The new version of install_venv_common evaluates requirements.txt
and test-requirements.txt at the same time and we avoid Django 1.6
is installed when evaluating django-nose dependencies.
Change-Id: I2ab7108b3615ac6c0525089b81b80e5c0a4793fc
Closes-Bug: #1250581
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files
Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py
When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine. Each check is mapped to a service type and validated. This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
include) rule. Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.
The engine allows for compound 'and' checks at this time. E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).
Other workflows e.g., Edit Project, should have separate save
actions per step as they are unrelated. Only the applicable
policy checks to that step were added. The separating unrelated
steps saves will should be future work.
The underlying engine supports more rule types that are used in the
underlying policy.json files.
Policy checks were added for all actions on tables in the Identity
Panel only. And the service policy files imported are limited in
this commit to reduce scope of the change.
Additionally, changes were made to the base action class to add
support or setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.
Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.
Finally, adding documentation regarding policy enforcement.
Implements: blueprint rbac
Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
We're going to use openstack-common to receive notifications and then
pass them via socket.io to the client.
Prerequisite for blueprint realtime-communication
Change-Id: Ic590f52f14d000d07be6ee9a8da3df976b58c302
Signed-off-by: Tomas Sedovic <tomas@sedovic.cz>
pbr is the library-ified version of the code that was in
openstack.common.setup and version. It builds on top of d2to1 to
provide declarative build configuration.
Change-Id: Ic264fa33e17fe5fdc71d8c53412495b069ab74a4
Moves everything OpenStack-specific (dashboards, apis, etc.)
into the openstack_dashboard project, achieving a much
cleaner separation between the project-specific code and
the generic Horizon framework code.
Change-Id: I7235b41d449b26c980668fc3eb4360b24508717b
Horizon is the last project that doesn't have support for the common
Project Testing Interface. This gets horizon up to speed with the
other bits, but shouldn't break any of the existing interfaces.
Change-Id: I464c3b10d9708a0b7b5ffd42c88cd3cf515ef6a7