From af627907d59c210d8ea015c6f5e8a0c33339b456 Mon Sep 17 00:00:00 2001
From: David Lyle
Date: Fri, 3 Jun 2016 15:30:04 -0600
Subject: [PATCH] Updating heat policy file

The heat policy is out of date. This patch updates the policy file to match heat master. There have been several modifications to the heat policy rules checked in the heat views. The previously used policies were a mix of fantasy, out-dated policy rules and just error. After instrumenting the heat code to verify policy usage, the new rule checks align with heat master policy use.

Change-Id: I17eb7d2945924167f3a62440b7e12b9b313d0f5d
---
 openstack_dashboard/conf/heat_policy.json | 52 ++++++++++++++++---
 .../dashboards/project/stacks/tables.py | 14 ++---
 .../dashboards/project/stacks/tabs.py | 29 +++++++----
 .../project/stacks/template_versions/panel.py | 1 +
 4 files changed, 71 insertions(+), 25 deletions(-)

diff --git a/openstack_dashboard/conf/heat_policy.json b/openstack_dashboard/conf/heat_policy.json
index eb5fab695..b40b1eef2 100644
--- a/openstack_dashboard/conf/heat_policy.json
+++ b/openstack_dashboard/conf/heat_policy.json
@@ -1,13 +1,14 @@
 {
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin",
 "deny_stack_user": "not role:heat_stack_user",
+ "deny_everybody": "!",
 "cloudformation:ListStacks": "rule:deny_stack_user",
 "cloudformation:CreateStack": "rule:deny_stack_user",
- "cloudformation:PreviewStack": "rule:deny_stack_user",
 "cloudformation:DescribeStacks": "rule:deny_stack_user",
 "cloudformation:DeleteStack": "rule:deny_stack_user",
 "cloudformation:UpdateStack": "rule:deny_stack_user",
+ "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
 "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
 "cloudformation:ValidateTemplate": "rule:deny_stack_user",
 "cloudformation:GetTemplate": "rule:deny_stack_user",
@@ -15,9 +16,6 @@
 "cloudformation:DescribeStackResource": "",
 "cloudformation:DescribeStackResources": "rule:deny_stack_user",
 "cloudformation:ListStackResources": "rule:deny_stack_user",
- "cloudformation:CheckStack": "rule:deny_stack_user",
- "cloudformation:SuspendStack": "rule:deny_stack_user",
- "cloudformation:ResumeStack": "rule:deny_stack_user",
 "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
 "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
@@ -37,20 +35,58 @@
 "events:show": "rule:deny_stack_user",
 "resource:index": "rule:deny_stack_user",
 "resource:metadata": "",
+ "resource:signal": "",
+ "resource:mark_unhealthy": "rule:deny_stack_user",
 "resource:show": "rule:deny_stack_user",
 "stacks:abandon": "rule:deny_stack_user",
 "stacks:create": "rule:deny_stack_user",
 "stacks:delete": "rule:deny_stack_user",
 "stacks:detail": "rule:deny_stack_user",
+ "stacks:export": "rule:deny_stack_user",
 "stacks:generate_template": "rule:deny_stack_user",
+ "stacks:global_index": "rule:deny_everybody",
 "stacks:index": "rule:deny_stack_user",
 "stacks:list_resource_types": "rule:deny_stack_user",
 "stacks:list_template_versions": "rule:deny_stack_user",
 "stacks:list_template_functions": "rule:deny_stack_user",
- "stacks:lookup": "rule:deny_stack_user",
+ "stacks:lookup": "",
+ "stacks:preview": "rule:deny_stack_user",
 "stacks:resource_schema": "rule:deny_stack_user",
 "stacks:show": "rule:deny_stack_user",
 "stacks:template": "rule:deny_stack_user",
+ "stacks:environment": "rule:deny_stack_user",
 "stacks:update": "rule:deny_stack_user",
- "stacks:validate_template": "rule:deny_stack_user"
-}
\ No newline at end of file
+ "stacks:update_patch": "rule:deny_stack_user",
+ "stacks:preview_update": "rule:deny_stack_user",
+ "stacks:preview_update_patch": "rule:deny_stack_user",
+ "stacks:validate_template": "rule:deny_stack_user",
+ "stacks:snapshot": "rule:deny_stack_user",
+ "stacks:show_snapshot": "rule:deny_stack_user",
+ "stacks:delete_snapshot": "rule:deny_stack_user",
+ "stacks:list_snapshots": "rule:deny_stack_user",
+ "stacks:restore_snapshot": "rule:deny_stack_user",
+ "stacks:list_outputs": "rule:deny_stack_user",
+ "stacks:show_output": "rule:deny_stack_user",
+
+ "software_configs:global_index": "rule:deny_everybody",
+ "software_configs:index": "rule:deny_stack_user",
+ "software_configs:create": "rule:deny_stack_user",
+ "software_configs:show": "rule:deny_stack_user",
+ "software_configs:delete": "rule:deny_stack_user",
+ "software_deployments:index": "rule:deny_stack_user",
+ "software_deployments:create": "rule:deny_stack_user",
+ "software_deployments:show": "rule:deny_stack_user",
+ "software_deployments:update": "rule:deny_stack_user",
+ "software_deployments:delete": "rule:deny_stack_user",
+ "software_deployments:metadata": "",
+
+ "service:index": "rule:context_is_admin",
+
+ "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
+ "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
+ "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
+ "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
+ "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
+}
diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py
index 5301cc8b1..7202a0ec1 100644
--- a/openstack_dashboard/dashboards/project/stacks/tables.py
+++ b/openstack_dashboard/dashboards/project/stacks/tables.py
@@ -33,7 +33,8 @@ class LaunchStack(tables.LinkAction):
 url = "horizon:project:stacks:select_template"
 classes = ("ajax-modal",)
 icon = "plus"
- policy_rules = (("orchestration", "cloudformation:CreateStack"),)
+ policy_rules = (("orchestration", "stacks:validate_template"),
+ ("orchestration", "stacks:create"),)
 
 
 class PreviewStack(tables.LinkAction):
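Review bot: `stacks:lookup` is relaxed in this hunk from `rule:deny_stack_user` to `""` (unconditionally allowed) while tabs.py in the same commit adds `("orchestration", "stacks:lookup")` to every stack tab's `allowed` check; with this file as shipped that entry never restricts anything, so the effective gate on those tabs is `stacks:show` and `stacks:template`, which stay at `rule:deny_stack_user`. That mirrors heat master, but it makes the Horizon copy purely a mirror: a deployment whose heat policy is stricter than this file will show UI elements whose API calls are then rejected server-side, and nothing in this file says it must be kept in step with the deployed heat policy. JSON has no comment syntax, so that sync requirement belongs in the conf documentation or the commit message rather than in the file itself.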
@@ -42,13 +43,14 @@ class PreviewStack(tables.LinkAction):
 url = "horizon:project:stacks:preview_template"
 classes = ("ajax-modal",)
 icon = "eye"
- policy_rules = (("orchestration", "cloudformation:PreviewStack"),)
+ policy_rules = (("orchestration", "stacks:validate_template"),
+ ("orchestration", "stacks:preview"),)
 
 
 class CheckStack(tables.BatchAction):
 name = "check"
 verbose_name = _("Check Stack")
- policy_rules = (("orchestration", "cloudformation:CheckStack"),)
+ policy_rules = (("orchestration", "actions:action"),)
 icon = "check-square"
 
 @staticmethod
@@ -74,7 +76,7 @@ class CheckStack(tables.BatchAction):
 class SuspendStack(tables.BatchAction):
 name = "suspend"
 verbose_name = _("Suspend Stack")
- policy_rules = (("orchestration", "cloudformation:SuspendStack"),)
+ policy_rules = (("orchestration", "actions:action"),)
 icon = "pause"
 
 @staticmethod
@@ -100,7 +102,7 @@ class SuspendStack(tables.BatchAction):
 class ResumeStack(tables.BatchAction):
 name = "resume"
 verbose_name = _("Resume Stack")
- policy_rules = (("orchestration", "cloudformation:ResumeStack"),)
+ policy_rules = (("orchestration", "actions:action"),)
 icon = "play"
 
 @staticmethod
@@ -151,7 +153,7 @@ class DeleteStack(tables.DeleteAction):
 count
 )
 
- policy_rules = (("orchestration", "cloudformation:DeleteStack"),)
+ policy_rules = (("orchestration", "stacks:delete"),)
 
 def delete(self, request, stack_id):
 api.heat.stack_delete(request, stack_id)
diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py
index f21ff12bd..01e548180 100644
--- a/openstack_dashboard/dashboards/project/stacks/tabs.py
+++ b/openstack_dashboard/dashboards/project/stacks/tabs.py
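Review bot: The new `policy_rules = (("orchestration", "actions:action"),)` on CheckStack, and the identical lines on SuspendStack and ResumeStack in the two hunks that follow, reference a rule that none of the heat_policy.json hunks in this commit adds; the untouched region of that file (old lines 24–36 fall between the second and third hunks) presumably already carries an `actions:action` entry, but that should be confirmed, because an undefined rule name makes the gate depend on the enforcer's fallback behaviour rather than on an explicit `deny_stack_user`. The same literal tuple is now repeated three times; a module-level `STACK_ACTION_POLICY = (("orchestration", "actions:action"),)` shared by the three actions would keep a later rename in one place. PreviewStack's `policy_rules` now lists two rules; a short comment such as `# preview validates the template first, so both rules apply` would record why the second rule was added.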
@@ -37,8 +37,10 @@ class StackTopologyTab(tabs.Tab):
 
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStacks"),
- ("orchestration", "cloudformation:ListStackResources"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),
+ ("orchestration", "resources:index"),),
 request)
 
 def get_context_data(self, request):
@@ -56,7 +58,9 @@ class StackOverviewTab(tabs.Tab):
 
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStacks"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),),
 request)
 
 def get_context_data(self, request):
@@ -68,11 +72,6 @@ class ResourceOverviewTab(tabs.Tab):
 slug = "resource_overview"
 template_name = "project/stacks/_resource_overview.html"
 
- def allowed(self, request):
- return policy.check(
- (("orchestration", "cloudformation:DescribeStackResource"),),
- request)
-
 def get_context_data(self, request):
 resource = self.tab_group.kwargs['resource']
 resource_url = mappings.resource_to_url(resource)
@@ -90,7 +89,10 @@ class StackEventsTab(tabs.Tab):
 
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStackEvents"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),
+ ("orchestration", "events:index"),),
 request)
 
 def get_context_data(self, request):
@@ -118,7 +120,10 @@ class StackResourcesTab(tabs.Tab):
 
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:ListStackResources"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),
+ ("orchestration", "resource:index"),),
 request)
 
 def get_context_data(self, request):
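Review bot: `("orchestration", "resources:index")` in StackTopologyTab.allowed looks like a typo: the policy file in this same commit defines `resource:index` (singular, a context line in the heat_policy.json hunk at old line 37), StackResourcesTab.allowed further down this file uses `resource:index`, and no `resources:index` key appears anywhere in the diff. Because the name is undefined, whether the topology tab is shown is decided by the enforcer's handling of an unknown rule rather than by `deny_stack_user`, so the check silently becomes either a no-op or a blanket deny. The fix is the one-character change `("orchestration", "resource:index"),)`. The `allowed` method is fully within the hunk; the enclosing class StackTopologyTab starts above it.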
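Review bot: Deleting ResourceOverviewTab.allowed removes the policy gate on this tab rather than re-pointing it, so visibility now falls back to the base `tabs.Tab.allowed` (outside this diff; presumably always permitted). The old rule `cloudformation:DescribeStackResource` is `""` in heat_policy.json (context line in the hunk at old line 15), so the removal changes nothing with the shipped file, but every sibling tab in this commit was migrated to the native `stacks:*`/`resource:*`/`events:*` rules instead, and this tab is the only one left without a check. If the view feeding `self.tab_group.kwargs['resource']` obtains it through heat's resource-show API (not visible here), `resource:show`, which the policy file does define as `rule:deny_stack_user`, is the matching rule; replacing the method rather than deleting it, `def allowed(self, request):` / `return policy.check((("orchestration", "resource:show"),), request)`, keeps the UI gate aligned with the API policy. `get_context_data` continues past the end of the hunk.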
@@ -146,7 +151,9 @@ class StackTemplateTab(tabs.Tab):
 
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStacks"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),),
 request)
 
 def get_context_data(self, request):
diff --git a/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py b/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py
index 193da6e48..3492d59a2 100644
--- a/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py
+++ b/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py
@@ -20,3 +20,4 @@ class TemplateVersions(horizon.Panel):
 name = _("Template Versions")
 slug = "stacks.template_versions"
 permissions = ('openstack.services.orchestration',)
+ policy_rules = (("orchestration", "stacks:list_template_versions"),)
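Review bot: The tuple added here, `("orchestration", "stacks:template"), ("orchestration", "stacks:lookup"), ("orchestration", "stacks:show")`, is the same prefix written out by hand in StackTopologyTab, StackOverviewTab, StackEventsTab and StackResourcesTab in the hunks above, each of which then appends at most one rule of its own. A module-level constant, e.g. `STACK_DETAIL_RULES = (("orchestration", "stacks:template"), ("orchestration", "stacks:lookup"), ("orchestration", "stacks:show"))`, with each `allowed` passing `STACK_DETAIL_RULES + (("orchestration", "events:index"),)` or the bare constant, would make the shared part visible and stop the five copies drifting apart (two of them already spell the resource rule differently). Why `stacks:template` is required on every tab and not only on StackTemplateTab is not apparent from these hunks; a comment on the constant naming the detail-view API calls each rule corresponds to would spare the next reader the instrumentation the commit message describes.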