Merge "Add SYSTEM_SCOPE_SERVICES setting that hides panels"

doc/source/configuration/settings.rst

@@ -2656,3 +2656,16 @@ generated ``kubeconfig`` file.
 .. seealso::
 
    `KUBECONFIG_ENABLED`_ to enable the ``kubeconfig`` file generation.
+
+
+SYSTEM_SCOPE_SERVICES
+---------------------
+.. versionadded:: 21.1.0(Yoga)
+
+Default: ``[]``
+
+A list of names of services for which the system scope token should be used.
+If empty, system scope will be removed from the context switching menu. If not
+empty, the context switching menu will show a "system scope" option, and the
+admin panels for the services listed will be moved to that context, no longer
+showing up in the project context.

openstack_dashboard/dashboards/admin/aggregates/panel.py

@@ -12,6 +12,7 @@
 
 import logging
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -25,3 +26,9 @@ class Aggregates(horizon.Panel):
     slug = 'aggregates'
     policy_rules = (("compute", "compute_extension:aggregates"),)
     permissions = ('openstack.services.compute',)
+
+    def allowed(self, context):
+        if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/defaults/panel.py

@@ -12,6 +12,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -22,3 +23,9 @@ class Defaults(horizon.Panel):
     slug = 'defaults'
     policy_rules = (("compute", "context_is_admin"),
                     ("volume", "context_is_admin"),)
+
+    def allowed(self, context):
+        if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/flavors/panel.py

@@ -16,6 +16,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -26,3 +27,9 @@ class Flavors(horizon.Panel):
     slug = 'flavors'
     permissions = ('openstack.services.compute',)
     policy_rules = (("compute", "context_is_admin"),)
+
+    def allowed(self, context):
+        if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/floating_ips/panel.py

@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -30,3 +31,9 @@ class AdminFloatingIps(horizon.Panel):
     def can_register():
         return setting_utils.get_dict_config(
             'OPENSTACK_NEUTRON_NETWORK', 'enable_router')
+
+    def allowed(self, context):
+        if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/hypervisors/panel.py

@@ -12,6 +12,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -22,3 +23,9 @@ class Hypervisors(horizon.Panel):
     slug = 'hypervisors'
     permissions = ('openstack.services.compute',)
     policy_rules = (("compute", "os_compute_api:os-hypervisors"),)
+
+    def allowed(self, context):
+        if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/images/panel.py

@@ -16,6 +16,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -27,3 +28,9 @@ class Images(horizon.Panel):
     permissions = ('openstack.services.image',)
     policy_rules = ((("image", "context_is_admin"),
                      ("image", "get_images")),)
+
+    def allowed(self, context):
+        if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/info/panel.py

@@ -16,6 +16,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -27,3 +28,9 @@ class Info(horizon.Panel):
     policy_rules = (("compute", "context_is_admin"),
                     ("volume", "context_is_admin"),
                     ("network", "context_is_admin"),)
+
+    def allowed(self, context):
+        if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/instances/panel.py

@@ -16,6 +16,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -27,3 +28,9 @@ class Instances(horizon.Panel):
     permissions = ('openstack.services.compute',)
     policy_rules = ((("compute", "context_is_admin"),
                      ("compute", "os_compute_api:servers:detail")),)
+
+    def allowed(self, context):
+        if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/metadata_defs/panel.py

@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -30,3 +31,9 @@ class MetadataDefinitions(horizon.Panel):
     @staticmethod
     def can_register():
         return glance.VERSIONS.active >= 2
+
+    def allowed(self, context):
+        if (('image' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/networks/panel.py

@@ -12,6 +12,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -22,3 +23,9 @@ class Networks(horizon.Panel):
     slug = 'networks'
     permissions = ('openstack.services.network',)
     policy_rules = (("network", "context_is_admin"),)
+
+    def allowed(self, context):
+        if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/overview/panel.py

@@ -16,6 +16,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -30,5 +31,11 @@ class Overview(horizon.Panel):
                      ('compute', 'context_is_admin')),)
     permissions = ('openstack.services.compute',)
 
+    def allowed(self, context):
+        if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)
+
 
 dashboard.Admin.register(Overview)

openstack_dashboard/dashboards/admin/rbac_policies/panel.py

@@ -12,6 +12,7 @@
 
 import logging
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -29,6 +30,9 @@ class RBACPolicies(horizon.Panel):
     policy_rules = (("network", "context_is_admin"),)
 
     def allowed(self, context):
+        if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
         request = context['request']
         try:
             return (

openstack_dashboard/dashboards/admin/routers/panel.py

@@ -12,6 +12,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -29,3 +30,9 @@ class Routers(horizon.Panel):
     def can_register():
         return setting_utils.get_dict_config(
             'OPENSTACK_NEUTRON_NETWORK', 'enable_router')
+
+    def allowed(self, context):
+        if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().allowed(context)

openstack_dashboard/dashboards/admin/trunks/panel.py

@@ -14,6 +14,7 @@
 
 import logging
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -30,6 +31,9 @@ class Trunks(horizon.Panel):
     policy_rules = (("trunk", "context_is_admin"),)
 
     def allowed(self, context):
+        if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
         request = context['request']
         try:
             return (

openstack_dashboard/dashboards/identity/dashboard.py

@@ -13,6 +13,7 @@
 #    under the License.
 
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 import horizon
@@ -22,5 +23,11 @@ class Identity(horizon.Dashboard):
     name = _("Identity")
     slug = "identity"
 
+    def can_access(self, context):
+        if (('identity' in settings.SYSTEM_SCOPE_SERVICES) !=
+                bool(context['request'].user.system_scoped)):
+            return False
+        return super().can_access(context)
+
 
 horizon.register(Identity)

openstack_dashboard/defaults.py

@@ -551,3 +551,8 @@ REST_API_ADDITIONAL_SETTINGS = []
 KUBECONFIG_ENABLED = False
 KUBECONFIG_KUBERNETES_URL = ""
 KUBECONFIG_CERTIFICATE_AUTHORITY_DATA = ""
+
+
+# Services may require a System Scope token for certain operations. This
+# settings enables the use of the system scope token on per-service basis.
+SYSTEM_SCOPE_SERVICES = []

openstack_dashboard/templates/header/_context_selection.html

@@ -31,8 +31,8 @@
     {% endif %}
 
 
-    {% is_system_user as system_user %}
-    {% if system_user %}
+    {% show_systems as system_scope_enabled %}
+    {% if system_scope_enabled %}
       <li>
         {% show_system_list %}
       </li>

openstack_dashboard/templatetags/context_selection.py

@@ -42,7 +42,9 @@ def is_multidomain():
 
 
 @register.simple_tag(takes_context=True)
-def is_system_user(context):
+def show_systems(context):
+    if not settings.SYSTEM_SCOPE_SERVICES:
+        return False
     try:
         request = context['request']
     except KeyError:

releasenotes/notes/feature-system-scope-a88a07b7f414b3d6.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Horizon can now use a system scope token when performing admin operations.
+    To enable that, a new setting, SYSTEM_SCOPE_SERVICES, has to list the
+    OpenStack services for which this feature is to be enabled. When that
+    setting is not empty, a new option, "system scope" will appear in the
+    context switching menu, and the panels for the listed services will be
+    moved into that context in the main menu.