Updating heat policy file

The heat policy is out of date. This patch updates the policy file
to match heat master.

There have been several modifications to the heat policy rules
checked in the heat views. The previously used policies were a
mix of fantasy, out-dated policy rules and just error. After
instrumenting the heat code to verify policy usage, the new
rule checks align with heat master policy use.

Change-Id: I17eb7d2945924167f3a62440b7e12b9b313d0f5d

openstack_dashboard/conf/heat_policy.json

@@ -1,13 +1,14 @@
 {
-    "context_is_admin": "role:admin",
+    "context_is_admin":  "role:admin",
     "deny_stack_user": "not role:heat_stack_user",
+    "deny_everybody": "!",
 
     "cloudformation:ListStacks": "rule:deny_stack_user",
     "cloudformation:CreateStack": "rule:deny_stack_user",
-    "cloudformation:PreviewStack": "rule:deny_stack_user",
     "cloudformation:DescribeStacks": "rule:deny_stack_user",
     "cloudformation:DeleteStack": "rule:deny_stack_user",
     "cloudformation:UpdateStack": "rule:deny_stack_user",
+    "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
     "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
     "cloudformation:ValidateTemplate": "rule:deny_stack_user",
     "cloudformation:GetTemplate": "rule:deny_stack_user",
@@ -15,9 +16,6 @@
     "cloudformation:DescribeStackResource": "",
     "cloudformation:DescribeStackResources": "rule:deny_stack_user",
     "cloudformation:ListStackResources": "rule:deny_stack_user",
-    "cloudformation:CheckStack": "rule:deny_stack_user",
-    "cloudformation:SuspendStack": "rule:deny_stack_user",
-    "cloudformation:ResumeStack": "rule:deny_stack_user",
 
     "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
     "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
@@ -37,20 +35,58 @@
     "events:show": "rule:deny_stack_user",
     "resource:index": "rule:deny_stack_user",
     "resource:metadata": "",
+    "resource:signal": "",
+    "resource:mark_unhealthy": "rule:deny_stack_user",
     "resource:show": "rule:deny_stack_user",
     "stacks:abandon": "rule:deny_stack_user",
     "stacks:create": "rule:deny_stack_user",
     "stacks:delete": "rule:deny_stack_user",
     "stacks:detail": "rule:deny_stack_user",
+    "stacks:export": "rule:deny_stack_user",
     "stacks:generate_template": "rule:deny_stack_user",
+    "stacks:global_index": "rule:deny_everybody",
     "stacks:index": "rule:deny_stack_user",
     "stacks:list_resource_types": "rule:deny_stack_user",
     "stacks:list_template_versions": "rule:deny_stack_user",
     "stacks:list_template_functions": "rule:deny_stack_user",
-    "stacks:lookup": "rule:deny_stack_user",
+    "stacks:lookup": "",
+    "stacks:preview": "rule:deny_stack_user",
     "stacks:resource_schema": "rule:deny_stack_user",
     "stacks:show": "rule:deny_stack_user",
     "stacks:template": "rule:deny_stack_user",
+    "stacks:environment": "rule:deny_stack_user",
     "stacks:update": "rule:deny_stack_user",
-    "stacks:validate_template": "rule:deny_stack_user"
-}
+    "stacks:update_patch": "rule:deny_stack_user",
+    "stacks:preview_update": "rule:deny_stack_user",
+    "stacks:preview_update_patch": "rule:deny_stack_user",
+    "stacks:validate_template": "rule:deny_stack_user",
+    "stacks:snapshot": "rule:deny_stack_user",
+    "stacks:show_snapshot": "rule:deny_stack_user",
+    "stacks:delete_snapshot": "rule:deny_stack_user",
+    "stacks:list_snapshots": "rule:deny_stack_user",
+    "stacks:restore_snapshot": "rule:deny_stack_user",
+    "stacks:list_outputs": "rule:deny_stack_user",
+    "stacks:show_output": "rule:deny_stack_user",
+
+    "software_configs:global_index": "rule:deny_everybody",
+    "software_configs:index": "rule:deny_stack_user",
+    "software_configs:create": "rule:deny_stack_user",
+    "software_configs:show": "rule:deny_stack_user",
+    "software_configs:delete": "rule:deny_stack_user",
+    "software_deployments:index": "rule:deny_stack_user",
+    "software_deployments:create": "rule:deny_stack_user",
+    "software_deployments:show": "rule:deny_stack_user",
+    "software_deployments:update": "rule:deny_stack_user",
+    "software_deployments:delete": "rule:deny_stack_user",
+    "software_deployments:metadata": "",
+
+    "service:index": "rule:context_is_admin",
+
+    "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
+    "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
+    "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
+    "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
+    "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
+    "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
+    "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
+}

openstack_dashboard/dashboards/project/stacks/tables.py

@@ -33,7 +33,8 @@ class LaunchStack(tables.LinkAction):
     url = "horizon:project:stacks:select_template"
     classes = ("ajax-modal",)
     icon = "plus"
-    policy_rules = (("orchestration", "cloudformation:CreateStack"),)
+    policy_rules = (("orchestration", "stacks:validate_template"),
+                    ("orchestration", "stacks:create"),)
 
