Rework hardcoded policy in admin dash

Since the content in a Dashboard is not hardcoded, having hardcoded
policy checks to specific services at the dashboard level is wrong.
The Dashboard was designed to evaluate all panels to determine policy
so this type of thing could be avoided. This patch moves the content
specific policy checks to the panels where they apply.

Additionally, this fix uncovered another bug where policy_rules are
wrapped in a list regardless of format. This patch adds a check and
only wraps where necessary.

Change-Id: I79314a45c3c552ebcb3bb7cc881c2467fa009c5d
Closes-Bug: #1643013
Closes-Bug: #1643074

horizon/base.py

@@ -150,7 +150,10 @@ class HorizonComponent(object):
         # default in the policy engine, so calling each rule individually
         if policy_check and self.policy_rules:
             for rule in self.policy_rules:
-                if policy_check((rule,), request):
+                rule_param = rule
+                if not any(isinstance(r, (list, tuple)) for r in rule):
+                    rule_param = list(rule)
+                if policy_check(rule_param, request):
                     return True
             return False
 

openstack_dashboard/dashboards/admin/aggregates/panel.py

@@ -24,6 +24,7 @@ LOG = logging.getLogger(__name__)
 class Aggregates(horizon.Panel):
     name = _("Host Aggregates")
     slug = 'aggregates'
+    policy_rules = (("compute", "compute_extension:aggregates"),)
     permissions = ('openstack.services.compute',)
 
     def allowed(self, context):

openstack_dashboard/dashboards/admin/defaults/panel.py

@@ -20,3 +20,5 @@ import horizon
 class Defaults(horizon.Panel):
     name = _("Defaults")
     slug = 'defaults'
+    policy_rules = (("compute", "context_is_admin"),
+                    ("volume", "context_is_admin"),)

openstack_dashboard/dashboards/admin/flavors/panel.py

@@ -25,3 +25,4 @@ class Flavors(horizon.Panel):
     name = _("Flavors")
     slug = 'flavors'
     permissions = ('openstack.services.compute',)
+    policy_rules = (("compute", "context_is_admin"),)

openstack_dashboard/dashboards/admin/floating_ips/panel.py

@@ -23,6 +23,7 @@ class AdminFloatingIps(horizon.Panel):
     name = _("Floating IPs")
     slug = 'floating_ips'
     permissions = ('openstack.services.network', )
+    policy_rules = (("network", "context_is_admin"),)
 
     @staticmethod
     def can_register():

openstack_dashboard/dashboards/admin/images/panel.py

@@ -25,4 +25,5 @@ class Images(horizon.Panel):
     name = _("Images")
     slug = 'images'
     permissions = ('openstack.services.image',)
-    policy_rules = (("image", "get_images"),)
+    policy_rules = ((("image", "context_is_admin"),
+                     ("image", "get_images")),)

openstack_dashboard/dashboards/admin/info/panel.py

@@ -24,3 +24,7 @@ import horizon
 class Info(horizon.Panel):
     name = _("System Information")
     slug = 'info'
+    policy_rules = (("compute", "context_is_admin"),
+                    ("volume", "context_is_admin"),
+                    ("network", "context_is_admin"),
+                    ("orchestation", "context_is_admin"),)

openstack_dashboard/dashboards/admin/instances/panel.py

@@ -25,4 +25,5 @@ class Instances(horizon.Panel):
     name = _("Instances")
     slug = 'instances'
     permissions = ('openstack.services.compute',)
-    policy_rules = (("compute", "compute:get_all"),)
+    policy_rules = ((("compute", "context_is_admin"),
+                     ("compute", "compute:get_all")),)

openstack_dashboard/dashboards/admin/metadata_defs/panel.py

@@ -23,7 +23,8 @@ from openstack_dashboard.api import glance
 class MetadataDefinitions(horizon.Panel):
     name = _("Metadata Definitions")
     slug = 'metadata_defs'
-    policy_rules = (("image", "get_metadef_namespaces"),)
+    policy_rules = ((("image", "context_is_admin"),
+                     ("image", "get_metadef_namespaces")),)
     permissions = ('openstack.services.image',)
 
     @staticmethod

openstack_dashboard/dashboards/admin/networks/panel.py

@@ -21,3 +21,4 @@ class Networks(horizon.Panel):
     name = _("Networks")
     slug = 'networks'
     permissions = ('openstack.services.network',)
+    policy_rules = (("network", "context_is_admin"),)

openstack_dashboard/dashboards/admin/ngflavors/panel.py

@@ -22,3 +22,4 @@ class NGFlavors(horizon.Panel):
     name = _("Flavors")
     slug = 'ngflavors'
     permissions = ('openstack.services.compute',)
+    policy_rules = (("compute", "context_is_admin"),)

openstack_dashboard/dashboards/admin/overview/panel.py

@@ -26,7 +26,8 @@ from openstack_dashboard.dashboards.admin import dashboard
 class Overview(horizon.Panel):
     name = _("Overview")
     slug = 'overview'
-    policy_rules = (('identity', 'identity:list_projects'),)
+    policy_rules = ((('identity', 'identity:list_projects'),
+                     ('compute', 'context_is_admin')),)
     permissions = ('openstack.services.compute',)
 
 

openstack_dashboard/dashboards/admin/routers/panel.py

@@ -22,6 +22,7 @@ class Routers(horizon.Panel):
     name = _("Routers")
     slug = 'routers'
     permissions = ('openstack.services.network',)
+    policy_rules = (("network", "context_is_admin"),)
 
     @staticmethod
     def can_register():

openstack_dashboard/dashboards/admin/volumes/panel.py

@@ -21,3 +21,4 @@ class Volumes(horizon.Panel):
     permissions = (
         ('openstack.services.volume', 'openstack.services.volumev2'),
     )
+    policy_rules = (("volume", "context_is_admin"),)