Upgrade Notes¶

• publicize_image policy now has the same name both for image create andedit features and corresponds to the same one in Glance. If you changed thepolicy name manually to get feature working you have to rollback yourchanges before Horizon update.

Security Issues¶

• An open redirect has been fixed, that could redirect users to arbitraryaddresses from certain views by specifying a “next” parameter in the URL.Now the redirect will only work if the target URL is in the same domain,and uses the same protocol.

Bug Fixes¶

• [bug:1859041]image:publicize_image policy is renamed topublicize_image to be the same as Glance has.

Known Issues¶

• [bug:1746706] When reloading or opening Angular-based detail pagedirectly, the navigation menu and breadcrumb list are not recoveredproperly and the first panel is focused.[bug:1746709] when we try to open non-existing Angular-based detailpage, “Not Found” (404) page is not shown. A blank page only withthe navigation menu will be shown.

Bug Fixes¶

• [bug:1681627] A problem that Angular-based detail page (ngdetail page)cannot be reloaded or opened via direct URL has been fixed. Note thatthere are some known issues described in theKnown Issues section.

New Features¶

• Add support for horizon offering a clouds.yaml file for download along with the openrc files. For more information on clouds.yaml, seeos-client-config documentation.

• Added settings OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN (boolean) andOPENSTACK_KEYSTONE_DOMAIN_CHOICES (tuple of tuples) to support a dropdownlist of keystone domains to choose from at login. This should NOT be enabledfor public clouds, as advertising enabled domains to unauthenticated usersirresponsibly exposes private information. This is useful for private cloudsthat sit behind a corprate firewall and that have a small number of domainsmapped to known corporate structures, such as an LDAP directory, ActiveDirectory domains, geopgraphical regions or business units.

• Thevirtio-forwarder VNIC type has been added to the list of valid types that may be set on a port. This requests a low-latency virtio port inside the instance, likely backed by hardware acceleration and requires a supporting Neutron mechanism driver.

• The configuration documentation forsupported_vnic_types inOPENSTACK_NEUTRON_NETWORK has been updated to help an operator decide which VNIC types should be available for users to choose from.

• Added two charts to show the Number of Volumes and Total Volume Storage quotas on launch instance modal when cinder is enabled.

• [blueprint network-bandwidth-limiting-qos] Add partial support for Network QoS policies. Since the panel is incomplete in Pike, it is disabled by default. It can be enabled in the fileopenstack_dashboard/enabled/_1510_project_network_qos_panel.py. When enabled, this panel allows users to view a list of created network policies. This panel displays a table view of the name, description and shared status of each policy. The details page for each policy also shows information on the associated rules.

• Gives end-users the ability to create and delete ports in their networks. The functionality will be implemented into the project network details table. Following the discussions in the bug discussion. This functionality will be enabled/disabled via policy. Blueprint can be found at [blueprint network-ports-tenant] Bug can be found at [bug 1399252]

• [blueprint neutron-trunk-ui]Add partial support for Neutron Trunks. Since the panel is incompletein Pike, it is disabled by default. It can be enabled in the file‘openstack_dashboard/enabled/_1500_project_trunks_panel.py’. Afterenabling it the Project/Network/Trunks panel turns on if NeutronAPI extension ‘trunk’ is available. It displays information abouttrunks. The details page for each trunk also shows information aboutsubports of that trunk. Currently supported actions: delete.

• [blueprint password-expires-validation] This blueprint provides a configurable setting to allow operators set the threshold days between the current date and the expiration date to show a message to warn users change their password prior the expiration date.

• Most of the documentation has been reorganised and updated, or rewritten entirely, with the aim of promoting discoverability and ensuring all content is relevant and up to date.

• Added a locked status column on admin/project instances table. It willshow a locked or unlocked icon if nova API 2.9 or above is used.The locked status is also available on instance details panel.

• Added a newcreate_volume setting under theLAUNCH_INSTANCE_DEFAULTS dict. This allows you to set the default value of “Create Volume” in “Launch Instance” form, when Cinder is available.

• Added a new setting CREATE_IMAGE_DEFAULTS(dictionary) to configure thedefault options shown on create image modal. By default, the visibilityoption is public on create image modal. Ifimage_visibility in thissetting is set to"private", the default visibility option is private.

• Added a newDEFAULT_SERVICE_REGIONS setting into local_settings.py. If a value of this is specified, it will be the default region to use when logging into the dashboard, instead of the value stored in cookies.

• Now it is possible to enable/disable port security in Horizon, when the port-security extension is available. Note: Neutron allows disabling the port security on a port only when no security groups are associated to it

• Panel group is introduced in the Admin dashboard to organize admin panelsbetter. Panels in “System” group of Admin dashboard are now categorizedinto four groups: “Compute”, “Volume”, “Network” and “System”.

• Security group association per port is now shown in the port detail page.In Neutron different security groups can be associated on different portsof a same server instance, but previously it cannot be referred in Horizon.

• Securtiy group “Add rule” form now allows to specify ‘any’ IP protocoland ‘any’ port number (for TCP and UDP protocols). This feature isavailable when neutron is used as a networking back-end.You can specify ‘any’ IP protocol for ‘Other Protocol’ and-1 means‘any’ IP protocol. You can also seeAllports choice in ‘Open Port’field in case of TCP or UDP protocol is selected.

