45 Commits

Author SHA1 Message Date
Bence Romsics
674830c4ea Update neutron policy file
The neutron policy file is out of date. This patch updates it to match
neutron 11.0.0.0rc1. My motivation is to bring in trunk policies. But it
seems to me that if I start editing neutron_policy.json I better
synchronize the whole file from the neutron repo.

Change-Id: I976a0517559dd44f865de0528c4cf96e29340647
Partially-Implements: blueprint neutron-trunk-ui
Related-Change: Ie866f140fd4e5537ff0d757304ab5279f0cf0a79
2017-08-17 15:07:29 +02:00
Akihiro Motoki
4cddc75d06 Remove FWaaS specific policies from neutron_policy
insert_rule/remove_rule in neutron_policy.json were not removed
as part of FWaaS dashboard split out because policy.json in the
neutron repo contained them even though they were meaningless.
Now they have been dropped in the neutron side [1], we can safely
drop them from neutron_policy.json in the horizon repo.

Note that there is no side effect by having them in neutron_policy.json
so there is no need to backport it to stable/pile.

[1] https://review.openstack.org/#/c/482413/

Change-Id: I200a841a6961781ac0f9709852ea8b3b7a7b473d
Related-Bug: #1703347
2017-08-16 16:21:47 +00:00
Akihiro Motoki
07ce7bd6b1 Drop FWaaS related policies from neutron_policy.json
This is the final cleanup related to FWaaS dashboard split out.

Note that 'insert_rule' and 'remove_rule' in neutron_policy.json are
kept as the current policy.json in neutron still has it. They are
specific to neutron-fwaas and theoretically it should be moved from
neutron to neutron-fwaas, but it should happen in neutron side.
As horizon, we keep them until policy.json in the neutron repo has them.
(Related to neutron bug 1703347)

Implement blueprint split-out-neutron-xaas-dashboards

Change-Id: I99b63628365b90f51dc8f76be7b3d63b195916b0
2017-07-15 10:45:22 +00:00
Yaguang Tang
c61ae4f083 Update Horizon to use latest nova policy rules for validation
As Nova's API is unified to os_compute_api, the API policies are also
updated to use this format. Horizon needs to use Nova policy enforce
rules in the codebase. This patch also updates nova_policy.json using
oslo-config-generator for Nova policy file.

Co-Authored-By: Rob Cresswell <robert.cresswell@outlook.com>
Implements: blueprint update-nova-enforce-policies

Change-Id: Id7d01a39930c88592301a5035f0befe5293a78fa
2017-03-13 13:43:02 +00:00
Richard Jones
f85e0ffa91 Move Consistency Groups out of Volumes panel
Notes on enabling consistency groups in devstack:
http://docs.openstack.org/admin-guide/blockstorage-consistency-groups.html

You'll also need to modify the local cinder policy file.

Though that's not actually enough to make it work since
devstack only provides the LVM volume type and CGs don't
work with LVM. You can attempt to create CGs, but they
will error.

Change-Id: I0ab541c81570cd5f67bb7d04c01bc92bc5cc3ab5
Implements: blueprint reorganise-volumes
2017-03-06 15:49:53 +11:00
Eric Brown
7b93aa82ce Sync keystone policy to latest
The current version of the keystone policy file is out of sync
with the default shipped with keystone. This patch updates to
the latest.

Change-Id: I927d6bfb2b20440683fe756fff25605ec7d7160e
2017-02-05 17:05:57 -08:00
David Lyle
20ea82b9ef Removing deprecated ceilometer code
The ceilometer code has been deprecated and disabled for
several cycles. Now removing the code.

Change-Id: I1dcfb8aae6ce6898cb46f6312731a92a01ae0b67
2016-11-17 16:52:13 -07:00
Rob Cresswell
8ce6e6c343 Update Glance sample policy file
Sample policy file is out of sync with Glance repo; we should update it
to make dev/deployer work easier.

Change-Id: I4891e13a387729660e43f476796731937da0aa6e
2016-10-05 09:01:29 +00:00
David Lyle
d599fdec59 The neutron policy file is out of date. This patch updates it to
match neutron master.

Since the neutron policy was last updated, LBaaS, VPNaaS, and FWaaS,
have all been moved out of the neutron repo. When that was done,
apparently all policy support was removed as well. This patch retains
the related policy checks matching the old policy file rules. If
operators use the new policy file, the policy checks are harmless, as
the definition won't be found which will result in policy.check
returning True.

Additionally, the get_network call for the update network view was
modified to not have the subnet info populated as it's not used in
the form.