 
 class PreviewStack(tables.LinkAction):
@@ -42,13 +43,14 @@ class PreviewStack(tables.LinkAction):
     url = "horizon:project:stacks:preview_template"
     classes = ("ajax-modal",)
     icon = "eye"
-    policy_rules = (("orchestration", "cloudformation:PreviewStack"),)
+    policy_rules = (("orchestration", "stacks:validate_template"),
+                    ("orchestration", "stacks:preview"),)
 
 
 class CheckStack(tables.BatchAction):
     name = "check"
     verbose_name = _("Check Stack")
-    policy_rules = (("orchestration", "cloudformation:CheckStack"),)
+    policy_rules = (("orchestration", "actions:action"),)
     icon = "check-square"
 
     @staticmethod
@@ -74,7 +76,7 @@ class CheckStack(tables.BatchAction):
 class SuspendStack(tables.BatchAction):
     name = "suspend"
     verbose_name = _("Suspend Stack")
-    policy_rules = (("orchestration", "cloudformation:SuspendStack"),)
+    policy_rules = (("orchestration", "actions:action"),)
     icon = "pause"
 
     @staticmethod
@@ -100,7 +102,7 @@ class SuspendStack(tables.BatchAction):
 class ResumeStack(tables.BatchAction):
     name = "resume"
     verbose_name = _("Resume Stack")
-    policy_rules = (("orchestration", "cloudformation:ResumeStack"),)
+    policy_rules = (("orchestration", "actions:action"),)
     icon = "play"
 
     @staticmethod
@@ -151,7 +153,7 @@ class DeleteStack(tables.DeleteAction):
             count
         )
 
-    policy_rules = (("orchestration", "cloudformation:DeleteStack"),)
+    policy_rules = (("orchestration", "stacks:delete"),)
 
     def delete(self, request, stack_id):
         api.heat.stack_delete(request, stack_id)

openstack_dashboard/dashboards/project/stacks/tabs.py

@@ -37,8 +37,10 @@ class StackTopologyTab(tabs.Tab):
 
     def allowed(self, request):
         return policy.check(
-            (("orchestration", "cloudformation:DescribeStacks"),
-             ("orchestration", "cloudformation:ListStackResources"),),
+            (("orchestration", "stacks:template"),
+             ("orchestration", "stacks:lookup"),
+             ("orchestration", "stacks:show"),
+             ("orchestration", "resources:index"),),
             request)
 
     def get_context_data(self, request):
@@ -56,7 +58,9 @@ class StackOverviewTab(tabs.Tab):
 
     def allowed(self, request):
         return policy.check(
-            (("orchestration", "cloudformation:DescribeStacks"),),
+            (("orchestration", "stacks:template"),
+             ("orchestration", "stacks:lookup"),
+             ("orchestration", "stacks:show"),),
             request)
 
     def get_context_data(self, request):
@@ -68,11 +72,6 @@ class ResourceOverviewTab(tabs.Tab):
     slug = "resource_overview"
     template_name = "project/stacks/_resource_overview.html"
 
-    def allowed(self, request):
-        return policy.check(
-            (("orchestration", "cloudformation:DescribeStackResource"),),
-            request)
-
     def get_context_data(self, request):
         resource = self.tab_group.kwargs['resource']
         resource_url = mappings.resource_to_url(resource)
@@ -90,7 +89,10 @@ class StackEventsTab(tabs.Tab):
 
     def allowed(self, request):
         return policy.check(
-            (("orchestration", "cloudformation:DescribeStackEvents"),),
+            (("orchestration", "stacks:template"),
+             ("orchestration", "stacks:lookup"),
+             ("orchestration", "stacks:show"),
+             ("orchestration", "events:index"),),
             request)
 
     def get_context_data(self, request):
@@ -118,7 +120,10 @@ class StackResourcesTab(tabs.Tab):
 
     def allowed(self, request):
         return policy.check(
-            (("orchestration", "cloudformation:ListStackResources"),),
+            (("orchestration", "stacks:template"),
+             ("orchestration", "stacks:lookup"),
+             ("orchestration", "stacks:show"),
+             ("orchestration", "resource:index"),),
             request)
 
     def get_context_data(self, request):
@@ -146,7 +151,9 @@ class StackTemplateTab(tabs.Tab):
 
     def allowed(self, request):
         return policy.check(
-            (("orchestration", "cloudformation:DescribeStacks"),),
+            (("orchestration", "stacks:template"),
+             ("orchestration", "stacks:lookup"),
+             ("orchestration", "stacks:show"),),
             request)
 
     def get_context_data(self, request):

openstack_dashboard/dashboards/project/stacks/template_versions/panel.py

@@ -20,3 +20,4 @@ class TemplateVersions(horizon.Panel):
     name = _("Template Versions")
     slug = "stacks.template_versions"
     permissions = ('openstack.services.orchestration',)
+    policy_rules = (("orchestration", "stacks:list_template_versions"),)