Taken over policy file for heat from Horizon repository.

In future, Heat relevant files(like GUI, api client, policy files, ...) will be split out from Horizon repository. But now this repository does not have Heat policy file so I've copied it from Horizon latest repository. This review request also includes following changes. - Added installation procedure document relates to heat_policy.json. - Modified plugin.sh to install heat_policy.json. Change-Id: I8dd386e392eb4467b03efd68c7959371d4b9576d
2017-11-16 11:08:03 +09:00 · 2017-11-16 11:08:03 +09:00 · ba1ccf4d9b
commit ba1ccf4d9b
parent 569d70a09a
4 changed files with 113 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@ -26,6 +26,11 @@ Set up your ``local.conf`` to enable heat-dashboard::
    [[local|localrc]]
    enable_plugin heat-dashboard https://git.openstack.org/openstack/heat-dashboard

+
+.. note::
+
+    You also need to install Heat itself into DevStack to use Heat Dashboard.
+
 Manual Installation
 -------------------

@ -59,6 +64,11 @@ Enable heat-dashboard plugin in your Horizon environment::
    cp heat-dashboard/heat_dashboard/enabled/* \
      horizon/openstack_dashboard/local/enabled

+Copy Heat policy file to your Horizon  environment::
+
+    cp heat-dashboard/etc/heat_policy.json \
+      horizon/openstack_dashboard/conf
+
 Finally you can launch Horizon with Heat Dashboard plugin::

    cd horizon
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -16,6 +16,7 @@ function install_heat_dashboard {

 function configure_heat_dashboard {
    cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/
+    cp -a ${HEAT_DASHBOARD_DIR}/etc/heat_policy.json ${DEST}/horizon/conf/
    # NOTE: If locale directory does not exist, compilemessages will fail,
    # so check for an existence of locale directory is required.
    if [ -d ${HEAT_DASHBOARD_DIR}/heat_dashboard/locale ]; then
--- a/doc/source/install/installation_contents.rst
+++ b/doc/source/install/installation_contents.rst
@ -6,6 +6,11 @@ Set up your ``local.conf`` to enable heat-dashboard::
    [[local|localrc]]
    enable_plugin heat-dashboard https://git.openstack.org/openstack/heat-dashboard

+
+.. note::
+
+    You also need to install Heat itself into DevStack to use Heat Dashboard.
+
 Manual Installation
 -------------------

@ -39,6 +44,11 @@ Enable heat-dashboard plugin in your Horizon environment::
    cp heat-dashboard/heat_dashboard/enabled/* \
      horizon/openstack_dashboard/local/enabled

+Copy Heat policy file to your Horizon  environment::
+
+    cp heat-dashboard/etc/heat_policy.json \
+      horizon/openstack_dashboard/conf
+
 Finally you can launch Horizon with Heat Dashboard plugin::

    cd horizon
--- a/etc/heat_policy.json
+++ b/etc/heat_policy.json
@ -0,0 +1,92 @@
+{
+    "context_is_admin":  "role:admin",
+    "deny_stack_user": "not role:heat_stack_user",
+    "deny_everybody": "!",
+
+    "cloudformation:ListStacks": "rule:deny_stack_user",
+    "cloudformation:CreateStack": "rule:deny_stack_user",
+    "cloudformation:DescribeStacks": "rule:deny_stack_user",
+    "cloudformation:DeleteStack": "rule:deny_stack_user",
+    "cloudformation:UpdateStack": "rule:deny_stack_user",
+    "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
+    "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
+    "cloudformation:ValidateTemplate": "rule:deny_stack_user",
+    "cloudformation:GetTemplate": "rule:deny_stack_user",
+    "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
+    "cloudformation:DescribeStackResource": "",
+    "cloudformation:DescribeStackResources": "rule:deny_stack_user",
+    "cloudformation:ListStackResources": "rule:deny_stack_user",
+
+    "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
+    "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
+    "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
+    "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
+    "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
+    "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
+    "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
+    "cloudwatch:ListMetrics": "rule:deny_stack_user",
+    "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
+    "cloudwatch:PutMetricData": "",
+    "cloudwatch:SetAlarmState": "rule:deny_stack_user",
+
+    "actions:action": "rule:deny_stack_user",
+    "build_info:build_info": "rule:deny_stack_user",
+    "events:index": "rule:deny_stack_user",
+    "events:show": "rule:deny_stack_user",
+    "resource:index": "rule:deny_stack_user",
+    "resource:metadata": "",
+    "resource:signal": "",
+    "resource:mark_unhealthy": "rule:deny_stack_user",
+    "resource:show": "rule:deny_stack_user",
+    "stacks:abandon": "rule:deny_stack_user",
+    "stacks:create": "rule:deny_stack_user",
+    "stacks:delete": "rule:deny_stack_user",
+    "stacks:detail": "rule:deny_stack_user",
+    "stacks:export": "rule:deny_stack_user",
+    "stacks:generate_template": "rule:deny_stack_user",
+    "stacks:global_index": "rule:deny_everybody",
+    "stacks:index": "rule:deny_stack_user",
+    "stacks:list_resource_types": "rule:deny_stack_user",
+    "stacks:list_template_versions": "rule:deny_stack_user",
+    "stacks:list_template_functions": "rule:deny_stack_user",
+    "stacks:lookup": "",
+    "stacks:preview": "rule:deny_stack_user",
+    "stacks:resource_schema": "rule:deny_stack_user",
+    "stacks:show": "rule:deny_stack_user",
+    "stacks:template": "rule:deny_stack_user",
+    "stacks:environment": "rule:deny_stack_user",
+    "stacks:update": "rule:deny_stack_user",
+    "stacks:update_patch": "rule:deny_stack_user",
+    "stacks:preview_update": "rule:deny_stack_user",
+    "stacks:preview_update_patch": "rule:deny_stack_user",
+    "stacks:validate_template": "rule:deny_stack_user",
+    "stacks:snapshot": "rule:deny_stack_user",
+    "stacks:show_snapshot": "rule:deny_stack_user",
+    "stacks:delete_snapshot": "rule:deny_stack_user",
+    "stacks:list_snapshots": "rule:deny_stack_user",
+    "stacks:restore_snapshot": "rule:deny_stack_user",
+    "stacks:list_outputs": "rule:deny_stack_user",
+    "stacks:show_output": "rule:deny_stack_user",
+
+    "software_configs:global_index": "rule:deny_everybody",
+    "software_configs:index": "rule:deny_stack_user",
+    "software_configs:create": "rule:deny_stack_user",
+    "software_configs:show": "rule:deny_stack_user",
+    "software_configs:delete": "rule:deny_stack_user",
+    "software_deployments:index": "rule:deny_stack_user",
+    "software_deployments:create": "rule:deny_stack_user",
+    "software_deployments:show": "rule:deny_stack_user",
+    "software_deployments:update": "rule:deny_stack_user",
+    "software_deployments:delete": "rule:deny_stack_user",
+    "software_deployments:metadata": "",
+
+    "service:index": "rule:context_is_admin",
+
+    "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
+    "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
+    "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
+    "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
+    "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
+    "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
+    "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
+}