454a7b0ec1
Heat's `policy.json` now can contain policies of the following schema: "resource_types:<resource_type>": "rule" This will allow cloud admins to control resource access utilizing user roles, names, tenants and any other oslo.policy-supported rules. Basic usage is to facilitate fail-early for stacks with resources that a given user will not be able to actually create due to role restrictions. Default policy is 'allow to everyone' (who has passed previous policy checks on REST API layer). Resource types that the user will not be able to use due to resources policy restrictions are hidden from `resource-type-list`. Current operations that are prohibited if the user does not pass policy check for a particular "forbidden" resource: - show resource type for forbidden resource type - show resource template for forbidden resource type - create a stack containing a forbidden resource - delete a stack containing a forbidden resource - update a stack that already has a forbidden resource - update a stack initroducing a new forbidden resource - restore a stack snapshot to a stack that currently has forbidden resource Not yet prohibited, need to be fixed: - restore a stack snapshot that will create a forbidden resource As first step (and for testing purposes) OS::Nova::Flavor is forbidden to create for non-admin users. Simple functional test using this resource is added. Change-Id: I337306c4f1624552a2631e0ffbb43f0d3102813d Implements blueprint conditional-resource-exposure
Heat
Heat is a service to orchestrate multiple composite cloud applications using templates, through both an OpenStack-native REST API and a CloudFormation-compatible Query API.
Why heat? It makes the clouds rise and keeps them there.
Getting Started
If you'd like to run from the master branch, you can clone the git repo:
git clone git@github.com:openstack/heat.git
- Wiki: http://wiki.openstack.org/Heat
- Developer docs: http://docs.openstack.org/developer/heat
Python client
https://github.com/openstack/python-heatclient
References
- http://docs.amazonwebservices.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html
- http://docs.amazonwebservices.com/AWSCloudFormation/latest/UserGuide/create-stack.html
- http://docs.amazonwebservices.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
- http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=tosca
We have integration with
- https://github.com/openstack/python-novaclient (instance)
- https://github.com/openstack/python-keystoneclient (auth)
- https://github.com/openstack/python-swiftclient (s3)
- https://github.com/openstack/python-neutronclient (networking)
- https://github.com/openstack/python-ceilometerclient (metering)
- https://github.com/openstack/python-cinderclient (storage service)
- https://github.com/openstack/python-glanceclient (image service)
- https://github.com/openstack/python-troveclient (database as a Service)
- https://github.com/openstack/python-saharaclient (hadoop cluster)