From ba1ccf4d9b060674845e4b8e5e53c7ea4fcadd6b Mon Sep 17 00:00:00 2001 From: Keiichi Hikita Date: Thu, 16 Nov 2017 11:08:03 +0900 Subject: [PATCH] Taken over policy file for heat from Horizon repository. In future, Heat relevant files(like GUI, api client, policy files, ...) will be split out from Horizon repository. But now this repository does not have Heat policy file so I've copied it from Horizon latest repository. This review request also includes following changes. - Added installation procedure document relates to heat_policy.json. - Modified plugin.sh to install heat_policy.json. Change-Id: I8dd386e392eb4467b03efd68c7959371d4b9576d --- README.rst | 10 +++ devstack/plugin.sh | 1 + doc/source/install/installation_contents.rst | 10 +++ etc/heat_policy.json | 92 ++++++++++++++++++++ 4 files changed, 113 insertions(+) create mode 100644 etc/heat_policy.json diff --git a/README.rst b/README.rst index aff004e5..67387541 100644 --- a/README.rst +++ b/README.rst @@ -26,6 +26,11 @@ Set up your ``local.conf`` to enable heat-dashboard:: [[local|localrc]] enable_plugin heat-dashboard https://git.openstack.org/openstack/heat-dashboard + +.. note:: + + You also need to install Heat itself into DevStack to use Heat Dashboard. + Manual Installation ------------------- @@ -59,6 +64,11 @@ Enable heat-dashboard plugin in your Horizon environment:: cp heat-dashboard/heat_dashboard/enabled/* \ horizon/openstack_dashboard/local/enabled +Copy Heat policy file to your Horizon environment:: + + cp heat-dashboard/etc/heat_policy.json \ + horizon/openstack_dashboard/conf + Finally you can launch Horizon with Heat Dashboard plugin:: cd horizon diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 1039ae72..c0b165b1 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh 
@@ -16,6 +16,7 @@ function install_heat_dashboard { function configure_heat_dashboard { cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/ + cp -a ${HEAT_DASHBOARD_DIR}/etc/heat_policy.json ${DEST}/horizon/conf/ # NOTE: If locale directory does not exist, compilemessages will fail, # so check for an existence of locale directory is required. if [ -d ${HEAT_DASHBOARD_DIR}/heat_dashboard/locale ]; then diff --git a/doc/source/install/installation_contents.rst b/doc/source/install/installation_contents.rst index ef4da0a9..5e1b87fe 100644 --- a/doc/source/install/installation_contents.rst +++ b/doc/source/install/installation_contents.rst @@ -6,6 +6,11 @@ Set up your ``local.conf`` to enable heat-dashboard:: [[local|localrc]] enable_plugin heat-dashboard https://git.openstack.org/openstack/heat-dashboard + +.. note:: + + You also need to install Heat itself into DevStack to use Heat Dashboard. + Manual Installation ------------------- @@ -39,6 +44,11 @@ Enable heat-dashboard plugin in your Horizon environment:: cp heat-dashboard/heat_dashboard/enabled/* \ horizon/openstack_dashboard/local/enabled +Copy Heat policy file to your Horizon environment:: + + cp heat-dashboard/etc/heat_policy.json \ + horizon/openstack_dashboard/conf + Finally you can launch Horizon with Heat Dashboard plugin:: cd horizon diff --git a/etc/heat_policy.json b/etc/heat_policy.json new file mode 100644 index 00000000..b40b1eef --- /dev/null +++ b/etc/heat_policy.json 
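Review bot: The destination on the added `cp` line, `${DEST}/horizon/conf/`, does not match the manual-install steps this same commit adds to README.rst and installation_contents.rst, which copy the file to `horizon/openstack_dashboard/conf`. If Horizon loads its policy files from `openstack_dashboard/conf`, as those documents imply, the DevStack copy lands in a directory that is never read and the dashboard runs without the Heat rules. Please confirm, and if so change the line to `cp -a ${HEAT_DASHBOARD_DIR}/etc/heat_policy.json ${DEST}/horizon/openstack_dashboard/conf/`. The body of configure_heat_dashboard continues past the end of the hunk.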
@@ -0,0 +1,92 @@
+{
+ "context_is_admin": "role:admin",
+ "deny_stack_user": "not role:heat_stack_user",
+ "deny_everybody": "!",
+
+ "cloudformation:ListStacks": "rule:deny_stack_user",
+ "cloudformation:CreateStack": "rule:deny_stack_user",
+ "cloudformation:DescribeStacks": "rule:deny_stack_user",
+ "cloudformation:DeleteStack": "rule:deny_stack_user",
+ "cloudformation:UpdateStack": "rule:deny_stack_user",
+ "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
+ "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
+ "cloudformation:ValidateTemplate": "rule:deny_stack_user",
+ "cloudformation:GetTemplate": "rule:deny_stack_user",
+ "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
+ "cloudformation:DescribeStackResource": "",
+ "cloudformation:DescribeStackResources": "rule:deny_stack_user",
+ "cloudformation:ListStackResources": "rule:deny_stack_user",
+
+ "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
+ "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
+ "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
+ "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
+ "cloudwatch:ListMetrics": "rule:deny_stack_user",
+ "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
+ "cloudwatch:PutMetricData": "",
+ "cloudwatch:SetAlarmState": "rule:deny_stack_user",
+
+ "actions:action": "rule:deny_stack_user",
+ "build_info:build_info": "rule:deny_stack_user",
+ "events:index": "rule:deny_stack_user",
+ "events:show": "rule:deny_stack_user",
+ "resource:index": "rule:deny_stack_user",
+ "resource:metadata": "",
+ "resource:signal": "",
+ "resource:mark_unhealthy": "rule:deny_stack_user",
+ "resource:show": "rule:deny_stack_user",
+ "stacks:abandon": "rule:deny_stack_user",
+ "stacks:create": "rule:deny_stack_user",
+ "stacks:delete": "rule:deny_stack_user",
+ "stacks:detail": "rule:deny_stack_user",
+ "stacks:export": "rule:deny_stack_user",
+ "stacks:generate_template": "rule:deny_stack_user",
+ "stacks:global_index": "rule:deny_everybody",
+ "stacks:index": "rule:deny_stack_user",
+ "stacks:list_resource_types": "rule:deny_stack_user",
+ "stacks:list_template_versions": "rule:deny_stack_user",
+ "stacks:list_template_functions": "rule:deny_stack_user",
+ "stacks:lookup": "",
+ "stacks:preview": "rule:deny_stack_user",
+ "stacks:resource_schema": "rule:deny_stack_user",
+ "stacks:show": "rule:deny_stack_user",
+ "stacks:template": "rule:deny_stack_user",
+ "stacks:environment": "rule:deny_stack_user",
+ "stacks:update": "rule:deny_stack_user",
+ "stacks:update_patch": "rule:deny_stack_user",
+ "stacks:preview_update": "rule:deny_stack_user",
+ "stacks:preview_update_patch": "rule:deny_stack_user",
+ "stacks:validate_template": "rule:deny_stack_user",
+ "stacks:snapshot": "rule:deny_stack_user",
+ "stacks:show_snapshot": "rule:deny_stack_user",
+ "stacks:delete_snapshot": "rule:deny_stack_user",
+ "stacks:list_snapshots": "rule:deny_stack_user",
+ "stacks:restore_snapshot": "rule:deny_stack_user",
+ "stacks:list_outputs": "rule:deny_stack_user",
+ "stacks:show_output": "rule:deny_stack_user",
+
+ "software_configs:global_index": "rule:deny_everybody",
+ "software_configs:index": "rule:deny_stack_user",
+ "software_configs:create": "rule:deny_stack_user",
+ "software_configs:show": "rule:deny_stack_user",
+ "software_configs:delete": "rule:deny_stack_user",
+ "software_deployments:index": "rule:deny_stack_user",
+ "software_deployments:create": "rule:deny_stack_user",
+ "software_deployments:show": "rule:deny_stack_user",
+ "software_deployments:update": "rule:deny_stack_user",
+ "software_deployments:delete": "rule:deny_stack_user",
+ "software_deployments:metadata": "",
+
+ "service:index": "rule:context_is_admin",
+
+ "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
+ "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
+ "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
+ "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
+ "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
+}
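Review bot: Six actions in the new file carry the empty rule `""`, which oslo.policy evaluates as always-allow: `cloudformation:DescribeStackResource`, `cloudwatch:PutMetricData`, `resource:metadata`, `resource:signal`, `stacks:lookup` and `software_deployments:metadata`. Nearly every other non-admin action uses the negative rule `not role:heat_stack_user`, so any caller without that one role passes. This file is a copy read by Horizon, presumably only to decide what the UI offers, while the Heat service enforces its own policy, so the two can drift apart without anyone noticing. JSON has no comment syntax, so I would record the contract in the install document next to the copy step, e.g. `Keep heat_policy.json in sync with the policy the Heat service enforces; the dashboard copy does not restrict API access.`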