This patch updates default policy-in-code rules in horizon based on
nova/neutron/glance RC deliverables. It doesn't update policy
rules for cinder and keystone as I have found no changes in their
policy rules. Horizon needs to update default policy-in-code rules
for all backend services before releasing the horizon[1].
[1] https://docs.openstack.org/horizon/latest/contributor/policies/releasing.html#things-to-do-before-releasing
Change-Id: Ia636b32d0eeec9a4d399fcdbb4d4db1aeaa4fdab
This patch updates default policy-in-code rules in horizon based on
nova/neutron/cinder RC deliverables. It doesn't update policy
rules for glance and keystone as I have found no changes in their
policy rules. Horizon needs to update default policy-in-code rules
for all backend services before releasing the horizon[1].
[1] https://docs.openstack.org/horizon/latest/contributor/policies/releasing.html#things-to-do-before-releasing
Change-Id: Iae50f131be3f7d1345b8b899b70da8301700428c
This patch updates default policy-in-code rules in horizon based on
nova/neutron/glance RC deliverables. It doesn't update policy
rules for cinder and keystone as I have found no changes in their
policy rules.
Change-Id: Ifcf911d9bc649f61cc8522ccea60d30cf7f013be
This patch updates default policy-in-code rules in horizon based on
nova/neutron/keystone/glance/cinder RC deliverables.
It also bumps a few package versions in lower-constraints.txt and
requirements.txt to fix the failed lower-constraints job after
updating policy rules.
Change-Id: I168bb171076e3442b29670461a29d12c9988df52
This patch updates default policy-in-code rules in horizon based on
nova/neutron/keystone/glance RC deliverables. It doesn't update policy
rules for cinder as I have found no changes in cinder policy rules.
Change-Id: Ie249e6d066ad31c7783b936e52141b1745fd2703
Update default policy-in-code rules in horizon based on
nova/neutron/cinder/glance RC deliverables.
More precisely, they are based on the top of stable/wallaby
branch of these projects as of Apr 7 14UTC.
Change-Id: I2040201b533f1d16f1f629e31be8d7b9130b2e52
This commit allows horizon to handle deprecated policy rules.
The approach is explained in the document updated by this change.
oslo.policy requirement is updated. oslo.policy 3.2.0 is chosen
just because it is the first release in Victoria cycle.
requirements.txt and lower-constraints.txt are updated accordingly
including oslo.policy dependencies.
Change-Id: If5059d03f6bd7e94796065aa1b51c0c23ac85f5e
Cinder consistency group has been replaced by the generic group feature.
Horizon support of the generic group (in the project dashboard) is
available since Rocky release and it covers all existing support
for consistency group in horizon.
The consistency group support in horizon was marked as deprecated
in Stein release [1].
This commit drops the consistency group support.
[1] https://review.openstack.org/#/c/626846/
Change-Id: I11187d2b03b7e0033a6c6ba3f8be25b8b5e4dd74
Based on nova commit 32c8ac6b7dfe4ca0c211cbce7c5a67d88558126f
The new file was generated by oslopolicy-sample-generator:
oslopolicy-sample-generator --namespace nova --format json
nova uses policy-in-code now, so there are a lot of differences.
Sorted version diff is http://paste.openstack.org/show/628742/
All policies with "@" have been dropped.
Dropped policies used in horizon are:
os_compute_api:os-certificates:create
os_compute_api:os-scheduler-hints:discoverable
os_compute_api:os-server-groups:discoverable
[discoverable]
"discoverable" policies are related to nova API extensions
but the API extension mechanism has gone in Nova Queens,
so these policies now make no sense in Nova.
On the Horizon side, we still use a slightly older API version
to launch instance, so it seems some fallback policies are needed
and they are added as conf/nova_policy.d.
[os_compute_api:os-certificates:create]
No corresponding policy is found, so the related policy check is dropped.
EC2 API is provided as a separate project from nova.
I guess this is the reason the policy was dropped.
DownloadEC2 action referred to it, but we already check EC2 service
is available so I believe the policy can be dropped safely.
[openstack_dashboard.test.unit.api.rest.test_policy]
Unit tests are updated according to the nova policy change.
Note that test_rule_alone previously succeeded because it used
non-existing policy and fell back to 'default' rule.
The rule is changed to a policy for non-admin user.
Change-Id: I68f91bc29b20a4ecd613fc75735d38b9a48162ee
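The audit the commit message above performs by hand (which dropped rules does the dashboard still check, and which of them a nova_policy.d fallback restores), as an added example that is not code from horizon or nova. The rule names come from this page; the rule values, the DASHBOARD_CHECKS set and the overlay contents are constructed assumptions.

```python
import json

# Constructed, trimmed policy files. Rule names are taken from the commit
# messages on this page; the rule values are made up for the example.
OLD_POLICY = json.loads("""{
  "default": "rule:admin_or_owner",
  "os_compute_api:os-certificates:create": "rule:admin_or_owner",
  "os_compute_api:os-scheduler-hints:discoverable": "@",
  "os_compute_api:os-server-groups:discoverable": "@",
  "os_compute_api:servers:create": "rule:admin_or_owner"
}""")
NEW_POLICY = json.loads("""{
  "os_compute_api:servers:create": "rule:admin_or_owner"
}""")

# Hypothetical overlay standing in for a file under conf/nova_policy.d.
FALLBACK_OVERLAY = {
    "os_compute_api:os-scheduler-hints:discoverable": "@",
    "os_compute_api:os-server-groups:discoverable": "@",
}

# Hypothetical set of rules the dashboard code passes to its policy check.
DASHBOARD_CHECKS = {
    "os_compute_api:servers:create",
    "os_compute_api:os-certificates:create",
    "os_compute_api:os-scheduler-hints:discoverable",
    "os_compute_api:os-server-groups:discoverable",
}


def removed_rules(old, new):
    """Rule names present in the old policy file but absent from the new one."""
    return sorted(set(old) - set(new))


def effective_policy(base, *overlays):
    """Base file plus overlay files; later files win (assumed merge order)."""
    merged = dict(base)
    for overlay in overlays:
        merged.update(overlay)
    return merged


def audit(checks, policy):
    """Map every rule the UI checks to how the policy file resolves it."""
    report = {}
    for rule in sorted(checks):
        if rule in policy:
            report[rule] = "defined"
        elif "default" in policy:
            report[rule] = "missing: falls back to 'default'"
        else:
            report[rule] = "missing: no definition, no default"
    return report


def dangling(checks, policy):
    """Rules the UI still checks that the policy file no longer defines."""
    return [r for r, status in audit(checks, policy).items() if status != "defined"]


if __name__ == "__main__":
    print("removed:", removed_rules(OLD_POLICY, NEW_POLICY))
    print("dangling after sync:", dangling(DASHBOARD_CHECKS, NEW_POLICY))
    patched = effective_policy(NEW_POLICY, FALLBACK_OVERLAY)
    print("dangling with fallback:", dangling(DASHBOARD_CHECKS, patched))
```

A rule left in the last list needs a decision in the dashboard code itself, which is what the commit does for os_compute_api:os-certificates:create by dropping the check.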
Based on keystone commit cfbc2aa30b7406b4bc77e40a55561d1f46174b5c
keystone uses policy-in-code now, so there are a lot of differences.
The new file was generated by oslopolicy-sample-generator.
Sorted version diff is http://paste.openstack.org/show/628745/.
Removed policies are:
default
identity:change_password
identity:get_identity_providers
'identity:change_password' is used in horizon.
There seems to be no corresponding new policy, so the corresponding horizon
rules are dropped in this commit.
Our UT depends on the identity policy file.
This commit updates the UTs in a more robust way.
Change-Id: I76eb9f95c7112bcbad75ee151f363f892298d081
Based on cinder commit 55b2f349514fce1ffde5fd2244cfc26d7daad6a6
The new file was generated by oslopolicy-sample-generator.
nova uses policy-in-code now, so there are a lot of differences.
Sorted version diff is http://paste.openstack.org/show/628744/
Removed policies are:
backup:backup-export
consistencygroup:create
consistencygroup:create_cgsnapshot
consistencygroup:delete
consistencygroup:delete_cgsnapshot
consistencygroup:get
consistencygroup:get_all
consistencygroup:get_all_cgsnapshots
consistencygroup:get_cgsnapshot
consistencygroup:update
default
volume:get_volume_admin_metadata
volume_extension:replication:promote
volume_extension:replication:reenable
volume_extension:types_extra_specs
Horizon still uses consistency group panel, so the removed policies
related to consistency group are still required.
They are added as cinder_policy.d/consistencygroup.json.
Change-Id: I3292fae2b9d2b368954bfbaa19df391d3860bdfe
Remove the option to detach_interface from running instances for
non-admin users.
Change-Id: Id641bde457e8723ace0bc1e49aab2c46b2227485
Closes-bug: #1690790
Orchestration tab in the admin info panel needs a discussion.
It seems not to be covered by heat-dashboard yet.
blueprint heat-dashboard-split-out
Change-Id: I56e6edb1f2ac72e2f42d0e9f3291308e67f24cad
The neutron policy file is out of date. This patch updates it to match
neutron 11.0.0.0rc1. My motivation is to bring in trunk policies. But it
seems to me that if I start editing neutron_policy.json I better
synchronize the whole file from the neutron repo.
Change-Id: I976a0517559dd44f865de0528c4cf96e29340647
Partially-Implements: blueprint neutron-trunk-ui
Related-Change: Ie866f140fd4e5537ff0d757304ab5279f0cf0a79
insert_rule/remove_rule in neutron_policy.json were not removed
as part of FWaaS dashboard split out because policy.json in the
neutron repo contained them even though they were meaningless.
Now they have been dropped in the neutron side [1], we can safely
drop them from neutron_policy.json in the horizon repo.
Note that there is no side effect by having them in neutron_policy.json
so there is no need to backport it to stable/pike.
[1] https://review.openstack.org/#/c/482413/
Change-Id: I200a841a6961781ac0f9709852ea8b3b7a7b473d
Related-Bug: #1703347
This is the final cleanup related to FWaaS dashboard split out.
Note that 'insert_rule' and 'remove_rule' in neutron_policy.json are
kept as the current policy.json in neutron still has it. They are
specific to neutron-fwaas and theoretically it should be moved from
neutron to neutron-fwaas, but it should happen in neutron side.
As horizon, we keep them until policy.json in the neutron repo has them.
(Related to neutron bug 1703347)
Implement blueprint split-out-neutron-xaas-dashboards
Change-Id: I99b63628365b90f51dc8f76be7b3d63b195916b0
As Nova's API is unified to os_compute_api, the API policies are also
updated to use this format, Horizon needs to use Nova policy enforce
rules in the codebase. This patch also updates nova_policy.json using
oslo-config-generator for Nova policy file.
Co-Authored-By: Rob Cresswell <robert.cresswell@outlook.com>
Implements: blueprint update-nova-enforce-policies
Change-Id: Id7d01a39930c88592301a5035f0befe5293a78fa
Notes on enabling consistency groups in devstack:
http://docs.openstack.org/admin-guide/blockstorage-consistency-groups.html
You'll also need to modify the local cinder policy file.
Though that's not actually enough to make it work since
devstack only provides the LVM volume type and CGs don't
work with LVM. You can attempt to create CGs, but they
will error.
Change-Id: I0ab541c81570cd5f67bb7d04c01bc92bc5cc3ab5
Implements: blueprint reorganise-volumes
The current version of the keystone policy file is out of sync
with the default shipped with keystone. This patch updates to
the latest.
Change-Id: I927d6bfb2b20440683fe756fff25605ec7d7160e
Sample policy file is out of sync with Glance repo; we should update it
to make dev/deployer work easier.
Change-Id: I4891e13a387729660e43f476796731937da0aa6e
match neutron master.
Since the neutron policy was last updated, LBaaS, VPNaaS, and FWaaS,
have all been moved out of the neutron repo. When that was done,
apparently all policy support was removed as well. This patch retains
the related policy checks matching the old policy file rules. If
operators use the new policy file, the policy checks are harmless, as
the definition won't be found which will result in policy.check
returning True.
Additionally, the get_network call for the update network view was
modified to not have the subnet info populated as it's not used in
the form.
Change-Id: I6c40b99e88937d428a8e21fa28cdbc8a4190eb57
The heat policy is out of date. This patch updates the policy file
to match heat master.
There have been several modifications to the heat policy rules
checked in the heat views. The previously used policies were a
mix of fantasy, out-dated policy rules and just error. After
instrumenting the heat code to verify policy usage, the new
rule checks align with heat master policy use.
Change-Id: I17eb7d2945924167f3a62440b7e12b9b313d0f5d
The keystone policy file is out of date. This patch updates it. No
policy rules we currently check were removed.
Change-Id: Ic0574be640717d5f8c343b3353f37b9bbdab1d9d
Nova policy file is out of date with current. This patch pulls from
master in nova to update it. None of the policy rules we check have
been removed, but the criteria have been modified.
Change-Id: Idbb190e026a0c28128867822e772ea2cae6bed88
This patch set adds a separate panel for Heat template versions and
template functions.
Depends on: Id9718bb5d1c2b70664a9c27c67e91436e5489dd6
Partially implements blueprint: heat-template-versions
Change-Id: I44bfd72a7d4147d48ffa999c93de0e41e591d5c1
This updates the horizon nova policy file to match the current
policy file from nova.
Closes-Bug: #1516714
Change-Id: I02be3d1483947f177a429b624d34cd261d543c6b
The default policy for server_list API in nova has changed. This
exposed a problem in the way Horizon was calling server_list when
reading quota values. The call was always made with
all_tenants=True, which is only something admin should be able to
do. Instead of ignoring the privilege problem in the API as in the
past, there is a pre-emptive policy check that makes the call fail.
The fix in Horizon is to only pass in all_tenants=True when the
user has the appropriate privilege level. nova_policy.json has been
updated with the appropriate default and the permission check has
been added.
Removing passing in all_tenants=True at all was contemplated, but
when setting quota values on projects in the identity dashboard,
the administrator level user needs to read quota values from a
project that they are not currently scoped to.
This fixes the error on the network topology screen that was the
motivation for the original bug report.
Closes-Bug: #1468551
Change-Id: I4255c57f81a13cac121596c99eea4ac629ed9ca7
This patch set adds "Preview Stack" button to Stacks table
to provide user with a possibility to preview stack without
creating it, as it is already implemented in CLI.
Partially implements blueprint: heat-ui-improvement
Change-Id: Idf92deb57f8213a403f102db467828087d91e79a
Adding default policy json file for ceilometer which is very sparse.
Configuring access to metering panel to be RBAC gated. Using the
appropriate policy checks to load the panel.
Change-Id: Iad3ffe9d73fb994b146637e714c7d8c46102e104
Closes-Bug: #1419193
Partially-Closes: #1161144
Manage will take an existing volume created outside of OpenStack and
make it available. Unmanage will remove the visibility of a volume
within OpenStack, but will not delete the actual volume.
Change-Id: I6df46f0944015833d1fb94611f9bf520ca8bca8b
Implements: blueprint add-manage-unmanage-volume
This patch set adds "Suspend Stack" and "Resume Stack" buttons
to Stacks table to provide user with a possibility to suspend
and resume stack, like it is already implemented in CLI.
Partially implements blueprint: heat-ui-improvement
Change-Id: I6ea8cb7f342fdd8fcfd124012aefc66d9d898410
This patch set adds "Check Stack" button to Stacks table
to provide user with a possibility to check stack, like it is
already implemented in CLI.
Partially implements blueprint: heat-ui-improvement
Change-Id: I0a2c6f62844a4120081e74689c4ca8d8cf35251d
Provide a base admin UI for viewing, importing, and associating the
metadata definitions that can be used with various resource types
such as flavors, images, and host aggregates.
In Juno, Glance provided a metadata definitions catalog[1][2] where
users can register the available metadata definitions that can be used
on different types of resources (images, artifacts, volumes, flavors,
aggregates, etc). This includes key / value pairs such as
properties, extra specs, etc. Horizon landed several patches that
read these properties. You can view the functionality in the
"update metadata" action on Flavors, Images, and Host Aggregates.
This specific patch is to bring in the Admin UI for the basic coarse
grained actions on the definitions in the catalog. This includes creating
(importing) a namespace, viewing the overview details about
it, deleting the namespace, and associating the namespace for use with
specific resource types.
Future blueprints will be registered for:
- CRUD on individual metadata definitions within the namespace
For example, editing the default value of an individual property.
[1] Approved Glance Juno Spec:
https://github.com/openstack/glance-specs/blob/master/specs/juno/metadata-schema-catalog.rst
[2] Glance PTL Juno Feature Overview:
https://www.youtube.com/watch?v=3ptriiw1wK8&t=14m27s
Co-Authored-By: Travis Tripp <travis.tripp@hp.com>
Co-Authored-By: Santiago Baldassin <santiago.b.baldassin@intel.com>
Co-Authored-By: Bartosz Fic <bartosz.fic@intel.com>
Co-Authored-By: Pawel Koniszewski <pawel.koniszewski@intel.com>
Co-Authored-By: Michal Dulko <michal.dulko@intel.com>
DocImpact: Concept awareness
Change-Id: Ie34007f73af7e0941631a52f03841068e509a72c
Implements: blueprint glance-metadata-definitions-base-admin-ui
This reverts commit ed586a0355fb99a5b1fbeadfc0625f0ceffe8b72.
The quota_class subcommand in python-novaclient was used to set default
quota values so it shouldn't have been removed. As now it is being
restored, the defaults quota panel is being restored too.
Related mailing list thread on the topic:
http://lists.openstack.org/pipermail/openstack-dev/2014-May/035383.html
Resolved merge conflicts by hand in:
openstack_dashboard/api/cinder.py
openstack_dashboard/dashboards/admin/info/tabs.py
openstack_dashboard/dashboards/admin/info/tests.py
Updated translatable segments to match refactors in
openstack_dashboard/dashboards/admin/defaults/workflows.py
openstack_dashboard/dashboards/admin/defaults/tables.py
Fixed most egregious post-merge styling errors in
openstack_dashboard/dashboards/admin/defaults/templates/defaults/index.html
(probably should have been separate, but I just couldn't let it out that way!)
Removed unrelated file that was allowed to be part of the original commit
doc/source/topics/settings.rst
Co-Authored-By: Doug Fish <drfish@us.ibm.com>
Change-Id: Ic4c4ecec843c7ea9afd0db36ce0eb15952da15b3
Partial-Bug: #1299517
HA (high availability) mode support is one of the important topics in
Neutron Juno, and this patch adds HA router mode support to Horizon.
This commit also changes the default value of enable_distributed_router
in the example local_settings.py to False. In Juno release of Neutron,
the distributed router and L3 HA mode cannot be enabled at the same
time and only L3-agent deployment with L3 Router service plugin
supports both features. Thus I believe it is reasonable to make both
options default to False to avoid unnecessary confusion for operators.
Closes-Bug: #1370110
Change-Id: I77b0292b761f08b4580846f6d58443f7df9a1f6b
Neutron DVR implementation allows changing the router type from
centralized to distributed. This commit adds the "Edit Router" form,
which is not implemented so far, to allow this feature.
This commit also adds:
- admin_state field to the router detail.
- documentation on a new option enable_distributed_router
Completes blueprint enhance-horizon-for-dvr
Change-Id: I4b46e44c417726217ed034e305827b102ba656f8
Expose the functionality of the 'cinder upload-to-image' command
in the UI. It allows the user to upload a volume whose status is
in-use or available to the Glance image service.
When the volume is in-use and the user still wants to upload that volume
to an image, the user needs to set force to True. The force checkbox
only shows when the volume is in-use. Whether it can
successfully upload the volume to an image depends on whether the storage
array that the volume is created in supports attaching multiple instances
to the volume. Not all arrays support that. There is no API that
can detect whether the array supports that before cinder actually uploads
the in-use volume to an image.
The container format is 'bare'. The list of disk formats is
based on the formats supported by both glance and qemu-img.
cinder uses qemu-img for converting the volume to an image.
Implements: blueprint cinder-volume-upload-image
Change-Id: Ie5fc26c260e5f4ef2700c40c8cea6150fdbd522c
Expose the functionality of the 'cinder retype' command in the UI.
It allows user to change the volume type of a volume whose status is
in-use or available when horizon's cinder API version is >= 2.
cinder retype is only supported starting cinder v2.
If enabled_backends is specified in /etc/cinder/cinder.conf,
retype is actually performed by a specific driver.
It depends on the drivers (backends) that are associated
with volume types.
Volume types are set through type-key extra specs.
If enabled_backends in cinder.conf is not specified, volumes are
created by LVM so retype is actually performed in LVM.
During retype, if cinder finds it cannot retype, it will check
if the migration policy is on_demand or never. If the policy
is never, then cinder does not do anything, otherwise, it will
perform migration. By default, in the horizon retype dialog UI,
migration policy is never which is also the default
of the cinder cli command.
Currently in horizon cinder api default version is 1. In order to
test this functionality, you need to update
openstack_dashboard/local/local_settings.py to have the "volume"
API use version 2 so the "Change Volume Type" action menu
shows up for the volume. If local_settings.py is not available, you
need to copy the local_settings.py.example file, change it to
local_settings.py, update other necessary settings and also update
the API version setting like the following:
OPENSTACK_API_VERSIONS = {
#"data_processing": 1.1,
#"identity": 3,
"volume": 2
}
Implements: blueprint volume-retype
Change-Id: Id8bc539e1849f5910df34d7b76cc250ec82f9671
Feature completed :
1. Admin router panel
+ New "Distributed" column introduced.
+ New Field "Distributed" added on to
router detail panel
2. Project router panel
if logged in as "Admin"
======================
+ New distributed column introduced.
+ New Field distributed column added on to
router detail panel.
+ New Router Field dropdown box introduced in
create router form.
if logged in as "nonAdmin"
=========================
+ Router Type dropdown will be invisible for
non admin.
+ Distributed information will be
hidden from details panel.
implements: blueprint enhance-horizon-for-dvr
Co-Authored-By: Akihiro Motoki <motoki@da.jp.nec.com>
Change-Id: I995745dd72a8b750866c0977a7d7cf42036f716f