Stein Series Release Notes
15.3.2
Security Issues
An open redirect that could send users to arbitrary addresses from certain views by specifying a “next” parameter in the URL has been fixed. The redirect now works only if the target URL is in the same domain and uses the same protocol.
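The same-domain, same-protocol rule described above can be checked as follows. This is an added example using only the Python standard library, not Horizon's own code; the function names and the host horizon.example.org are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def is_same_site(target, scheme, host):
    """True if `target` is a path on this site or an absolute URL whose
    protocol and host (including port) match the current request."""
    if not target or target != target.strip():
        return False
    # Control characters are dropped by browsers and can hide a host switch.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers read "\" as "/", so "/\host" is really "//host".
    target = target.replace("\\", "/")
    if target.startswith("///"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme and not parts.netloc:
        return False  # "https:evil.example" and similar scheme-only forms
    if not parts.netloc:
        return target.startswith("/")  # plain site-relative path
    # "//host/path" inherits the scheme of the current page.
    target_scheme = (parts.scheme or scheme).lower()
    return target_scheme == scheme.lower() and parts.netloc.lower() == host.lower()


def resolve_next(next_param, scheme, host, default="/"):
    """Return the redirect destination, falling back to `default`."""
    return next_param if is_same_site(next_param, scheme, host) else default


# Constructed sample values; horizon.example.org is a placeholder host.
SAMPLES = [
    "/project/instances/",
    "https://horizon.example.org/admin/",
    "http://horizon.example.org/admin/",          # protocol differs
    "https://evil.example/",                      # host differs
    "//evil.example/",                            # scheme-relative URL
    "/\\evil.example/",                           # backslash variant
    "https://horizon.example.org@evil.example/",  # userinfo before real host
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:48} -> {resolve_next(s, 'https', 'horizon.example.org')!r}")
```

In a Django project, the framework's own django.utils.http.url_has_allowed_host_and_scheme helper (is_safe_url in older releases) performs this kind of check.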
15.3.0
Upgrade Notes
pyScss 1.3.7 is now required because pyScss 1.3.4, which Horizon used before, does not work with setuptools 46.
Along with the upgrade of pyScss to 1.3.7, a workaround for the material design theme is added to make it work properly. See [bug:1771559] for details.
15.2.0
Upgrade Notes
The publicize_image policy now has the same name for both the image create and edit features and corresponds to the same one in Glance. If you changed the policy name manually to get the feature working, you have to roll back your changes before the Horizon update.
Bug Fixes
[bug:1859041] The image:publicize_image policy is renamed to publicize_image to match the name Glance uses.
15.1.1
Bug Fixes
[bug:1840465] Fixed a bug where listing security groups did not work if one or more security groups had no rules in them.
15.1.0
Upgrade Notes
python-cinderclient >=4.0.1 is now required to fix bug:1824017. Cinder API 3.55 or later does not accept additional properties, but python-cinderclient older than 4.0.0 sends additional properties like used_id, status and so on. Horizon uses Cinder API 3.58 to create a volume, which means volume creation fails if python-cinderclient <4.0.0 is used. To handle this, the minimum requirement of python-cinderclient was bumped to 4.0.1.
15.0.0
New Features
Add “Create Router” button to Admin/Network/Routers panel.
With the fixes in Rocky that allow using Django’s recursive template inheritance, we have added new blocks in our base.html template to allow a better means of customising through your themes. For details see the customizing docs.
[blueprint:mitigate-breach-attacks] The Django-debreach module is added to mitigate BREACH attacks. RandomCommentMiddleware is enabled to counter the BREACH attack by randomising the content length of each response.
[blueprint neutron-rbac-policies] This blueprint adds an RBAC policies panel to the Admin Network group. This panel will be enabled by default when the RBAC extension is enabled. Remove this panel by setting “‘enable_rbac_policy’: False” in ‘local_settings.py’. RBAC policy supports the control of two resources: networks and QoS policies. Because QoS policies are an extension function of Neutron, that extension needs to be enabled if you want to use them.
[blueprint:instance-rescue-horizon-support] Support instance rescue feature
[bug:1785263] The project detail view is now a multi-tabbed view, composed of:
* Overview tab displaying general information about the project.
* Users tab displaying all users who have roles on the project (and their roles on it), including users who have roles on the project through their membership of a group.
* Group tab displaying all groups which have roles on the project (and their roles on it).
[bug:1792524] The user detail view is now a multi-tabbed view, composed of:
* Overview tab displaying general information about the user.
* Roles assignments tab displaying all the roles that the user has on a project or domain, directly or through membership of a group. When the role comes from membership of a group, this is indicated in the role column.
* Groups tab displaying all groups the user is a member of.
[blueprint:cinder-generic-volume-groups] Cinder generic groups are now supported in the admin panel. Admins can now view all groups and group snapshots for different users. Group-type and group-type-spec support is also added to the admin panel, so admins can now create group-type and group-type-spec.
New setting SESSION_REFRESH (defaults to True) that allows the user session expiry to be refreshed for every request until the token itself expires. SESSION_TIMEOUT acts as an idle timeout value now.
Added a new hide_create_volume setting under the LAUNCH_INSTANCE_DEFAULTS dict. This allows you to hide the “Create New Volume” option in the “Launch Instance” form and instead rely on the default value you select with create_volume as the most suitable option for your users.
[bug:1795851] Operators can now control whether the “Download OpenRC” and “Download clouds.yaml” links are displayed via the new settings SHOW_OPENRC_FILE and SHOW_OPENSTACK_CLOUDS_YAML. The openrc and clouds.yaml files provided by Horizon assume a basic simple deployment and do not cover Keystone authentication like saml2, openid and so on. The default openrc and clouds.yaml from Horizon do not make sense for such environments.
Custom templates for the clouds.yaml and openrc files can now be configured via the OPENSTACK_CLOUDS_YAML_CUSTOM_TEMPLATE and OPENRC_CUSTOM_TEMPLATE settings. For more detail, see the Settings Reference. The ADD_TEMPLATE_DIRS setting is also added so that operators can place custom templates for clouds.yaml at deployment-specific paths.
Added an upgrade_check management command that checks the configuration files for any settings that may potentially be problematic in the next version. The command is available as ./manage.py upgrade_check.
Adds the possibility to redirect the login to an identity provider by default. For that purpose the following variables have been added: WEBSSO_DEFAULT_REDIRECT, WEBSSO_DEFAULT_REDIRECT_PROTOCOL, WEBSSO_DEFAULT_REDIRECT_REGION and WEBSSO_DEFAULT_REDIRECT_LOGOUT.
Upgrade Notes
To allow certain views to optionally disable analytics tracking when handling sensitive data, don’t use the custom_head_js block or the now deprecated template horizon/_custom_head_js.html for analytics tracking. Please read the customizing docs and instead use the dedicated custom_analytics block so that Horizon or its plugins can disable tracking on a given view when needed.
PKI token support has been dropped from Horizon. PKI tokens were removed from Keystone in the Ocata release, which was released two years ago, so it is a good time to drop support for them.
The OPENSTACK_TOKEN_HASH_ALGORITHM setting was removed because it was used only for the PKI token check. Unless you used PKI tokens before upgrading, there is no effect and you can safely drop it from your local_settings.py.
SESSION_TIMEOUT now by default acts as an idle timeout rather than a hard timeout limit. If you wish to retain the old hard timeout functionality, set SESSION_REFRESH to False.
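A small model of the two timeout modes described by the SESSION_REFRESH and SESSION_TIMEOUT notes, added here as an illustration and not taken from Horizon's code. The function name and all times are constructed, and the model assumes the session lifetime is simply capped at the token expiry.

```python
def simulate_session(login_at, request_times, session_timeout,
                     token_expires_at, session_refresh=True):
    """Return (served, ends_at) for one login.

    served  -- request times that still found a live session
    ends_at -- the moment the session stops being valid
    All values are seconds on an arbitrary clock (constructed data).
    """
    # The session can never outlive the Keystone token.
    expires_at = min(login_at + session_timeout, token_expires_at)
    served = []
    for t in sorted(request_times):
        if t >= expires_at:
            break  # session is gone; the user has to log in again
        served.append(t)
        if session_refresh:
            # Idle timeout: every request pushes the expiry forward,
            # but never past the token's own expiry.
            expires_at = min(t + session_timeout, token_expires_at)
        # With session_refresh=False the expiry fixed at login stays put
        # (hard timeout), however active the user is.
    return served, expires_at


# Constructed scenario: 1 h SESSION_TIMEOUT, token valid for 4 h,
# one request every 50 minutes.
TIMEOUT = 3600
TOKEN_EXPIRES = 4 * 3600
STEADY_USE = [3000, 6000, 9000, 12000, 15000]

if __name__ == "__main__":
    print("idle timeout :", simulate_session(0, STEADY_USE, TIMEOUT, TOKEN_EXPIRES))
    print("hard timeout :", simulate_session(0, STEADY_USE, TIMEOUT, TOKEN_EXPIRES,
                                             session_refresh=False))
    # A 5000 s gap exceeds the idle timeout even with refresh enabled.
    print("idle, gap    :", simulate_session(0, [3000, 8000], TIMEOUT, TOKEN_EXPIRES))
```

With refresh enabled an active user stays logged in until the token expires, so the token lifetime becomes the effective upper bound on session length.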
policy.json files for Cinder, Keystone, Neutron and Nova are generated according to Policy file maintenance. Keystone changes to policy rules (https://docs.openstack.org/releasenotes/keystone/stein.html#prelude) are not compatible with Horizon, so keystone_policy.json is not updated. Please be sure that new Keystone policies are compatible with your deployment before syncing them.
The default value of SESSION_ENGINE is changed to django.contrib.sessions.backends.cache so that a cache-based session backend is used. The default cache backend is changed from the local-memory backend to the memcached backend django.core.cache.backends.memcached.MemcachedCache, considering multi-process web server deployments. These are settings which Horizon has recommended for a long time but which were not used by default.
If your deployment uses signed cookies as a session engine, ensure that SESSION_ENGINE is configured to django.contrib.sessions.backends.signed_cookies before upgrading Horizon to the Stein release. If your deployment uses the cached session engine and your cache backend depends on the Horizon default setting, ensure that the CACHES setting is configured to use the local-memory backend.
The default value of the SHOW_KEYSTONE_V2_RC setting is changed to False in favour of the deprecation of Keystone v2 API support in Horizon.
Deprecation Notes
The customisation override templates have been deprecated in favour of using recursive inheritance in your themes. The following templates have been deprecated and are slated for removal in the U release:
* _footer.html
* _login_footer.html
* _login_form_footer.html
* horizon/_custom_head_js.html
* horizon/_custom_meta.html
Keystone v2 API support in Horizon will be dropped in the Train release. It was removed from Keystone in the Queens release.
Cinder consistency group support in Horizon will be dropped in the Train release or later; it was deprecated in the Pike release in Cinder and was superseded by the generic group feature. Horizon has supported generic groups since the Rocky release.
Volume v2 API support is now deprecated. The API has been marked as deprecated in Cinder in favour of the volume v3 API. Horizon will drop volume v2 API support in the same release where Cinder drops it.
Glance v1 API support is now deprecated and will be dropped in the Train release at the earliest. It was removed from Glance in the Rocky release.
Nova-network support will be dropped completely in the Train release. Horizon dropped nova-network floating IP and security group support in the Queens release, but we still support operations on server instances created with nova-network. This deprecation means such support will be dropped in the near future and Horizon will assume Neutron is deployed.
The SHOW_KEYSTONE_V2_RC setting is deprecated in favour of the deprecation of Keystone v2 API support in Horizon.
Bug Fixes
Fixed a bug where non-admin users would be shown the “Change Password” button for users listed under the Identity panel.
[bug:1544703] Added a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO deployments where network segmentation is used per security requirement. In this case, the controllers are not reachable from the public network. Therefore, the user’s browser will not be able to access OPENSTACK_KEYSTONE_URL if it is set to the internal endpoint.