heat moved to policy in code
create a policy.yaml to change the default behavior Change-Id: I84708d64188c2fa6d8555182e024efec85edbe2c
parent
0dea4ddcb1
commit
3e03f500b2
@ -56,7 +56,7 @@ notification_driver = messagingv2
|
|||||||
[DEFAULT]
|
[DEFAULT]
|
||||||
notification_topics = notifications,vitrage_notifications
|
notification_topics = notifications,vitrage_notifications
|
||||||
notification_driver = messagingv2
|
notification_driver = messagingv2
|
||||||
policy_file = /etc/heat/policy.json-tempest
|
policy_file = /etc/heat/policy.yaml
|
||||||
|
|
||||||
[[post-config|\$AODH_CONF]]
|
[[post-config|\$AODH_CONF]]
|
||||||
[oslo_messaging_notifications]
|
[oslo_messaging_notifications]
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# Install and start **Vitrage** service in devstack
|
# Install and start **Vitrage** service in devstack
|
||||||
#
|
#
|
||||||
# To enable vitrage in devstack add an entry to local.conf that
|
# To enable vitragebehaviortack add an entry to local.conf that
|
||||||
# looks like
|
# looks like
|
||||||
#
|
#
|
||||||
# [[local|localrc]]
|
# [[local|localrc]]
|
||||||
@ -342,18 +342,11 @@ function stop_vitrage {
|
|||||||
|
|
||||||
function modify_heat_global_index_policy_rule {
|
function modify_heat_global_index_policy_rule {
|
||||||
if is_service_enabled heat; then
|
if is_service_enabled heat; then
|
||||||
# Allow to list all stacks
|
cat << EOF > /etc/heat/policy.yaml
|
||||||
local policy_file=$HEAT_CONF_DIR/policy.json
|
# List stacks globally.
|
||||||
local rule_to_change='"stacks:global_index": "rule:deny_everybody"'
|
# GET /v1/{tenant_id}/stacks
|
||||||
local rule_to_add='"stacks:global_index": "rule:deny_stack_user"'
|
"stacks:global_index": "rule:deny_stack_user"
|
||||||
|
EOF
|
||||||
# replace only if exists deny_everybody
|
|
||||||
if grep -q "$rule_to_change" $policy_file; then
|
|
||||||
sed -i "s/$rule_to_change/$rule_to_add/" $policy_file
|
|
||||||
# add only if not exists deny_stack_user
|
|
||||||
elif ! grep -q "$rule_to_add" $policy_file; then
|
|
||||||
sed -i "/}/i\\ \\ \\ ,$rule_to_add" $policy_file
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
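Review bot: The heredoc at `cat << EOF > /etc/heat/policy.yaml` replaces the whole file, whereas the removed grep/sed path edited a single rule inside an existing policy file, so any other overrides a deployer already has in /etc/heat/policy.yaml are silently dropped; acceptable for a throwaway devstack, but worth a comment. The removed code also resolved the path through `$HEAT_CONF_DIR`, which this hunk hard-codes; `cat << 'EOF' > $HEAT_CONF_DIR/policy.yaml` keeps the configured directory and the quoted delimiter stops the shell from expanding anything that is later added to the body. The rule written relaxes `stacks:global_index` from the `rule:deny_everybody` value the removed code searched for to `rule:deny_stack_user`, i.e. any token without the heat_stack_user role can list stacks across all projects, so I would keep the intent of the dropped `# Allow to list all stacks` line as `# Test-only: widens stacks:global_index so tempest can list stacks of every project` to make clear the widened permission is not meant for a real deployment.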
@ -28,13 +28,15 @@ sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/static_
|
|||||||
sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/heat_template.yaml /etc/vitrage/
|
sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/heat_template.yaml /etc/vitrage/
|
||||||
sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/heat_nested_template.yaml /etc/vitrage/
|
sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/heat_nested_template.yaml /etc/vitrage/
|
||||||
sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/server.yaml /etc/vitrage/
|
sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/server.yaml /etc/vitrage/
|
||||||
sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/policy.json-tempest /etc/heat/
|
|
||||||
sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/templates/api/* /etc/vitrage/templates/
|
sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/templates/api/* /etc/vitrage/templates/
|
||||||
sudo cp $DEVSTACK_PATH/tempest/etc/logging.conf.sample $DEVSTACK_PATH/tempest/etc/logging.conf
|
sudo cp $DEVSTACK_PATH/tempest/etc/logging.conf.sample $DEVSTACK_PATH/tempest/etc/logging.conf
|
||||||
|
|
||||||
# copied the templates need to restart
|
# copied the templates need to restart
|
||||||
sudo systemctl restart devstack@vitrage-graph.service
|
sudo systemctl restart devstack@vitrage-graph.service
|
||||||
|
|
||||||
|
# wait for 30 seconds
|
||||||
|
sleep 30
|
||||||
|
|
||||||
if [ "$DEVSTACK_GATE_USE_PYTHON3" == "True" ]; then
|
if [ "$DEVSTACK_GATE_USE_PYTHON3" == "True" ]; then
|
||||||
export PYTHON=python3
|
export PYTHON=python3
|
||||||
fi
|
fi
|
||||||
|
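Review bot: The added `sleep 30` after the vitrage-graph restart is a fixed delay with no statement of what it waits for, and the comment `# wait for 30 seconds` only restates the code. A comment naming the condition, e.g. `# give vitrage-graph time to come back and load the copied templates before tempest runs`, would let a maintainer replace it later with a readiness check on the service. I am inferring the purpose from the `# copied the templates need to restart` line above; if that is right, polling the service instead of sleeping would also make the gate less timing-dependent.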
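--- a/vitrage_tempest_tests/tests/resources/heat/policy.json-tempest
+++ /dev/null
@@ -1,94 +0,0 @@
-{
-"context_is_admin": "role:admin and is_admin_project:True",
-"project_admin": "role:admin",
-"deny_stack_user": "not role:heat_stack_user",
-"deny_everybody": "!",
-
-"cloudformation:ListStacks": "rule:deny_stack_user",
-"cloudformation:CreateStack": "rule:deny_stack_user",
-"cloudformation:DescribeStacks": "rule:deny_stack_user",
-"cloudformation:DeleteStack": "rule:deny_stack_user",
-"cloudformation:UpdateStack": "rule:deny_stack_user",
-"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
-"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
-"cloudformation:ValidateTemplate": "rule:deny_stack_user",
-"cloudformation:GetTemplate": "rule:deny_stack_user",
-"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
-"cloudformation:DescribeStackResource": "",
-"cloudformation:DescribeStackResources": "rule:deny_stack_user",
-"cloudformation:ListStackResources": "rule:deny_stack_user",
-
-"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
-"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
-"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
-"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
-"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
-"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
-"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
-"cloudwatch:ListMetrics": "rule:deny_stack_user",
-"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
-"cloudwatch:PutMetricData": "",
-"cloudwatch:SetAlarmState": "rule:deny_stack_user",
-
-"actions:action": "rule:deny_stack_user",
-"build_info:build_info": "rule:deny_stack_user",
-"events:index": "rule:deny_stack_user",
-"events:show": "rule:deny_stack_user",
-"resource:index": "rule:deny_stack_user",
-"resource:metadata": "",
-"resource:signal": "",
-"resource:mark_unhealthy": "rule:deny_stack_user",
-"resource:show": "rule:deny_stack_user",
-"stacks:abandon": "rule:deny_stack_user",
-"stacks:create": "rule:deny_stack_user",
-"stacks:delete": "rule:deny_stack_user",
-"stacks:detail": "rule:deny_stack_user",
-"stacks:export": "rule:deny_stack_user",
-"stacks:generate_template": "rule:deny_stack_user",
-"stacks:global_index": "rule:deny_stack_user",
-"stacks:index": "rule:deny_stack_user",
-"stacks:list_resource_types": "rule:deny_stack_user",
-"stacks:list_template_versions": "rule:deny_stack_user",
-"stacks:list_template_functions": "rule:deny_stack_user",
-"stacks:lookup": "",
-"stacks:preview": "rule:deny_stack_user",
-"stacks:resource_schema": "rule:deny_stack_user",
-"stacks:show": "rule:deny_stack_user",
-"stacks:template": "rule:deny_stack_user",
-"stacks:environment": "rule:deny_stack_user",
-"stacks:files": "rule:deny_stack_user",
-"stacks:update": "rule:deny_stack_user",
-"stacks:update_patch": "rule:deny_stack_user",
-"stacks:preview_update": "rule:deny_stack_user",
-"stacks:preview_update_patch": "rule:deny_stack_user",
-"stacks:validate_template": "rule:deny_stack_user",
-"stacks:snapshot": "rule:deny_stack_user",
-"stacks:show_snapshot": "rule:deny_stack_user",
-"stacks:delete_snapshot": "rule:deny_stack_user",
-"stacks:list_snapshots": "rule:deny_stack_user",
-"stacks:restore_snapshot": "rule:deny_stack_user",
-"stacks:list_outputs": "rule:deny_stack_user",
-"stacks:show_output": "rule:deny_stack_user",
-
-"software_configs:global_index": "rule:deny_stack_user",
-"software_configs:index": "rule:deny_stack_user",
-"software_configs:create": "rule:deny_stack_user",
-"software_configs:show": "rule:deny_stack_user",
-"software_configs:delete": "rule:deny_stack_user",
-"software_deployments:index": "rule:deny_stack_user",
-"software_deployments:create": "rule:deny_stack_user",
-"software_deployments:show": "rule:deny_stack_user",
-"software_deployments:update": "rule:deny_stack_user",
-"software_deployments:delete": "rule:deny_stack_user",
-"software_deployments:metadata": "",
-
-"service:index": "rule:context_is_admin",
-
-"resource_types:OS::Nova::Flavor": "rule:project_admin",
-"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
-"resource_types:OS::Cinder::VolumeType": "rule:project_admin",
-"resource_types:OS::Manila::ShareType": "rule:project_admin",
-"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
-"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
-"resource_types:OS::Nova::HostAggregate": "rule:project_admin"
-}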