diff --git a/openstack_dashboard/conf/heat_policy.json b/openstack_dashboard/conf/heat_policy.json
index eb5fab695c..b40b1eef2e 100644
--- a/openstack_dashboard/conf/heat_policy.json
+++ b/openstack_dashboard/conf/heat_policy.json
@@ -1,13 +1,14 @@
 {
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin",
 "deny_stack_user": "not role:heat_stack_user",
+ "deny_everybody": "!",
 "cloudformation:ListStacks": "rule:deny_stack_user",
 "cloudformation:CreateStack": "rule:deny_stack_user",
- "cloudformation:PreviewStack": "rule:deny_stack_user",
 "cloudformation:DescribeStacks": "rule:deny_stack_user",
 "cloudformation:DeleteStack": "rule:deny_stack_user",
 "cloudformation:UpdateStack": "rule:deny_stack_user",
+ "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
 "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
 "cloudformation:ValidateTemplate": "rule:deny_stack_user",
 "cloudformation:GetTemplate": "rule:deny_stack_user",
@@ -15,9 +16,6 @@
 "cloudformation:DescribeStackResource": "",
 "cloudformation:DescribeStackResources": "rule:deny_stack_user",
 "cloudformation:ListStackResources": "rule:deny_stack_user",
- "cloudformation:CheckStack": "rule:deny_stack_user",
- "cloudformation:SuspendStack": "rule:deny_stack_user",
- "cloudformation:ResumeStack": "rule:deny_stack_user",
 "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
 "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
@@ -37,20 +35,58 @@
 "events:show": "rule:deny_stack_user",
 "resource:index": "rule:deny_stack_user",
 "resource:metadata": "",
+ "resource:signal": "",
+ "resource:mark_unhealthy": "rule:deny_stack_user",
 "resource:show": "rule:deny_stack_user",
 "stacks:abandon": "rule:deny_stack_user",
 "stacks:create": "rule:deny_stack_user",
 "stacks:delete": "rule:deny_stack_user",
 "stacks:detail": "rule:deny_stack_user",
+ "stacks:export": "rule:deny_stack_user",
 "stacks:generate_template": "rule:deny_stack_user",
+ "stacks:global_index": "rule:deny_everybody",
 "stacks:index": "rule:deny_stack_user",
 "stacks:list_resource_types": "rule:deny_stack_user",
 "stacks:list_template_versions": "rule:deny_stack_user",
 "stacks:list_template_functions": "rule:deny_stack_user",
- "stacks:lookup": "rule:deny_stack_user",
+ "stacks:lookup": "",
+ "stacks:preview": "rule:deny_stack_user",
 "stacks:resource_schema": "rule:deny_stack_user",
 "stacks:show": "rule:deny_stack_user",
 "stacks:template": "rule:deny_stack_user",
+ "stacks:environment": "rule:deny_stack_user",
 "stacks:update": "rule:deny_stack_user",
- "stacks:validate_template": "rule:deny_stack_user"
-}
\ No newline at end of file
+ "stacks:update_patch": "rule:deny_stack_user",
+ "stacks:preview_update": "rule:deny_stack_user",
+ "stacks:preview_update_patch": "rule:deny_stack_user",
+ "stacks:validate_template": "rule:deny_stack_user",
+ "stacks:snapshot": "rule:deny_stack_user",
+ "stacks:show_snapshot": "rule:deny_stack_user",
+ "stacks:delete_snapshot": "rule:deny_stack_user",
+ "stacks:list_snapshots": "rule:deny_stack_user",
+ "stacks:restore_snapshot": "rule:deny_stack_user",
+ "stacks:list_outputs": "rule:deny_stack_user",
+ "stacks:show_output": "rule:deny_stack_user",
+
+ "software_configs:global_index": "rule:deny_everybody",
+ "software_configs:index": "rule:deny_stack_user",
+ "software_configs:create": "rule:deny_stack_user",
+ "software_configs:show": "rule:deny_stack_user",
+ "software_configs:delete": "rule:deny_stack_user",
+ "software_deployments:index": "rule:deny_stack_user",
+ "software_deployments:create": "rule:deny_stack_user",
+ "software_deployments:show": "rule:deny_stack_user",
+ "software_deployments:update": "rule:deny_stack_user",
+ "software_deployments:delete": "rule:deny_stack_user",
+ "software_deployments:metadata": "",
+
+ "service:index": "rule:context_is_admin",
+
+ "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
+ "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
+ "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
+ "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
+ "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
+}
diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py
index 5301cc8b1b..7202a0ec15 100644
--- a/openstack_dashboard/dashboards/project/stacks/tables.py
+++ b/openstack_dashboard/dashboards/project/stacks/tables.py
@@ -33,7 +33,8 @@ class LaunchStack(tables.LinkAction):
 url = "horizon:project:stacks:select_template"
 classes = ("ajax-modal",)
 icon = "plus"
- policy_rules = (("orchestration", "cloudformation:CreateStack"),)
+ policy_rules = (("orchestration", "stacks:validate_template"),
+ ("orchestration", "stacks:create"),)
 class PreviewStack(tables.LinkAction):
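Review bot: `"stacks:lookup": ""` changes that rule from `rule:deny_stack_user` to an empty rule, which in this policy syntax matches every caller, so the `stacks:lookup` entry this commit adds to each `allowed()` tuple in tabs.py will never restrict anything by itself; the effective gate there is the `stacks:show` / `stacks:template` rule beside it. The same applies to the new `"resource:signal": ""`. This presumably mirrors Heat's own default policy, but it deserves a sentence in the commit message, since a reader of tabs.py will otherwise assume the lookup rule carries weight. As far as this file appears to be Horizon's local copy used for UI gating while Heat enforces its own policy, any drift between the two shows up as actions displayed but rejected, or hidden but permitted.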
@@ -42,13 +43,14 @@ class PreviewStack(tables.LinkAction):
 url = "horizon:project:stacks:preview_template"
 classes = ("ajax-modal",)
 icon = "eye"
- policy_rules = (("orchestration", "cloudformation:PreviewStack"),)
+ policy_rules = (("orchestration", "stacks:validate_template"),
+ ("orchestration", "stacks:preview"),)
 class CheckStack(tables.BatchAction):
 name = "check"
 verbose_name = _("Check Stack")
- policy_rules = (("orchestration", "cloudformation:CheckStack"),)
+ policy_rules = (("orchestration", "actions:action"),)
 icon = "check-square"
 @staticmethod
@@ -74,7 +76,7 @@ class CheckStack(tables.BatchAction):
 class SuspendStack(tables.BatchAction):
 name = "suspend"
 verbose_name = _("Suspend Stack")
- policy_rules = (("orchestration", "cloudformation:SuspendStack"),)
+ policy_rules = (("orchestration", "actions:action"),)
 icon = "pause"
 @staticmethod
@@ -100,7 +102,7 @@ class SuspendStack(tables.BatchAction):
 class ResumeStack(tables.BatchAction):
 name = "resume"
 verbose_name = _("Resume Stack")
- policy_rules = (("orchestration", "cloudformation:ResumeStack"),)
+ policy_rules = (("orchestration", "actions:action"),)
 icon = "play"
 @staticmethod
@@ -151,7 +153,7 @@ class DeleteStack(tables.DeleteAction):
 count
 )
- policy_rules = (("orchestration", "cloudformation:DeleteStack"),)
+ policy_rules = (("orchestration", "stacks:delete"),)
 def delete(self, request, stack_id):
 api.heat.stack_delete(request, stack_id)
diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py
index f21ff12bd5..01e548180e 100644
--- a/openstack_dashboard/dashboards/project/stacks/tabs.py
+++ b/openstack_dashboard/dashboards/project/stacks/tabs.py
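Review bot: CheckStack in this hunk and SuspendStack and ResumeStack in the two hunks after it all collapse onto the single rule `("orchestration", "actions:action")`, so an operator can no longer permit one of these stack actions without the others, which the per-action `cloudformation:CheckStack` / `SuspendStack` / `ResumeStack` rules allowed; that loss of granularity is worth a line in the commit message. `actions:action` does not appear in any heat_policy.json hunk of this commit; it may live in an unchanged part of that file, but if it is absent the three actions resolve to the policy engine's default rule rather than an explicit entry, so please confirm it is defined. The class bodies of all three actions continue outside their hunks.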
@@ -37,8 +37,10 @@ class StackTopologyTab(tabs.Tab):
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStacks"),
- ("orchestration", "cloudformation:ListStackResources"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),
+ ("orchestration", "resources:index"),),
 request)
 def get_context_data(self, request):
@@ -56,7 +58,9 @@ class StackOverviewTab(tabs.Tab):
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStacks"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),),
 request)
 def get_context_data(self, request):
@@ -68,11 +72,6 @@ class ResourceOverviewTab(tabs.Tab):
 slug = "resource_overview"
 template_name = "project/stacks/_resource_overview.html"
- def allowed(self, request):
- return policy.check(
- (("orchestration", "cloudformation:DescribeStackResource"),),
- request)
-
 def get_context_data(self, request):
 resource = self.tab_group.kwargs['resource']
 resource_url = mappings.resource_to_url(resource)
@@ -90,7 +89,10 @@ class StackEventsTab(tabs.Tab):
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStackEvents"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),
+ ("orchestration", "events:index"),),
 request)
 def get_context_data(self, request):
@@ -118,7 +120,10 @@ class StackResourcesTab(tabs.Tab):
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:ListStackResources"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),
+ ("orchestration", "resource:index"),),
 request)
 def get_context_data(self, request):
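Review bot: StackTopologyTab.allowed in the first hunk checks `("orchestration", "resources:index")`, while StackResourcesTab.allowed in the last hunk on this line checks `("orchestration", "resource:index")`, and the heat_policy.json hunk in this commit defines only the singular `resource:index` (next to `resource:show`, `resource:metadata` and `resource:signal`). The plural form looks like a typo; a rule name that is not in the policy file falls through to whatever the policy engine's default rule is, so the topology tab would be gated by a rule the operator never wrote. Suggested change in the first hunk: `("orchestration", "resource:index"),),`. The enclosing tab classes continue outside their hunks.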
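Review bot: Removing ResourceOverviewTab.allowed in the third hunk leaves that tab with no policy check at all, instead of moving it to the `resource:show` rule the policy file carries (`"resource:show": "rule:deny_stack_user"`). The removed `cloudformation:DescribeStackResource` rule is `""` in that file, so nothing changes under the defaults, but an operator who tightens `resource:show` would still see the tab rendered while every sibling tab in this file now honours its rules. I would keep the method and give it the same new-style tuple the other tabs use; the class body continues past the hunk.
```python
    def allowed(self, request):
        return policy.check(
            (("orchestration", "stacks:lookup"),
             ("orchestration", "stacks:show"),
             ("orchestration", "resource:show"),),
            request)
    # … unchanged: get_context_data …
```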
@@ -146,7 +151,9 @@ class StackTemplateTab(tabs.Tab):
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStacks"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),),
 request)
 def get_context_data(self, request):
diff --git a/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py b/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py
index 193da6e486..3492d59a27 100644
--- a/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py
+++ b/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py
@@ -20,3 +20,4 @@ class TemplateVersions(horizon.Panel):
 name = _("Template Versions")
 slug = "stacks.template_versions"
 permissions = ('openstack.services.orchestration',)
+ policy_rules = (("orchestration", "stacks:list_template_versions"),)