
Support policy-in-code and deprecated policy

This change adds support for policy-in-code and deprecated policy,
following the corresponding change in Horizon.

Depends-on: https://review.opendev.org/750134
Change-Id: I0e53dfd653213a78ccca8a20f4e909b5ed798641
changes/27/780427/3 5.0.0
Takashi Kajinami 4 months ago
parent
commit
8e7914fce2
  1. 3
      devstack/plugin.sh
  2. 1356
      heat_dashboard/conf/default_policies/heat.yaml
  3. 92
      heat_dashboard/conf/heat_policy.json
  4. 96
      heat_dashboard/conf/heat_policy.yaml
  5. 6
      heat_dashboard/local_settings.d/_1699_orchestration_settings.py
  6. 8
      releasenotes/notes/policy-in-code-support-42c02d6b73e770ff.yaml

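--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -17,7 +17,8 @@ function install_heat_dashboard {
 function configure_heat_dashboard {
 cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/
 cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/local_settings.d/_1699_orchestration_settings.py ${DEST}/horizon/openstack_dashboard/local/local_settings.d/
-cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/heat_policy.json ${DEST}/horizon/openstack_dashboard/conf/
+cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/heat_policy.yaml ${DEST}/horizon/openstack_dashboard/conf/
+cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/default_policies/heat.yaml ${DEST}/horizon/openstack_dashboard/conf/default_policies
 # NOTE: If locale directory does not exist, compilemessages will fail,
 # so check for an existence of locale directory is required.
 if [ -d ${HEAT_DASHBOARD_DIR}/heat_dashboard/locale ]; then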
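Review bot: The second added `cp -a` writes to `${DEST}/horizon/openstack_dashboard/conf/default_policies` without first ensuring that directory exists; if the Horizon checkout does not already ship it, `cp -a` silently creates a regular file named `default_policies` and the `default_policies/heat.yaml` path referenced from the settings snippet will never resolve. Insert `mkdir -p ${DEST}/horizon/openstack_dashboard/conf/default_policies` before that copy and end the destination with `/` as the other copy lines do, so the intent is unambiguous. A heat_policy.json left over in an existing devstack conf directory is not removed here; that appears harmless only because POLICY_FILES now points at the yaml file, but a short comment saying so would help the next reader. configure_heat_dashboard continues beyond the hunk.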

1356
heat_dashboard/conf/default_policies/heat.yaml
File diff suppressed because it is too large

92
heat_dashboard/conf/heat_policy.json

@ -1,92 +0,0 @@
{
"context_is_admin": "role:admin",
"deny_stack_user": "not role:heat_stack_user",
"deny_everybody": "!",
"cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user",
"cloudformation:DescribeStacks": "rule:deny_stack_user",
"cloudformation:DeleteStack": "rule:deny_stack_user",
"cloudformation:UpdateStack": "rule:deny_stack_user",
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user",
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
"cloudformation:DescribeStackResource": "",
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
"cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
"cloudwatch:PutMetricData": "",
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
"actions:action": "rule:deny_stack_user",
"build_info:build_info": "rule:deny_stack_user",
"events:index": "rule:deny_stack_user",
"events:show": "rule:deny_stack_user",
"resource:index": "rule:deny_stack_user",
"resource:metadata": "",
"resource:signal": "",
"resource:mark_unhealthy": "rule:deny_stack_user",
"resource:show": "rule:deny_stack_user",
"stacks:abandon": "rule:deny_stack_user",
"stacks:create": "rule:deny_stack_user",
"stacks:delete": "rule:deny_stack_user",
"stacks:detail": "rule:deny_stack_user",
"stacks:export": "rule:deny_stack_user",
"stacks:generate_template": "rule:deny_stack_user",
"stacks:global_index": "rule:deny_everybody",
"stacks:index": "rule:deny_stack_user",
"stacks:list_resource_types": "rule:deny_stack_user",
"stacks:list_template_versions": "rule:deny_stack_user",
"stacks:list_template_functions": "rule:deny_stack_user",
"stacks:lookup": "",
"stacks:preview": "rule:deny_stack_user",
"stacks:resource_schema": "rule:deny_stack_user",
"stacks:show": "rule:deny_stack_user",
"stacks:template": "rule:deny_stack_user",
"stacks:environment": "rule:deny_stack_user",
"stacks:update": "rule:deny_stack_user",
"stacks:update_patch": "rule:deny_stack_user",
"stacks:preview_update": "rule:deny_stack_user",
"stacks:preview_update_patch": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user",
"stacks:snapshot": "rule:deny_stack_user",
"stacks:show_snapshot": "rule:deny_stack_user",
"stacks:delete_snapshot": "rule:deny_stack_user",
"stacks:list_snapshots": "rule:deny_stack_user",
"stacks:restore_snapshot": "rule:deny_stack_user",
"stacks:list_outputs": "rule:deny_stack_user",
"stacks:show_output": "rule:deny_stack_user",
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": "",
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
}

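--- a/heat_dashboard/conf/heat_policy.yaml
+++ b/heat_dashboard/conf/heat_policy.yaml
@@ -0,0 +1,96 @@
+#"context_is_admin": "(role:admin and is_admin_project:True) OR (role:admin and system_scope:all)"
+#"project_admin": "role:admin"
+#"deny_stack_user": "not role:heat_stack_user"
+#"deny_everybody": "!"
+#"allow_everybody": ""
+#"actions:action": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:suspend": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:resume": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:check": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"actions:cancel_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:cancel_without_rollback": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"build_info:build_info": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ListStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:CreateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:DescribeStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:DeleteStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:UpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:CancelUpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackEvents": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ValidateTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:GetTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:EstimateTemplateCost": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackResource": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ListStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"events:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"events:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"resource:signal": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"resource:mark_unhealthy": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"resource:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource_types:OS::Nova::Flavor": "rule:project_admin"
+#"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin"
+#"resource_types:OS::Cinder::VolumeType": "rule:project_admin"
+#"resource_types:OS::Cinder::Quota": "rule:project_admin"
+#"resource_types:OS::Neutron::Quota": "rule:project_admin"
+#"resource_types:OS::Nova::Quota": "rule:project_admin"
+#"resource_types:OS::Octavia::Quota": "rule:project_admin"
+#"resource_types:OS::Manila::ShareType": "rule:project_admin"
+#"resource_types:OS::Neutron::ProviderNet": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSDscpMarkingRule": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSMinimumBandwidthRule": "rule:project_admin"
+#"resource_types:OS::Neutron::Segment": "rule:project_admin"
+#"resource_types:OS::Nova::HostAggregate": "rule:project_admin"
+#"resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
+#"resource_types:OS::Cinder::QoSAssociation": "rule:project_admin"
+#"resource_types:OS::Keystone::*": "rule:project_admin"
+#"resource_types:OS::Blazar::Host": "rule:project_admin"
+#"resource_types:OS::Octavia::Flavor": "rule:project_admin"
+#"resource_types:OS::Octavia::FlavorProfile": "rule:project_admin"
+#"service:index": "role:reader and system_scope:all"
+#"software_configs:global_index": "role:reader and system_scope:all"
+#"software_configs:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:create": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_deployments:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_deployments:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"stacks:abandon": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:detail": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:export": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:generate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:global_index": "role:reader and system_scope:all"
+#"stacks:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_resource_types": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_template_versions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_template_functions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:lookup": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"stacks:preview": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:resource_schema": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:template": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:environment": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:files": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:preview_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:preview_update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:validate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:show_snapshot": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:delete_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:list_snapshots": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:restore_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:list_outputs": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:show_output": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"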
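Review bot: Every line of the new heat_policy.yaml is commented out, so the file enforces nothing on its own and carries no header explaining that role; a reader has to infer that the enforced defaults now live in default_policies/heat.yaml and that uncommenting a line here overrides one of them. A leading comment such as `# Each line mirrors a default from default_policies/heat.yaml; uncomment and edit a line to override that default.` would make the contract explicit. The defaults this file mirrors also differ from the deleted heat_policy.json — for instance `stacks:global_index` moves from `rule:deny_everybody` to `role:reader and system_scope:all`, and `service:index` from `rule:context_is_admin` to `role:reader and system_scope:all` — and those effective-permission changes are not called out in the release note, so operators who had tuned the old json overrides should be pointed at them.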

6
heat_dashboard/local_settings.d/_1699_orchestration_settings.py

@ -21,7 +21,11 @@ OPENSTACK_HEAT_STACK = {
}
settings.POLICY_FILES.update({
'orchestration': 'heat_policy.json',
'orchestration': 'heat_policy.yaml',
})
settings.DEFAULT_POLICY_FILES.update({
'orchestration': 'default_policies/heat.yaml',
})
# Sample
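Review bot: `settings.DEFAULT_POLICY_FILES.update({...})` assumes the attribute already exists on the Horizon settings object; on a Horizon release that predates the change this commit depends on (https://review.opendev.org/750134) it would fail at settings import time with an AttributeError, taking the whole dashboard down rather than degrading to the old policy file. Since the dependency is only recorded in the commit message, add a comment above the call, e.g. `# Requires Horizon with policy-in-code support (DEFAULT_POLICY_FILES).`, and a one-line note that POLICY_FILES now points at a file of optional overrides while DEFAULT_POLICY_FILES carries the enforced defaults. The hunk header reports 7 old and 11 new lines but only 9 are visible, so some lines appear to have been dropped in rendering, and the settings snippet continues beyond the hunk.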

8
releasenotes/notes/policy-in-code-support-42c02d6b73e770ff.yaml

@ -0,0 +1,8 @@
---
upgrade:
- |
The default configuration file has been updated and now includes
the required parameters to use the new policy-in-code feature in Horizon.
Because of this change, the defualt policy.json is no longer included in
this repo but replaced with policy.yaml. Please refer to the release note
and documentation of Horizon to find details about this feature.