Change-Id: I6c40b99e88937d428a8e21fa28cdbc8a4190eb57
2016-08-30 10:59:36 -06:00
David Lyle
af627907d5 Updating heat policy file
The heat policy is out of date. This patch updates the policy file
to match heat master.

There have been several modifications to the heat policy rules
checked in the heat views. The previously used policies were a
mix of fantasy, out-dated policy rules and just error. After
instrumenting the heat code to verify policy usage, the new
rule checks align with heat master policy use.

Change-Id: I17eb7d2945924167f3a62440b7e12b9b313d0f5d
2016-06-14 11:01:45 -06:00
Jenkins
2c00ac5322 Merge "updating keystone policy file" 2016-06-07 11:40:31 +00:00
David Lyle
4e71364c89 updating keystone policy file
The keystone policy file is out of date. This patch updates it. No
policy rules we currently check were removed.

Change-Id: Ic0574be640717d5f8c343b3353f37b9bbdab1d9d
2016-06-06 10:52:41 -06:00
David Lyle
d1134ad3bf Updating nova policy file
Nova policy file is out of date with current. This patch pulls from
master in nova to update. None of the policy rules we check have
been removed, but the criteria have been modified.

Change-Id: Idbb190e026a0c28128867822e772ea2cae6bed88
2016-06-06 10:52:03 -06:00
daniel-a-nguyen
388708b251 Updates horizon's copy of the cinder policy file
Change-Id: I7b83f0d97c330c9fe996fb752f6de57561295bde
Closes-Bug: 1582725
Co-Authored-By: Rob Cresswell <robert.cresswell@outlook.com>
Implements: blueprint update-cinder-policy-file
2016-05-20 16:57:20 +01:00
Tatiana Ovchinnikova
94fd2485f9 Heat Template Versions panel
This patch set adds a separate panel for Heat template versions and
template functions.

Depends on: Id9718bb5d1c2b70664a9c27c67e91436e5489dd6
Partially implements blueprint: heat-template-versions

Change-Id: I44bfd72a7d4147d48ffa999c93de0e41e591d5c1
2016-05-05 06:45:46 +00:00
Justin Pomeroy
c66da865fb Update nova policy file
This updates the horizon nova policy file to match the current
policy file from nova.

Closes-Bug: #1516714
Change-Id: I02be3d1483947f177a429b624d34cd261d543c6b
2015-11-17 10:31:58 -06:00
David Lyle
6bfeee5baf Adding policy check in quota call
The default policy for server_list API in nova has changed. This
exposed a problem in the way Horizon was calling server_list when
reading quota values. The call was always made with
all_tenants=True, which is only something admin should be able to
do. Instead of ignoring the privilege problem in the API as in the
past, there is a pre-emptive policy check that makes the call fail.

The fix in Horizon is to only pass in all_tenants=True when the
user has the appropriate privilege level. nova_policy.json has been
updated with the appropriate default and the permission check has
been added.

Removing passing in all_tenants=True at all was contemplated, but
when setting quota values on projects in the identity dashboard,
the administrator level user needs to read quota values from a
project that they are not currently scoped to.

This fixes the error on the network topology screen that was the
motivation for the original bug report.

Closes-Bug: #1468551
Change-Id: I4255c57f81a13cac121596c99eea4ac629ed9ca7
2015-06-25 22:04:50 +00:00
Tatiana Ovchinnikova
cab3912b69 Add "Preview Stack" action to Stacks table
This patch set adds "Preview Stack" button to Stacks table
to provide user with a possibility to preview stack without
creating it, as it is already implemented in CLI.

Partially implements blueprint: heat-ui-improvement

Change-Id: Idf92deb57f8213a403f102db467828087d91e79a
2015-03-13 15:35:47 +03:00
David Lyle
9d8079db0c Adding policy support for ceilometer
Adding default policy json file for ceilometer which is very sparse.
Configuring access to metering panel to be RBAC gated. Using the
appropriate policy checks to load the panel.

Change-Id: Iad3ffe9d73fb994b146637e714c7d8c46102e104
Closes-Bug: #1419193
Partially-Closes: #1161144
2015-02-06 17:00:27 -07:00
Rich Hagarty
455ee822b4 New admin volume panel to manage/unmanage volumes.
Manage will take an existing volume created outside of OpenStack and
make it available. Unmanage will remove the visibility of a volume
within OpenStack, but will not delete the actual volume.

