Update Horizon to use latest nova policy rules for validation

Nova's API has been unified under os_compute_api and its API policies
have been updated to use this format, so Horizon needs to use Nova's
policy enforcement rules in the codebase. This patch also updates
nova_policy.json, using oslo-config-generator to generate the Nova
policy file.

Co-Authored-By: Rob Cresswell <robert.cresswell@outlook.com>
Implements: blueprint update-nova-enforce-policies

Change-Id: Id7d01a39930c88592301a5035f0befe5293a78fa
Yaguang Tang 2016-10-25 08:43:10 +08:00 committed by Rob Cresswell
parent f54c52418b
commit c61ae4f083
16 changed files with 243 additions and 469 deletions


@ -2,436 +2,175 @@
"context_is_admin": "role:admin", "context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s", "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner", "default": "rule:admin_or_owner",
"cells_scheduler_filter:TargetCellFilter": "is_admin:True",
"compute:create": "rule:admin_or_owner",
"compute:create:attach_network": "rule:admin_or_owner",
"compute:create:attach_volume": "rule:admin_or_owner",
"compute:create:forced_host": "is_admin:True",
"compute:get": "rule:admin_or_owner",
"compute:get_all": "rule:admin_or_owner",
"compute:get_all_tenants": "is_admin:True",
"compute:update": "rule:admin_or_owner",
"compute:get_instance_metadata": "rule:admin_or_owner",
"compute:get_all_instance_metadata": "rule:admin_or_owner",
"compute:get_all_instance_system_metadata": "rule:admin_or_owner",
"compute:update_instance_metadata": "rule:admin_or_owner",
"compute:delete_instance_metadata": "rule:admin_or_owner",
"compute:get_diagnostics": "rule:admin_or_owner",
"compute:get_instance_diagnostics": "rule:admin_or_owner",
"compute:start": "rule:admin_or_owner",
"compute:stop": "rule:admin_or_owner",
"compute:lock": "rule:admin_or_owner",
"compute:unlock": "rule:admin_or_owner",
"compute:unlock_override": "rule:admin_api",
"compute:get_vnc_console": "rule:admin_or_owner",
"compute:get_spice_console": "rule:admin_or_owner",
"compute:get_rdp_console": "rule:admin_or_owner",
"compute:get_serial_console": "rule:admin_or_owner",
"compute:get_mks_console": "rule:admin_or_owner",
"compute:get_console_output": "rule:admin_or_owner",
"compute:reset_network": "rule:admin_or_owner",
"compute:inject_network_info": "rule:admin_or_owner",
"compute:add_fixed_ip": "rule:admin_or_owner",
"compute:remove_fixed_ip": "rule:admin_or_owner",
"compute:attach_volume": "rule:admin_or_owner",
"compute:detach_volume": "rule:admin_or_owner",
"compute:swap_volume": "rule:admin_api",
"compute:attach_interface": "rule:admin_or_owner",
"compute:detach_interface": "rule:admin_or_owner",
"compute:set_admin_password": "rule:admin_or_owner",
"compute:rescue": "rule:admin_or_owner",
"compute:unrescue": "rule:admin_or_owner",
"compute:suspend": "rule:admin_or_owner",
"compute:resume": "rule:admin_or_owner",
"compute:pause": "rule:admin_or_owner",
"compute:unpause": "rule:admin_or_owner",
"compute:shelve": "rule:admin_or_owner",
"compute:shelve_offload": "rule:admin_or_owner",
"compute:unshelve": "rule:admin_or_owner",
"compute:snapshot": "rule:admin_or_owner",
"compute:snapshot_volume_backed": "rule:admin_or_owner",
"compute:backup": "rule:admin_or_owner",
"compute:resize": "rule:admin_or_owner",
"compute:confirm_resize": "rule:admin_or_owner",
"compute:revert_resize": "rule:admin_or_owner",
"compute:rebuild": "rule:admin_or_owner",
"compute:reboot": "rule:admin_or_owner",
"compute:delete": "rule:admin_or_owner",
"compute:soft_delete": "rule:admin_or_owner",
"compute:force_delete": "rule:admin_or_owner",
"compute:security_groups:add_to_instance": "rule:admin_or_owner",
"compute:security_groups:remove_from_instance": "rule:admin_or_owner",
"compute:restore": "rule:admin_or_owner",
"compute:volume_snapshot_create": "rule:admin_or_owner",
"compute:volume_snapshot_delete": "rule:admin_or_owner",
"admin_api": "is_admin:True", "admin_api": "is_admin:True",
"compute_extension:accounts": "rule:admin_api",
"compute_extension:admin_actions": "rule:admin_api",
"compute_extension:admin_actions:pause": "rule:admin_or_owner",
"compute_extension:admin_actions:unpause": "rule:admin_or_owner",
"compute_extension:admin_actions:suspend": "rule:admin_or_owner",
"compute_extension:admin_actions:resume": "rule:admin_or_owner",
"compute_extension:admin_actions:lock": "rule:admin_or_owner",
"compute_extension:admin_actions:unlock": "rule:admin_or_owner",
"compute_extension:admin_actions:resetNetwork": "rule:admin_api",
"compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
"compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
"compute_extension:admin_actions:migrateLive": "rule:admin_api",
"compute_extension:admin_actions:resetState": "rule:admin_api",
"compute_extension:admin_actions:migrate": "rule:admin_api",
"compute_extension:aggregates": "rule:admin_api",
"compute_extension:agents": "rule:admin_api",
"compute_extension:attach_interfaces": "rule:admin_or_owner",
"compute_extension:baremetal_nodes": "rule:admin_api",
"compute_extension:cells": "rule:admin_api",
"compute_extension:cells:create": "rule:admin_api",
"compute_extension:cells:delete": "rule:admin_api",
"compute_extension:cells:update": "rule:admin_api",
"compute_extension:cells:sync_instances": "rule:admin_api",
"compute_extension:certificates": "rule:admin_or_owner",
"compute_extension:cloudpipe": "rule:admin_api",
"compute_extension:cloudpipe_update": "rule:admin_api",
"compute_extension:config_drive": "rule:admin_or_owner",
"compute_extension:console_output": "rule:admin_or_owner",
"compute_extension:consoles": "rule:admin_or_owner",
"compute_extension:createserverext": "rule:admin_or_owner",
"compute_extension:deferred_delete": "rule:admin_or_owner",
"compute_extension:disk_config": "rule:admin_or_owner",
"compute_extension:evacuate": "rule:admin_api",
"compute_extension:extended_server_attributes": "rule:admin_api",
"compute_extension:extended_status": "rule:admin_or_owner",
"compute_extension:extended_availability_zone": "rule:admin_or_owner",
"compute_extension:extended_ips": "rule:admin_or_owner",
"compute_extension:extended_ips_mac": "rule:admin_or_owner",
"compute_extension:extended_vif_net": "rule:admin_or_owner",
"compute_extension:extended_volumes": "rule:admin_or_owner",
"compute_extension:fixed_ips": "rule:admin_api",
"compute_extension:flavor_access": "rule:admin_or_owner",
"compute_extension:flavor_access:addTenantAccess": "rule:admin_api",
"compute_extension:flavor_access:removeTenantAccess": "rule:admin_api",
"compute_extension:flavor_disabled": "rule:admin_or_owner",
"compute_extension:flavor_rxtx": "rule:admin_or_owner",
"compute_extension:flavor_swap": "rule:admin_or_owner",
"compute_extension:flavorextradata": "rule:admin_or_owner",
"compute_extension:flavorextraspecs:index": "rule:admin_or_owner",
"compute_extension:flavorextraspecs:show": "rule:admin_or_owner",
"compute_extension:flavorextraspecs:create": "rule:admin_api",
"compute_extension:flavorextraspecs:update": "rule:admin_api",
"compute_extension:flavorextraspecs:delete": "rule:admin_api",
"compute_extension:flavormanage": "rule:admin_api",
"compute_extension:floating_ip_dns": "rule:admin_or_owner",
"compute_extension:floating_ip_pools": "rule:admin_or_owner",
"compute_extension:floating_ips": "rule:admin_or_owner",
"compute_extension:floating_ips_bulk": "rule:admin_api",
"compute_extension:fping": "rule:admin_or_owner",
"compute_extension:fping:all_tenants": "rule:admin_api",
"compute_extension:hide_server_addresses": "is_admin:False",
"compute_extension:hosts": "rule:admin_api",
"compute_extension:hypervisors": "rule:admin_api",
"compute_extension:image_size": "rule:admin_or_owner",
"compute_extension:instance_actions": "rule:admin_or_owner",
"compute_extension:instance_actions:events": "rule:admin_api",
"compute_extension:instance_usage_audit_log": "rule:admin_api",
"compute_extension:keypairs": "rule:admin_or_owner",
"compute_extension:keypairs:index": "rule:admin_or_owner",
"compute_extension:keypairs:show": "rule:admin_or_owner",
"compute_extension:keypairs:create": "rule:admin_or_owner",
"compute_extension:keypairs:delete": "rule:admin_or_owner",
"compute_extension:multinic": "rule:admin_or_owner",
"compute_extension:networks": "rule:admin_api",
"compute_extension:networks:view": "rule:admin_or_owner",
"compute_extension:networks_associate": "rule:admin_api",
"compute_extension:os-tenant-networks": "rule:admin_or_owner",
"compute_extension:quotas:show": "rule:admin_or_owner",
"compute_extension:quotas:update": "rule:admin_api",
"compute_extension:quotas:delete": "rule:admin_api",
"compute_extension:quota_classes": "rule:admin_or_owner",
"compute_extension:rescue": "rule:admin_or_owner",
"compute_extension:security_group_default_rules": "rule:admin_api",
"compute_extension:security_groups": "rule:admin_or_owner",
"compute_extension:server_diagnostics": "rule:admin_api",
"compute_extension:server_groups": "rule:admin_or_owner",
"compute_extension:server_password": "rule:admin_or_owner",
"compute_extension:server_usage": "rule:admin_or_owner",
"compute_extension:services": "rule:admin_api",
"compute_extension:shelve": "rule:admin_or_owner",
"compute_extension:shelveOffload": "rule:admin_api",
"compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
"compute_extension:simple_tenant_usage:list": "rule:admin_api",
"compute_extension:unshelve": "rule:admin_or_owner",
"compute_extension:users": "rule:admin_api",
"compute_extension:virtual_interfaces": "rule:admin_or_owner",
"compute_extension:virtual_storage_arrays": "rule:admin_or_owner",
"compute_extension:volumes": "rule:admin_or_owner",
"compute_extension:volume_attachments:index": "rule:admin_or_owner",
"compute_extension:volume_attachments:show": "rule:admin_or_owner",
"compute_extension:volume_attachments:create": "rule:admin_or_owner",
"compute_extension:volume_attachments:update": "rule:admin_api",
"compute_extension:volume_attachments:delete": "rule:admin_or_owner",
"compute_extension:volumetypes": "rule:admin_or_owner",
"compute_extension:availability_zone:list": "rule:admin_or_owner",
"compute_extension:availability_zone:detail": "rule:admin_api",
"compute_extension:used_limits_for_admin": "rule:admin_api",
"compute_extension:migrations:index": "rule:admin_api",
"compute_extension:os-assisted-volume-snapshots:create": "rule:admin_api",
"compute_extension:os-assisted-volume-snapshots:delete": "rule:admin_api",
"compute_extension:console_auth_tokens": "rule:admin_api",
"compute_extension:os-server-external-events:create": "rule:admin_api",
"network:get_all": "rule:admin_or_owner",
"network:get": "rule:admin_or_owner",
"network:create": "rule:admin_or_owner",
"network:delete": "rule:admin_or_owner",
"network:associate": "rule:admin_or_owner",
"network:disassociate": "rule:admin_or_owner",
"network:get_vifs_by_instance": "rule:admin_or_owner",
"network:allocate_for_instance": "rule:admin_or_owner",
"network:deallocate_for_instance": "rule:admin_or_owner",
"network:validate_networks": "rule:admin_or_owner",
"network:get_instance_uuids_by_ip_filter": "rule:admin_or_owner",
"network:get_instance_id_by_floating_address": "rule:admin_or_owner",
"network:setup_networks_on_host": "rule:admin_or_owner",
"network:get_backdoor_port": "rule:admin_or_owner",
"network:get_floating_ip": "rule:admin_or_owner",
"network:get_floating_ip_pools": "rule:admin_or_owner",
"network:get_floating_ip_by_address": "rule:admin_or_owner",
"network:get_floating_ips_by_project": "rule:admin_or_owner",
"network:get_floating_ips_by_fixed_address": "rule:admin_or_owner",
"network:allocate_floating_ip": "rule:admin_or_owner",
"network:associate_floating_ip": "rule:admin_or_owner",
"network:disassociate_floating_ip": "rule:admin_or_owner",
"network:release_floating_ip": "rule:admin_or_owner",
"network:migrate_instance_start": "rule:admin_or_owner",
"network:migrate_instance_finish": "rule:admin_or_owner",
"network:get_fixed_ip": "rule:admin_or_owner",
"network:get_fixed_ip_by_address": "rule:admin_or_owner",
"network:add_fixed_ip_to_instance": "rule:admin_or_owner",
"network:remove_fixed_ip_from_instance": "rule:admin_or_owner",
"network:add_network_to_project": "rule:admin_or_owner",
"network:get_instance_nw_info": "rule:admin_or_owner",
"network:get_dns_domains": "rule:admin_or_owner",
"network:add_dns_entry": "rule:admin_or_owner",
"network:modify_dns_entry": "rule:admin_or_owner",
"network:delete_dns_entry": "rule:admin_or_owner",
"network:get_dns_entries_by_address": "rule:admin_or_owner",
"network:get_dns_entries_by_name": "rule:admin_or_owner",
"network:create_private_dns_domain": "rule:admin_or_owner",
"network:create_public_dns_domain": "rule:admin_or_owner",
"network:delete_dns_domain": "rule:admin_or_owner",
"network:attach_external_network": "rule:admin_api",
"network:get_vif_by_mac_address": "rule:admin_or_owner",
"os_compute_api:servers:detail:get_all_tenants": "is_admin:True",
"os_compute_api:servers:index:get_all_tenants": "is_admin:True",
"os_compute_api:servers:confirm_resize": "rule:admin_or_owner",
"os_compute_api:servers:create": "rule:admin_or_owner",
"os_compute_api:servers:create:attach_network": "rule:admin_or_owner",
"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner",
"os_compute_api:servers:create:forced_host": "rule:admin_api",
"os_compute_api:servers:delete": "rule:admin_or_owner",
"os_compute_api:servers:update": "rule:admin_or_owner",
"os_compute_api:servers:detail": "rule:admin_or_owner",
"os_compute_api:servers:index": "rule:admin_or_owner",
"os_compute_api:servers:reboot": "rule:admin_or_owner",
"os_compute_api:servers:rebuild": "rule:admin_or_owner",
"os_compute_api:servers:resize": "rule:admin_or_owner",
"os_compute_api:servers:revert_resize": "rule:admin_or_owner",
"os_compute_api:servers:show": "rule:admin_or_owner",
"os_compute_api:servers:show:host_status": "rule:admin_api",
"os_compute_api:servers:create_image": "rule:admin_or_owner",
"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner",
"os_compute_api:servers:start": "rule:admin_or_owner",
"os_compute_api:servers:stop": "rule:admin_or_owner",
"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner",
"os_compute_api:servers:migrations:force_complete": "rule:admin_api",
"os_compute_api:servers:migrations:delete": "rule:admin_api",
"os_compute_api:servers:discoverable": "@",
"os_compute_api:servers:migrations:index": "rule:admin_api",
"os_compute_api:servers:migrations:show": "rule:admin_api",
"os_compute_api:os-access-ips:discoverable": "@",
"os_compute_api:os-access-ips": "rule:admin_or_owner",
"os_compute_api:os-admin-actions": "rule:admin_api",
"os_compute_api:os-admin-actions:discoverable": "@", "os_compute_api:os-admin-actions:discoverable": "@",
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
"os_compute_api:os-admin-actions:reset_state": "rule:admin_api", "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
"os_compute_api:os-admin-password": "rule:admin_or_owner", "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
"os_compute_api:os-admin-actions": "rule:admin_api",
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
"os_compute_api:os-admin-password:discoverable": "@", "os_compute_api:os-admin-password:discoverable": "@",
"os_compute_api:os-aggregates:discoverable": "@", "os_compute_api:os-admin-password": "rule:admin_or_owner",
"os_compute_api:os-aggregates:index": "rule:admin_api",
"os_compute_api:os-aggregates:create": "rule:admin_api",
"os_compute_api:os-aggregates:show": "rule:admin_api",
"os_compute_api:os-aggregates:update": "rule:admin_api",
"os_compute_api:os-aggregates:delete": "rule:admin_api",
"os_compute_api:os-aggregates:add_host": "rule:admin_api",
"os_compute_api:os-aggregates:remove_host": "rule:admin_api",
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
"os_compute_api:os-agents": "rule:admin_api", "os_compute_api:os-agents": "rule:admin_api",
"os_compute_api:os-agents:discoverable": "@", "os_compute_api:os-agents:discoverable": "@",
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
"os_compute_api:os-aggregates:add_host": "rule:admin_api",
"os_compute_api:os-aggregates:discoverable": "@",
"os_compute_api:os-aggregates:create": "rule:admin_api",
"os_compute_api:os-aggregates:remove_host": "rule:admin_api",
"os_compute_api:os-aggregates:update": "rule:admin_api",
"os_compute_api:os-aggregates:index": "rule:admin_api",
"os_compute_api:os-aggregates:delete": "rule:admin_api",
"os_compute_api:os-aggregates:show": "rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:discoverable": "@",
"os_compute_api:os-attach-interfaces": "rule:admin_or_owner", "os_compute_api:os-attach-interfaces": "rule:admin_or_owner",
"os_compute_api:os-attach-interfaces:discoverable": "@", "os_compute_api:os-attach-interfaces:discoverable": "@",
"os_compute_api:os-baremetal-nodes": "rule:admin_api", "os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
"os_compute_api:os-availability-zone:discoverable": "@",
"os_compute_api:os-availability-zone:detail": "rule:admin_api",
"os_compute_api:os-baremetal-nodes:discoverable": "@", "os_compute_api:os-baremetal-nodes:discoverable": "@",
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
"network:attach_external_network": "is_admin:True",
"os_compute_api:os-block-device-mapping:discoverable": "@",
"os_compute_api:os-block-device-mapping-v1:discoverable": "@", "os_compute_api:os-block-device-mapping-v1:discoverable": "@",
"os_compute_api:os-cells": "rule:admin_api",
"os_compute_api:os-cells:create": "rule:admin_api",
"os_compute_api:os-cells:delete": "rule:admin_api",
"os_compute_api:os-cells:update": "rule:admin_api",
"os_compute_api:os-cells:sync_instances": "rule:admin_api",
"os_compute_api:os-cells:discoverable": "@", "os_compute_api:os-cells:discoverable": "@",
"os_compute_api:os-cells:update": "rule:admin_api",
"os_compute_api:os-cells:create": "rule:admin_api",
"os_compute_api:os-cells": "rule:admin_api",
"os_compute_api:os-cells:sync_instances": "rule:admin_api",
"os_compute_api:os-cells:delete": "rule:admin_api",
"cells_scheduler_filter:DifferentCellFilter": "is_admin:True",
"cells_scheduler_filter:TargetCellFilter": "is_admin:True",
"os_compute_api:os-certificates:discoverable": "@",
"os_compute_api:os-certificates:create": "rule:admin_or_owner", "os_compute_api:os-certificates:create": "rule:admin_or_owner",
"os_compute_api:os-certificates:show": "rule:admin_or_owner", "os_compute_api:os-certificates:show": "rule:admin_or_owner",
"os_compute_api:os-certificates:discoverable": "@",
"os_compute_api:os-cloudpipe": "rule:admin_api", "os_compute_api:os-cloudpipe": "rule:admin_api",
"os_compute_api:os-cloudpipe:discoverable": "@", "os_compute_api:os-cloudpipe:discoverable": "@",
"os_compute_api:os-config-drive": "rule:admin_or_owner",
"os_compute_api:os-config-drive:discoverable": "@", "os_compute_api:os-config-drive:discoverable": "@",
"os_compute_api:os-consoles:discoverable": "@", "os_compute_api:os-config-drive": "rule:admin_or_owner",
"os_compute_api:os-consoles:create": "rule:admin_or_owner", "os_compute_api:os-console-auth-tokens:discoverable": "@",
"os_compute_api:os-consoles:delete": "rule:admin_or_owner", "os_compute_api:os-console-auth-tokens": "rule:admin_api",
"os_compute_api:os-consoles:index": "rule:admin_or_owner",
"os_compute_api:os-consoles:show": "rule:admin_or_owner",
"os_compute_api:os-console-output:discoverable": "@", "os_compute_api:os-console-output:discoverable": "@",
"os_compute_api:os-console-output": "rule:admin_or_owner", "os_compute_api:os-console-output": "rule:admin_or_owner",
"os_compute_api:os-remote-consoles": "rule:admin_or_owner", "os_compute_api:os-consoles:create": "rule:admin_or_owner",
"os_compute_api:os-remote-consoles:discoverable": "@", "os_compute_api:os-consoles:show": "rule:admin_or_owner",
"os_compute_api:os-consoles:delete": "rule:admin_or_owner",
"os_compute_api:os-consoles:discoverable": "@",
"os_compute_api:os-consoles:index": "rule:admin_or_owner",
"os_compute_api:os-create-backup:discoverable": "@", "os_compute_api:os-create-backup:discoverable": "@",
"os_compute_api:os-create-backup": "rule:admin_or_owner", "os_compute_api:os-create-backup": "rule:admin_or_owner",
"os_compute_api:os-deferred-delete": "rule:admin_or_owner",
"os_compute_api:os-deferred-delete:discoverable": "@", "os_compute_api:os-deferred-delete:discoverable": "@",
"os_compute_api:os-disk-config": "rule:admin_or_owner", "os_compute_api:os-deferred-delete": "rule:admin_or_owner",
"os_compute_api:os-disk-config:discoverable": "@",
"os_compute_api:os-evacuate": "rule:admin_api",
"os_compute_api:os-evacuate:discoverable": "@", "os_compute_api:os-evacuate:discoverable": "@",
"os_compute_api:os-extended-server-attributes": "rule:admin_api", "os_compute_api:os-evacuate": "rule:admin_api",
"os_compute_api:os-extended-server-attributes:discoverable": "@",
"os_compute_api:os-extended-status": "rule:admin_or_owner",
"os_compute_api:os-extended-status:discoverable": "@",
"os_compute_api:os-extended-availability-zone": "rule:admin_or_owner", "os_compute_api:os-extended-availability-zone": "rule:admin_or_owner",
"os_compute_api:os-extended-availability-zone:discoverable": "@", "os_compute_api:os-extended-availability-zone:discoverable": "@",
"os_compute_api:extensions": "rule:admin_or_owner", "os_compute_api:os-extended-server-attributes": "rule:admin_api",
"os_compute_api:extensions:discoverable": "@", "os_compute_api:os-extended-server-attributes:discoverable": "@",
"os_compute_api:extension_info:discoverable": "@", "os_compute_api:os-extended-status:discoverable": "@",
"os_compute_api:os-extended-status": "rule:admin_or_owner",
"os_compute_api:os-extended-volumes": "rule:admin_or_owner", "os_compute_api:os-extended-volumes": "rule:admin_or_owner",
"os_compute_api:os-extended-volumes:discoverable": "@", "os_compute_api:os-extended-volumes:discoverable": "@",
"os_compute_api:os-fixed-ips": "rule:admin_api", "os_compute_api:extension_info:discoverable": "@",
"os_compute_api:extensions": "rule:admin_or_owner",
"os_compute_api:extensions:discoverable": "@",
"os_compute_api:os-fixed-ips:discoverable": "@", "os_compute_api:os-fixed-ips:discoverable": "@",
"os_compute_api:os-flavor-access": "rule:admin_or_owner", "os_compute_api:os-fixed-ips": "rule:admin_api",
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
"os_compute_api:os-flavor-access:discoverable": "@", "os_compute_api:os-flavor-access:discoverable": "@",
"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api", "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api", "os_compute_api:os-flavor-access": "rule:admin_or_owner",
"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner",
"os_compute_api:os-flavor-rxtx:discoverable": "@",
"os_compute_api:flavors": "rule:admin_or_owner",
"os_compute_api:flavors:discoverable": "@",
"os_compute_api:os-flavor-extra-specs:discoverable": "@",
"os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner",
"os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner", "os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner",
"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api", "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:discoverable": "@",
"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api", "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api", "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
"os_compute_api:os-flavor-manage:discoverable": "@", "os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner",
"os_compute_api:os-flavor-manage": "rule:admin_api", "os_compute_api:os-flavor-manage": "rule:admin_api",
"os_compute_api:os-flavor-manage:discoverable": "@",
"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner",
"os_compute_api:os-flavor-rxtx:discoverable": "@",
"os_compute_api:flavors:discoverable": "@",
"os_compute_api:flavors": "rule:admin_or_owner",
"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner", "os_compute_api:os-floating-ip-dns": "rule:admin_or_owner",
"os_compute_api:os-floating-ip-dns:discoverable": "@",
"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api", "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api",
"os_compute_api:os-floating-ip-dns:discoverable": "@",
"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api", "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api",
"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner",
"os_compute_api:os-floating-ip-pools:discoverable": "@", "os_compute_api:os-floating-ip-pools:discoverable": "@",
"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner",
"os_compute_api:os-floating-ips": "rule:admin_or_owner", "os_compute_api:os-floating-ips": "rule:admin_or_owner",
"os_compute_api:os-floating-ips:discoverable": "@", "os_compute_api:os-floating-ips:discoverable": "@",
"os_compute_api:os-floating-ips-bulk": "rule:admin_api",
"os_compute_api:os-floating-ips-bulk:discoverable": "@", "os_compute_api:os-floating-ips-bulk:discoverable": "@",
"os_compute_api:os-fping": "rule:admin_or_owner", "os_compute_api:os-floating-ips-bulk": "rule:admin_api",
"os_compute_api:os-fping:discoverable": "@",
"os_compute_api:os-fping:all_tenants": "rule:admin_api", "os_compute_api:os-fping:all_tenants": "rule:admin_api",
"os_compute_api:os-hide-server-addresses": "is_admin:False", "os_compute_api:os-fping:discoverable": "@",
"os_compute_api:os-fping": "rule:admin_or_owner",
"os_compute_api:os-hide-server-addresses:discoverable": "@", "os_compute_api:os-hide-server-addresses:discoverable": "@",
"os_compute_api:os-hosts": "rule:admin_api", "os_compute_api:os-hide-server-addresses": "is_admin:False",
"os_compute_api:os-hosts:discoverable": "@", "os_compute_api:os-hosts:discoverable": "@",
"os_compute_api:os-hypervisors": "rule:admin_api", "os_compute_api:os-hosts": "rule:admin_api",
"os_compute_api:os-hypervisors:discoverable": "@", "os_compute_api:os-hypervisors:discoverable": "@",
"os_compute_api:images:discoverable": "@", "os_compute_api:os-hypervisors": "rule:admin_api",
"os_compute_api:image-size": "rule:admin_or_owner", "os_compute_api:image-metadata:discoverable": "@",
"os_compute_api:image-size:discoverable": "@", "os_compute_api:image-size:discoverable": "@",
"os_compute_api:image-size": "rule:admin_or_owner",
"os_compute_api:images:discoverable": "@",
"os_compute_api:os-instance-actions:events": "rule:admin_api",
"os_compute_api:os-instance-actions": "rule:admin_or_owner", "os_compute_api:os-instance-actions": "rule:admin_or_owner",
"os_compute_api:os-instance-actions:discoverable": "@", "os_compute_api:os-instance-actions:discoverable": "@",
"os_compute_api:os-instance-actions:events": "rule:admin_api",
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api", "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
"os_compute_api:os-instance-usage-audit-log:discoverable": "@", "os_compute_api:os-instance-usage-audit-log:discoverable": "@",
"os_compute_api:ips:discoverable": "@", "os_compute_api:ips:discoverable": "@",
"os_compute_api:ips:index": "rule:admin_or_owner",
"os_compute_api:ips:show": "rule:admin_or_owner", "os_compute_api:ips:show": "rule:admin_or_owner",
"os_compute_api:ips:index": "rule:admin_or_owner",
"os_compute_api:os-keypairs:discoverable": "@", "os_compute_api:os-keypairs:discoverable": "@",
"os_compute_api:os-keypairs": "rule:admin_or_owner",
"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s", "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s", "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s", "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
"os_compute_api:os-keypairs": "rule:admin_or_owner",
"os_compute_api:limits:discoverable": "@", "os_compute_api:limits:discoverable": "@",
"os_compute_api:limits": "rule:admin_or_owner", "os_compute_api:limits": "rule:admin_or_owner",
"os_compute_api:os-lock-server:discoverable": "@", "os_compute_api:os-lock-server:discoverable": "@",
"os_compute_api:os-lock-server:lock": "rule:admin_or_owner", "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
"os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api", "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
"os_compute_api:os-migrate-server:discoverable": "@", "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
"os_compute_api:os-migrate-server:migrate": "rule:admin_api", "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
"os_compute_api:os-migrate-server:discoverable": "@",
"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api", "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
"os_compute_api:os-migrations:index": "rule:admin_api",
"os_compute_api:os-migrations:discoverable": "@",
"os_compute_api:os-multinic": "rule:admin_or_owner", "os_compute_api:os-multinic": "rule:admin_or_owner",
"os_compute_api:os-multinic:discoverable": "@", "os_compute_api:os-multinic:discoverable": "@",
"os_compute_api:os-multiple-create:discoverable": "@",
"os_compute_api:os-networks:discoverable": "@",
"os_compute_api:os-networks": "rule:admin_api", "os_compute_api:os-networks": "rule:admin_api",
"os_compute_api:os-networks:view": "rule:admin_or_owner", "os_compute_api:os-networks:view": "rule:admin_or_owner",
"os_compute_api:os-networks:discoverable": "@",
"os_compute_api:os-networks-associate": "rule:admin_api", "os_compute_api:os-networks-associate": "rule:admin_api",
"os_compute_api:os-networks-associate:discoverable": "@", "os_compute_api:os-networks-associate:discoverable": "@",
"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
"os_compute_api:os-pause-server:discoverable": "@", "os_compute_api:os-pause-server:discoverable": "@",
"os_compute_api:os-pause-server:pause": "rule:admin_or_owner", "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
"os_compute_api:os-pci:pci_servers": "rule:admin_or_owner",
"os_compute_api:os-pci:discoverable": "@",
"os_compute_api:os-pci:index": "rule:admin_api", "os_compute_api:os-pci:index": "rule:admin_api",
"os_compute_api:os-pci:detail": "rule:admin_api", "os_compute_api:os-pci:detail": "rule:admin_api",
"os_compute_api:os-pci:pci_servers": "rule:admin_or_owner",
"os_compute_api:os-pci:show": "rule:admin_api", "os_compute_api:os-pci:show": "rule:admin_api",
"os_compute_api:os-personality:discoverable": "@", "os_compute_api:os-pci:discoverable": "@",
"os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "@",
"os_compute_api:os-quota-sets:discoverable": "@",
"os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
"os_compute_api:os-quota-sets:defaults": "@",
"os_compute_api:os-quota-sets:update": "rule:admin_api",
"os_compute_api:os-quota-sets:delete": "rule:admin_api",
"os_compute_api:os-quota-sets:detail": "rule:admin_api",
"os_compute_api:os-quota-class-sets:update": "rule:admin_api",
"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s", "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
"os_compute_api:os-quota-class-sets:discoverable": "@", "os_compute_api:os-quota-class-sets:discoverable": "@",
"os_compute_api:os-rescue": "rule:admin_or_owner", "os_compute_api:os-quota-class-sets:update": "rule:admin_api",
"os_compute_api:os-quota-sets:update": "rule:admin_api",
"os_compute_api:os-quota-sets:defaults": "@",
"os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
"os_compute_api:os-quota-sets:delete": "rule:admin_api",
"os_compute_api:os-quota-sets:discoverable": "@",
"os_compute_api:os-quota-sets:detail": "rule:admin_api",
"os_compute_api:os-remote-consoles": "rule:admin_or_owner",
"os_compute_api:os-remote-consoles:discoverable": "@",
"os_compute_api:os-rescue:discoverable": "@", "os_compute_api:os-rescue:discoverable": "@",
"os_compute_api:os-rescue": "rule:admin_or_owner",
"os_compute_api:os-scheduler-hints:discoverable": "@", "os_compute_api:os-scheduler-hints:discoverable": "@",
"os_compute_api:os-security-group-default-rules:discoverable": "@", "os_compute_api:os-security-group-default-rules:discoverable": "@",
"os_compute_api:os-security-group-default-rules": "rule:admin_api", "os_compute_api:os-security-group-default-rules": "rule:admin_api",
@ -439,62 +178,82 @@
"os_compute_api:os-security-groups:discoverable": "@", "os_compute_api:os-security-groups:discoverable": "@",
"os_compute_api:os-server-diagnostics": "rule:admin_api", "os_compute_api:os-server-diagnostics": "rule:admin_api",
"os_compute_api:os-server-diagnostics:discoverable": "@", "os_compute_api:os-server-diagnostics:discoverable": "@",
"os_compute_api:os-server-password": "rule:admin_or_owner", "os_compute_api:os-server-external-events:create": "rule:admin_api",
"os_compute_api:os-server-password:discoverable": "@", "os_compute_api:os-server-external-events:discoverable": "@",
"os_compute_api:os-server-usage": "rule:admin_or_owner",
"os_compute_api:os-server-usage:discoverable": "@",
"os_compute_api:os-server-groups": "rule:admin_or_owner",
"os_compute_api:os-server-groups:discoverable": "@", "os_compute_api:os-server-groups:discoverable": "@",
"os_compute_api:os-server-tags:index": "@", "os_compute_api:os-server-groups": "rule:admin_or_owner",
"os_compute_api:os-server-tags:show": "@",
"os_compute_api:os-server-tags:update": "@",
"os_compute_api:os-server-tags:update_all": "@",
"os_compute_api:os-server-tags:delete": "@",
"os_compute_api:os-server-tags:delete_all": "@",
"os_compute_api:os-services": "rule:admin_api",
"os_compute_api:os-services:discoverable": "@",
"os_compute_api:server-metadata:discoverable": "@",
"os_compute_api:server-metadata:index": "rule:admin_or_owner", "os_compute_api:server-metadata:index": "rule:admin_or_owner",
"os_compute_api:server-metadata:show": "rule:admin_or_owner", "os_compute_api:server-metadata:show": "rule:admin_or_owner",
"os_compute_api:server-metadata:delete": "rule:admin_or_owner",
"os_compute_api:server-metadata:create": "rule:admin_or_owner", "os_compute_api:server-metadata:create": "rule:admin_or_owner",
"os_compute_api:server-metadata:update": "rule:admin_or_owner", "os_compute_api:server-metadata:discoverable": "@",
"os_compute_api:server-metadata:update_all": "rule:admin_or_owner", "os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
"os_compute_api:server-metadata:delete": "rule:admin_or_owner",
"os_compute_api:server-metadata:update": "rule:admin_or_owner",
"os_compute_api:os-server-password": "rule:admin_or_owner",
"os_compute_api:os-server-password:discoverable": "@",
"os_compute_api:os-server-tags:delete_all": "@",
"os_compute_api:os-server-tags:index": "@",
"os_compute_api:os-server-tags:update_all": "@",
"os_compute_api:os-server-tags:delete": "@",
"os_compute_api:os-server-tags:update": "@",
"os_compute_api:os-server-tags:show": "@",
"os_compute_api:os-server-tags:discoverable": "@",
"os_compute_api:os-server-usage": "rule:admin_or_owner",
"os_compute_api:os-server-usage:discoverable": "@",
"os_compute_api:servers:index": "rule:admin_or_owner",
"os_compute_api:servers:detail": "rule:admin_or_owner",
"os_compute_api:servers:detail:get_all_tenants": "rule:admin_api",
"os_compute_api:servers:index:get_all_tenants": "rule:admin_api",
"os_compute_api:servers:show": "rule:admin_or_owner",
"os_compute_api:servers:show:host_status": "rule:admin_api",
"os_compute_api:servers:create": "rule:admin_or_owner",
"os_compute_api:servers:create:forced_host": "rule:admin_or_owner",
"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner",
"os_compute_api:servers:create:attach_network": "rule:admin_or_owner",
"os_compute_api:servers:delete": "rule:admin_or_owner",
"os_compute_api:servers:update": "rule:admin_or_owner",
"os_compute_api:servers:confirm_resize": "rule:admin_or_owner",
"os_compute_api:servers:revert_resize": "rule:admin_or_owner",
"os_compute_api:servers:reboot": "rule:admin_or_owner",
"os_compute_api:servers:resize": "rule:admin_or_owner",
"os_compute_api:servers:rebuild": "rule:admin_or_owner",
"os_compute_api:servers:create_image": "rule:admin_or_owner",
"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner",
"os_compute_api:servers:start": "rule:admin_or_owner",
"os_compute_api:servers:stop": "rule:admin_or_owner",
"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner",
"os_compute_api:servers:discoverable": "@",
"os_compute_api:servers:migrations:show": "rule:admin_api",
"os_compute_api:servers:migrations:force_complete": "rule:admin_api",
"os_compute_api:servers:migrations:delete": "rule:admin_api",
"os_compute_api:servers:migrations:index": "rule:admin_api",
"os_compute_api:server-migrations:discoverable": "@",
"os_compute_api:os-services": "rule:admin_api",
"os_compute_api:os-services:discoverable": "@",
"os_compute_api:os-shelve:shelve": "rule:admin_or_owner", "os_compute_api:os-shelve:shelve": "rule:admin_or_owner",
"os_compute_api:os-shelve:shelve:discoverable": "@", "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner",
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api", "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
"os_compute_api:os-simple-tenant-usage:discoverable": "@", "os_compute_api:os-shelve:discoverable": "@",
"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner", "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api", "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
"os_compute_api:os-suspend-server:discoverable": "@", "os_compute_api:os-simple-tenant-usage:discoverable": "@",
"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner", "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
"os_compute_api:os-suspend-server:discoverable": "@",
"os_compute_api:os-tenant-networks": "rule:admin_or_owner", "os_compute_api:os-tenant-networks": "rule:admin_or_owner",
"os_compute_api:os-tenant-networks:discoverable": "@", "os_compute_api:os-tenant-networks:discoverable": "@",
"os_compute_api:os-shelve:unshelve": "rule:admin_or_owner",
"os_compute_api:os-user-data:discoverable": "@",
"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner",
"os_compute_api:os-virtual-interfaces:discoverable": "@",
"os_compute_api:os-volumes": "rule:admin_or_owner",
"os_compute_api:os-volumes:discoverable": "@",
"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:update": "rule:admin_api",
"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:discoverable": "@",
"os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
"os_compute_api:os-availability-zone:discoverable": "@",
"os_compute_api:os-availability-zone:detail": "rule:admin_api",
"os_compute_api:os-used-limits": "rule:admin_api",
"os_compute_api:os-used-limits:discoverable": "@", "os_compute_api:os-used-limits:discoverable": "@",
"os_compute_api:os-migrations:index": "rule:admin_api", "os_compute_api:os-used-limits": "rule:admin_api",
"os_compute_api:os-migrations:discoverable": "@", "os_compute_api:os-user-data:discoverable": "@",
"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api", "os_compute_api:versions:discoverable": "@",
"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api", "os_compute_api:os-virtual-interfaces:discoverable": "@",
"os_compute_api:os-assisted-volume-snapshots:discoverable": "@", "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner",
"os_compute_api:os-console-auth-tokens": "rule:admin_api", "os_compute_api:os-volumes:discoverable": "@",
"os_compute_api:os-console-auth-tokens:discoverable": "@", "os_compute_api:os-volumes": "rule:admin_or_owner",
"os_compute_api:os-server-external-events:create": "rule:admin_api", "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
"os_compute_api:os-server-external-events:discoverable": "@" "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:discoverable": "@",
"os_compute_api:os-volumes-attachments:update": "rule:admin_api",
"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
} }


@ -27,7 +27,7 @@ class EvacuateHost(tables.LinkAction):
verbose_name = _("Evacuate Host") verbose_name = _("Evacuate Host")
url = "horizon:admin:hypervisors:compute:evacuate_host" url = "horizon:admin:hypervisors:compute:evacuate_host"
classes = ("ajax-modal", "btn-migrate") classes = ("ajax-modal", "btn-migrate")
policy_rules = (("compute", "compute_extension:evacuate"),) policy_rules = (("compute", "os_compute_api:os-evacuate"),)
def __init__(self, **kwargs): def __init__(self, **kwargs):
super(EvacuateHost, self).__init__(**kwargs) super(EvacuateHost, self).__init__(**kwargs)
@ -45,7 +45,7 @@ class DisableService(policy.PolicyTargetMixin, tables.LinkAction):
verbose_name = _("Disable Service") verbose_name = _("Disable Service")
url = "horizon:admin:hypervisors:compute:disable_service" url = "horizon:admin:hypervisors:compute:disable_service"
classes = ("ajax-modal", "btn-confirm") classes = ("ajax-modal", "btn-confirm")
policy_rules = (("compute", "compute_extension:services"),) policy_rules = (("compute", "os_compute_api:os-services"),)
def allowed(self, request, service): def allowed(self, request, service):
if not api.nova.extension_supported('AdminActions', request): if not api.nova.extension_supported('AdminActions', request):
@ -56,7 +56,7 @@ class DisableService(policy.PolicyTargetMixin, tables.LinkAction):
class EnableService(policy.PolicyTargetMixin, tables.BatchAction): class EnableService(policy.PolicyTargetMixin, tables.BatchAction):
name = "enable" name = "enable"
policy_rules = (("compute", "compute_extension:services"),) policy_rules = (("compute", "os_compute_api:os-services"),)
@staticmethod @staticmethod
def action_present(count): def action_present(count):
@ -86,7 +86,7 @@ class EnableService(policy.PolicyTargetMixin, tables.BatchAction):
class MigrateMaintenanceHost(tables.LinkAction): class MigrateMaintenanceHost(tables.LinkAction):
name = "migrate_maintenance" name = "migrate_maintenance"
policy_rules = (("compute", "compute_extension:admin_actions:migrate"),) policy_rules = (("compute", "os_compute_api:os-migrate-server:migrate"),)
classes = ('ajax-modal', 'btn-migrate') classes = ('ajax-modal', 'btn-migrate')
verbose_name = _("Migrate Host") verbose_name = _("Migrate Host")
url = "horizon:admin:hypervisors:compute:migrate_host" url = "horizon:admin:hypervisors:compute:migrate_host"


@ -21,4 +21,4 @@ class Hypervisors(horizon.Panel):
name = _("Hypervisors") name = _("Hypervisors")
slug = 'hypervisors' slug = 'hypervisors'
permissions = ('openstack.services.compute',) permissions = ('openstack.services.compute',)
policy_rules = (("compute", "compute_extension:hypervisors"),) policy_rules = (("compute", "os_compute_api:os-hypervisors"),)


@ -43,7 +43,7 @@ class AdminLogLink(project_tables.LogLink):
class MigrateInstance(policy.PolicyTargetMixin, tables.BatchAction): class MigrateInstance(policy.PolicyTargetMixin, tables.BatchAction):
name = "migrate" name = "migrate"
classes = ("btn-migrate",) classes = ("btn-migrate",)
policy_rules = (("compute", "compute_extension:admin_actions:migrate"),) policy_rules = (("compute", "os_compute_api:os-migrate-server:migrate"),)
help_text = _("Migrating instances may cause some unrecoverable results.") help_text = _("Migrating instances may cause some unrecoverable results.")
action_type = "danger" action_type = "danger"
@ -79,7 +79,7 @@ class LiveMigrateInstance(policy.PolicyTargetMixin,
url = "horizon:admin:instances:live_migrate" url = "horizon:admin:instances:live_migrate"
classes = ("ajax-modal", "btn-migrate") classes = ("ajax-modal", "btn-migrate")
policy_rules = ( policy_rules = (
("compute", "compute_extension:admin_actions:migrateLive"),) ("compute", "os_compute_api:os-migrate-server:migrate_live"),)
action_type = "danger" action_type = "danger"
def allowed(self, request, instance): def allowed(self, request, instance):


@ -98,7 +98,7 @@ class UsageLink(tables.LinkAction):
verbose_name = _("View Usage") verbose_name = _("View Usage")
url = "horizon:identity:projects:usage" url = "horizon:identity:projects:usage"
icon = "stats" icon = "stats"
policy_rules = (("compute", "compute_extension:simple_tenant_usage:show"),) policy_rules = (("compute", "os_compute_api:os-simple-tenant-usage:show"),)
def allowed(self, request, project): def allowed(self, request, project):
return (request.user.is_superuser and return (request.user.is_superuser and
@ -146,7 +146,7 @@ class ModifyQuotas(tables.LinkAction):
url = "horizon:identity:projects:update" url = "horizon:identity:projects:update"
classes = ("ajax-modal",) classes = ("ajax-modal",)
icon = "pencil" icon = "pencil"
policy_rules = (('compute', "compute_extension:quotas:update"),) policy_rules = (('compute', "os_compute_api:os-quota-sets:update"),)
def allowed(self, request, datum): def allowed(self, request, datum):
if api.keystone.VERSIONS.active < 3: if api.keystone.VERSIONS.active < 3:


@ -37,8 +37,8 @@ class DownloadEC2(tables.LinkAction):
verbose_name = _("Download EC2 Credentials") verbose_name = _("Download EC2 Credentials")
verbose_name_plural = _("Download EC2 Credentials") verbose_name_plural = _("Download EC2 Credentials")
icon = "download" icon = "download"
url = "horizon:project:api_access:ec2" url = "horizon:project:access_and_security:api_access:ec2"
policy_rules = (("compute", "compute_extension:certificates"),) policy_rules = (("compute", "os_compute_api:os-certificates:create"),)
def allowed(self, request, datum=None): def allowed(self, request, datum=None):
return api.base.is_service_enabled(request, 'ec2') return api.base.is_service_enabled(request, 'ec2')
@ -77,8 +77,8 @@ class RecreateCredentials(tables.LinkAction):
classes = ("ajax-modal",) classes = ("ajax-modal",)
icon = "refresh" icon = "refresh"
url = \ url = \
"horizon:project:api_access:recreate_credentials" "horizon:project:access_and_security:api_access:recreate_credentials"
policy_rules = (("compute", "compute_extension:certificates")) policy_rules = (("compute", "os_compute_api:certificates:create"))
action_type = "danger" action_type = "danger"
def allowed(self, request, datum=None): def allowed(self, request, datum=None):
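Review bot: The new `policy_rules` on RecreateCredentials is not a tuple of (scope, rule) pairs, because `(("compute", "os_compute_api:certificates:create"))` has no trailing comma and so evaluates to the flat pair `("compute", "os_compute_api:certificates:create")`. The rule name also drops the `os-` prefix that DownloadEC2 uses in the previous hunk, so even a well-formed tuple would look up a different rule from the one an operator configures for certificates. How the policy checker treats the malformed value is not visible here, but in either case the action's visibility can drift from what the deployed policy intends. I would write `policy_rules = (("compute", "os_compute_api:os-certificates:create"),)`. The class body continues outside the hunk.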


@ -61,8 +61,7 @@ class AllocateIP(tables.LinkAction):
if api.base.is_service_enabled(request, "network"): if api.base.is_service_enabled(request, "network"):
policy_rules = (("network", "create_floatingip"),) policy_rules = (("network", "create_floatingip"),)
else: else:
policy_rules = (("compute", "compute_extension:floating_ips"), policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
("compute", "network:allocate_floating_ip"),)
return policy.check(policy_rules, request) return policy.check(policy_rules, request)
@ -94,8 +93,7 @@ class ReleaseIPs(tables.BatchAction):
if api.base.is_service_enabled(request, "network"): if api.base.is_service_enabled(request, "network"):
policy_rules = (("network", "delete_floatingip"),) policy_rules = (("network", "delete_floatingip"),)
else: else:
policy_rules = (("compute", "compute_extension:floating_ips"), policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
("compute", "network:release_floating_ip"),)
return policy.check(policy_rules, request) return policy.check(policy_rules, request)
@ -114,8 +112,7 @@ class AssociateIP(tables.LinkAction):
if api.base.is_service_enabled(request, "network"): if api.base.is_service_enabled(request, "network"):
policy_rules = (("network", "update_floatingip"),) policy_rules = (("network", "update_floatingip"),)
else: else:
policy_rules = (("compute", "compute_extension:floating_ips"), policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
("compute", "network:associate_floating_ip"),)
return not fip.port_id and policy.check(policy_rules, request) return not fip.port_id and policy.check(policy_rules, request)
@ -136,8 +133,7 @@ class DisassociateIP(tables.Action):
if api.base.is_service_enabled(request, "network"): if api.base.is_service_enabled(request, "network"):
policy_rules = (("network", "update_floatingip"),) policy_rules = (("network", "update_floatingip"),)
else: else:
policy_rules = (("compute", "compute_extension:floating_ips"), policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
("compute", "network:disassociate_floating_ip"),)
return fip.port_id and policy.check(policy_rules, request) return fip.port_id and policy.check(policy_rules, request)
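Review bot: The fallback branch of `AllocateIP.allowed` now checks only `os_compute_api:os-floating-ips`, and the same single rule is used in the `ReleaseIPs`, `AssociateIP` and `DisassociateIP` hunks. Allocate, release, associate and disassociate can therefore no longer be restricted separately when the network service is disabled, and nothing in this file records that this is deliberate. The instances tables changed by the same commit carry a comment on this; I would add the equivalent above each fallback assignment here, for example `# Nova exposes one floating IP policy rule; revisit when bug #1610520 is resolved`. Each `allowed` method starts outside its hunk.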


@ -36,7 +36,7 @@ class LaunchImage(tables.LinkAction):
url = "horizon:project:instances:launch" url = "horizon:project:instances:launch"
classes = ("ajax-modal", "btn-launch") classes = ("ajax-modal", "btn-launch")
icon = "cloud-upload" icon = "cloud-upload"
policy_rules = (("compute", "compute:create"),) policy_rules = (("compute", "os_compute_api:servers:create"),)
def get_link_url(self, datum): def get_link_url(self, datum):
base_url = reverse(self.url) base_url = reverse(self.url)


@ -81,7 +81,7 @@ def is_deleting(instance):
class DeleteInstance(policy.PolicyTargetMixin, tables.DeleteAction): class DeleteInstance(policy.PolicyTargetMixin, tables.DeleteAction):
policy_rules = (("compute", "compute:delete"),) policy_rules = (("compute", "os_compute_api:servers:delete"),)
help_text = _("Deleted instances are not recoverable.") help_text = _("Deleted instances are not recoverable.")
@staticmethod @staticmethod
@ -116,7 +116,7 @@ class DeleteInstance(policy.PolicyTargetMixin, tables.DeleteAction):
class RebootInstance(policy.PolicyTargetMixin, tables.BatchAction): class RebootInstance(policy.PolicyTargetMixin, tables.BatchAction):
name = "reboot" name = "reboot"
classes = ('btn-reboot',) classes = ('btn-reboot',)
policy_rules = (("compute", "compute:reboot"),) policy_rules = (("compute", "os_compute_api:servers:reboot"),)
help_text = _("Restarted instances will lose any data" help_text = _("Restarted instances will lose any data"
" not saved in persistent storage.") " not saved in persistent storage.")
action_type = "danger" action_type = "danger"
@ -216,11 +216,11 @@ class TogglePause(tables.BatchAction):
if self.paused: if self.paused:
self.current_present_action = UNPAUSE self.current_present_action = UNPAUSE
policy_rules = ( policy_rules = (
("compute", "compute_extension:admin_actions:unpause"),) ("compute", "os_compute_api:os-pause-server:unpause"),)
else: else:
self.current_present_action = PAUSE self.current_present_action = PAUSE
policy_rules = ( policy_rules = (
("compute", "compute_extension:admin_actions:pause"),) ("compute", "os_compute_api:os-pause-server:pause"),)
has_permission = policy.check( has_permission = policy.check(
policy_rules, request, policy_rules, request,
@ -283,11 +283,11 @@ class ToggleSuspend(tables.BatchAction):
if self.suspended: if self.suspended:
self.current_present_action = RESUME self.current_present_action = RESUME
policy_rules = ( policy_rules = (
("compute", "compute_extension:admin_actions:resume"),) ("compute", "os_compute_api:os-rescue"),)
else: else:
self.current_present_action = SUSPEND self.current_present_action = SUSPEND
policy_rules = ( policy_rules = (
("compute", "compute_extension:admin_actions:suspend"),) ("compute", "os_compute_api:os-suspend-server:suspend"),)
has_permission = policy.check( has_permission = policy.check(
policy_rules, request, policy_rules, request,
@ -352,10 +352,10 @@ class ToggleShelve(tables.BatchAction):
self.shelved = instance.status == "SHELVED_OFFLOADED" self.shelved = instance.status == "SHELVED_OFFLOADED"
if self.shelved: if self.shelved:
self.current_present_action = UNSHELVE self.current_present_action = UNSHELVE
policy_rules = (("compute", "compute_extension:unshelve"),) policy_rules = (("compute", "os_compute_api:os-shelve:unshelve"),)
else: else:
self.current_present_action = SHELVE self.current_present_action = SHELVE
policy_rules = (("compute", "compute_extension:shelve"),) policy_rules = (("compute", "os_compute_api:os-shelve:shelve"),)
has_permission = policy.check( has_permission = policy.check(
policy_rules, request, policy_rules, request,
@ -380,7 +380,7 @@ class LaunchLink(tables.LinkAction):
url = "horizon:project:instances:launch" url = "horizon:project:instances:launch"
classes = ("ajax-modal", "btn-launch") classes = ("ajax-modal", "btn-launch")
icon = "cloud-upload" icon = "cloud-upload"
policy_rules = (("compute", "compute:create"),) policy_rules = (("compute", "os_compute_api:servers:create"),)
ajax = True ajax = True
def __init__(self, attrs=None, **kwargs): def __init__(self, attrs=None, **kwargs):
@ -444,7 +444,7 @@ class EditInstance(policy.PolicyTargetMixin, tables.LinkAction):
url = "horizon:project:instances:update" url = "horizon:project:instances:update"
classes = ("ajax-modal",) classes = ("ajax-modal",)
icon = "pencil" icon = "pencil"
policy_rules = (("compute", "compute:update"),) policy_rules = (("compute", "os_compute_api:servers:update"),)
def get_link_url(self, project): def get_link_url(self, project):
return self._get_link_url(project, 'instance_info') return self._get_link_url(project, 'instance_info')
@ -480,7 +480,7 @@ class CreateSnapshot(policy.PolicyTargetMixin, tables.LinkAction):
url = "horizon:project:images:snapshots:create" url = "horizon:project:images:snapshots:create"
classes = ("ajax-modal",) classes = ("ajax-modal",)
icon = "camera" icon = "camera"
policy_rules = (("compute", "compute:snapshot"),) policy_rules = (("compute", "os_compute_api:snapshot"),)
def allowed(self, request, instance=None): def allowed(self, request, instance=None):
return instance.status in SNAPSHOT_READY_STATES \ return instance.status in SNAPSHOT_READY_STATES \
@ -492,7 +492,7 @@ class ConsoleLink(policy.PolicyTargetMixin, tables.LinkAction):
verbose_name = _("Console") verbose_name = _("Console")
url = "horizon:project:instances:detail" url = "horizon:project:instances:detail"
classes = ("btn-console",) classes = ("btn-console",)
policy_rules = (("compute", "compute_extension:consoles"),) policy_rules = (("compute", "os_compute_api:os-consoles:index"),)
def allowed(self, request, instance=None): def allowed(self, request, instance=None):
# We check if ConsoleLink is allowed only if settings.CONSOLE_TYPE is # We check if ConsoleLink is allowed only if settings.CONSOLE_TYPE is
@ -512,7 +512,7 @@ class LogLink(policy.PolicyTargetMixin, tables.LinkAction):
verbose_name = _("View Log") verbose_name = _("View Log")
url = "horizon:project:instances:detail" url = "horizon:project:instances:detail"
classes = ("btn-log",) classes = ("btn-log",)
policy_rules = (("compute", "compute_extension:console_output"),) policy_rules = (("compute", "os_compute_api:os-console-output"),)
def allowed(self, request, instance=None): def allowed(self, request, instance=None):
return instance.status in ACTIVE_STATES and not is_deleting(instance) return instance.status in ACTIVE_STATES and not is_deleting(instance)
@ -529,7 +529,7 @@ class ResizeLink(policy.PolicyTargetMixin, tables.LinkAction):
verbose_name = _("Resize Instance") verbose_name = _("Resize Instance")
url = "horizon:project:instances:resize" url = "horizon:project:instances:resize"
classes = ("ajax-modal", "btn-resize") classes = ("ajax-modal", "btn-resize")
policy_rules = (("compute", "compute:resize"),) policy_rules = (("compute", "os_compute_api:servers:resize"),)
def get_link_url(self, project): def get_link_url(self, project):
return self._get_link_url(project, 'flavor_choice') return self._get_link_url(project, 'flavor_choice')
@ -552,7 +552,7 @@ class ConfirmResize(policy.PolicyTargetMixin, tables.Action):
name = "confirm" name = "confirm"
verbose_name = _("Confirm Resize/Migrate") verbose_name = _("Confirm Resize/Migrate")
classes = ("btn-confirm", "btn-action-required") classes = ("btn-confirm", "btn-action-required")
policy_rules = (("compute", "compute:confirm_resize"),) policy_rules = (("compute", "os_compute_api:servers:confirm_resize"),)
def allowed(self, request, instance): def allowed(self, request, instance):
return instance.status == 'VERIFY_RESIZE' return instance.status == 'VERIFY_RESIZE'
@ -565,7 +565,7 @@ class RevertResize(policy.PolicyTargetMixin, tables.Action):
name = "revert" name = "revert"
verbose_name = _("Revert Resize/Migrate") verbose_name = _("Revert Resize/Migrate")
classes = ("btn-revert", "btn-action-required") classes = ("btn-revert", "btn-action-required")
policy_rules = (("compute", "compute:revert_resize"),) policy_rules = (("compute", "os_compute_api:servers:revert_resize"),)
def allowed(self, request, instance): def allowed(self, request, instance):
return instance.status == 'VERIFY_RESIZE' return instance.status == 'VERIFY_RESIZE'
@ -579,7 +579,7 @@ class RebuildInstance(policy.PolicyTargetMixin, tables.LinkAction):
verbose_name = _("Rebuild Instance") verbose_name = _("Rebuild Instance")
classes = ("btn-rebuild", "ajax-modal") classes = ("btn-rebuild", "ajax-modal")
url = "horizon:project:instances:rebuild" url = "horizon:project:instances:rebuild"
policy_rules = (("compute", "compute:rebuild"),) policy_rules = (("compute", "os_compute_api:servers:rebuild"),)
def allowed(self, request, instance): def allowed(self, request, instance):
return ((instance.status in ACTIVE_STATES return ((instance.status in ACTIVE_STATES
@ -620,7 +620,9 @@ class AssociateIP(policy.PolicyTargetMixin, tables.LinkAction):
url = "horizon:project:floating_ips:associate" url = "horizon:project:floating_ips:associate"
classes = ("ajax-modal",) classes = ("ajax-modal",)
icon = "link" icon = "link"
policy_rules = (("compute", "network:associate_floating_ip"),) # Nova doesn't support floating ip actions policy, update this
# when bug #1610520 resloved
policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
def allowed(self, request, instance): def allowed(self, request, instance):
if not api.network.floating_ip_supported(request): if not api.network.floating_ip_supported(request):
@ -649,7 +651,9 @@ class SimpleAssociateIP(policy.PolicyTargetMixin, tables.Action):
name = "associate-simple" name = "associate-simple"
verbose_name = _("Associate Floating IP") verbose_name = _("Associate Floating IP")
icon = "link" icon = "link"
policy_rules = (("compute", "network:associate_floating_ip"),) # Nova doesn't support floating ip actions policy, update this
# when bug #1610520 resloved
policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
def allowed(self, request, instance): def allowed(self, request, instance):
if not api.network.floating_ip_simple_associate_supported(request): if not api.network.floating_ip_simple_associate_supported(request):
@ -680,7 +684,9 @@ class SimpleDisassociateIP(policy.PolicyTargetMixin, tables.Action):
name = "disassociate" name = "disassociate"
verbose_name = _("Disassociate Floating IP") verbose_name = _("Disassociate Floating IP")
classes = ("btn-disassociate",) classes = ("btn-disassociate",)
policy_rules = (("compute", "network:disassociate_floating_ip"),) # Nova doesn't support floating ip actions policy, update this
# when bug #1610520 resloved
policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
action_type = "danger" action_type = "danger"
def allowed(self, request, instance): def allowed(self, request, instance):
@ -727,7 +733,7 @@ class UpdateMetadata(policy.PolicyTargetMixin, tables.LinkAction):
ajax = False ajax = False
icon = "pencil" icon = "pencil"
attrs = {"ng-controller": "MetadataModalHelperController as modal"} attrs = {"ng-controller": "MetadataModalHelperController as modal"}
policy_rules = (("compute", "compute:update_instance_metadata"),) policy_rules = (("compute", "os_compute_api:server-metadata:update"),)
def __init__(self, attrs=None, **kwargs): def __init__(self, attrs=None, **kwargs):
kwargs['preempt'] = True kwargs['preempt'] = True
@ -797,7 +803,7 @@ class UpdateRow(tables.Row):
class StartInstance(policy.PolicyTargetMixin, tables.BatchAction): class StartInstance(policy.PolicyTargetMixin, tables.BatchAction):
name = "start" name = "start"
classes = ('btn-confirm',) classes = ('btn-confirm',)
policy_rules = (("compute", "compute:start"),) policy_rules = (("compute", "os_compute_api:servers:start"),)
@staticmethod @staticmethod
def action_present(count): def action_present(count):
@ -825,7 +831,7 @@ class StartInstance(policy.PolicyTargetMixin, tables.BatchAction):
class StopInstance(policy.PolicyTargetMixin, tables.BatchAction): class StopInstance(policy.PolicyTargetMixin, tables.BatchAction):
name = "stop" name = "stop"
policy_rules = (("compute", "compute:stop"),) policy_rules = (("compute", "os_compute_api:servers:stop"),)
help_text = _("The instance(s) will be shut off.") help_text = _("The instance(s) will be shut off.")
action_type = "danger" action_type = "danger"
@ -858,7 +864,7 @@ class StopInstance(policy.PolicyTargetMixin, tables.BatchAction):
class LockInstance(policy.PolicyTargetMixin, tables.BatchAction): class LockInstance(policy.PolicyTargetMixin, tables.BatchAction):
name = "lock" name = "lock"
policy_rules = (("compute", "compute_extension:admin_actions:lock"),) policy_rules = (("compute", "os_compute_api:os-lock-server:lock"),)
@staticmethod @staticmethod
def action_present(count): def action_present(count):
@ -891,7 +897,7 @@ class LockInstance(policy.PolicyTargetMixin, tables.BatchAction):
class UnlockInstance(policy.PolicyTargetMixin, tables.BatchAction): class UnlockInstance(policy.PolicyTargetMixin, tables.BatchAction):
name = "unlock" name = "unlock"
policy_rules = (("compute", "compute_extension:admin_actions:unlock"),) policy_rules = (("compute", "os_compute_api:os-lock-server:unlock"),)
@staticmethod @staticmethod
def action_present(count): def action_present(count):
@ -926,7 +932,7 @@ class AttachVolume(tables.LinkAction):
verbose_name = _("Attach Volume") verbose_name = _("Attach Volume")
url = "horizon:project:instances:attach_volume" url = "horizon:project:instances:attach_volume"
classes = ("ajax-modal",) classes = ("ajax-modal",)
policy_rules = (("compute", "compute:attach_volume"),) policy_rules = (("compute", "os_compute_api:servers:attach_volume"),)
# This action should be disabled if the instance # This action should be disabled if the instance
# is not active, or the instance is being deleted # is not active, or the instance is being deleted
@ -939,7 +945,7 @@ class DetachVolume(AttachVolume):
name = "detach_volume" name = "detach_volume"
verbose_name = _("Detach Volume") verbose_name = _("Detach Volume")
url = "horizon:project:instances:detach_volume" url = "horizon:project:instances:detach_volume"
policy_rules = (("compute", "compute:detach_volume"),) policy_rules = (("compute", "os_compute_api:servers:detach_volume"),)
# This action should be disabled if the instance # This action should be disabled if the instance
# is not active, or the instance is being deleted # is not active, or the instance is being deleted
@ -953,7 +959,7 @@ class AttachInterface(policy.PolicyTargetMixin, tables.LinkAction):
verbose_name = _("Attach Interface") verbose_name = _("Attach Interface")
classes = ("btn-confirm", "ajax-modal") classes = ("btn-confirm", "ajax-modal")
url = "horizon:project:instances:attach_interface" url = "horizon:project:instances:attach_interface"
policy_rules = (("compute", "compute_extension:attach_interfaces"),) policy_rules = (("compute", "os_compute_api:os-attach-interfaces"),)
def allowed(self, request, instance): def allowed(self, request, instance):
return ((instance.status in ACTIVE_STATES return ((instance.status in ACTIVE_STATES
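Review bot: In the ToggleSuspend hunk the resume branch is mapped to `os_compute_api:os-rescue`, which is the rescue rule rather than the resume rule, so the Resume action's visibility follows whatever an operator sets for rescue. The updated nova_policy.json on this page defines `os_compute_api:os-suspend-server:resume`, and the line should read `("compute", "os_compute_api:os-suspend-server:resume"),)`. Three other hunks in this section use names that do not appear in the visible part of that policy file: `os_compute_api:snapshot` (CreateSnapshot), `os_compute_api:servers:attach_volume` (AttachVolume) and `os_compute_api:servers:detach_volume` (DetachVolume). The file does list `os_compute_api:servers:create_image` and `os_compute_api:os-volumes-attachments:create` / `:delete`, which are presumably what was meant; confirm against the full file, since a name with no matching rule would be evaluated by whatever fallback the policy engine applies. The enclosing methods and classes start outside these hunks.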


@ -3613,7 +3613,7 @@ class InstanceTests(helpers.ResetImageAPIVersionMixin, helpers.TestCase):
self.assertEqual(set(['btn-launch']), self.assertEqual(set(['btn-launch']),
set(launch_action.classes)) set(launch_action.classes))
self.assertEqual('Launch Instance', launch_action.verbose_name) self.assertEqual('Launch Instance', launch_action.verbose_name)
self.assertEqual((('compute', 'compute:create'),), self.assertEqual((('compute', 'os_compute_api:servers:create'),),
launch_action.policy_rules) launch_action.policy_rules)
@helpers.create_stubs({ @helpers.create_stubs({


@ -23,7 +23,7 @@ from openstack_dashboard.usage import quotas
class DeleteKeyPairs(tables.DeleteAction): class DeleteKeyPairs(tables.DeleteAction):
policy_rules = (("compute", "compute_extension:keypairs:delete"),) policy_rules = (("compute", "os_compute_api:os-keypairs:delete"),)
help_text = _("Removing a key pair can leave OpenStack resources orphaned." help_text = _("Removing a key pair can leave OpenStack resources orphaned."
" You should not remove a key pair unless you are certain it" " You should not remove a key pair unless you are certain it"
" is not being used anywhere.") " is not being used anywhere.")


@ -31,7 +31,7 @@ def get_context(request, context=None):
network_config = getattr(settings, 'OPENSTACK_NEUTRON_NETWORK', {}) network_config = getattr(settings, 'OPENSTACK_NEUTRON_NETWORK', {})
context['launch_instance_allowed'] = policy.check( context['launch_instance_allowed'] = policy.check(
(("compute", "compute:create"),), request) (("compute", "os_compute_api:servers:create"),), request)
context['instance_quota_exceeded'] = _quota_exceeded(request, 'instances') context['instance_quota_exceeded'] = _quota_exceeded(request, 'instances')
context['create_network_allowed'] = policy.check( context['create_network_allowed'] = policy.check(
(("network", "create_network"),), request) (("network", "create_network"),), request)


@ -47,7 +47,7 @@ class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
def allowed(self, request, security_group=None): def allowed(self, request, security_group=None):
policy_target = self.get_policy_target(request, security_group) policy_target = self.get_policy_target(request, security_group)
if not api.base.is_service_enabled(request, "network"): if not api.base.is_service_enabled(request, "network"):
policy_rules = (("compute", "compute_extension:security_groups"),) policy_rules = (("compute", "os_compute_api:os-security-groups"),)
if not policy.check(policy_rules, request, policy_target): if not policy.check(policy_rules, request, policy_target):
return False return False
@ -77,7 +77,7 @@ class CreateGroup(tables.LinkAction):
self.classes = [c for c in self.classes if c != "disabled"] self.classes = [c for c in self.classes if c != "disabled"]
if not api.base.is_service_enabled(request, "network"): if not api.base.is_service_enabled(request, "network"):
policy_rules = (("compute", "compute_extension:security_groups"),) policy_rules = (("compute", "os_compute_api:os-security-groups"),)
return policy.check(policy_rules, request, target={}) return policy.check(policy_rules, request, target={})
return True return True
@ -93,7 +93,7 @@ class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
def allowed(self, request, security_group=None): def allowed(self, request, security_group=None):
policy_target = self.get_policy_target(request, security_group) policy_target = self.get_policy_target(request, security_group)
if not api.base.is_service_enabled(request, "network"): if not api.base.is_service_enabled(request, "network"):
policy_rules = (("compute", "compute_extension:security_groups"),) policy_rules = (("compute", "os_compute_api:os-security-groups"),)
if not policy.check(policy_rules, request, policy_target): if not policy.check(policy_rules, request, policy_target):
return False return False
@ -111,7 +111,7 @@ class ManageRules(policy.PolicyTargetMixin, tables.LinkAction):
def allowed(self, request, security_group=None): def allowed(self, request, security_group=None):
policy_target = self.get_policy_target(request, security_group) policy_target = self.get_policy_target(request, security_group)
if not api.base.is_service_enabled(request, "network"): if not api.base.is_service_enabled(request, "network"):
policy_rules = (("compute", "compute_extension:security_groups"),) policy_rules = (("compute", "os_compute_api:os-security-groups"),)
return policy.check(policy_rules, request, policy_target) return policy.check(policy_rules, request, policy_target)
return True return True
@ -151,7 +151,7 @@ class CreateRule(tables.LinkAction):
def allowed(self, request, security_group_rule=None): def allowed(self, request, security_group_rule=None):
if not api.base.is_service_enabled(request, "network"): if not api.base.is_service_enabled(request, "network"):
policy_rules = (("compute", "compute_extension:security_groups"),) policy_rules = (("compute", "os_compute_api:os-security-groups"),)
return policy.check(policy_rules, request, target={}) return policy.check(policy_rules, request, target={})
return True return True
@ -179,7 +179,7 @@ class DeleteRule(tables.DeleteAction):
def allowed(self, request, security_group_rule=None): def allowed(self, request, security_group_rule=None):
if not api.base.is_service_enabled(request, "network"): if not api.base.is_service_enabled(request, "network"):
policy_rules = (("compute", "compute_extension:security_groups"),) policy_rules = (("compute", "os_compute_api:os-security-groups"),)
return policy.check(policy_rules, request, target={}) return policy.check(policy_rules, request, target={})
return True return True


@ -48,7 +48,7 @@ class LaunchVolume(tables.LinkAction):
url = "horizon:project:instances:launch" url = "horizon:project:instances:launch"
classes = ("ajax-modal", "btn-launch") classes = ("ajax-modal", "btn-launch")
icon = "cloud-upload" icon = "cloud-upload"
policy_rules = (("compute", "compute:create"),) policy_rules = (("compute", "os_compute_api:servers:create"),)
def get_link_url(self, datum): def get_link_url(self, datum):
base_url = reverse(self.url) base_url = reverse(self.url)
@ -188,11 +188,13 @@ class EditAttachments(tables.LinkAction):
if volume: if volume:
project_id = getattr(volume, "os-vol-tenant-attr:tenant_id", None) project_id = getattr(volume, "os-vol-tenant-attr:tenant_id", None)
attach_allowed = \ attach_allowed = \
policy.check((("compute", "compute:attach_volume"),), policy.check((("compute",
"os_compute_api:servers:attach_volume"),),
request, request,
{"project_id": project_id}) {"project_id": project_id})
detach_allowed = \ detach_allowed = \
policy.check((("compute", "compute:detach_volume"),), policy.check((("compute",
"os_compute_api:servers:detach_volume"),),
request, request,
{"project_id": project_id}) {"project_id": project_id})
@ -528,7 +530,7 @@ class VolumesTable(VolumesTableBase):
class DetachVolume(tables.BatchAction): class DetachVolume(tables.BatchAction):
name = "detach" name = "detach"
classes = ('btn-detach',) classes = ('btn-detach',)
policy_rules = (("compute", "compute:detach_volume"),) policy_rules = (("compute", "os_compute_api:servers:detach_volume"),)
help_text = _("The data will remain in the volume and another instance" help_text = _("The data will remain in the volume and another instance"
" will be able to access the data if you attach" " will be able to access the data if you attach"
" this volume to it.") " this volume to it.")


@ -26,26 +26,27 @@ class PolicyRestTestCase(test.TestCase):
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check') @override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
def test_rule_alone(self): def test_rule_alone(self):
body = '{"rules": [["compute", "compute:get_all" ]]}' body = '{"rules": [["compute", \
"os_compute_api:index:get_all_tenants"]]}'
self.test_policy(body) self.test_policy(body)
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check') @override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
def test_multiple_rule(self): def test_multiple_rule(self):
body = '{"rules": [["compute", "compute:get_all"],' \ body = '{"rules": [["compute", "os_compute_api:stop"],' \
' ["compute", "compute:start"]]}' ' ["compute", "os_compute_api:start"]]}'
self.test_policy(body) self.test_policy(body)
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check') @override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
def test_rule_with_empty_target(self): def test_rule_with_empty_target(self):
body = '{"rules": [["compute", "compute:get_all"],' \ body = '{"rules": [["compute", "os_compute_api:stop"],' \
' ["compute", "compute:start"]],' \ ' ["compute", "os_compute_api:start"]],' \
' "target": {}}' ' "target": {}}'
self.test_policy(body) self.test_policy(body)
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check') @override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
def test_rule_with_target(self): def test_rule_with_target(self):
body = '{"rules": [["compute", "compute:get_all"],' \ body = '{"rules": [["compute", "os_compute_api:stop"],' \
' ["compute", "compute:start"]],' \ ' ["compute", "os_compute_api:start"]],' \
' "target": {"project_id": "1"}}' ' "target": {"project_id": "1"}}'
self.test_policy(body) self.test_policy(body)
@ -53,7 +54,9 @@ class PolicyRestTestCase(test.TestCase):
def test_policy_fail(self): def test_policy_fail(self):
# admin only rule, default test case user should fail # admin only rule, default test case user should fail
request = self.mock_rest_request( request = self.mock_rest_request(
body='''{"rules": [["compute", "compute:unlock_override"]]}''') body=('{"rules": ['
'["compute",'
'"os_compute_api:servers:index:get_all_tenants"]]}'))
response = policy.Policy().post(request) response = policy.Policy().post(request)
self.assertStatusCode(response, 200) self.assertStatusCode(response, 200)
self.assertEqual({"allowed": False}, response.json) self.assertEqual({"allowed": False}, response.json)
@ -70,7 +73,8 @@ class PolicyRestTestCase(test.TestCase):
class AdminPolicyRestTestCase(test.BaseAdminViewTests): class AdminPolicyRestTestCase(test.BaseAdminViewTests):
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check') @override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
def test_rule_with_target(self): def test_rule_with_target(self):
body = '{"rules": [["compute", "compute:unlock_override"]]}' body = '{"rules": [["compute", \
"os_compute_api:index:get_all_tenants"]]}'
request = self.mock_rest_request(body=body) request = self.mock_rest_request(body=body)
response = policy.Policy().post(request) response = policy.Policy().post(request)
self.assertStatusCode(response, 200) self.assertStatusCode(response, 200)
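Review bot: The rule names in these request bodies disagree with each other and with the rest of the commit: `test_rule_alone` and `AdminPolicyRestTestCase.test_rule_with_target` send `os_compute_api:index:get_all_tenants`, `test_policy_fail` sends `os_compute_api:servers:index:get_all_tenants`, and the multi-rule tests send `os_compute_api:stop` / `os_compute_api:start` while the table actions updated elsewhere use the `os_compute_api:servers:` prefix. If a name is not defined in nova_policy.json, the check presumably falls back to the `default` rule (`rule:admin_or_owner`), so the test can pass without evaluating the rule it names, and an overly permissive rule would go unnoticed. I would use names that exist in the policy file, e.g. `"os_compute_api:servers:start"` and `"os_compute_api:servers:stop"`, and one spelling of the `get_all_tenants` rule in all three places. Before doing so, confirm that `test_rule_alone` is still expected to pass for a non-admin user once it names an admin-only rule (`test_policy` itself is outside this hunk). The backslash continuation inside the string literal in those two bodies also embeds the next line's indentation in the JSON; adjacent string literals, as `test_policy_fail` now uses, avoid that.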


@ -0,0 +1,7 @@
---
upgrade:
- Horizon is updated to use the same API policy
target rules with Nova, if you made any changes
to Horizon's old nova policy file before, make sure
to apply your specific policy changes to the new
Nova policy file used by Horizon.