• Horizon workflow Step now support allowed() method to determine the step should be displayed conditionally. The workflow Step class already support policy check and permission mechanism to decide the step should be displayed, but allowed() is used to support more complex or dynamic condition.

Upgrade Notes¶

• Horizon is updated to use the same API policy target rules with Nova, if you made any changes to Horizon’s old nova policy file before, make sure to apply your specific policy changes to the new Nova policy file used by Horizon.

• Theprofile_support setting has been removed from theOPENSTACK_NEUTRON_NETWORK dict, and any usages have been removed from the Horizon code base. If you were relying on this being set by default, you will now need to manually set the value in your plugin/customisation.

• The ability to edit flavors is disabled by default. SeeENABLE_FLAVOR_EDIT in the settings documentation for more information.

• String attributesaction_present andaction_past were droppedfromhorizon.tables.BatchAction.action_present andaction_pastmethods are the recommended way to define action labels for BatchAction.The offical way allows us to define more complete strings for action labelsand this also allows translators to translate more flexibily.

• [blueprint:drop-nova-network]Horizon nova-network floating IP and security groups supports have beendropped in Pike release. nova-network has been marked as deprecatedin Nova in Newton release and horizon support was dropped in favor of it.Neutron now becomes a requirement for floating IP and security groups.Other operations on instances which created with nova-network shouldwork same as before.

• The settingsenable_firewall andenable_vpn which have beendeprecated since Juno release are now actually dropped.If you are using these settings to disable FWaaS v1 and VPNaaS dashboards,useREMOVE_PANEL ofthe Pluggable Panel mechanismto disable these panels. Note that Horizon checks the availability ofFWaaS v1 and/or VPNaaS in your Neutron deploymennt and disablescorresponding panels if not available, so in most cases you do not need totake care of the change.

• FWaaS dashboard is now split out into a separate projectneutron-fwaas-dashboard. All new features and maintenances areprovided from the new project from now on. The new project providesall features available in Horizon in the past release.To continue to use FWaaS dashboard, installneutron-fwaas-dashboardand set up the horizon plugin configuration file inenabled directory.For more information, seeneutron-fwaas-dashboard documentation.

• [bug:1700325] Horizon now allows to override an embeded default pluginenabled file by specifying an enabled plguin file with a same filename.If there are plugin enabled files with a same name both inenabled andlocal/enabled directories, the file inlocal/enabled will be usedand the file inenabled will be ignored now.Previously, both files are processed in the order ofenabled and thenlocal/enabled in this case, but this made operators difficult to changethe order of panels from the default order.

  This is useful when you would like to disable some default panel.You can do it by specifyingDISABLED=True in a plugin enabled fileinlocal/enabled directory with a same name.

  This works in most cases, but there is a case where you need to be carefulwhen upgrading horizon. If you useREMOVE_PANEL to remove some defaultpanel by putting a plugin enabled file with a same name inlocal/enabled directory, you now need to useDISABLED=True orchange the filename.

• As a result of Admin dashboard reorganization, panel groups of many Adminpanels have been changed. Operators who customize Admin panels (for example,disable some Admin panels) throughenabled directory need to updatepanel groups inenabled files. Horizon plugin developers and deployersmay also need to update panel configurations underenabled directoryto adapt the new Admin menus.

• OPENSTACK_ENDPOINT_TYPE setting now has a consistent default valueand it defaults topublicURL. If you use the default value,previously (at least Ocata release) Horizon usedinternalURL forkeystone andpublicURL for other services. The default value isnowpublicURL, so if you want horizon to useinternalURL totalk with back-end services, ensure to setOPENSTACK_ENDPOINT_TYPEtointernalURL.

• VPNaaS dashboard is now split out into a separate projectneutron-vpnaas-dashboard. All new features and maintenances areprovided from the new project from now on. The new project providesall features available in Horizon in the past release.To continue to use VPNaaS dashboard, installneutron-vpnaas-dashboardand set up the horizon plugin configuration file inenabled directory.For more information, seeneutron-vpnaas-dashboard documentationhttp://git.openstack.org/cgit/openstack/neutron-vpnaas-dashboard/tree/doc/source

Deprecation Notes¶

• Editing flavors is deprecated and may be removed from the ‘R’ cycle onwards.

Bug Fixes¶

• [bug:1564543]AVAILABLE_THEMES was used to determine whethera theme was selectable via the user facing widget, however it was notedthat sometimes a parent theme is desired for inheritance, and needs tobe hidden from the widget entirely.SELECTABLE_THEMES wasadded as a setting that can be used to collect a theme for inheritance,but hide it from the user’s view.Seethe settings documentationfor usage specifics.

• Unnecessary API calls to back-end services are eliminated when checkingthe quota and usage in individual panels. Each panel checks a resourcecan be created by retrieving the current quota and usage for the resource.However, the previous implementation retrieves quota and usage of unrelatedresources (For example, Nova usage is retrieved when checking a networkusage). It can be a performance problem in large deployments.This behavior is now fixed to load quota and usage only for resourceswhich are really required.