Change-Id: I6df46f0944015833d1fb94611f9bf520ca8bca8b
Implements: blueprint add-manage-unmanage-volume
2015-02-03 17:28:51 -08:00
Tatiana Ovchinnikova
b2c07ad64e Add "Suspend" and "Resume" actions to Stacks table
This patch set adds "Suspend Stack" and "Resume Stack" buttons
to Stacks table to provide user with a possibility to suspend
and resume stack, like it is already implemented in CLI.

Partially implements blueprint: heat-ui-improvement

Change-Id: I6ea8cb7f342fdd8fcfd124012aefc66d9d898410
2015-01-23 17:29:56 +03:00
Tatiana Ovchinnikova
a57e913e6c Add "Check Stack" action to Stacks table
This patch set adds "Check Stack" button to Stacks table
to provide user with a possibility to check stack, like it is
already implemented in CLI.

Partially implements blueprint: heat-ui-improvement

Change-Id: I0a2c6f62844a4120081e74689c4ca8d8cf35251d
2015-01-22 07:12:21 +03:00
Travis Tripp
7e5f4d1594 Base Glance Metadata Definitions Admin UI
Provide a base admin UI for viewing, importing, and associating the
metadata definitions that can be used with various resource types
such as flavors, images, and host aggregates.

In Juno, Glance provided a metadata definitions catalog[1][2] where
users can register the available metadata definitions that can be used
on different types of resources (images, artifacts, volumes, flavors,
aggregates, etc). This includes key / value pairs such as
properties, extra specs, etc. Horizon landed several patches that
read these properties. You can view the functionality in the
"update metadata" action on Flavors, Images, and Host Aggregates.

This specific patch is to bring in the Admin UI for the basic coarse
grained actions on the definitions in the catalog. This includes creating
(importing) a namespace, viewing the overview details about
it, deleting the namespace, and associating the namespace for use with
specific resource types.

Future blueprints will be registered for:
 - CRUD on individual metadata definitions within the namespace
For example, editing the default value of an individual property.

[1] Approved Glance Juno Spec:
https://github.com/openstack/glance-specs/blob/master/specs/juno/metadata-schema-catalog.rst

[2] Glance PTL Juno Feature Overview:
https://www.youtube.com/watch?v=3ptriiw1wK8&t=14m27s

Co-Authored-By: Travis Tripp <travis.tripp@hp.com>
Co-Authored-By: Santiago Baldassin <santiago.b.baldassin@intel.com>
Co-Authored-By: Bartosz Fic <bartosz.fic@intel.com>
Co-Authored-By: Pawel Koniszewski <pawel.koniszewski@intel.com>
Co-Authored-By: Michal Dulko <michal.dulko@intel.com>
DocImpact: Concept awareness
Change-Id: Ie34007f73af7e0941631a52f03841068e509a72c
Implements: blueprint glance-metadata-definitions-base-admin-ui
2014-12-17 16:10:53 -07:00
Jenkins
ca4a772d5f Merge "Revert "Remove the update default quotas feature"" 2014-10-02 03:08:37 +00:00
Sergio Cazzolato
b2dd9ded59 Revert "Remove the update default quotas feature"
This reverts commit ed586a0355fb99a5b1fbeadfc0625f0ceffe8b72.

The quota_class subcommand in python-novaclient was used to set default
quota values so it shouldn't have been removed. As now it is being
restored, the defaults quota panel is being restored too.

Related mailing list thread on the topic:
http://lists.openstack.org/pipermail/openstack-dev/2014-May/035383.html

Resolved merge conflicts by hand in:
openstack_dashboard/api/cinder.py
openstack_dashboard/dashboards/admin/info/tabs.py
openstack_dashboard/dashboards/admin/info/tests.py

Updated translatable segments to match refactors in
openstack_dashboard/dashboards/admin/defaults/workflows.py
openstack_dashboard/dashboards/admin/defaults/tables.py

Fixed most egregious post-merge styling errors in
openstack_dashboard/dashboards/admin/defaults/templates/defaults/index.html
(probably should have been separate, but I just couldn't let it out that way!)

Removed unrelated file that was allowed to be part of the original commit
doc/source/topics/settings.rst

Co-Authored-By: Doug Fish <drfish@us.ibm.com>
Change-Id: Ic4c4ecec843c7ea9afd0db36ce0eb15952da15b3
Partial-Bug: #1299517
2014-09-30 18:12:02 +09:00
Akihiro Motoki
f06e401adf Add HA mode support for Neutron router
HA (high availability) mode support is one of the important topics in
Neutron Juno, and this patch adds HA router mode support to Horizon.

