
Support policy-in-code and deprecated policy

This change adds support for policy-in-code and deprecated policy
following the change in horizon.

Depends-on: https://review.opendev.org/750134
Change-Id: I0e53dfd653213a78ccca8a20f4e909b5ed798641
changes/27/780427/3 5.0.0
Takashi Kajinami 2 months ago
parent
commit
8e7914fce2
6 changed files with 1467 additions and 94 deletions
  1. +2
    -1
      devstack/plugin.sh
  2. +1356
    -0
      heat_dashboard/conf/default_policies/heat.yaml
  3. +0
    -92
      heat_dashboard/conf/heat_policy.json
  4. +96
    -0
      heat_dashboard/conf/heat_policy.yaml
  5. +5
    -1
      heat_dashboard/local_settings.d/_1699_orchestration_settings.py
  6. +8
    -0
      releasenotes/notes/policy-in-code-support-42c02d6b73e770ff.yaml

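--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -17,7 +17,8 @@ function install_heat_dashboard {
 function configure_heat_dashboard {
 cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/
 cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/local_settings.d/_1699_orchestration_settings.py ${DEST}/horizon/openstack_dashboard/local/local_settings.d/
-cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/heat_policy.json ${DEST}/horizon/openstack_dashboard/conf/
+cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/heat_policy.yaml ${DEST}/horizon/openstack_dashboard/conf/
+cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/default_policies/heat.yaml ${DEST}/horizon/openstack_dashboard/conf/default_policies
 # NOTE: If locale directory does not exist, compilemessages will fail,
 # so check for an existence of locale directory is required.
 if [ -d ${HEAT_DASHBOARD_DIR}/heat_dashboard/locale ]; then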
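Review bot: The new copy of `default_policies/heat.yaml` targets `${DEST}/horizon/openstack_dashboard/conf/default_policies` with no trailing slash and nothing in this hunk creates that directory; if it does not exist when the plugin runs, `cp -a` creates a regular file named `default_policies` and Horizon's policy-in-code defaults for orchestration are never found. Unless the horizon change this depends on is guaranteed to create the directory first, I would precede the copy with `mkdir -p ${DEST}/horizon/openstack_dashboard/conf/default_policies` and write the destination with a trailing slash like the other copies, `cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/default_policies/heat.yaml ${DEST}/horizon/openstack_dashboard/conf/default_policies/`. The body of configure_heat_dashboard continues past the end of the hunk.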


+ 1356
- 0
heat_dashboard/conf/default_policies/heat.yaml
File diff suppressed because it is too large


+ 0
- 92
heat_dashboard/conf/heat_policy.json

@ -1,92 +0,0 @@
{
"context_is_admin": "role:admin",
"deny_stack_user": "not role:heat_stack_user",
"deny_everybody": "!",
"cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user",
"cloudformation:DescribeStacks": "rule:deny_stack_user",
"cloudformation:DeleteStack": "rule:deny_stack_user",
"cloudformation:UpdateStack": "rule:deny_stack_user",
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user",
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
"cloudformation:DescribeStackResource": "",
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
"cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
"cloudwatch:PutMetricData": "",
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
"actions:action": "rule:deny_stack_user",
"build_info:build_info": "rule:deny_stack_user",
"events:index": "rule:deny_stack_user",
"events:show": "rule:deny_stack_user",
"resource:index": "rule:deny_stack_user",
"resource:metadata": "",
"resource:signal": "",
"resource:mark_unhealthy": "rule:deny_stack_user",
"resource:show": "rule:deny_stack_user",
"stacks:abandon": "rule:deny_stack_user",
"stacks:create": "rule:deny_stack_user",
"stacks:delete": "rule:deny_stack_user",
"stacks:detail": "rule:deny_stack_user",
"stacks:export": "rule:deny_stack_user",
"stacks:generate_template": "rule:deny_stack_user",
"stacks:global_index": "rule:deny_everybody",
"stacks:index": "rule:deny_stack_user",
"stacks:list_resource_types": "rule:deny_stack_user",
"stacks:list_template_versions": "rule:deny_stack_user",
"stacks:list_template_functions": "rule:deny_stack_user",
"stacks:lookup": "",
"stacks:preview": "rule:deny_stack_user",
"stacks:resource_schema": "rule:deny_stack_user",
"stacks:show": "rule:deny_stack_user",
"stacks:template": "rule:deny_stack_user",
"stacks:environment": "rule:deny_stack_user",
"stacks:update": "rule:deny_stack_user",
"stacks:update_patch": "rule:deny_stack_user",
"stacks:preview_update": "rule:deny_stack_user",
"stacks:preview_update_patch": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user",
"stacks:snapshot": "rule:deny_stack_user",
"stacks:show_snapshot": "rule:deny_stack_user",
"stacks:delete_snapshot": "rule:deny_stack_user",
"stacks:list_snapshots": "rule:deny_stack_user",
"stacks:restore_snapshot": "rule:deny_stack_user",
"stacks:list_outputs": "rule:deny_stack_user",
"stacks:show_output": "rule:deny_stack_user",
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": "",
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
}

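--- /dev/null
+++ b/heat_dashboard/conf/heat_policy.yaml
@@ -0,0 +1,96 @@
+#"context_is_admin": "(role:admin and is_admin_project:True) OR (role:admin and system_scope:all)"
+#"project_admin": "role:admin"
+#"deny_stack_user": "not role:heat_stack_user"
+#"deny_everybody": "!"
+#"allow_everybody": ""
+#"actions:action": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:suspend": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:resume": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:check": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"actions:cancel_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:cancel_without_rollback": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"build_info:build_info": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ListStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:CreateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:DescribeStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:DeleteStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:UpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:CancelUpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackEvents": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ValidateTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:GetTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:EstimateTemplateCost": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackResource": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ListStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"events:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"events:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"resource:signal": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"resource:mark_unhealthy": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"resource:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource_types:OS::Nova::Flavor": "rule:project_admin"
+#"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin"
+#"resource_types:OS::Cinder::VolumeType": "rule:project_admin"
+#"resource_types:OS::Cinder::Quota": "rule:project_admin"
+#"resource_types:OS::Neutron::Quota": "rule:project_admin"
+#"resource_types:OS::Nova::Quota": "rule:project_admin"
+#"resource_types:OS::Octavia::Quota": "rule:project_admin"
+#"resource_types:OS::Manila::ShareType": "rule:project_admin"
+#"resource_types:OS::Neutron::ProviderNet": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSDscpMarkingRule": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSMinimumBandwidthRule": "rule:project_admin"
+#"resource_types:OS::Neutron::Segment": "rule:project_admin"
+#"resource_types:OS::Nova::HostAggregate": "rule:project_admin"
+#"resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
+#"resource_types:OS::Cinder::QoSAssociation": "rule:project_admin"
+#"resource_types:OS::Keystone::*": "rule:project_admin"
+#"resource_types:OS::Blazar::Host": "rule:project_admin"
+#"resource_types:OS::Octavia::Flavor": "rule:project_admin"
+#"resource_types:OS::Octavia::FlavorProfile": "rule:project_admin"
+#"service:index": "role:reader and system_scope:all"
+#"software_configs:global_index": "role:reader and system_scope:all"
+#"software_configs:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:create": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_deployments:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_deployments:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"stacks:abandon": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:detail": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:export": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:generate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:global_index": "role:reader and system_scope:all"
+#"stacks:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_resource_types": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_template_versions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_template_functions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:lookup": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"stacks:preview": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:resource_schema": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:template": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:environment": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:files": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:preview_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:preview_update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:validate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:show_snapshot": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:delete_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:list_snapshots": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:restore_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:list_outputs": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:show_output": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"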

+ 5
- 1
heat_dashboard/local_settings.d/_1699_orchestration_settings.py

@ -21,7 +21,11 @@ OPENSTACK_HEAT_STACK = {
}
settings.POLICY_FILES.update({
'orchestration': 'heat_policy.json',
'orchestration': 'heat_policy.yaml',
})
settings.DEFAULT_POLICY_FILES.update({
'orchestration': 'default_policies/heat.yaml',
})
# Sample
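Review bot: With the new `'orchestration': 'heat_policy.yaml'` entry in `settings.POLICY_FILES`, a customized `heat_policy.json` that an operator already deployed under `conf/` is no longer read at all, and because every rule in the shipped `heat_policy.yaml` is commented out the effective rules fall through to `default_policies/heat.yaml`, whose diff is suppressed on this page. The commented entries in the new file, which presumably mirror those defaults, differ from the removed JSON for several operator-visible rules — `stacks:global_index` goes from `rule:deny_everybody` to `role:reader and system_scope:all` and `service:index` from `rule:context_is_admin` to `role:reader and system_scope:all` — so the dashboard views gated by those rules may be shown to a different set of users after the upgrade. I would add a comment above the update call, `# heat_policy.yaml holds operator overrides only; the effective defaults come from DEFAULT_POLICY_FILES below. A previously deployed heat_policy.json is no longer loaded and must be converted to YAML.`, and list the changed defaults in the release note rather than only the file rename. The `OPENSTACK_HEAT_STACK` dict this hunk closes starts outside the hunk.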


+ 8
- 0
releasenotes/notes/policy-in-code-support-42c02d6b73e770ff.yaml

@ -0,0 +1,8 @@
---
upgrade:
- |
The default configuration file has been updated and now includes
the required parameters to use the new policy-in-code feature in Horizon.
Because of this change, the defualt policy.json is no longer included in
this repo but replaced with policy.yaml. Please refer to the release note
and documentation of Horizon to find details about this feature.
