From 0c653f0b4a3177f52e81aad10c29145f98cb7e1b Mon Sep 17 00:00:00 2001
From: Andy McCrae
Date: Tue, 15 Aug 2017 09:59:20 +0100
Subject: [PATCH] Update paste, policy and rootwrap configurations 2017-08-15

Change-Id: Idffbe4347cb93880e28803304af99f65fcf9f808
---
 files/rootwrap.d/compute.filters | 20 ++++++++++----------
 templates/api-paste.ini.j2 | 13 ++++++++-----
 2 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/files/rootwrap.d/compute.filters b/files/rootwrap.d/compute.filters
index 86a23f0a..33e0360b 100644
--- a/files/rootwrap.d/compute.filters
+++ b/files/rootwrap.d/compute.filters
@@ -38,15 +38,18 @@ blkid: CommandFilter, blkid, root
 blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
 
 # nova/virt/disk/vfs/localfs.py: 'tee', canonpath
+# nova/virt/libvirt/guest.py: 'tee',
+# nova/virt/libvirt/vif.py: utils.execute('tee',
 tee: CommandFilter, tee, root
 
 # nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
 mkdir: CommandFilter, mkdir, root
 
 # nova/virt/disk/vfs/localfs.py: 'chown'
-# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
-# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
-# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
+# nova/virt/libvirt/utils.py: def chown(): execute('chown', owner, path,
+# nova/virt/libvirt/driver.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/driver.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/driver.py: 'chown', 'root', basepath('disk')
 chown: CommandFilter, chown, root
 
 # nova/virt/disk/vfs/localfs.py: 'chmod'
@@ -100,7 +103,7 @@ mm-ctl: CommandFilter, mm-ctl, root
 # nova/network/linux_net.py: 'ovs-ofctl', ....
 ovs-ofctl: CommandFilter, ovs-ofctl, root
 
-# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
+# nova/virt/libvirt/driver.py: 'dd', if=%s % virsh_output, ...
 dd: CommandFilter, dd, root
 
 # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
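Review bot: The two caller comments added above `tee: CommandFilter, tee, root` document more code paths into a filter that matches on the executable name only, so any argument list is accepted and the account that invokes rootwrap can write arbitrary paths as root through it. The same applies to `chown: CommandFilter, chown, root` in this hunk and to `dd: CommandFilter, dd, root` in the next one. If the callers in guest.py and vif.py only write under a known prefix (not visible from these truncated comments), a `RegExpFilter` pinned to that prefix would be tighter. Otherwise a comment such as `# NOTE: CommandFilter does not constrain arguments; callers of this filter are root-equivalent` would at least record the exposure next to the growing caller list.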
@@ -185,7 +188,7 @@ mkfs.ext3: CommandFilter, mkfs.ext3, root
 mkfs.ext4: CommandFilter, mkfs.ext4, root
 mkfs.ntfs: CommandFilter, mkfs.ntfs, root
 
-# nova/virt/libvirt/connection.py:
+# nova/virt/libvirt/driver.py:
 lvremove: CommandFilter, lvremove, root
 
 # nova/virt/libvirt/utils.py:
@@ -197,7 +200,7 @@ lvs: CommandFilter, lvs, root
 # nova/virt/libvirt/utils.py:
 vgs: CommandFilter, vgs, root
 
-# nova/utils.py:read_file_as_root: 'cat', file_path
+# nova/utils.py: read_file_as_root: 'cat', file_path
 # (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
 read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
 read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
@@ -221,9 +224,6 @@ scsi_id: CommandFilter, /lib/udev/scsi_id, root
 # and (implicitly) the actual python code invoked.
 privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
 
-# nova/storage/linuxscsi.py: sg_scan device
-sg_scan: CommandFilter, sg_scan, root
-
 # nova/virt/libvirt/storage/dmcrypt.py:
 cryptsetup: CommandFilter, cryptsetup, root
 
@@ -236,7 +236,7 @@ rbd: CommandFilter, rbd, root
 # nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
 shred: CommandFilter, shred, root
 
-# nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
+# nova/virt/libvirt/volume/volume.py: 'cp', '/dev/stdin', delete_control..
 cp: CommandFilter, cp, root
 
 # nova/virt/xenapi/vm_utils.py:
diff --git a/templates/api-paste.ini.j2 b/templates/api-paste.ini.j2
index f180ab31..a0563938 100644
--- a/templates/api-paste.ini.j2
+++ b/templates/api-paste.ini.j2
@@ -28,17 +28,20 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
 
 [composite:openstack_compute_api_v21]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit osprofiler noauth2 osapi_compute_app_v21
-keystone = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit osprofiler authtoken keystonecontext osapi_compute_app_v21
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21
+keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext osapi_compute_app_v21
 
 [composite:openstack_compute_api_v21_legacy_v2_compatible]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21
-keystone = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit osprofiler authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21
+keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
 
+[filter:request_log]
+paste.filter_factory = nova.api.openstack.requestlog:RequestLog.factory
+
 [filter:compute_req_id]
 paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory
 
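Review bot: `request_log` is placed ahead of `authtoken keystonecontext` in both keystone pipelines, so it wraps authentication and will see requests that are later rejected, yet nothing in the template says the position is deliberate. A comment above `[filter:request_log]`, for example `# request_log wraps authtoken so unauthenticated and rejected calls are logged as well`, would keep a later edit from moving it behind auth and losing those entries. It also sits ahead of `sizelimit`; presumably it records request metadata only, but confirm it does not read the body before the size check runs. Separately, the new filter needs `nova.api.openstack.requestlog` to be importable in the deployed nova, and the template has no guard for a release that lacks it.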
@@ -64,7 +67,7 @@ paste.filter_factory = nova.api.openstack:LegacyV2CompatibleWrapper.factory
 paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory
 
 [pipeline:oscomputeversions]
-pipeline = cors faultwrap http_proxy_to_wsgi oscomputeversionapp
+pipeline = cors faultwrap request_log http_proxy_to_wsgi oscomputeversionapp
 
 [app:oscomputeversionapp]
 paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
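Review bot: In `[pipeline:oscomputeversions]` the new `request_log` sits before `http_proxy_to_wsgi`, while the four compute pipelines in the previous hunk place it after `http_proxy_to_wsgi`. If the logger reads scheme, host or client address from the WSGI environ before the forwarded headers are applied, entries for the versions endpoint would carry proxy-facing values and be harder to correlate with the other API logs; this is inferred from the ordering alone. Either keep the order consistent, `pipeline = cors faultwrap http_proxy_to_wsgi request_log oscomputeversionapp`, or add a comment stating that the difference is intentional.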