This commit also changes the default value of enable_distributed_router
in the example local_settings.py to False. In Juno release of Neutron,
the distributed router and L3 HA mode cannot be enabled at the same
time and only L3-agent deployment with L3 Router service plugin
support both features. Thus I believe it is reasonable to make both
options default to False to avoid unnecessary confusions to operators.

Closes-Bug: #1370110
Change-Id: I77b0292b761f08b4580846f6d58443f7df9a1f6b
2014-09-26 17:08:26 +09:00
Jenkins
9416662e42 Merge "Upload volume to image service" 2014-09-01 05:44:06 +00:00
Akihiro Motoki
6a8ea3385c Add "Edit Router" to allow to change router type
Neutron DVR implementation allows to change router type from
centralized to distributed. This commit adds "Edit Router" form
which is not implemented so far to allow this feature.

This commit also adds:
- admin_state field to the router detail.
- documentation on a new option enable_distributed_router

Completes blueprint enhance-horizon-for-dvr
Change-Id: I4b46e44c417726217ed034e305827b102ba656f8
2014-08-30 05:01:25 +09:00
Gloria Gu
d350df03c1 Upload volume to image service
Expose the functionality of the 'cinder upload-to-image' command
in the UI. It allows the user to upload a volume whose status is
in-use or available to the Glance image service.

When the volume is in-use and the user still wants to upload that volume
to image, the user needs to set force to True. The force checkbox
only shows when the volume is in-use. Whether it can
successfully upload the volume to image depends on if the storage
array that volume is created in supports attaching multiple instances
to the volume. Not all arrays support that. There is no API that
can detect if the array supports that before cinder actually uploads
the in-use volume to image.

The container format is 'bare'. The list of disk formats are
based on the format supportability by both glance and qemu-img.
cinder uses qemu-img for converting the volume to a image.

Implements: blueprint cinder-volume-upload-image

Change-Id: Ie5fc26c260e5f4ef2700c40c8cea6150fdbd522c
2014-08-28 15:04:24 -07:00
Jenkins
de11167ef1 Merge "Horizon changes for DVR" 2014-08-27 07:54:00 +00:00
Gloria Gu
fa7105d0da Enable changing volume type of a volume
Expose the functionality of the 'cinder retype' command in the UI.
It allows user to change the volume type of a volume whose status is
in-use or available when horizon's cinder API version is >= 2.

cinder retype is only supported starting cinder v2.

If enabled_backends is specified in /etc/cinder/cinder.conf,
retype is actually performed by a specific driver.
It depends on the drivers (backends) that are associated
with volume types.
Volume types are set through type-key extra specs.

If enabled_backends in cinder.conf is not specified, volumes are
created by LVM so retype is actually performed in LVM.

During retype, if cinder finds it can not retype, it will check
if the migration policy is on_demand or never. If the policy
is never, then cinder does not do anything, otherwise, it will
perform migration. By default, in the horizon retype dialog UI,
migration policy is never which is also the default
of the cinder cli command.

Currently in horizon cinder api default version is 1. In order to
test this functionality, you need to update
openstack_dashboard/local/local_settings.py to have the "volume"
API use version 2 so the "Change Volume Type" action menu
shows up for the volume. If local_settings.py is not available, you
need to copy the local_settings.py.example file, change it to
local_settings.py, update other necessary settings and also update
the API version setting like the following:

OPENSTACK_API_VERSIONS = {
    #"data_processing": 1.1,
    #"identity": 3,
    "volume": 2
}

Implements: blueprint volume-retype

Change-Id: Id8bc539e1849f5910df34d7b76cc250ec82f9671
2014-08-25 11:09:31 -07:00
Saro Chandra Bhooshan
0d8fb6ce08 Horizon changes for DVR
Feature completed :
1. Admin router panel
   + New "Distributed" column introduced.
   + New Field "Distributed" added on to
     router detail panel
2. Project router panel
   if logged in as "Admin"
   ======================
   + New distributed column introduced.
   + New Field distributed column added on to
     router detail panel.
   + New Router Field dropdown box introduced in
     create router form.
   if logged in as "nonAdmin"
   =========================
   + Router Type dropdown will be invisible for
     non admin.
   + Distributed information will be
     hidden from details panel.

implements: blueprint enhance-horizon-for-dvr

Co-Authored-By: Akihiro Motoki <motoki@da.jp.nec.com>

Change-Id: I995745dd72a8b750866c0977a7d7cf42036f716f
2014-08-25 14:26:28 +09:00
Lin Hua Cheng
da5853040e Sync keystone policy file
This updates the policy files to use the new policy language
for rules.

