Add policies for API access control to watcher-dashboard
Co-Authored-By: David TARDIVEL <David.TARDIVEL@b-com.com> Change-Id: I1babb96cbad71b74b6fd5e1ac5f1cfb7b263ba2c blueprint: watcher-policies
parent
8c1687c6e4
commit
5ccab31a64
16
README.rst
16
README.rst
@ -109,6 +109,22 @@ Please note that these commands are also available via ``tox``.
|
|||||||
As of the Mitaka release, the dashboard for watcher is now maintained
|
As of the Mitaka release, the dashboard for watcher is now maintained
|
||||||
outside of the Horizon codebase, in this repository.
|
outside of the Horizon codebase, in this repository.
|
||||||
|
|
||||||
|
|
||||||
|
Policies
|
||||||
|
--------
|
||||||
|
You can enable policies on Watcher ``Optimization`` panel, by updating in the
|
||||||
|
``<HORIZON_DIR>/openstack_dashboard/settings.py`` configuration file the
|
||||||
|
following parameters
|
||||||
|
|
||||||
|
POLICY_FILES = {
|
||||||
|
...
|
||||||
|
'infra-optim': 'watcher_policy.json',
|
||||||
|
}
|
||||||
|
|
||||||
|
You can also update the file ``<HORIZON_DIR>/openstack_dashboard/conf/watcher_policy.conf``
|
||||||
|
to customize your policies.
|
||||||
|
|
||||||
|
|
||||||
Links
|
Links
|
||||||
-----
|
-----
|
||||||
|
|
||||||
|
@ -8,6 +8,7 @@ function install_watcher_dashboard {
|
|||||||
|
|
||||||
function configure_watcher_dashboard {
|
function configure_watcher_dashboard {
|
||||||
cp -a ${WATCHER_DASHBOARD_DIR}/watcher_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/
|
cp -a ${WATCHER_DASHBOARD_DIR}/watcher_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/
|
||||||
|
cp -a ${WATCHER_DASHBOARD_DIR}/watcher_dashboard/conf/* ${DEST}/horizon/openstack_dashboard/conf/
|
||||||
}
|
}
|
||||||
|
|
||||||
function init_watcher_dashboard {
|
function init_watcher_dashboard {
|
||||||
@ -42,6 +43,7 @@ if is_service_enabled watcher-dashboard; then
|
|||||||
|
|
||||||
if [[ "$1" == "unstack" ]]; then
|
if [[ "$1" == "unstack" ]]; then
|
||||||
rm -f ${DEST}/horizon/openstack_dashboard/local/enabled/_310*
|
rm -f ${DEST}/horizon/openstack_dashboard/local/enabled/_310*
|
||||||
|
rm -f ${DEST}/horizon/openstack_dashboard/conf/watcher*
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
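Review bot: The unstack cleanup `rm -f ${DEST}/horizon/openstack_dashboard/conf/watcher*` matches more than this plugin installs, since the only file this commit adds under `watcher_dashboard/conf/` is `watcher_policy.json`, so the glob would also delete any other `watcher*` file that an operator or another plugin placed in Horizon's conf directory. Naming the file, `rm -f "${DEST}/horizon/openstack_dashboard/conf/watcher_policy.json"`, keeps removal symmetric with installation. The expansions in both added lines are unquoted, so a `DEST` containing whitespace would be split; quote the directory part and leave the `*` of the `cp -a` source outside the quotes. The `is_service_enabled` block continues outside the hunk.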
@ -14,3 +14,9 @@ for filepath in $src_path/watcher_dashboard/enabled/*.py; do
|
|||||||
ln -s $src_filepath $dest_filepath
|
ln -s $src_filepath $dest_filepath
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
policy_file_name='watcher_policy.json'
|
||||||
|
src_policy_filepath=$src_path'/watcher_dashboard/conf/'$policy_file_name
|
||||||
|
dest_policy_file=$dest_path'/openstack_dashboard/conf/'$policy_file_name
|
||||||
|
echo "$src_policy_filepath --> $dest_policy_file"
|
||||||
|
ln -s $src_policy_filepath $dest_policy_file
|
||||||
|
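Review bot: The added `ln -s $src_policy_filepath $dest_policy_file` has no guard, so a second run of the script fails with "File exists" once the link is in place; the loop above ends in an `fi`, which suggests the enabled-file links are created conditionally, though that test is outside the hunk. A matching check such as `[ -e "$dest_policy_file" ] || ln -s "$src_policy_filepath" "$dest_policy_file"` makes the step re-runnable, leaves an operator-customised file alone, and quotes the paths. Because the link makes Horizon read its `infra-optim` policy from the source checkout, write access to that checkout becomes write access to the dashboard's policy; a comment saying so, or copying the file as the devstack plugin does, would make that explicit.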
@ -29,6 +29,8 @@ def watcherclient(request, password=None):
|
|||||||
api_version = "1"
|
api_version = "1"
|
||||||
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
|
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
|
||||||
ca_file = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
|
ca_file = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
|
||||||
|
insert_watcher_policy_file()
|
||||||
|
|
||||||
endpoint = base.url_for(request, WATCHER_SERVICE)
|
endpoint = base.url_for(request, WATCHER_SERVICE)
|
||||||
|
|
||||||
LOG.debug('watcherclient connection created using token "%s" and url "%s"'
|
LOG.debug('watcherclient connection created using token "%s" and url "%s"'
|
||||||
@ -46,6 +48,12 @@ def watcherclient(request, password=None):
|
|||||||
return client
|
return client
|
||||||
|
|
||||||
|
|
||||||
|
def insert_watcher_policy_file():
|
||||||
|
policy_files = getattr(settings, 'POLICY_FILES', {})
|
||||||
|
policy_files['infra-optim'] = 'watcher_policy.json'
|
||||||
|
setattr(settings, 'POLICY_FILES', policy_files)
|
||||||
|
|
||||||
|
|
||||||
class Audit(base.APIDictWrapper):
|
class Audit(base.APIDictWrapper):
|
||||||
_attrs = ('uuid', 'created_at', 'modified_at', 'deleted_at',
|
_attrs = ('uuid', 'created_at', 'modified_at', 'deleted_at',
|
||||||
'deadline', 'state', 'audit_type', 'audit_template_uuid',
|
'deadline', 'state', 'audit_type', 'audit_template_uuid',
|
||||||
|
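Review bot: `insert_watcher_policy_file()` assigns `policy_files['infra-optim'] = 'watcher_policy.json'` unconditionally on every `watcherclient()` call, so a value an operator set for `infra-optim` in `POLICY_FILES` (the README in this commit tells them to set it in `settings.py`) is silently overwritten at request time. Using `policy_files.setdefault('infra-optim', 'watcher_policy.json')` would keep an explicit setting. Mutating Django settings from inside a per-request client factory also means the entry exists only after the first Watcher API call; if Horizon's policy layer reads `POLICY_FILES` before that, the new `policy_rules` may be evaluated without this file, which is worth verifying. The function has no docstring; a one-line `"""Register the Watcher policy file under the 'infra-optim' scope in POLICY_FILES."""` would state its purpose. `watcherclient` is only partly visible in these hunks.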
37
watcher_dashboard/conf/watcher_policy.json
Normal file
37
watcher_dashboard/conf/watcher_policy.json
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
{
|
||||||
|
"admin_api": "role:admin or role:administrator",
|
||||||
|
"show_password": "!",
|
||||||
|
"default": "rule:admin_api",
|
||||||
|
|
||||||
|
"action:detail": "rule:default",
|
||||||
|
"action:get": "rule:default",
|
||||||
|
"action:get_all": "rule:default",
|
||||||
|
|
||||||
|
"action_plan:create": "rule:default",
|
||||||
|
"action_plan:detail": "rule:default",
|
||||||
|
"action_plan:get": "rule:default",
|
||||||
|
"action_plan:get_all": "rule:default",
|
||||||
|
"action_plan:update": "rule:default",
|
||||||
|
|
||||||
|
"audit:create": "rule:default",
|
||||||
|
"audit:delete": "rule:default",
|
||||||
|
"audit:detail": "rule:default",
|
||||||
|
"audit:get": "rule:default",
|
||||||
|
"audit:get_all": "rule:default",
|
||||||
|
"audit:update": "rule:default",
|
||||||
|
|
||||||
|
"audit_template:create": "rule:default",
|
||||||
|
"audit_template:delete": "rule:default",
|
||||||
|
"audit_template:detail": "rule:default",
|
||||||
|
"audit_template:get": "rule:default",
|
||||||
|
"audit_template:get_all": "rule:default",
|
||||||
|
"audit_template:update": "rule:default",
|
||||||
|
|
||||||
|
"goal:detail": "rule:default",
|
||||||
|
"goal:get": "rule:default",
|
||||||
|
"goal:get_all": "rule:default",
|
||||||
|
|
||||||
|
"strategy:detail": "rule:default",
|
||||||
|
"strategy:get": "rule:default",
|
||||||
|
"strategy:get_all": "rule:default"
|
||||||
|
}
|
@ -46,11 +46,12 @@ class ActionPlansFilterAction(horizon.tables.FilterAction):
|
|||||||
filter_choices = (
|
filter_choices = (
|
||||||
('audit', _("Audit ="), True),
|
('audit', _("Audit ="), True),
|
||||||
)
|
)
|
||||||
|
policy_rules = (("infra-optim", "action_plan:detail"),)
|
||||||
|
|
||||||
|
|
||||||
class ArchiveActionPlan(horizon.tables.BatchAction):
|
class ArchiveActionPlan(horizon.tables.BatchAction):
|
||||||
name = "archive_action_plans"
|
name = "archive_action_plans"
|
||||||
# policy_rules = (("compute", "compute:delete"),)
|
policy_rules = (("infra-optim", "action_plan:delete"),)
|
||||||
help_text = _("Archive an action plan.")
|
help_text = _("Archive an action plan.")
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
@ -76,7 +77,7 @@ class ArchiveActionPlan(horizon.tables.BatchAction):
|
|||||||
class StartActionPlan(horizon.tables.BatchAction):
|
class StartActionPlan(horizon.tables.BatchAction):
|
||||||
name = "start_action_plan"
|
name = "start_action_plan"
|
||||||
classes = ('btn-confirm',)
|
classes = ('btn-confirm',)
|
||||||
# policy_rules = (("compute", "compute:delete"),)
|
policy_rules = (("infra-optim", "action_plan:update"),)
|
||||||
help_text = _("Execute an action plan.")
|
help_text = _("Execute an action plan.")
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
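Review bot: `ArchiveActionPlan` checks `("infra-optim", "action_plan:delete")`, but the `watcher_policy.json` added in this commit defines no `action_plan:delete` rule (only create, detail, get, get_all and update). The same mismatch appears in the other table modules of this commit: `audit_templates:create` and `audit_templates:detail` use a plural prefix while the file defines `audit_template:*`, and `GoToAuditTemplate` uses `audit:get_one`, which is not defined and names an audit rather than an audit template. Whether an unknown rule name falls back to `default` or is treated as allowed depends on the policy engine, so each name should match an entry in the file, e.g. `policy_rules = (("infra-optim", "audit_template:create"),)`. These `policy_rules` only decide whether Horizon offers the action; the Watcher API remains the place where access is enforced. The class bodies continue outside the hunks.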
@ -58,6 +58,7 @@ class UpdateRow(horizon.tables.Row):
|
|||||||
class ActionsFilterAction(horizon.tables.FilterAction):
|
class ActionsFilterAction(horizon.tables.FilterAction):
|
||||||
filter_type = "server"
|
filter_type = "server"
|
||||||
filter_choices = (('action_plan', _("Action Plan ID ="), True),)
|
filter_choices = (('action_plan', _("Action Plan ID ="), True),)
|
||||||
|
policy_rules = (("infra-optim", "action:detail"),)
|
||||||
|
|
||||||
|
|
||||||
class ActionsTable(horizon.tables.DataTable):
|
class ActionsTable(horizon.tables.DataTable):
|
||||||
|
@ -30,6 +30,7 @@ class CreateAuditTemplates(horizon.tables.LinkAction):
|
|||||||
verbose_name = _("Create Template")
|
verbose_name = _("Create Template")
|
||||||
url = "horizon:admin:audit_templates:create"
|
url = "horizon:admin:audit_templates:create"
|
||||||
classes = ("ajax-modal", "btn-launch")
|
classes = ("ajax-modal", "btn-launch")
|
||||||
|
policy_rules = (("infra-optim", "audit_templates:create"),)
|
||||||
|
|
||||||
|
|
||||||
class AuditTemplatesFilterAction(horizon.tables.FilterAction):
|
class AuditTemplatesFilterAction(horizon.tables.FilterAction):
|
||||||
@ -38,6 +39,7 @@ class AuditTemplatesFilterAction(horizon.tables.FilterAction):
|
|||||||
('goal', _("Goal ="), True),
|
('goal', _("Goal ="), True),
|
||||||
('strategy', _("Strategy ="), True),
|
('strategy', _("Strategy ="), True),
|
||||||
)
|
)
|
||||||
|
policy_rules = (("infra-optim", "audit_templates:detail"),)
|
||||||
|
|
||||||
|
|
||||||
class LaunchAudit(horizon.tables.BatchAction):
|
class LaunchAudit(horizon.tables.BatchAction):
|
||||||
@ -46,6 +48,7 @@ class LaunchAudit(horizon.tables.BatchAction):
|
|||||||
data_type_singular = _("Launch Audit")
|
data_type_singular = _("Launch Audit")
|
||||||
data_type_plural = _("Launch Audits")
|
data_type_plural = _("Launch Audits")
|
||||||
success_url = "horizon:admin:audits:index"
|
success_url = "horizon:admin:audits:index"
|
||||||
|
policy_rules = (("infra-optim", "audit:create"),)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def action_present(count):
|
def action_present(count):
|
||||||
@ -72,6 +75,7 @@ class LaunchAudit(horizon.tables.BatchAction):
|
|||||||
|
|
||||||
class DeleteAuditTemplates(horizon.tables.DeleteAction):
|
class DeleteAuditTemplates(horizon.tables.DeleteAction):
|
||||||
verbose_name = _("Delete Templates")
|
verbose_name = _("Delete Templates")
|
||||||
|
policy_rules = (("infra-optim", "audit_template:delete"),)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def action_present(count):
|
def action_present(count):
|
||||||
|
@ -47,6 +47,7 @@ class AuditsFilterAction(horizon.tables.FilterAction):
|
|||||||
filter_choices = (
|
filter_choices = (
|
||||||
('audit_template', _("Audit Template ="), True),
|
('audit_template', _("Audit Template ="), True),
|
||||||
)
|
)
|
||||||
|
policy_rules = (("infra-optim", "audit:detail"),)
|
||||||
|
|
||||||
|
|
||||||
class CreateAudit(horizon.tables.LinkAction):
|
class CreateAudit(horizon.tables.LinkAction):
|
||||||
@ -54,13 +55,14 @@ class CreateAudit(horizon.tables.LinkAction):
|
|||||||
verbose_name = _("Launch Audit")
|
verbose_name = _("Launch Audit")
|
||||||
url = "horizon:admin:audits:create"
|
url = "horizon:admin:audits:create"
|
||||||
classes = ("ajax-modal", "btn-launch")
|
classes = ("ajax-modal", "btn-launch")
|
||||||
# policy_rules = (("compute", "compute:create"),)
|
policy_rules = (("infra-optim", "audit:create"),)
|
||||||
|
|
||||||
|
|
||||||
class GoToActionPlan(horizon.tables.Action):
|
class GoToActionPlan(horizon.tables.Action):
|
||||||
name = "go_to_action_plan"
|
name = "go_to_action_plan"
|
||||||
verbose_name = _("Go to Action Plan")
|
verbose_name = _("Go to Action Plan")
|
||||||
url = "horizon:admin:action_plans:detail"
|
url = "horizon:admin:action_plans:detail"
|
||||||
|
policy_rules = (("infra-optim", "action_plan:detail"),)
|
||||||
|
|
||||||
def allowed(self, request, audit):
|
def allowed(self, request, audit):
|
||||||
return audit or audit.state in ("SUCCEEEDED", )
|
return audit or audit.state in ("SUCCEEEDED", )
|
||||||
@ -85,6 +87,7 @@ class GoToAuditTemplate(horizon.tables.Action):
|
|||||||
name = "go_to_audit_template"
|
name = "go_to_audit_template"
|
||||||
verbose_name = _("Go to Audit Template")
|
verbose_name = _("Go to Audit Template")
|
||||||
url = "horizon:admin:audit_templates:detail"
|
url = "horizon:admin:audit_templates:detail"
|
||||||
|
policy_rules = (("infra-optim", "audit:get_one"),)
|
||||||
# classes = ("ajax-modal", "btn-launch")
|
# classes = ("ajax-modal", "btn-launch")
|
||||||
# icon = "send"
|
# icon = "send"
|
||||||
|
|
||||||
|
@ -26,6 +26,7 @@ class StrategiesFilterAction(horizon.tables.FilterAction):
|
|||||||
filter_choices = (
|
filter_choices = (
|
||||||
('goal', _("Goal ="), True),
|
('goal', _("Goal ="), True),
|
||||||
)
|
)
|
||||||
|
policy_rules = (("infra-optim", "strategy:detail"),)
|
||||||
|
|
||||||
|
|
||||||
class StrategiesTable(horizon.tables.DataTable):
|
class StrategiesTable(horizon.tables.DataTable):
|
||||||
|