diff --git a/doc/source/quickstart.rst b/doc/source/quickstart.rst index 4c316a0dbd..d5924ba54c 100644 --- a/doc/source/quickstart.rst +++ b/doc/source/quickstart.rst @@ -297,7 +297,8 @@ you register it in a ``panel.py`` file like so:: class Images(horizon.Panel): name = "Images" slug = 'images' - permissions = ('openstack.roles.admin', 'my.other.permission',) + permissions = ('openstack.roles.admin', 'my.openstack.permission',) + policy_rules = (('endpoint', 'endpoint:rule'),) # You could also register your panel with another application's dashboard diff --git a/doc/source/topics/customizing.rst b/doc/source/topics/customizing.rst index cdb9862bce..839f081604 100644 --- a/doc/source/topics/customizing.rst +++ b/doc/source/topics/customizing.rst @@ -441,12 +441,6 @@ Or get the instances panel:: projects_dashboard = horizon.get_dashboard("project") instances_panel = projects_dashboard.get_panel("instances") -And limit access to users with the Keystone Admin role:: - - permissions = list(getattr(instances_panel, 'permissions', [])) - permissions.append('openstack.roles.admin') - instances_panel.permissions = tuple(permissions) - Or just remove it entirely:: projects_dashboard.unregister(instances_panel.__class__) diff --git a/openstack_dashboard/dashboards/admin/dashboard.py b/openstack_dashboard/dashboards/admin/dashboard.py index 667b364d0c..3e8c7bb20c 100644 --- a/openstack_dashboard/dashboards/admin/dashboard.py +++ b/openstack_dashboard/dashboards/admin/dashboard.py @@ -15,12 +15,23 @@ from django.utils.translation import ugettext_lazy as _ import horizon +from openstack_dashboard import settings class Admin(horizon.Dashboard): name = _("Admin") slug = "admin" - permissions = ('openstack.roles.admin',) - policy_rules = (("identity", "cloud_admin"),) + + if getattr(settings, 'POLICY_CHECK_FUNCTION', None): + policy_rules = (('identity', 'admin_required'), + ('image', 'context_is_admin'), + ('volume', 'context_is_admin'), + ('compute', 'context_is_admin'), + ('network', 'context_is_admin'), + ('orchestration', 'context_is_admin'), + ('telemetry', 'context_is_admin'),) + else: + permissions = ('openstack.roles.admin',) + horizon.register(Admin) diff --git a/openstack_dashboard/dashboards/admin/hypervisors/panel.py b/openstack_dashboard/dashboards/admin/hypervisors/panel.py index c5cddb1baa..2f221142c3 100644 --- a/openstack_dashboard/dashboards/admin/hypervisors/panel.py +++ b/openstack_dashboard/dashboards/admin/hypervisors/panel.py @@ -21,3 +21,4 @@ class Hypervisors(horizon.Panel): name = _("Hypervisors") slug = 'hypervisors' permissions = ('openstack.services.compute',) + policy_rules = (("compute", "compute_extension:hypervisors"),) diff --git a/openstack_dashboard/dashboards/admin/instances/panel.py b/openstack_dashboard/dashboards/admin/instances/panel.py index bd9f2e910c..efaad956d5 100644 --- a/openstack_dashboard/dashboards/admin/instances/panel.py +++ b/openstack_dashboard/dashboards/admin/instances/panel.py @@ -25,3 +25,4 @@ class Instances(horizon.Panel): name = _("Instances") slug = 'instances' permissions = ('openstack.services.compute',) + policy_rules = (("compute", "compute:get_all"),) diff --git a/openstack_dashboard/dashboards/admin/metadata_defs/panel.py b/openstack_dashboard/dashboards/admin/metadata_defs/panel.py index d0a47c2871..49c9914ddf 100644 --- a/openstack_dashboard/dashboards/admin/metadata_defs/panel.py +++ b/openstack_dashboard/dashboards/admin/metadata_defs/panel.py @@ -23,6 +23,7 @@ from openstack_dashboard.api import glance class MetadataDefinitions(horizon.Panel): name = _("Metadata Definitions") slug = 'metadata_defs' + policy_rules = (("image", "get_metadef_namespaces"),) @staticmethod def can_register(): diff --git a/openstack_dashboard/dashboards/admin/overview/panel.py b/openstack_dashboard/dashboards/admin/overview/panel.py index bfb170f30b..d75f9b35ef 100644 --- a/openstack_dashboard/dashboards/admin/overview/panel.py +++ b/openstack_dashboard/dashboards/admin/overview/panel.py @@ -26,6 +26,7 @@ from openstack_dashboard.dashboards.admin import dashboard class Overview(horizon.Panel): name = _("Overview") slug = 'overview' + policy_rules = (('identity', 'identity:list_projects'),) dashboard.Admin.register(Overview)