Change-Id: I7210229da885af9e0abf72dd4e32e5a477ae8d67
Closes-Bug: #1347348
2014-07-22 21:42:12 -07:00
Laura Frank
630bf3d5a4 Adding support for volume backups
Users can create, view, delete and restore volume backups

Change-Id: I85b372013c4573018d39178314e769ec8adfd3c7
Co-Authored-By: Lin Hua Cheng <lin-hua.cheng@hp.com>
Implements: blueprint volume-backups
2014-07-04 03:07:53 -07:00
Jenkins
bf4950ccc0 Merge "adding policy check for neutron" 2014-05-29 19:51:27 +00:00
Brian DeHamer
d93722d379 adding policy check for neutron
Policy checks for all actions on firewalls, loadbalancers, network_topology,
networks, routers and vpn panels.

Co-Authored-By: Lin Hua Cheng <lin-hua.cheng@hp.com>
Change-Id: Id12257d3200f8af6ff590fd576c4cb6e414b455a
Implements: blueprint network-rbac
2014-05-07 11:10:33 -07:00
Zhenguo Niu
235ceff89c Add update method of snapshot name and description
Change-Id: I0c396bee1f14bdb96812012ea89d6fd2bf0c6e34
Closes-Bug: #1265140
Closes-Bug: #1296398
2014-05-07 04:53:06 +00:00
Jenkins
f4282f73ec Merge "Adding policy checks for heat" 2014-03-31 20:32:45 +00:00
Sergio Cazzolato
ed586a0355 Remove the update default quotas feature
The default quota panel has been moved to a tab in the system
info panel.
The update default quotas feature has been removed.
The cinder quota-class methods have been removed to keep consistency.
The test cases and the apis for nova and cinder have been modified
according to the change.

This change is done to support the change:
I1110022d6f628d03aaf363da707f2d2ef1600437

Change-Id: I193c7209d9681b6d69afe0d996153ac86850d243
Closes-Bug: #1292589
2014-03-26 12:19:21 -03:00
Lin Hua Cheng
610e1b0631 Adding policy checks for heat
Change-Id: Ia454eefbaaf0c6262bfcc2890dead4d074555404
Implements: blueprint heat-rbac
2014-02-15 20:00:10 -08:00
lin-hua-cheng
a300c605da Adding policy checks for glance
Additionally, added the missing policy checks on Image panel.

Change-Id: Ia9fa2fcdfb12f97ff27150a69d964be47ab717cf
Implements: blueprint image-rbac
2014-01-30 21:01:41 -08:00
Brian DeHamer
4d8c573b1d adding policy checks for nova instance actions
Adding policy rule checks for all Nova instance actions (on both the
project and admin dashboards).

Change-Id: Ibf419ecf6624cf3315ddb10daee0542f7d8d2c3e
Implements: blueprint compute-rbac
2014-01-22 12:08:18 -08:00
Zhenguo Niu
dcd166e1c8 Add update method of volume name and description
Change-Id: I19596f1b83b061a47a8784962e6f74f1f43048cf
Closes-Bug: #1264411
2014-01-13 14:39:21 +08:00
David Lyle
985bd7390d adding policy checks for cinder
Adding cinder policy rules file for policy checks. Implementing
rule checks as well. Some cinder API calls actually hit nova, so
adding those calls as well.

Also a couple of improvements to the Horizon policy engine. First,
now providing the token scope project_id and user_id as targets by
default, unless otherwise specified.  Most service policy rules
check one or both of these.  Second, checking to see if rule exists,
before attempting enforcement.  If the rule does not exist, using
the default rule for that service.  This now matches what the
service policy engines do.

Implements: blueprint block-rbac

Change-Id: Ifef08b8975280f4e621ba8eebec9d405e1e870a2
2014-01-10 15:07:15 -07:00
David Lyle
5984e34862 Adding RBAC policy system and checks for identity
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files

Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py

When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine.  Each check is mapped to a service type and validated.  This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
included) rule.  Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.

The engine allows for compound 'and' checks at this time.  E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).

Other workflows e.g., Edit Project,  should have separate save
actions per step as they are unrelated.  Only the applicable
policy checks to that step were added.  Separating the saves of
unrelated steps should be future work.

The underlying engine supports more rule types that are used in the
underlying policy.json files.

Policy checks were added for all actions on tables in the Identity
Panel only.  And the service policy files imported are limited in
this commit to reduce scope of the change.

Additionally, changes were made to the base action class to add
support for setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.

Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.

Finally, adding documentation regarding policy enforcement.

Implements: blueprint rbac

Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
2013-08-26 10:32:28 -06:00