security issue, the default value of this
-# configuration option has been changed in this release.
-#
-# Please see the 'Deprecation Notes' section of the Ussuri Glance
-# Release Notes for more information.
-#admin_role = __NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c_NOT_A_ROLE__
-
#
# Allow limited access to unauthenticated users.
#
@@ -502,6 +470,53 @@
# * [DEFAULT]/node_staging_uri (list value)
#enabled_import_methods = [glance-direct,web-download,copy-image]
+# DEPRECATED:
+# Enforce API access based on common persona definitions used across OpenStack.
+# Enabling this option formalizes project-specific read/write operations, like
+# creating private images or updating the status of shared image, behind the
+# `member` role. It also formalizes a read-only variant useful for
+# project-specific API operations, like listing private images in a project,
+# behind the `reader` role.
+#
+# Operators should take an opportunity to understand glance's new image
+# policies,
+# audit assignments in their deployment, and update permissions using the
+# default
+# roles in keystone (e.g., `admin`, `member`, and `reader`).
+#
+# Related options:
+# * [oslo_policy]/enforce_new_defaults
+# (boolean value)
+# This option is deprecated for removal since Wallaby.
+# Its value may be silently ignored in the future.
+# Reason:
+# This option has been introduced to require operators to opt into enforcing
+# authorization based on common RBAC personas, which is EXPERIMENTAL as of the
+# Wallaby release. This behavior will be the default and STABLE in a future
+# release, allowing this option to be removed.
+#enforce_secure_rbac = false
+
+#
+# The URL to this worker.
+#
+# If this is set, other glance workers will know how to contact this one
+# directly if needed. For image import, a single worker stages the image
+# and other workers need to be able to proxy the import request to the
+# right one.
+#
+# If unset, this will be considered to be `public_endpoint`, which
+# normally would be set to the same value on all workers, effectively
+# disabling the proxying behavior.
+#
+# Possible values:
+# * A URL by which this worker is reachable from other workers
+#
+# Related options:
+# * public_endpoint
+#
+# (string value)
+#worker_self_reference_url = <None>
+
#
# Strategy to determine the preference order of image locations.
#
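Review bot: The `# DEPRECATED:` banner on the new `enforce_secure_rbac` block reads as "do not use", although the Reason text below it says the option exists so operators can opt in to persona-based authorization and will only be removed once that behaviour is the default. With the default `false`, the `member`/`reader` enforcement described here is not active, and `[oslo_policy]/enforce_new_defaults` is listed under Related options without any statement of how the two settings interact. I would add `# NOTE: This is an opt-in, experimental setting; it is marked deprecated only because it will be removed once this behavior is the default.`, spell out the relationship to `enforce_new_defaults`, and restore the blank `#` line before `(boolean value)`. The identical block is added in the `@@ -412,6 +412,53 @@` hunks of etc/glance-cache.conf and etc/glance-scrubber.conf, where the same applies.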
@@ -568,7 +583,7 @@
# contain a comma separated list of user roles indicating
# permissions for each of the CRUD operations on each property
# being protected. If set to ``policies``, a policy defined in
-# policy.json is used to express property protections for each
+# policy.yaml is used to express property protections for each
# of the CRUD operations. Examples of how property protections
# are enforced based on ``roles`` or ``policies`` can be found at:
# https://docs.openstack.org/glance/latest/admin/property-
@@ -1190,6 +1205,7 @@
#
# Size of RPC connection pool. (integer value)
+# Minimum value: 1
#rpc_conn_pool_size = 30
# The pool size limit for connections expiration policy (integer value)
@@ -1223,6 +1239,10 @@
# exchange name specified in the transport_url option. (string value)
#control_exchange = openstack
+# Add an endpoint to answer to ping calls. Endpoint is named
+# oslo_rpc_server_ping (boolean value)
+#rpc_ping_enabled = false
+
[cinder]
@@ -1257,7 +1277,7 @@
# * cinder_store_password
#
# (string value)
-#cinder_catalog_info = volumev2::publicURL
+#cinder_catalog_info = volumev3::publicURL
#
# Override service catalog lookup with template for cinder endpoint.
@@ -3097,7 +3117,7 @@
# * cinder_store_password
#
# (string value)
-#cinder_catalog_info = volumev2::publicURL
+#cinder_catalog_info = volumev3::publicURL
#
# Override service catalog lookup with template for cinder endpoint.
@@ -5131,12 +5151,15 @@
# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_ca_certs
#ssl_ca_file =
-# EXPERIMENTAL: Run the health check heartbeat thread through a native python
-# thread. By default if this option isn't provided the health check heartbeat
-# will inherit the execution model from the parent process. By example if the
-# parent process have monkey patched the stdlib by using eventlet/greenlet then
-# the heartbeat will be run through a green thread. (boolean value)
-#heartbeat_in_pthread = false
+# DEPRECATED: Run the health check heartbeat thread through a native python
+# thread by default. If this option is equal to False then the health check
+# heartbeat will inherit the execution model from the parent process. For
+# example if the parent process has monkey patched the stdlib by using
+# eventlet/greenlet then the heartbeat will be run through a green thread.
+# (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#heartbeat_in_pthread = true
# How long to wait before reconnecting in response to an AMQP consumer cancel
# notification. (floating point value)
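Review bot: The deprecation of `heartbeat_in_pthread` carries no `# Reason:` line, unlike the other deprecated options in this file, and its default changes from `false` to `true` in the same block. A deployment that leaves the line commented out therefore moves the heartbeat to a native thread on upgrade, which matters for services that monkey patch the stdlib with eventlet, the case the help text itself describes. I would add `# Reason: <why the option is being removed>` and `# NOTE: The default changed from false to true in this release.` so the change is visible to operators comparing configs. The text looks generated from the messaging library's option help, so the wording fix probably belongs there rather than in this sample file.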
@@ -5203,10 +5226,16 @@
# (integer value)
#heartbeat_rate = 2
-# Enable/Disable the RabbitMQ mandatory flag for direct send. The direct send is
-# used as reply, so the MessageUndeliverable exception is raised in case the
-# client queue does not exist. (integer value)
-#direct_mandatory_flag = True
+# DEPRECATED: (DEPRECATED) Enable/Disable the RabbitMQ mandatory flag for direct
+# send. The direct send is used as reply, so the MessageUndeliverable exception
+# is raised in case the client queue does not exist.MessageUndeliverable
+# exception will be used to loop for a timeout to lets a chance to sender to
+# recover.This flag is deprecated and it will not be possible to deactivate this
+# functionality anymore (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Mandatory flag no longer deactivable.
+#direct_mandatory_flag = true
# Enable x-cancel-on-ha-failover flag so that rabbitmq server will cancel and
# notify consumerswhen queue is down (boolean value)
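Review bot: The new help text for `direct_mandatory_flag` is hard to read: it opens with `DEPRECATED: (DEPRECATED)`, two sentences run together without a space (`exist.MessageUndeliverable`, `recover.This`), and `to lets a chance to sender to recover` is ungrammatical. It also says the behaviour can no longer be deactivated while still showing a settable `true` default, so it should state whether `false` is still honoured in this release. Suggested wording for the middle of the block: `# does not exist. The MessageUndeliverable exception is used to retry until a` / `# timeout, giving the sender a chance to recover. This flag is deprecated and`. The text appears to be generated from the library's option help, so the fix likely has to be made at that source.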
@@ -5249,7 +5278,7 @@
# The relative or absolute path of a file that maps roles to permissions for a
# given service. Relative paths must be specified in relation to the
# configuration file setting this option. (string value)
-#policy_file = policy.json
+#policy_file = policy.yaml
# Default rule. Enforced when a requested rule is not found. (string value)
#policy_default_rule = default
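Review bot: The `policy_file` default moves from `policy.json` to `policy.yaml` with no comment for operators who customised `policy.json` and left this line commented out. If the old file is no longer read, their custom rules stop applying and the in-code defaults take over, which can widen or narrow access without any error; whether the policy library falls back to an existing `policy.json` is not visible from this diff. I would add `# NOTE: The default changed from policy.json; set policy_file explicitly or migrate existing overrides to policy.yaml.` above the option. The same one-line change is made in the final hunks of etc/glance-cache.conf and etc/glance-scrubber.conf.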
diff --git a/etc/glance-cache.conf b/etc/glance-cache.conf
index 6fde03916..b32124072 100644
--- a/etc/glance-cache.conf
+++ b/etc/glance-cache.conf
@@ -412,6 +412,53 @@
# * [DEFAULT]/node_staging_uri (list value)
#enabled_import_methods = [glance-direct,web-download,copy-image]
+# DEPRECATED:
+# Enforce API access based on common persona definitions used across OpenStack.
+# Enabling this option formalizes project-specific read/write operations, like
+# creating private images or updating the status of shared image, behind the
+# `member` role. It also formalizes a read-only variant useful for
+# project-specific API operations, like listing private images in a project,
+# behind the `reader` role.
+#
+# Operators should take an opportunity to understand glance's new image
+# policies,
+# audit assignments in their deployment, and update permissions using the
+# default
+# roles in keystone (e.g., `admin`, `member`, and `reader`).
+#
+# Related options:
+# * [oslo_policy]/enforce_new_defaults
+# (boolean value)
+# This option is deprecated for removal since Wallaby.
+# Its value may be silently ignored in the future.
+# Reason:
+# This option has been introduced to require operators to opt into enforcing
+# authorization based on common RBAC personas, which is EXPERIMENTAL as of the
+# Wallaby release. This behavior will be the default and STABLE in a future
+# release, allowing this option to be removed.
+#enforce_secure_rbac = false
+
+#
+# The URL to this worker.
+#
+# If this is set, other glance workers will know how to contact this one
+# directly if needed. For image import, a single worker stages the image
+# and other workers need to be able to proxy the import request to the
+# right one.
+#
+# If unset, this will be considered to be `public_endpoint`, which
+# normally would be set to the same value on all workers, effectively
+# disabling the proxying behavior.
+#
+# Possible values:
+# * A URL by which this worker is reachable from other workers
+#
+# Related options:
+# * public_endpoint
+#
+# (string value)
+#worker_self_reference_url = <None>
+
#
# The relative path to sqlite file database that will be used for image cache
# management.
@@ -818,7 +865,7 @@
# * cinder_store_password
#
# (string value)
-#cinder_catalog_info = volumev2::publicURL
+#cinder_catalog_info = volumev3::publicURL
#
# Override service catalog lookup with template for cinder endpoint.
@@ -2356,7 +2403,7 @@
# The relative or absolute path of a file that maps roles to permissions for a
# given service. Relative paths must be specified in relation to the
# configuration file setting this option. (string value)
-#policy_file = policy.json
+#policy_file = policy.yaml
# Default rule. Enforced when a requested rule is not found. (string value)
#policy_default_rule = default
diff --git a/etc/glance-scrubber.conf b/etc/glance-scrubber.conf
index 72849e5ba..d460c8367 100644
--- a/etc/glance-scrubber.conf
+++ b/etc/glance-scrubber.conf
@@ -412,6 +412,53 @@
# * [DEFAULT]/node_staging_uri (list value)
#enabled_import_methods = [glance-direct,web-download,copy-image]
+# DEPRECATED:
+# Enforce API access based on common persona definitions used across OpenStack.
+# Enabling this option formalizes project-specific read/write operations, like
+# creating private images or updating the status of shared image, behind the
+# `member` role. It also formalizes a read-only variant useful for
+# project-specific API operations, like listing private images in a project,
+# behind the `reader` role.
+#
+# Operators should take an opportunity to understand glance's new image
+# policies,
+# audit assignments in their deployment, and update permissions using the
+# default
+# roles in keystone (e.g., `admin`, `member`, and `reader`).
+#
+# Related options:
+# * [oslo_policy]/enforce_new_defaults
+# (boolean value)
+# This option is deprecated for removal since Wallaby.
+# Its value may be silently ignored in the future.
+# Reason:
+# This option has been introduced to require operators to opt into enforcing
+# authorization based on common RBAC personas, which is EXPERIMENTAL as of the
+# Wallaby release. This behavior will be the default and STABLE in a future
+# release, allowing this option to be removed.
+#enforce_secure_rbac = false
+
+#
+# The URL to this worker.
+#
+# If this is set, other glance workers will know how to contact this one
+# directly if needed. For image import, a single worker stages the image
+# and other workers need to be able to proxy the import request to the
+# right one.
+#
+# If unset, this will be considered to be `public_endpoint`, which
+# normally would be set to the same value on all workers, effectively
+# disabling the proxying behavior.
+#
+# Possible values:
+# * A URL by which this worker is reachable from other workers
+#
+# Related options:
+# * public_endpoint
+#
+# (string value)
+#worker_self_reference_url = <None>
+
#
# The amount of time, in seconds, to delay image scrubbing.
#
@@ -927,7 +974,7 @@
# * cinder_store_password
#
# (string value)
-#cinder_catalog_info = volumev2::publicURL
+#cinder_catalog_info = volumev3::publicURL
#
# Override service catalog lookup with template for cinder endpoint.
@@ -2481,7 +2528,7 @@
# The relative or absolute path of a file that maps roles to permissions for a
# given service. Relative paths must be specified in relation to the
# configuration file setting this option. (string value)
-#policy_file = policy.json
+#policy_file = policy.yaml
# Default rule. Enforced when a requested rule is not found. (string value)
#policy_default_rule = default