Add policies for API access control to watcher-dashboard

Co-Authored-By: David TARDIVEL <David.TARDIVEL@b-com.com>

Change-Id: I1babb96cbad71b74b6fd5e1ac5f1cfb7b263ba2c
blueprint: watcher-policies
zte-hanrong 2016-07-07 23:33:42 +08:00 committed by Rong Han
parent 8c1687c6e4
commit 5ccab31a64
10 changed files with 82 additions and 3 deletions


@ -109,6 +109,22 @@ Please note that these commands are also available via ``tox``.
As of the Mitaka release, the dashboard for watcher is now maintained As of the Mitaka release, the dashboard for watcher is now maintained
outside of the Horizon codebase, in this repository. outside of the Horizon codebase, in this repository.
Policies
--------
You can enable policies on Watcher ``Optimization`` panel, by updating in the
``<HORIZON_DIR>/openstack_dashboard/settings.py`` configuration file the
following parameters
POLICY_FILES = {
...
'infra-optim': 'watcher_policy.json',
}
You can also update the file ``<HORIZON_DIR>/openstack_dashboard/conf/watcher_policy.conf``
to customize your policies.
Links Links
----- -----


@ -8,6 +8,7 @@ function install_watcher_dashboard {
function configure_watcher_dashboard { function configure_watcher_dashboard {
cp -a ${WATCHER_DASHBOARD_DIR}/watcher_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/ cp -a ${WATCHER_DASHBOARD_DIR}/watcher_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/
cp -a ${WATCHER_DASHBOARD_DIR}/watcher_dashboard/conf/* ${DEST}/horizon/openstack_dashboard/conf/
} }
function init_watcher_dashboard { function init_watcher_dashboard {
@ -42,6 +43,7 @@ if is_service_enabled watcher-dashboard; then
if [[ "$1" == "unstack" ]]; then if [[ "$1" == "unstack" ]]; then
rm -f ${DEST}/horizon/openstack_dashboard/local/enabled/_310* rm -f ${DEST}/horizon/openstack_dashboard/local/enabled/_310*
rm -f ${DEST}/horizon/openstack_dashboard/conf/watcher*
fi fi


@ -14,3 +14,9 @@ for filepath in $src_path/watcher_dashboard/enabled/*.py; do
ln -s $src_filepath $dest_filepath ln -s $src_filepath $dest_filepath
fi fi
done done
policy_file_name='watcher_policy.json'
src_policy_filepath=$src_path'/watcher_dashboard/conf/'$policy_file_name
dest_policy_file=$dest_path'/openstack_dashboard/conf/'$policy_file_name
echo "$src_policy_filepath --> $dest_policy_file"
ln -s $src_policy_filepath $dest_policy_file
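Review bot: The added `ln -s $src_policy_filepath $dest_policy_file` runs unconditionally and with unquoted variables, so a second run of the script fails with "File exists" and a path containing spaces is split into several arguments. The loop above appears to guard its own `ln -s` with an `if` (only the closing `fi` is visible in this hunk), so the policy link should get the same treatment, for example `[ -e "$dest_policy_file" ] || ln -s "$src_policy_filepath" "$dest_policy_file"`. It is also worth checking that the source file exists before linking, since a dangling link in `openstack_dashboard/conf/` would leave Horizon pointing at a policy file it cannot read.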


@ -29,6 +29,8 @@ def watcherclient(request, password=None):
api_version = "1" api_version = "1"
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False) insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
ca_file = getattr(settings, 'OPENSTACK_SSL_CACERT', None) ca_file = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
insert_watcher_policy_file()
endpoint = base.url_for(request, WATCHER_SERVICE) endpoint = base.url_for(request, WATCHER_SERVICE)
LOG.debug('watcherclient connection created using token "%s" and url "%s"' LOG.debug('watcherclient connection created using token "%s" and url "%s"'
@ -46,6 +48,12 @@ def watcherclient(request, password=None):
return client return client
def insert_watcher_policy_file():
policy_files = getattr(settings, 'POLICY_FILES', {})
policy_files['infra-optim'] = 'watcher_policy.json'
setattr(settings, 'POLICY_FILES', policy_files)
class Audit(base.APIDictWrapper): class Audit(base.APIDictWrapper):
_attrs = ('uuid', 'created_at', 'modified_at', 'deleted_at', _attrs = ('uuid', 'created_at', 'modified_at', 'deleted_at',
'deadline', 'state', 'audit_type', 'audit_template_uuid', 'deadline', 'state', 'audit_type', 'audit_template_uuid',
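Review bot: `insert_watcher_policy_file()` assigns `policy_files['infra-optim'] = 'watcher_policy.json'` unconditionally, so a different file name configured by the operator in `POLICY_FILES` (the README section added in this commit tells them to set it there) is silently overwritten on every `watcherclient()` call. Using `policy_files.setdefault('infra-optim', 'watcher_policy.json')` keeps an explicit setting. The function also mutates the global Django settings at request time, and only once `watcherclient()` has been called; a `policy_rules` check on a table action evaluated before the first API call would presumably not see the `infra-optim` entry, so registering the default at import time or in the panel's enabled file would be more predictable. A short docstring stating when and why the setting is changed would help; `watcherclient` starts and ends outside the hunk.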


@ -0,0 +1,37 @@
{
"admin_api": "role:admin or role:administrator",
"show_password": "!",
"default": "rule:admin_api",
"action:detail": "rule:default",
"action:get": "rule:default",
"action:get_all": "rule:default",
"action_plan:create": "rule:default",
"action_plan:detail": "rule:default",
"action_plan:get": "rule:default",
"action_plan:get_all": "rule:default",
"action_plan:update": "rule:default",
"audit:create": "rule:default",
"audit:delete": "rule:default",
"audit:detail": "rule:default",
"audit:get": "rule:default",
"audit:get_all": "rule:default",
"audit:update": "rule:default",
"audit_template:create": "rule:default",
"audit_template:delete": "rule:default",
"audit_template:detail": "rule:default",
"audit_template:get": "rule:default",
"audit_template:get_all": "rule:default",
"audit_template:update": "rule:default",
"goal:detail": "rule:default",
"goal:get": "rule:default",
"goal:get_all": "rule:default",
"strategy:detail": "rule:default",
"strategy:get": "rule:default",
"strategy:get_all": "rule:default"
}


@ -46,11 +46,12 @@ class ActionPlansFilterAction(horizon.tables.FilterAction):
filter_choices = ( filter_choices = (
('audit', _("Audit ="), True), ('audit', _("Audit ="), True),
) )
policy_rules = (("infra-optim", "action_plan:detail"),)
class ArchiveActionPlan(horizon.tables.BatchAction): class ArchiveActionPlan(horizon.tables.BatchAction):
name = "archive_action_plans" name = "archive_action_plans"
# policy_rules = (("compute", "compute:delete"),) policy_rules = (("infra-optim", "action_plan:delete"),)
help_text = _("Archive an action plan.") help_text = _("Archive an action plan.")
@staticmethod @staticmethod
@ -76,7 +77,7 @@ class ArchiveActionPlan(horizon.tables.BatchAction):
class StartActionPlan(horizon.tables.BatchAction): class StartActionPlan(horizon.tables.BatchAction):
name = "start_action_plan" name = "start_action_plan"
classes = ('btn-confirm',) classes = ('btn-confirm',)
# policy_rules = (("compute", "compute:delete"),) policy_rules = (("infra-optim", "action_plan:update"),)
help_text = _("Execute an action plan.") help_text = _("Execute an action plan.")
@staticmethod @staticmethod
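Review bot: `ArchiveActionPlan` sets `policy_rules = (("infra-optim", "action_plan:delete"),)`, but the `watcher_policy.json` added in this commit defines no `action_plan:delete` rule (only create, detail, get, get_all and update). The same mismatch appears in the audit template tables, which use `audit_templates:create` and `audit_templates:detail` while the file spells the prefix `audit_template:`, and in `GoToAuditTemplate`, which uses `audit:get_one`. If the policy engine falls back to the `default` rule for unknown names, these actions stay admin-only but cannot be tuned by the operator, and a typo in a rule name goes unnoticed; that fallback should be confirmed rather than relied on. Either add the missing rules to the JSON file or align the names, e.g. `policy_rules = (("infra-optim", "audit_template:create"),)`. The class bodies continue outside the hunks.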


@ -58,6 +58,7 @@ class UpdateRow(horizon.tables.Row):
class ActionsFilterAction(horizon.tables.FilterAction): class ActionsFilterAction(horizon.tables.FilterAction):
filter_type = "server" filter_type = "server"
filter_choices = (('action_plan', _("Action Plan ID ="), True),) filter_choices = (('action_plan', _("Action Plan ID ="), True),)
policy_rules = (("infra-optim", "action:detail"),)
class ActionsTable(horizon.tables.DataTable): class ActionsTable(horizon.tables.DataTable):


@ -30,6 +30,7 @@ class CreateAuditTemplates(horizon.tables.LinkAction):
verbose_name = _("Create Template") verbose_name = _("Create Template")
url = "horizon:admin:audit_templates:create" url = "horizon:admin:audit_templates:create"
classes = ("ajax-modal", "btn-launch") classes = ("ajax-modal", "btn-launch")
policy_rules = (("infra-optim", "audit_templates:create"),)
class AuditTemplatesFilterAction(horizon.tables.FilterAction): class AuditTemplatesFilterAction(horizon.tables.FilterAction):
@ -38,6 +39,7 @@ class AuditTemplatesFilterAction(horizon.tables.FilterAction):
('goal', _("Goal ="), True), ('goal', _("Goal ="), True),
('strategy', _("Strategy ="), True), ('strategy', _("Strategy ="), True),
) )
policy_rules = (("infra-optim", "audit_templates:detail"),)
class LaunchAudit(horizon.tables.BatchAction): class LaunchAudit(horizon.tables.BatchAction):
@ -46,6 +48,7 @@ class LaunchAudit(horizon.tables.BatchAction):
data_type_singular = _("Launch Audit") data_type_singular = _("Launch Audit")
data_type_plural = _("Launch Audits") data_type_plural = _("Launch Audits")
success_url = "horizon:admin:audits:index" success_url = "horizon:admin:audits:index"
policy_rules = (("infra-optim", "audit:create"),)
@staticmethod @staticmethod
def action_present(count): def action_present(count):
@ -72,6 +75,7 @@ class LaunchAudit(horizon.tables.BatchAction):
class DeleteAuditTemplates(horizon.tables.DeleteAction): class DeleteAuditTemplates(horizon.tables.DeleteAction):
verbose_name = _("Delete Templates") verbose_name = _("Delete Templates")
policy_rules = (("infra-optim", "audit_template:delete"),)
@staticmethod @staticmethod
def action_present(count): def action_present(count):


@ -47,6 +47,7 @@ class AuditsFilterAction(horizon.tables.FilterAction):
filter_choices = ( filter_choices = (
('audit_template', _("Audit Template ="), True), ('audit_template', _("Audit Template ="), True),
) )
policy_rules = (("infra-optim", "audit:detail"),)
class CreateAudit(horizon.tables.LinkAction): class CreateAudit(horizon.tables.LinkAction):
@ -54,13 +55,14 @@ class CreateAudit(horizon.tables.LinkAction):
verbose_name = _("Launch Audit") verbose_name = _("Launch Audit")
url = "horizon:admin:audits:create" url = "horizon:admin:audits:create"
classes = ("ajax-modal", "btn-launch") classes = ("ajax-modal", "btn-launch")
# policy_rules = (("compute", "compute:create"),) policy_rules = (("infra-optim", "audit:create"),)
class GoToActionPlan(horizon.tables.Action): class GoToActionPlan(horizon.tables.Action):
name = "go_to_action_plan" name = "go_to_action_plan"
verbose_name = _("Go to Action Plan") verbose_name = _("Go to Action Plan")
url = "horizon:admin:action_plans:detail" url = "horizon:admin:action_plans:detail"
policy_rules = (("infra-optim", "action_plan:detail"),)
def allowed(self, request, audit): def allowed(self, request, audit):
return audit or audit.state in ("SUCCEEEDED", ) return audit or audit.state in ("SUCCEEEDED", )
@ -85,6 +87,7 @@ class GoToAuditTemplate(horizon.tables.Action):
name = "go_to_audit_template" name = "go_to_audit_template"
verbose_name = _("Go to Audit Template") verbose_name = _("Go to Audit Template")
url = "horizon:admin:audit_templates:detail" url = "horizon:admin:audit_templates:detail"
policy_rules = (("infra-optim", "audit:get_one"),)
# classes = ("ajax-modal", "btn-launch") # classes = ("ajax-modal", "btn-launch")
# icon = "send" # icon = "send"


@ -26,6 +26,7 @@ class StrategiesFilterAction(horizon.tables.FilterAction):
filter_choices = ( filter_choices = (
('goal', _("Goal ="), True), ('goal', _("Goal ="), True),
) )
policy_rules = (("infra-optim", "strategy:detail"),)
class StrategiesTable(horizon.tables.DataTable): class StrategiesTable(horizon.tables.DataTable):