From 8e7914fce24d2c9d94a83795983aaa0fb05f020c Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sun, 14 Mar 2021 21:55:58 +0900
Subject: [PATCH] Support policy-in-code and deprecated policy

This change adds support for policy-in-code and deprecated policy following the change in horizon.

Depends-on: https://review.opendev.org/750134
Change-Id: I0e53dfd653213a78ccca8a20f4e909b5ed798641
---
 devstack/plugin.sh | 3 +-
 .../conf/default_policies/heat.yaml | 1356 +++++++++++++++++
 heat_dashboard/conf/heat_policy.json | 92 --
 heat_dashboard/conf/heat_policy.yaml | 96 ++
 .../_1699_orchestration_settings.py | 6 +-
 ...licy-in-code-support-42c02d6b73e770ff.yaml | 8 +
 6 files changed, 1467 insertions(+), 94 deletions(-)
 create mode 100644 heat_dashboard/conf/default_policies/heat.yaml
 delete mode 100644 heat_dashboard/conf/heat_policy.json
 create mode 100644 heat_dashboard/conf/heat_policy.yaml
 create mode 100644 releasenotes/notes/policy-in-code-support-42c02d6b73e770ff.yaml
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 119e244..f961554 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -17,7 +17,8 @@ function install_heat_dashboard {
 function configure_heat_dashboard {
 cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/
 cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/local_settings.d/_1699_orchestration_settings.py ${DEST}/horizon/openstack_dashboard/local/local_settings.d/
- cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/heat_policy.json ${DEST}/horizon/openstack_dashboard/conf/
+ cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/heat_policy.yaml ${DEST}/horizon/openstack_dashboard/conf/
+ cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/conf/default_policies/heat.yaml ${DEST}/horizon/openstack_dashboard/conf/default_policies
 # NOTE: If locale directory does not exist, compilemessages will fail,
 # so check for an existence of locale directory is required.
 if [ -d ${HEAT_DASHBOARD_DIR}/heat_dashboard/locale ]; then
diff --git a/heat_dashboard/conf/default_policies/heat.yaml b/heat_dashboard/conf/default_policies/heat.yaml
new file mode 100644
index 0000000..3556f77
--- /dev/null
+++ b/heat_dashboard/conf/default_policies/heat.yaml
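Review bot: The new `cp -a ... ${DEST}/horizon/openstack_dashboard/conf/default_policies` line has no trailing slash and nothing creates that destination directory first; if `default_policies` does not yet exist in the horizon checkout, `cp -a` silently creates a regular file with that name instead of placing `heat.yaml` inside it, and the default heat policy rules the dashboard is meant to enforce would not be loaded. Presumably the horizon change this depends on ships that directory, but the plugin should not rely on it: run `mkdir -p ${DEST}/horizon/openstack_dashboard/conf/default_policies` before the copy, and end the destination with `/` so a stray file of that name makes the copy fail loudly instead of succeeding with the wrong result. Separately, dropping the old `heat_policy.json` copy means a previously installed copy in `conf/` is not cleaned up on a re-run over an existing tree; that is harmless only as long as horizon is no longer configured to read it. configure_heat_dashboard continues outside the hunk.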
@@ -0,0 +1,1356 @@ +- check_str: (role:admin and is_admin_project:True) OR (role:admin and system_scope:all) + description: Decides what is required for the 'is_admin:True' check to succeed. + name: context_is_admin + operations: [] + scope_types: null +- check_str: role:admin + description: Default rule for project admin. + name: project_admin + operations: [] + scope_types: null +- check_str: not role:heat_stack_user + description: Default rule for deny stack user. + name: deny_stack_user + operations: [] + scope_types: null +- check_str: '!' + description: Default rule for deny everybody. + name: deny_everybody + operations: [] + scope_types: null +- check_str: '' + description: Default rule for allow everybody. + name: allow_everybody + operations: [] + scope_types: null +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The actions API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: actions:action + deprecated_since: W + description: Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel + update, or check stack resources). This is the default for all actions but can + be overridden by more specific policies for individual actions. + name: actions:action + operations: + - method: POST + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions + scope_types: null +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The actions API now supports system scope and default roles. 
+ + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: actions:snapshot + deprecated_since: W + description: Create stack snapshot + name: actions:snapshot + operations: + - method: POST + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The actions API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: actions:suspend + deprecated_since: W + description: Suspend a stack. + name: actions:suspend + operations: + - method: POST + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The actions API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: actions:resume + deprecated_since: W + description: Resume a suspended stack. + name: actions:resume + operations: + - method: POST + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The actions API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: actions:check + deprecated_since: W + description: Check stack resources. + name: actions:check + operations: + - method: POST + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The actions API now supports system scope and default roles. 
+ + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: actions:cancel_update + deprecated_since: W + description: Cancel stack operation and roll back. + name: actions:cancel_update + operations: + - method: POST + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The actions API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: actions:cancel_without_rollback + deprecated_since: W + description: Cancel stack operation without rolling back. + name: actions:cancel_without_rollback + operations: + - method: POST + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The build API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: build_info:build_info + deprecated_since: W + description: Show build information. + name: build_info:build_info + operations: + - method: GET + path: /v1/{tenant_id}/build_info + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:ListStacks + deprecated_since: W + description: null + name: cloudformation:ListStacks + operations: [] + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. 
+ + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:CreateStack + deprecated_since: W + description: null + name: cloudformation:CreateStack + operations: [] + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:DescribeStacks + deprecated_since: W + description: null + name: cloudformation:DescribeStacks + operations: [] + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:DeleteStack + deprecated_since: W + description: null + name: cloudformation:DeleteStack + operations: [] + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:UpdateStack + deprecated_since: W + description: null + name: cloudformation:UpdateStack + operations: [] + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. 
+ + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:CancelUpdateStack + deprecated_since: W + description: null + name: cloudformation:CancelUpdateStack + operations: [] + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:DescribeStackEvents + deprecated_since: W + description: null + name: cloudformation:DescribeStackEvents + operations: [] + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:ValidateTemplate + deprecated_since: W + description: null + name: cloudformation:ValidateTemplate + operations: [] + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:GetTemplate + deprecated_since: W + description: null + name: cloudformation:GetTemplate + operations: [] + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. 
+ + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:EstimateTemplateCost + deprecated_since: W + description: null + name: cloudformation:EstimateTemplateCost + operations: [] + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + or (role:heat_stack_user and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:allow_everybody + name: cloudformation:DescribeStackResource + deprecated_since: W + description: null + name: cloudformation:DescribeStackResource + operations: [] + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:DescribeStackResources + deprecated_since: W + description: null + name: cloudformation:DescribeStackResources + operations: [] + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The cloud formation API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: cloudformation:ListStackResources + deprecated_since: W + description: null + name: cloudformation:ListStackResources + operations: [] + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The events API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: events:index + deprecated_since: W + description: List events. 
+ name: events:index + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The events API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: events:show + deprecated_since: W + description: Show event. + name: events:show + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The resources API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: resource:index + deprecated_since: W + description: List resources. + name: resource:index + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + or (role:heat_stack_user and project_id:%(project_id)s) + deprecated_reason: ' + + The resources API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:allow_everybody + name: resource:metadata + deprecated_since: W + description: Show resource metadata. + name: resource:metadata + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + or (role:heat_stack_user and project_id:%(project_id)s) + deprecated_reason: ' + + The resources API now supports system scope and default roles. 
+ + ' + deprecated_rule: + check_str: rule:allow_everybody + name: resource:signal + deprecated_since: W + description: Signal resource. + name: resource:signal + operations: + - method: POST + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The resources API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: resource:mark_unhealthy + deprecated_since: W + description: Mark resource as unhealthy. + name: resource:mark_unhealthy + operations: + - method: PATCH + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The resources API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: resource:show + deprecated_since: W + description: Show resource. 
+ name: resource:show + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name} + scope_types: + - system + - project +- check_str: rule:project_admin + description: null + name: resource_types:OS::Nova::Flavor + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Cinder::EncryptedVolumeType + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Cinder::VolumeType + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Cinder::Quota + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Neutron::Quota + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Nova::Quota + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Octavia::Quota + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Manila::ShareType + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Neutron::ProviderNet + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Neutron::QoSPolicy + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Neutron::QoSBandwidthLimitRule + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Neutron::QoSDscpMarkingRule + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Neutron::QoSMinimumBandwidthRule + operations: [] + scope_types: null +- check_str: rule:project_admin + 
description: null + name: resource_types:OS::Neutron::Segment + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Nova::HostAggregate + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Cinder::QoSSpecs + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Cinder::QoSAssociation + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Keystone::* + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Blazar::Host + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Octavia::Flavor + operations: [] + scope_types: null +- check_str: rule:project_admin + description: null + name: resource_types:OS::Octavia::FlavorProfile + operations: [] + scope_types: null +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + The service API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:context_is_admin + name: service:index + deprecated_since: W + description: null + name: service:index + operations: [] + scope_types: null +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + The software configuration API now support system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_everybody + name: software_configs:global_index + deprecated_since: W + description: List configs globally. 
+ name: software_configs:global_index + operations: + - method: GET + path: /v1/{tenant_id}/software_configs + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The software configuration API now support system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: software_configs:index + deprecated_since: W + description: List configs. + name: software_configs:index + operations: + - method: GET + path: /v1/{tenant_id}/software_configs + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The software configuration API now support system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: software_configs:create + deprecated_since: W + description: Create config. + name: software_configs:create + operations: + - method: POST + path: /v1/{tenant_id}/software_configs + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The software configuration API now support system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: software_configs:show + deprecated_since: W + description: Show config details. + name: software_configs:show + operations: + - method: GET + path: /v1/{tenant_id}/software_configs/{config_id} + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The software configuration API now support system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: software_configs:delete + deprecated_since: W + description: Delete config. 
+ name: software_configs:delete + operations: + - method: DELETE + path: /v1/{tenant_id}/software_configs/{config_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The software deployment API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: software_deployments:index + deprecated_since: W + description: List deployments. + name: software_deployments:index + operations: + - method: GET + path: /v1/{tenant_id}/software_deployments + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The software deployment API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: software_deployments:create + deprecated_since: W + description: Create deployment. + name: software_deployments:create + operations: + - method: POST + path: /v1/{tenant_id}/software_deployments + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The software deployment API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: software_deployments:show + deprecated_since: W + description: Show deployment details. + name: software_deployments:show + operations: + - method: GET + path: /v1/{tenant_id}/software_deployments/{deployment_id} + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The software deployment API now supports system scope and default roles. 
+ + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: software_deployments:update + deprecated_since: W + description: Update deployment. + name: software_deployments:update + operations: + - method: PUT + path: /v1/{tenant_id}/software_deployments/{deployment_id} + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The software deployment API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: software_deployments:delete + deprecated_since: W + description: Delete deployment. + name: software_deployments:delete + operations: + - method: DELETE + path: /v1/{tenant_id}/software_deployments/{deployment_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + or (role:heat_stack_user and project_id:%(project_id)s) + description: Show server configuration metadata. + name: software_deployments:metadata + operations: + - method: GET + path: /v1/{tenant_id}/software_deployments/metadata/{server_id} + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:abandon + deprecated_since: W + description: Abandon stack. + name: stacks:abandon + operations: + - method: DELETE + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:create + deprecated_since: W + description: Create stack. 
+ name: stacks:create + operations: + - method: POST + path: /v1/{tenant_id}/stacks + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:delete + deprecated_since: W + description: Delete stack. + name: stacks:delete + operations: + - method: DELETE + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:detail + deprecated_since: W + description: List stacks in detail. + name: stacks:detail + operations: + - method: GET + path: /v1/{tenant_id}/stacks + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:export + deprecated_since: W + description: Export stack. + name: stacks:export + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:generate_template + deprecated_since: W + description: Generate stack template. 
+ name: stacks:generate_template + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template + scope_types: + - system + - project +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_everybody + name: stacks:global_index + deprecated_since: W + description: List stacks globally. + name: stacks:global_index + operations: + - method: GET + path: /v1/{tenant_id}/stacks + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:index + deprecated_since: W + description: List stacks. + name: stacks:index + operations: + - method: GET + path: /v1/{tenant_id}/stacks + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:list_resource_types + deprecated_since: W + description: List resource types. + name: stacks:list_resource_types + operations: + - method: GET + path: /v1/{tenant_id}/resource_types + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:list_template_versions + deprecated_since: W + description: List template versions. 
+ name: stacks:list_template_versions + operations: + - method: GET + path: /v1/{tenant_id}/template_versions + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:list_template_functions + deprecated_since: W + description: List template functions. + name: stacks:list_template_functions + operations: + - method: GET + path: /v1/{tenant_id}/template_versions/{template_version}/functions + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + or (role:heat_stack_user and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:allow_everybody + name: stacks:lookup + deprecated_since: W + description: Find stack. + name: stacks:lookup + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_identity} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:preview + deprecated_since: W + description: Preview stack. + name: stacks:preview + operations: + - method: POST + path: /v1/{tenant_id}/stacks/preview + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:resource_schema + deprecated_since: W + description: Show resource type schema. 
+ name: stacks:resource_schema + operations: + - method: GET + path: /v1/{tenant_id}/resource_types/{type_name} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:show + deprecated_since: W + description: Show stack. + name: stacks:show + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_identity} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:template + deprecated_since: W + description: Get stack template. + name: stacks:template + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:environment + deprecated_since: W + description: Get stack environment. + name: stacks:environment + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:files + deprecated_since: W + description: Get stack files. 
+ name: stacks:files + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:update + deprecated_since: W + description: Update stack. + name: stacks:update + operations: + - method: PUT + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id} + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:update_patch + deprecated_since: W + description: Update stack (PATCH). + name: stacks:update_patch + operations: + - method: PATCH + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id} + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:preview_update + deprecated_since: W + description: Preview update stack. + name: stacks:preview_update + operations: + - method: PUT + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:preview_update_patch + deprecated_since: W + description: Preview update stack (PATCH). 
+ name: stacks:preview_update_patch + operations: + - method: PATCH + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:validate_template + deprecated_since: W + description: Validate template. + name: stacks:validate_template + operations: + - method: POST + path: /v1/{tenant_id}/validate + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:snapshot + deprecated_since: W + description: Snapshot Stack. + name: stacks:snapshot + operations: + - method: POST + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:show_snapshot + deprecated_since: W + description: Show snapshot. + name: stacks:show_snapshot + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id} + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:delete_snapshot + deprecated_since: W + description: Delete snapshot. 
+ name: stacks:delete_snapshot + operations: + - method: DELETE + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:list_snapshots + deprecated_since: W + description: List snapshots. + name: stacks:list_snapshots + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:restore_snapshot + deprecated_since: W + description: Restore snapshot. + name: stacks:restore_snapshot + operations: + - method: POST + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:list_outputs + deprecated_since: W + description: List outputs. + name: stacks:list_outputs + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + deprecated_reason: ' + + The stack API now supports system scope and default roles. + + ' + deprecated_rule: + check_str: rule:deny_stack_user + name: stacks:show_output + deprecated_since: W + description: Show outputs. 
+ name: stacks:show_output + operations: + - method: GET + path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key} + scope_types: + - system + - project diff --git a/heat_dashboard/conf/heat_policy.json b/heat_dashboard/conf/heat_policy.json deleted file mode 100644 index b40b1ee..0000000 --- a/heat_dashboard/conf/heat_policy.json +++ /dev/null 
@@ -1,92 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "deny_stack_user": "not role:heat_stack_user",
- "deny_everybody": "!",
-
- "cloudformation:ListStacks": "rule:deny_stack_user",
- "cloudformation:CreateStack": "rule:deny_stack_user",
- "cloudformation:DescribeStacks": "rule:deny_stack_user",
- "cloudformation:DeleteStack": "rule:deny_stack_user",
- "cloudformation:UpdateStack": "rule:deny_stack_user",
- "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
- "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
- "cloudformation:ValidateTemplate": "rule:deny_stack_user",
- "cloudformation:GetTemplate": "rule:deny_stack_user",
- "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
- "cloudformation:DescribeStackResource": "",
- "cloudformation:DescribeStackResources": "rule:deny_stack_user",
- "cloudformation:ListStackResources": "rule:deny_stack_user",
-
- "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
- "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
- "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
- "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
- "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
- "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
- "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
- "cloudwatch:ListMetrics": "rule:deny_stack_user",
- "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
- "cloudwatch:PutMetricData": "",
- "cloudwatch:SetAlarmState": "rule:deny_stack_user",
-
- "actions:action": "rule:deny_stack_user",
- "build_info:build_info": "rule:deny_stack_user",
- "events:index": "rule:deny_stack_user",
- "events:show": "rule:deny_stack_user",
- "resource:index": "rule:deny_stack_user",
- "resource:metadata": "",
- "resource:signal": "",
- "resource:mark_unhealthy": "rule:deny_stack_user",
- "resource:show": "rule:deny_stack_user",
- "stacks:abandon": "rule:deny_stack_user",
- "stacks:create": "rule:deny_stack_user",
- "stacks:delete": "rule:deny_stack_user",
- "stacks:detail": "rule:deny_stack_user",
- "stacks:export": "rule:deny_stack_user",
- "stacks:generate_template": "rule:deny_stack_user",
- "stacks:global_index": "rule:deny_everybody",
- "stacks:index": "rule:deny_stack_user",
- "stacks:list_resource_types": "rule:deny_stack_user",
- "stacks:list_template_versions": "rule:deny_stack_user",
- "stacks:list_template_functions": "rule:deny_stack_user",
- "stacks:lookup": "",
- "stacks:preview": "rule:deny_stack_user",
- "stacks:resource_schema": "rule:deny_stack_user",
- "stacks:show": "rule:deny_stack_user",
- "stacks:template": "rule:deny_stack_user",
- "stacks:environment": "rule:deny_stack_user",
- "stacks:update": "rule:deny_stack_user",
- "stacks:update_patch": "rule:deny_stack_user",
- "stacks:preview_update": "rule:deny_stack_user",
- "stacks:preview_update_patch": "rule:deny_stack_user",
- "stacks:validate_template": "rule:deny_stack_user",
- "stacks:snapshot": "rule:deny_stack_user",
- "stacks:show_snapshot": "rule:deny_stack_user",
- "stacks:delete_snapshot": "rule:deny_stack_user",
- "stacks:list_snapshots": "rule:deny_stack_user",
- "stacks:restore_snapshot": "rule:deny_stack_user",
- "stacks:list_outputs": "rule:deny_stack_user",
- "stacks:show_output": "rule:deny_stack_user",
-
- "software_configs:global_index": "rule:deny_everybody",
- "software_configs:index": "rule:deny_stack_user",
- "software_configs:create": "rule:deny_stack_user",
- "software_configs:show": "rule:deny_stack_user",
- "software_configs:delete": "rule:deny_stack_user",
- "software_deployments:index": "rule:deny_stack_user",
- "software_deployments:create": "rule:deny_stack_user",
- "software_deployments:show": "rule:deny_stack_user",
- "software_deployments:update": "rule:deny_stack_user",
- "software_deployments:delete": "rule:deny_stack_user",
- "software_deployments:metadata": "",
-
- "service:index": "rule:context_is_admin",
-
- "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
- "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
- "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
- "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
- "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
- "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
- "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
-}
diff --git a/heat_dashboard/conf/heat_policy.yaml b/heat_dashboard/conf/heat_policy.yaml
new file mode 100644
index 0000000..3766022
--- /dev/null
+++ b/heat_dashboard/conf/heat_policy.yaml
@@ -0,0 +1,96 @@
+#"context_is_admin": "(role:admin and is_admin_project:True) OR (role:admin and system_scope:all)"
+#"project_admin": "role:admin"
+#"deny_stack_user": "not role:heat_stack_user"
+#"deny_everybody": "!"
+#"allow_everybody": ""
+#"actions:action": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:suspend": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:resume": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:check": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"actions:cancel_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"actions:cancel_without_rollback": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"build_info:build_info": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ListStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:CreateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:DescribeStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:DeleteStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:UpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:CancelUpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackEvents": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ValidateTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:GetTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:EstimateTemplateCost": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackResource": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"cloudformation:DescribeStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"cloudformation:ListStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"events:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"events:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"resource:signal": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"resource:mark_unhealthy": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"resource:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"resource_types:OS::Nova::Flavor": "rule:project_admin"
+#"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin"
+#"resource_types:OS::Cinder::VolumeType": "rule:project_admin"
+#"resource_types:OS::Cinder::Quota": "rule:project_admin"
+#"resource_types:OS::Neutron::Quota": "rule:project_admin"
+#"resource_types:OS::Nova::Quota": "rule:project_admin"
+#"resource_types:OS::Octavia::Quota": "rule:project_admin"
+#"resource_types:OS::Manila::ShareType": "rule:project_admin"
+#"resource_types:OS::Neutron::ProviderNet": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSDscpMarkingRule": "rule:project_admin"
+#"resource_types:OS::Neutron::QoSMinimumBandwidthRule": "rule:project_admin"
+#"resource_types:OS::Neutron::Segment": "rule:project_admin"
+#"resource_types:OS::Nova::HostAggregate": "rule:project_admin"
+#"resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
+#"resource_types:OS::Cinder::QoSAssociation": "rule:project_admin"
+#"resource_types:OS::Keystone::*": "rule:project_admin"
+#"resource_types:OS::Blazar::Host": "rule:project_admin"
+#"resource_types:OS::Octavia::Flavor": "rule:project_admin"
+#"resource_types:OS::Octavia::FlavorProfile": "rule:project_admin"
+#"service:index": "role:reader and system_scope:all"
+#"software_configs:global_index": "role:reader and system_scope:all"
+#"software_configs:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:create": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_configs:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_deployments:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"software_deployments:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"software_deployments:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"stacks:abandon": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:detail": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:export": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:generate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:global_index": "role:reader and system_scope:all"
+#"stacks:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_resource_types": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_template_versions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:list_template_functions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:lookup": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
+#"stacks:preview": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:resource_schema": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:template": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:environment": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:files": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:preview_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:preview_update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:validate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:show_snapshot": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:delete_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:list_snapshots": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:restore_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+#"stacks:list_outputs": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"stacks:show_output": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
diff --git a/heat_dashboard/local_settings.d/_1699_orchestration_settings.py b/heat_dashboard/local_settings.d/_1699_orchestration_settings.py
index 8d4b73f..3fd5b12 100644
--- a/heat_dashboard/local_settings.d/_1699_orchestration_settings.py
+++ b/heat_dashboard/local_settings.d/_1699_orchestration_settings.py
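Review bot: All 96 entries in the new heat_policy.yaml are commented out, so this file overrides nothing and the effective orchestration rules come from whatever Horizon loads as the defaults (default_policies/heat.yaml, going by the settings change in this commit), but nothing in the file says so. An operator who kept tightened rules in the deleted heat_policy.json will get the upstream defaults silently once POLICY_FILES points at the new name, which is the kind of change that deserves a visible signpost at the top of the file. A header comment along the lines of `# Sample override file: every rule below is commented out, so the defaults in default_policies/heat.yaml apply until an entry here is uncommented and edited.` would make the contract explicit for anyone migrating a customised policy.json.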
@@ -21,7 +21,11 @@ OPENSTACK_HEAT_STACK = {
 }
 
 settings.POLICY_FILES.update({
- 'orchestration': 'heat_policy.json',
+ 'orchestration': 'heat_policy.yaml',
+})
+
+settings.DEFAULT_POLICY_FILES.update({
+ 'orchestration': 'default_policies/heat.yaml',
 })
 
 # Sample
diff --git a/releasenotes/notes/policy-in-code-support-42c02d6b73e770ff.yaml b/releasenotes/notes/policy-in-code-support-42c02d6b73e770ff.yaml
new file mode 100644
index 0000000..21e9715
--- /dev/null
+++ b/releasenotes/notes/policy-in-code-support-42c02d6b73e770ff.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - |
+ The default configuration file has been updated and now includes
+ the required parameters to use the new policy-in-code feature in Horizon.
+ Because of this change, the defualt policy.json is no longer included in
+ this repo but replaced with policy.yaml. Please refer to the release note
+ and documentation of Horizon to find details about this feature.
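Review bot: `settings.DEFAULT_POLICY_FILES.update({...})` is called unconditionally, so on a Horizon that does not yet define DEFAULT_POLICY_FILES (the commit message says the attribute comes from a Horizon change this depends on) this local_settings.d snippet raises AttributeError at import time and the whole dashboard fails to load, and the hunk records no minimum Horizon version. I would not paper over it with a getattr guard, because skipping the defaults while POLICY_FILES already points at the all-commented heat_policy.yaml would presumably leave orchestration with no usable rules, which is worse than failing loudly. A comment naming the requirement, e.g. `# Requires a Horizon with policy-in-code support (settings.DEFAULT_POLICY_FILES).`, plus the corresponding version floor in requirements or the release note, would let operators see the constraint before upgrade.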