Support policy-in-code and deprecated policy
This change adds support for policy-in-code and deprecated policy following the change in horizon. Depends-on: https://review.opendev.org/750134 Change-Id: I0e53dfd653213a78ccca8a20f4e909b5ed798641
This commit is contained in:
parent
15b787ec6a
commit
8e7914fce2
@ -17,7 +17,8 @@ function install_heat_dashboard {
|
|||||||
function configure_heat_dashboard {
|
function configure_heat_dashboard {
|
||||||
cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/
|
cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/
|
||||||
cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/local_settings.d/_1699_orchestration_settings.py ${DEST}/horizon/openstack_dashboard/local/local_settings.d/
|
cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/local_settings.d/_1699_orchestration_settings.py ${DEST}/horizon/openstack_dashboard/local/local_settings.d/
|
||||||
cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/heat_policy.json ${DEST}/horizon/openstack_dashboard/conf/
|
cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/heat_policy.yaml ${DEST}/horizon/openstack_dashboard/conf/
|
||||||
|
cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/default_policies/heat.yaml ${DEST}/horizon/openstack_dashboard/conf/default_policies
|
||||||
# NOTE: If locale directory does not exist, compilemessages will fail,
|
# NOTE: If locale directory does not exist, compilemessages will fail,
|
||||||
# so check for an existence of locale directory is required.
|
# so check for an existence of locale directory is required.
|
||||||
if [ -d ${HEAT_DASHBOARD_DIR}/heat_dashboard/locale ]; then
|
if [ -d ${HEAT_DASHBOARD_DIR}/heat_dashboard/locale ]; then
|
||||||
|
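Review bot: The new copy target `${DEST}/horizon/openstack_dashboard/conf/default_policies` has no trailing slash and nothing in the hunk creates that directory, so if it does not already exist when configure_heat_dashboard runs, `cp -a` silently produces a regular file named `default_policies` and the `default_policies/heat.yaml` path that `_1699_orchestration_settings.py` registers in DEFAULT_POLICY_FILES never resolves. Because the shipped heat_policy.yaml contains only commented-out sample rules, that defaults file is the sole source of orchestration rules for the dashboard, and a failed copy leaves the panels with no rules and whatever fallback horizon applies to undefined rules instead of a loud error. I would add `mkdir -p ${DEST}/horizon/openstack_dashboard/conf/default_policies` before the copy and end the destination with `default_policies/`; whether horizon's own devstack setup already creates the directory is not visible here. configure_heat_dashboard continues past the end of the hunk.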
1356
heat_dashboard/conf/default_policies/heat.yaml
Normal file
1356
heat_dashboard/conf/default_policies/heat.yaml
Normal file
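--- a/heat_dashboard/conf/heat_policy.json
+++ /dev/null
@@ -1,92 +0,0 @@
-{
-"context_is_admin": "role:admin",
-"deny_stack_user": "not role:heat_stack_user",
-"deny_everybody": "!",
-
-"cloudformation:ListStacks": "rule:deny_stack_user",
-"cloudformation:CreateStack": "rule:deny_stack_user",
-"cloudformation:DescribeStacks": "rule:deny_stack_user",
-"cloudformation:DeleteStack": "rule:deny_stack_user",
-"cloudformation:UpdateStack": "rule:deny_stack_user",
-"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
-"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
-"cloudformation:ValidateTemplate": "rule:deny_stack_user",
-"cloudformation:GetTemplate": "rule:deny_stack_user",
-"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
-"cloudformation:DescribeStackResource": "",
-"cloudformation:DescribeStackResources": "rule:deny_stack_user",
-"cloudformation:ListStackResources": "rule:deny_stack_user",
-
-"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
-"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
-"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
-"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
-"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
-"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
-"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
-"cloudwatch:ListMetrics": "rule:deny_stack_user",
-"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
-"cloudwatch:PutMetricData": "",
-"cloudwatch:SetAlarmState": "rule:deny_stack_user",
-
-"actions:action": "rule:deny_stack_user",
-"build_info:build_info": "rule:deny_stack_user",
-"events:index": "rule:deny_stack_user",
-"events:show": "rule:deny_stack_user",
-"resource:index": "rule:deny_stack_user",
-"resource:metadata": "",
-"resource:signal": "",
-"resource:mark_unhealthy": "rule:deny_stack_user",
-"resource:show": "rule:deny_stack_user",
-"stacks:abandon": "rule:deny_stack_user",
-"stacks:create": "rule:deny_stack_user",
-"stacks:delete": "rule:deny_stack_user",
-"stacks:detail": "rule:deny_stack_user",
-"stacks:export": "rule:deny_stack_user",
-"stacks:generate_template": "rule:deny_stack_user",
-"stacks:global_index": "rule:deny_everybody",
-"stacks:index": "rule:deny_stack_user",
-"stacks:list_resource_types": "rule:deny_stack_user",
-"stacks:list_template_versions": "rule:deny_stack_user",
-"stacks:list_template_functions": "rule:deny_stack_user",
-"stacks:lookup": "",
-"stacks:preview": "rule:deny_stack_user",
-"stacks:resource_schema": "rule:deny_stack_user",
-"stacks:show": "rule:deny_stack_user",
-"stacks:template": "rule:deny_stack_user",
-"stacks:environment": "rule:deny_stack_user",
-"stacks:update": "rule:deny_stack_user",
-"stacks:update_patch": "rule:deny_stack_user",
-"stacks:preview_update": "rule:deny_stack_user",
-"stacks:preview_update_patch": "rule:deny_stack_user",
-"stacks:validate_template": "rule:deny_stack_user",
-"stacks:snapshot": "rule:deny_stack_user",
-"stacks:show_snapshot": "rule:deny_stack_user",
-"stacks:delete_snapshot": "rule:deny_stack_user",
-"stacks:list_snapshots": "rule:deny_stack_user",
-"stacks:restore_snapshot": "rule:deny_stack_user",
-"stacks:list_outputs": "rule:deny_stack_user",
-"stacks:show_output": "rule:deny_stack_user",
-
-"software_configs:global_index": "rule:deny_everybody",
-"software_configs:index": "rule:deny_stack_user",
-"software_configs:create": "rule:deny_stack_user",
-"software_configs:show": "rule:deny_stack_user",
-"software_configs:delete": "rule:deny_stack_user",
-"software_deployments:index": "rule:deny_stack_user",
-"software_deployments:create": "rule:deny_stack_user",
-"software_deployments:show": "rule:deny_stack_user",
-"software_deployments:update": "rule:deny_stack_user",
-"software_deployments:delete": "rule:deny_stack_user",
-"software_deployments:metadata": "",
-
-"service:index": "rule:context_is_admin",
-
-"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
-"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
-"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
-"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
-"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
-"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
-"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
-}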
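--- /dev/null
+++ b/heat_dashboard/conf/heat_policy.yaml
@@ -0,0 +1,96 @@
+#"context_is_admin": "(role:admin and is_admin_project:True) OR (role:admin and system_scope:all)"
+#"project_admin": "role:admin"
+#"deny_stack_user": "not role:heat_stack_user"
+#"deny_everybody": "!"
+#"allow_everybody": ""
+#"actions:action": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:suspend": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:resume": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:check": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"actions:cancel_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:cancel_without_rollback": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"build_info:build_info": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ListStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:CreateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:DescribeStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:DeleteStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:UpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:CancelUpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackEvents": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ValidateTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:GetTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:EstimateTemplateCost": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackResource": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ListStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"events:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"events:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"resource:signal": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"resource:mark_unhealthy": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"resource:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource_types:OS::Nova::Flavor": "rule:project_admin"
+#"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin"
+#"resource_types:OS::Cinder::VolumeType": "rule:project_admin"
+#"resource_types:OS::Cinder::Quota": "rule:project_admin"
+#"resource_types:OS::Neutron::Quota": "rule:project_admin"
+#"resource_types:OS::Nova::Quota": "rule:project_admin"
+#"resource_types:OS::Octavia::Quota": "rule:project_admin"
+#"resource_types:OS::Manila::ShareType": "rule:project_admin"
+#"resource_types:OS::Neutron::ProviderNet": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSDscpMarkingRule": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSMinimumBandwidthRule": "rule:project_admin"
+#"resource_types:OS::Neutron::Segment": "rule:project_admin"
+#"resource_types:OS::Nova::HostAggregate": "rule:project_admin"
+#"resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
+#"resource_types:OS::Cinder::QoSAssociation": "rule:project_admin"
+#"resource_types:OS::Keystone::*": "rule:project_admin"
+#"resource_types:OS::Blazar::Host": "rule:project_admin"
+#"resource_types:OS::Octavia::Flavor": "rule:project_admin"
+#"resource_types:OS::Octavia::FlavorProfile": "rule:project_admin"
+#"service:index": "role:reader and system_scope:all"
+#"software_configs:global_index": "role:reader and system_scope:all"
+#"software_configs:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:create": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_deployments:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_deployments:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"stacks:abandon": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:detail": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:export": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:generate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:global_index": "role:reader and system_scope:all"
+#"stacks:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_resource_types": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_template_versions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_template_functions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:lookup": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"stacks:preview": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:resource_schema": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:template": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:environment": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:files": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:preview_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:preview_update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:validate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:show_snapshot": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:delete_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:list_snapshots": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:restore_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:list_outputs": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:show_output": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"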
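Review bot: Nothing in the file says that it is a sample: all 96 rules are commented out, so on its own it reads like a policy file that lost its rules rather than an overrides template, and an operator who uncomments a rule without checking default_policies/heat.yaml may assume these strings are what the dashboard currently enforces. I would open it with a short header such as `# Sample overrides for the orchestration panels. Every rule below is commented out; the enforced defaults are loaded from default_policies/heat.yaml. Uncomment and edit a rule here to override its default.` Two of the samples also deserve a one-line caution: the `system_scope:all` clauses only match if horizon passes system scope in the policy target, and `resource_types:OS::Keystone::*` is a wildcard that puts every Keystone resource type behind `project_admin`; I cannot confirm either behaviour from this change alone. Operators who customised the old heat_policy.json should be told that the settings now read only heat_policy.yaml, so a JSON file left on disk is no longer applied.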
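--- a/heat_dashboard/local_settings.d/_1699_orchestration_settings.py
+++ b/heat_dashboard/local_settings.d/_1699_orchestration_settings.py
@@ -21,7 +21,11 @@ OPENSTACK_HEAT_STACK = {
 }
 
 settings.POLICY_FILES.update({
-'orchestration': 'heat_policy.json',
+'orchestration': 'heat_policy.yaml',
+})
+
+settings.DEFAULT_POLICY_FILES.update({
+'orchestration': 'default_policies/heat.yaml',
 })
 
 # Sample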
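Review bot: `settings.DEFAULT_POLICY_FILES` is referenced unconditionally, so on a horizon release that predates the depended-on change the attribute does not exist and the resulting `AttributeError` is raised while local_settings.d is being imported, which takes down every dashboard panel rather than only orchestration; the commit message names the dependency, but no minimum horizon version is visible in this change. Because the enforced orchestration rules now come entirely from the defaults file (heat_policy.yaml ships with every rule commented out), a comment above the two update calls would keep the next reader from looking for rules in the wrong file: `# heat_policy.yaml holds operator overrides only; the enforced defaults are loaded from default_policies/heat.yaml, which must be present for the orchestration policy checks to work.` If older horizon is meant to keep working, the second block can be guarded with `if hasattr(settings, 'DEFAULT_POLICY_FILES'):`, otherwise a clear minimum-version note belongs in requirements.txt and the release note.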
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
The default configuration file has been updated and now includes
|
||||||
|
the required parameters to use the new policy-in-code feature in Horizon.
|
||||||
|
Because of this change, the defualt policy.json is no longer included in
|
||||||
|
this repo but replaced with policy.yaml. Please refer to the release note
|
||||||
|
and documentation of Horizon to find details about this feature.
|