5984e34862
Adding file based RBAC engine for Horizon using copies of nova and keystone policy.json files

Policy engine builds on top of oslo incubator policy.py, fileutils was also pulled from oslo incubator as a dependency of policy.py

When Horizon runs and a policy check is made, a path and mapping of services to policy files is used to load the rules into the policy engine. Each check is mapped to a service type and validated. This extra level of mapping is required because the policy.json files may each contain a 'default' rule or unqualified (no service name included) rule. Additionally, maintaining separate policy.json files per service will allow easier syncing with the service projects.

The engine allows for compound 'and' checks at this time. E.g., the way the Create User action is written, multiple APIs are called to read data (roles, projects) and more are required to update data (grants, user).

Other workflows, e.g., Edit Project, should have separate save actions per step as they are unrelated. Only the applicable policy checks to that step were added. Separating the unrelated steps' saves should be future work.

The underlying engine supports more rule types that are used in the underlying policy.json files.

Policy checks were added for all actions on tables in the Identity Panel only. And the service policy files imported are limited in this commit to reduce scope of the change.

Additionally, changes were made to the base action class to add support for setting policy rules and an overridable method for determining the policy check target. This reduces the need for redundant code in each action policy check.

Note, the benefit Horizon has is that the underlying APIs will correct us if we get it wrong, so if a policy file is not found for a particular service, permission is assumed and the actual API call to the service will fail if the action isn't authorized for that user.

Finally, adding documentation regarding policy enforcement.
Implements: blueprint rbac
Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
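
A minimal sketch of the check flow the commit message describes: per-service rule sets with their own 'default' rule, compound 'and' checks, and the assume-allowed path when no policy file is loaded. This is an added example, not Horizon's or oslo's code; the simplified rule syntax, the names `load_rules`, `check`, `ENFORCER`, `CREATE_USER` and the sample policy are assumptions made for illustration.

```python
import json

# Constructed per-service policy documents; the rule syntax is a simplified
# subset ("role:<name>", "rule:<alias>", "@" = always allow), an assumption.
POLICY_FILES = {
    "identity": json.dumps({
        "admin_required": "role:admin",
        "identity:list_roles": "@",
        "identity:list_projects": "rule:admin_required",
        "identity:create_user": "rule:admin_required",
        "default": "rule:admin_required",
    }),
}


def load_rules(files):
    """Parse each service's policy document into its own namespace."""
    return {service: json.loads(text) for service, text in files.items()}


def _eval(rule, rules, roles, depth=0):
    if depth > 10:                      # alias cycle: deny
        return False
    if rule == "@":
        return True
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule" and value in rules:
        return _eval(rules[value], rules, roles, depth + 1)
    return False                        # unknown check type or alias: deny


def check(actions, roles, enforcer):
    """Compound 'and': every (service, action) pair must pass."""
    for service, action in actions:
        rules = enforcer.get(service)
        if rules is None:
            continue                    # no policy file loaded: assume allowed
        # Unlisted actions fall back to that service's own 'default' rule.
        rule = rules.get(action, rules.get("default"))
        if rule is None or not _eval(rule, rules, roles):
            return False
    return True


ENFORCER = load_rules(POLICY_FILES)
CREATE_USER = (("identity", "identity:list_roles"),
               ("identity", "identity:list_projects"),
               ("identity", "identity:create_user"))
```

Because a service with no loaded policy file is treated as allowed, a dashboard-side check like this only decides what the UI offers; enforcement stays with the service API, as the commit message notes.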
Horizon (OpenStack Dashboard)
Horizon is a Django-based project aimed at providing a complete
OpenStack Dashboard along with an extensible framework for building new
dashboards from reusable components. The openstack_dashboard module is a
reference implementation of a Django site that uses the horizon app to
provide web-based interactions with the various OpenStack projects.
For release management:
For blueprints and feature specifications:
For issue tracking:
Dependencies
To get started you will need to install Node.js (http://nodejs.org/) on your machine. Node.js is used with Horizon in order to use LESS (http://lesscss.org/) for our CSS needs. Horizon is currently using Node.js v0.6.12.
For Ubuntu use apt to install Node.js:
$ sudo apt-get install nodejs
For other versions of Linux, please see http://nodejs.org/#download for how to install Node.js on your system.
Getting Started
For local development, first create a virtualenv for the project. In
the tools directory there is a script to create one for you:
$ python tools/install_venv.py
Alternatively, the run_tests.sh script will also install
the environment for you and then run the full test suite to verify
everything is installed and functioning correctly.
Now that the virtualenv is created, you need to configure your local
environment. To do this, create a local_settings.py file in
the openstack_dashboard/local/ directory. There is a
local_settings.py.example file there that may be used as a template.
If all is well you should be able to run the development server locally:
$ tools/with_venv.sh manage.py runserver
or, as a shortcut:
$ ./run_tests.sh --runserver
Setting Up OpenStack
The recommended tool for installing and configuring the core OpenStack components is Devstack. Refer to their documentation for getting Nova, Keystone, Glance, etc. up and running.
Note
The minimum required set of OpenStack services running includes the following:
- Nova (compute, api, scheduler, network, and volume services)
- Glance
- Keystone
Optional support is provided for Swift.
Development
For development, start with the getting started instructions above. Once you have a working virtualenv and all the necessary packages, read on.
If dependencies are added to either horizon or openstack-dashboard,
they should be added to requirements.txt.
The run_tests.sh script invokes tests and analyses on
both of these components in its process, and it is what Jenkins uses to
verify the stability of the project. If run before an environment is set
up, it will ask if you wish to install one.
To run the unit tests:
$ ./run_tests.sh
Building Contributor Documentation
This documentation is written by contributors, for contributors.
The source is maintained in the doc/source folder using
reStructuredText and built by Sphinx.
Building Automatically:
$ ./run_tests.sh --docs
Building Manually:
$ export DJANGO_SETTINGS_MODULE=local.local_settings
$ python doc/generate_autodoc_index.py
$ sphinx-build -b html doc/source build/sphinx/html
Results are in the build/sphinx/html directory.