As Nova's API is unified to os_compute_api, the API policies are also
updated to use this format, so Horizon needs to use Nova policy enforce
rules in the codebase. This patch also updates nova_policy.json using
oslo-config-generator for the Nova policy file.
Co-Authored-By: Rob Cresswell <robert.cresswell@outlook.com>
Implements: blueprint update-nova-enforce-policies
Change-Id: Id7d01a39930c88592301a5035f0befe5293a78fa
The Nova policy file is out of date with the current one. This patch pulls from
master in nova to update it. None of the policy rules we check have
been removed, but the criteria have been modified.
Change-Id: Idbb190e026a0c28128867822e772ea2cae6bed88
This updates the horizon nova policy file to match the current
policy file from nova.
Closes-Bug: #1516714
Change-Id: I02be3d1483947f177a429b624d34cd261d543c6b
The default policy for server_list API in nova has changed. This
exposed a problem in the way Horizon was calling server_list when
reading quota values. The call was always made with
all_tenants=True, which is only something admin should be able to
do. Instead of ignoring the privilege problem in the API as in the
past, there is a pre-emptive policy check that makes the call fail.
The fix in Horizon is to only pass in all_tenants=True when the
user has the appropriate privilege level. nova_policy.json has been
updated with the appropriate default and the permission check has
been added.
Removing passing in all_tenants=True at all was contemplated, but
when setting quota values on projects in the identity dashboard,
the administrator level user needs to read quota values from a
project that they are not currently scoped to.
This fixes the error on the network topology screen that was the
motivation for the original bug report.
Closes-Bug: #1468551
Change-Id: I4255c57f81a13cac121596c99eea4ac629ed9ca7
This reverts commit ed586a0355fb99a5b1fbeadfc0625f0ceffe8b72.
The quota_class subcommand in python-novaclient was used to set default
quota values, so it shouldn't have been removed. As it is now being
restored, the default quotas panel is being restored too.
Related mailing list thread on the topic:
http://lists.openstack.org/pipermail/openstack-dev/2014-May/035383.html
Resolved merge conflicts by hand in:
openstack_dashboard/api/cinder.py
openstack_dashboard/dashboards/admin/info/tabs.py
openstack_dashboard/dashboards/admin/info/tests.py
Updated translatable segments to match refactors in
openstack_dashboard/dashboards/admin/defaults/workflows.py
openstack_dashboard/dashboards/admin/defaults/tables.py
Fixed most egregious post-merge styling errors in
openstack_dashboard/dashboards/admin/defaults/templates/defaults/index.html
(probably should have been separate, but I just couldn't let it out that way!)
Removed unrelated file that was allowed to be part of the original commit
doc/source/topics/settings.rst
Co-Authored-By: Doug Fish <drfish@us.ibm.com>
Change-Id: Ic4c4ecec843c7ea9afd0db36ce0eb15952da15b3
Partial-Bug: #1299517
The default quota panel has been moved to a tab in the system
info panel.
The update default quotas feature has been removed.
The cinder quota-class methods have been removed to keep consistency.
The test cases and the APIs for nova and cinder have been modified
according to the change.
This change is done to support the change:
I1110022d6f628d03aaf363da707f2d2ef1600437
Change-Id: I193c7209d9681b6d69afe0d996153ac86850d243
Closes-Bug: #1292589
Adding policy rule checks for all Nova instance actions (on both the
project and admin dashboards).
Change-Id: Ibf419ecf6624cf3315ddb10daee0542f7d8d2c3e
Implements: blueprint compute-rbac
Adding cinder policy rules file for policy checks. Implementing
rule checks as well. Some cinder API calls actually hit nova, so
adding those calls as well.
Also a couple of improvements to the Horizon policy engine. First,
now providing the token scope project_id and user_id as targets by
default, unless otherwise specified. Most service policy rules
check one or both of these. Second, checking to see if the rule exists
before attempting enforcement. If the rule does not exist, using
the default rule for that service. This now matches what the
service policy engines do.
Implements: blueprint block-rbac
Change-Id: Ifef08b8975280f4e621ba8eebec9d405e1e870a2
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files
Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py
When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine. Each check is mapped to a service type and validated. This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
included) rule. Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.
The engine allows for compound 'and' checks at this time. E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).
Other workflows, e.g., Edit Project, should have separate save
actions per step as they are unrelated. Only the policy checks
applicable to that step were added. Separating the saves for
unrelated steps should be future work.
The underlying engine supports more rule types than are used in the
underlying policy.json files.
Policy checks were added for all actions on tables in the Identity
Panel only. And the service policy files imported are limited in
this commit to reduce scope of the change.
Additionally, changes were made to the base action class to add
support for setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.
Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.
Finally, adding documentation regarding policy enforcement.
Implements: blueprint rbac
Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
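The following is an added example, not Horizon's or oslo's code, that illustrates the engine behaviour the rbac, block-rbac and server_list (bug 1468551) commit messages above describe: per-service policy files, compound 'and' checks, token-scope project_id/user_id as the default target, fallback to the service 'default' rule when a rule is missing, permission assumed when a service has no policy file, and gating all_tenants=True on an admin-only check. The policy contents, rule names (compute:get_all_tenants, compute:start, identity:create_user, ...) and the functions check() and server_list_kwargs() are constructed for the example; only the rule syntax (rule:, role:, and/or, %(attr)s) follows the policy.json conventions, and parentheses are deliberately not supported.

```python
"""Toy file-based, per-service policy engine (added illustration, not Horizon
or oslo code). Policy contents, rule names and function names are constructed."""
import json
import re

# Constructed stand-ins for per-service policy.json files. In Horizon each
# service maps to a file on disk; here the JSON is embedded inline.
POLICY_FILES = {
    "compute": json.dumps({
        "context_is_admin": "role:admin",
        "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
        "default": "rule:admin_or_owner",
        "compute:get_all_tenants": "rule:context_is_admin",
        "compute:start": "rule:admin_or_owner",
    }),
    "identity": json.dumps({
        "admin_required": "role:admin",
        "default": "rule:admin_required",
        "identity:create_user": "rule:admin_required",
        "identity:list_roles": "rule:admin_required",
    }),
}

_LOADED = {}  # service -> parsed rules, loaded lazily on the first check


def _rules_for(service):
    if service not in _LOADED:
        _LOADED[service] = json.loads(POLICY_FILES[service])  # open(path) in practice
    return _LOADED[service]


def _evaluate(expr, rules, target, creds, depth=0):
    """Evaluate one rule string. Supported: 'or' / 'and' ('and' binds tighter),
    rule:<name>, role:<name>, <cred>:%(<target_attr>)s, <cred>:<literal>,
    '@' (always allow) and '!' (never allow). No parentheses."""
    if depth > 32:
        raise RecursionError("policy rule recursion too deep")
    expr = expr.strip()
    if " or " in expr:
        return any(_evaluate(p, rules, target, creds, depth + 1) for p in expr.split(" or "))
    if " and " in expr:
        return all(_evaluate(p, rules, target, creds, depth + 1) for p in expr.split(" and "))
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    kind, _, value = expr.partition(":")
    if kind == "rule":  # reference to another named rule; unknown names deny
        return _evaluate(rules.get(value, "!"), rules, target, creds, depth + 1)
    if kind == "role":
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:  # generic check: a credential attribute must equal a target attribute
        return kind in creds and creds[kind] == target.get(m.group(1))
    return str(creds.get(kind)) == value


def check(actions, creds, target=None):
    """Compound 'and' check over (service, rule) pairs: every pair must pass.
    The target defaults to the token scope's project_id/user_id. A missing
    rule falls back to the service's 'default' rule. A service with no policy
    file is assumed allowed and left to the backend API to enforce."""
    target = dict(target or {})
    target.setdefault("project_id", creds.get("project_id"))
    target.setdefault("user_id", creds.get("user_id"))
    for service, rule in actions:
        if service not in POLICY_FILES:
            continue
        rules = _rules_for(service)
        expr = rules.get(rule, rules.get("default", "!"))
        if not _evaluate(expr, rules, target, creds):
            return False
    return True


def server_list_kwargs(creds):
    """Pass all_tenants=True only when the admin-only policy check passes,
    rather than always sending it and relying on the API to reject it."""
    allowed = check([("compute", "compute:get_all_tenants")], creds)
    return {"all_tenants": allowed}


if __name__ == "__main__":
    admin = {"roles": ["admin"], "project_id": "p1", "user_id": "u-admin"}
    member = {"roles": ["member"], "project_id": "p1", "user_id": "u-member"}
    print(check([("compute", "compute:start")], member))                       # True (owner)
    print(check([("compute", "compute:start")], member, {"project_id": "p2"}))  # False
    print(server_list_kwargs(member), server_list_kwargs(admin))
```

The compound check is what a multi-API action such as Create User needs: each (service, rule) pair is evaluated against the same target, and the action is hidden if any pair fails. Note that the "no policy file means allowed" branch is only safe because the backend service enforces its own policy on the real call; a UI-side check is a usability filter, not the security boundary.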