9 Commits

Author SHA1 Message Date
Yaguang Tang
c61ae4f083 Update Horizon to use latest nova policy rules for validation
As Nova's API is unified to os_compute_api, the API policies are also
updated to use this format, so Horizon needs to use Nova policy enforce
rules in the codebase. This patch also updates nova_policy.json using
oslo-config-generator for the Nova policy file.

Co-Authored-By: Rob Cresswell <robert.cresswell@outlook.com>
Implements: blueprint update-nova-enforce-policies

Change-Id: Id7d01a39930c88592301a5035f0befe5293a78fa
2017-03-13 13:43:02 +00:00
David Lyle
d1134ad3bf Updating nova policy file
The Nova policy file is out of date with current. This patch pulls from
master in nova to update it. None of the policy rules we check have
been removed, but the criteria have been modified.

Change-Id: Idbb190e026a0c28128867822e772ea2cae6bed88
2016-06-06 10:52:03 -06:00
Justin Pomeroy
c66da865fb Update nova policy file
This updates the horizon nova policy file to match the current
policy file from nova.

Closes-Bug: #1516714
Change-Id: I02be3d1483947f177a429b624d34cd261d543c6b
2015-11-17 10:31:58 -06:00
David Lyle
6bfeee5baf Adding policy check in quota call
The default policy for server_list API in nova has changed. This
exposed a problem in the way Horizon was calling server_list when
reading quota values. The call was always made with
all_tenants=True, which is only something admin should be able to
do. Instead of ignoring the privilege problem in the API as in the
past, there is a pre-emptive policy check that makes the call fail.

The fix in Horizon is to only pass in all_tenants=True when the
user has the appropriate privilege level. nova_policy.json has been
updated with the appropriate default and the permission check has
been added.

Removing passing in all_tenants=True at all was contemplated, but
when setting quota values on projects in the identity dashboard,
the administrator level user needs to read quota values from a
project that they are not currently scoped to.

This fixes the error on the network topology screen that was the
motivation for the original bug report.

Closes-Bug: #1468551
Change-Id: I4255c57f81a13cac121596c99eea4ac629ed9ca7
2015-06-25 22:04:50 +00:00
Sergio Cazzolato
b2dd9ded59 Revert "Remove the update default quotas feature"
This reverts commit ed586a0355fb99a5b1fbeadfc0625f0ceffe8b72.

The quota_class subcommand in python-novaclient was used to set default
quota values so it shouldn't have been removed. As now it is being
restored, the defaults quota panel is being restored too.

Related mailing list thread on the topic:
http://lists.openstack.org/pipermail/openstack-dev/2014-May/035383.html

Resolved merge conflicts by hand in:
openstack_dashboard/api/cinder.py
openstack_dashboard/dashboards/admin/info/tabs.py
openstack_dashboard/dashboards/admin/info/tests.py

Updated translatable segments to match refactors in
openstack_dashboard/dashboards/admin/defaults/workflows.py
openstack_dashboard/dashboards/admin/defaults/tables.py

Fixed most egregious post-merge styling errors in
openstack_dashboard/dashboards/admin/defaults/templates/defaults/index.html
(probably should have been separate, but I just couldn't let it out that way!)

Removed unrelated file that was allowed to be part of the original commit
doc/source/topics/settings.rst

Co-Authored-By: Doug Fish <drfish@us.ibm.com>
Change-Id: Ic4c4ecec843c7ea9afd0db36ce0eb15952da15b3
Partial-Bug: #1299517
2014-09-30 18:12:02 +09:00
Sergio Cazzolato
ed586a0355 Remove the update default quotas feature
The default quota panel has been moved to a tab in the system
info panel.
The update default quotas feature has been removed.
The cinder quota-class methods have been removed to keep consistency.
The test cases and the APIs for nova and cinder have been modified
according to the change.

This change is done to support the change:
I1110022d6f628d03aaf363da707f2d2ef1600437

Change-Id: I193c7209d9681b6d69afe0d996153ac86850d243
Closes-Bug: #1292589
2014-03-26 12:19:21 -03:00
Brian DeHamer
4d8c573b1d adding policy checks for nova instance actions
Adding policy rule checks for all Nova instance actions (on both the
project and admin dashboards).

Change-Id: Ibf419ecf6624cf3315ddb10daee0542f7d8d2c3e
Implements: blueprint compute-rbac
2014-01-22 12:08:18 -08:00
David Lyle
985bd7390d adding policy checks for cinder
Adding cinder policy rules file for policy checks. Implementing
rule checks as well. Some cinder API calls actually hit nova, so
adding those calls as well.

Also a couple of improvements to the Horizon policy engine. First,
now providing the token scope project_id and user_id as targets by
default, unless otherwise specified.  Most service policy rules
check one or both of these.  Second, checking to see if the rule exists
before attempting enforcement.  If the rule does not exist, using
the default rule for that service.  This now matches what the
service policy engines do.

Implements: blueprint block-rbac

Change-Id: Ifef08b8975280f4e621ba8eebec9d405e1e870a2
2014-01-10 15:07:15 -07:00
David Lyle
5984e34862 Adding RBAC policy system and checks for identity
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files

The policy engine builds on top of oslo incubator policy.py; fileutils
was also pulled from oslo incubator as a dependency of policy.py.

When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine.  Each check is mapped to a service type and validated.  This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or an unqualified (no service name
included) rule.  Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.

The engine allows for compound 'and' checks at this time.  E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).

Other workflows, e.g., Edit Project, should have separate save
actions per step as they are unrelated.  Only the policy checks
applicable to that step were added.  Separating the saves of
unrelated steps should be future work.

The underlying engine supports more rule types than are used in the
underlying policy.json files.

Policy checks were added for all actions on tables in the Identity
Panel only.  And the service policy files imported are limited in
this commit to reduce scope of the change.

Additionally, changes were made to the base action class to add
support for setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.

Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.

Finally, adding documentation regarding policy enforcement.

Implements: blueprint rbac

Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
2013-08-26 10:32:28 -06:00
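A minimal engine with the behaviour the 5984e34862 and 985bd7390d commit messages describe, written here as an added example and not Horizon's own policy module: per-service policy.json files loaded from a directory, the token's project_id and user_id as default targets, fall-back to the 'default' rule for unknown rule names, permission assumed when a service's policy file is absent, and compound 'and' checks over several (service, rule) pairs. The rule syntax is a reduced subset of the oslo policy language ('or' only, no parentheses), and NOVA_POLICY is a constructed stand-in for nova_policy.json, not the real file.

```python
import json, re, tempfile
from pathlib import Path
def _eval(expr, rules, creds, target):  # reduced oslo-style rule syntax, 'or' only
    expr = expr.strip()
    if not expr:  # empty rule string: always allowed
        return True
    if " or " in expr:
        return any(_eval(p, rules, creds, target) for p in expr.split(" or "))
    kind, _, value = expr.partition(":")
    if kind == "rule":  # alias; an unknown name falls back to the 'default' rule
        return _eval(rules.get(value, rules.get("default", "")), rules, creds, target)
    sub = re.fullmatch(r"%\((\w+)\)s", value)  # e.g. project_id:%(project_id)s
    want = target.get(sub.group(1)) if sub else value  # else a literal, e.g. is_admin:True
    return str(creds.get(kind)).lower() == str(want).lower()
class PolicyEngine:
    def __init__(self, policy_dir, files):  # files: service type -> policy.json name
        self.rules = {}
        for service, name in files.items():
            path = Path(policy_dir, name)
            if path.exists():  # a missing file leaves the service unmapped
                self.rules[service] = json.loads(path.read_text())
    def check(self, actions, creds, target=None):  # compound 'and' over all pairs
        target = dict(target or {})
        target.setdefault("project_id", creds.get("project_id"))  # token scope is
        target.setdefault("user_id", creds.get("user_id"))        # the default target
        for service, rule in actions:
            rules = self.rules.get(service)
            if rules is None:  # no policy file: assume permission, the API will enforce
                continue
            if not _eval(rules.get(rule, rules.get("default", "")), rules, creds, target):
                return False
        return True
NOVA_POLICY = {"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
               "default": "rule:admin_or_owner",
               "compute:get_all_tenants": "is_admin:True",
               "os_compute_api:servers:index": "rule:admin_or_owner"}  # constructed subset

def demo():
    tmp = tempfile.mkdtemp()  # only nova_policy.json is written; keystone's is absent
    Path(tmp, "nova_policy.json").write_text(json.dumps(NOVA_POLICY))
    eng = PolicyEngine(tmp, {"compute": "nova_policy.json", "identity": "keystone_policy.json"})
    member = {"user_id": "u1", "project_id": "p1", "is_admin": False}
    idx, all_t = ("compute", "os_compute_api:servers:index"), ("compute", "compute:get_all_tenants")
    return {"member_lists_own": eng.check((idx,), member),
            "member_all_tenants": eng.check((all_t,), member),
            "admin_all_tenants": eng.check((all_t,), dict(member, is_admin=True)),
            "unknown_rule_uses_default": eng.check((("compute", "compute:no_such"),), member),
            "missing_file_assumes_permission": eng.check((("identity", "identity:create_user"),), member),
            "compound_and": eng.check((idx, all_t), member)}
```

The "member_all_tenants" case is the check the 6bfeee5baf message relies on: a non-admin token must not be allowed to list with all_tenants=True, so Horizon only passes that flag when the policy check succeeds.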