Support policy-in-code and deprecated policy

This change adds support for policy-in-code and deprecated policy
following the change in horizon.

Depends-on: https://review.opendev.org/750134
Change-Id: I904c0a8b17d99245bf2f27058752b4b2d4f1b518

.gitignore

@@ -65,6 +65,3 @@ ChangeLog
 
 # IntelliJ editors
 .idea
-
-# Conf
-octavia_dashboard/conf

README.rst

@@ -46,31 +46,30 @@ Howto
       ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/enabled/_1482_*.py \
       ${HORIZON_DIR}/openstack_dashboard/local/enabled/
 
-3. (Optional) Generate the policy file and copy into horizon's policy files
+4. (Optional) Copy ``_1499_load_balancer_settings.py`` in
-   folder, and copy ``_1499_load_balancer_settings.py`` in
    ``octavia_dashboard/local_settings.d`` directory
-   to ``openstack_dashboard/local/local_settings.d``::
+   to ``openstack_dashboard/local/local_settings.d``
+   and policy files in ``octavia_dashboard/conf`` directory to
+   ``openstack_dashboard/local/conf`` directory::
 
-    $ oslopolicy-policy-generator \
+    $ cp -a \
-      --config-file \
+      ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/local_settings.d/_1499_*.py \
-      ${OCTAVIA_DIR}/etc/policy/octavia-policy-generator.conf \
+      ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/
-      --output-file \
-      ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml
     $ cp -a \
       ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml \
       ${HORIZON_DIR}/openstack_dashboard/conf/
     $ cp -a \
-      ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/local_settings.d/_1499_*.py \
+      ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/default_policies/octavia.yaml \
-      ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/
+      ${HORIZON_DIR}/openstack_dashboard/conf/default_policies/
 
-4. Django has a compressor feature that performs many enhancements for the
+5. Django has a compressor feature that performs many enhancements for the
    delivery of static files. If the compressor feature is enabled in your
    environment (``COMPRESS_OFFLINE = True``), run the following commands::
 
     $ ./manage.py collectstatic
     $ ./manage.py compress
 
-5. Finally restart your web server to enable octavia-dashboard
+6. Finally restart your web server to enable octavia-dashboard
    in your Horizon::
 
     $ sudo service apache2 restart

devstack/plugin.sh

@@ -5,8 +5,8 @@ function octavia_dashboard_install {
 function octavia_dashboard_configure {
     cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/enabled/_1482_project_load_balancer_panel.py ${HORIZON_DIR}/openstack_dashboard/local/enabled/
     cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/
-    oslopolicy-policy-generator --config-file ${OCTAVIA_DIR}/etc/policy/octavia-policy-generator.conf --output-file ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml
     cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml ${HORIZON_DIR}/openstack_dashboard/conf/
+    cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/default_policies/octavia.yaml ${HORIZON_DIR}/openstack_dashboard/conf/default_policies
     if [[ -d ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/locale ]]; then
         (cd ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard; DJANGO_SETTINGS_MODULE=openstack_dashboard.settings $PYTHON ../manage.py compilemessages)
     fi
@@ -34,5 +34,6 @@ if is_service_enabled horizon && is_service_enabled o-api; then
         rm -f ${HORIZON_DIR}/openstack_dashboard/local/enabled/_1482_project_load_balancer_panel.py*
         rm -f ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/_1499_load_balancer_settings.py*
         rm -f ${HORIZON_DIR}/openstack_dashboard/conf/octavia_policy.yaml
+        rm -f ${HORIZON_DIR}/openstack_dashboard/conf/default_policies/octavia.yaml
     fi
 fi

doc/source/installation.rst

@@ -17,7 +17,7 @@ octavia_dashboard/enabled directory to openstack_dashboard/local/enabled
 (Optional) To enable policy enforcement at the Horizon level, copy the policy
 file into horizon's policy files folder, and add this config ``POLICY_FILES``::
 
-    'octavia': 'octavia_policy.json',
+    'octavia': 'octavia_policy.yaml',
 
 Django has a compressor feature that performs many enhancements for the
 delivery of static files. If the compressor feature is enabled in your

octavia_dashboard/conf/default_policies/octavia.yaml

@@ -0,0 +1,679 @@
+- check_str: role:admin and system_scope:all
+  description: null
+  name: system-admin
+  operations: []
+  scope_types:
+  - system
+- check_str: role:reader and system_scope:all
+  description: null
+  name: system-reader
+  operations: []
+  scope_types:
+  - system
+- check_str: role:member and project_id:%(project_id)s
+  description: null
+  name: project-member
+  operations: []
+  scope_types:
+  - project
+- check_str: role:reader and project_id:%(project_id)s
+  description: null
+  name: project-reader
+  operations: []
+  scope_types:
+  - project
+- check_str: role:load-balancer_admin or rule:system-admin
+  deprecated_reason: The Octavia API now requires the OpenStack default roles and
+    scoped tokens. See https://docs.openstack.org/octavia/latest/configuration/policy.html
+    and https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles
+    for more information.
+  deprecated_rule:
+    check_str: role:admin or role:load-balancer_admin
+    name: context_is_admin
+  deprecated_since: W
+  description: null
+  name: context_is_admin
+  operations: []
+  scope_types:
+  - system
+- check_str: project_id:%(project_id)s
+  description: null
+  name: load-balancer:owner
+  operations: []
+  scope_types:
+  - project
+- check_str: role:load-balancer_observer and rule:project-reader
+  deprecated_reason: The Octavia API now requires the OpenStack default roles and
+    scoped tokens. See https://docs.openstack.org/octavia/latest/configuration/policy.html
+    and https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles
+    for more information.
+  deprecated_rule:
+    check_str: role:load-balancer_observer and rule:load-balancer:owner
+    name: load-balancer:observer_and_owner
+  deprecated_since: W
+  description: null
+  name: load-balancer:observer_and_owner
+  operations: []
+  scope_types:
+  - project
+- check_str: role:load-balancer_global_observer or rule:system-reader
+  description: null
+  name: load-balancer:global_observer
+  operations: []
+  scope_types:
+  - system
+- check_str: role:load-balancer_member and rule:project-member
+  deprecated_reason: The Octavia API now requires the OpenStack default roles and
+    scoped tokens. See https://docs.openstack.org/octavia/latest/configuration/policy.html
+    and https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles
+    for more information.
+  deprecated_rule:
+    check_str: role:load-balancer_member and rule:load-balancer:owner
+    name: load-balancer:member_and_owner
+  deprecated_since: W
+  description: null
+  name: load-balancer:member_and_owner
+  operations: []
+  scope_types:
+  - project
+- check_str: is_admin:True or role:load-balancer_admin or rule:system-admin
+  description: null
+  name: load-balancer:admin
+  operations: []
+  scope_types:
+  - system
+- check_str: rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer
+    or rule:load-balancer:member_and_owner or rule:load-balancer:admin
+  description: null
+  name: load-balancer:read
+  operations: []
+  scope_types:
+  - project
+  - system
+- check_str: rule:load-balancer:global_observer or rule:load-balancer:admin
+  description: null
+  name: load-balancer:read-global
+  operations: []
+  scope_types:
+  - system
+- check_str: rule:load-balancer:member_and_owner or rule:load-balancer:admin
+  description: null
+  name: load-balancer:write
+  operations: []
+  scope_types:
+  - project
+  - system
+- check_str: rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer
+    or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin
+  description: null
+  name: load-balancer:read-quota
+  operations: []
+  scope_types:
+  - project
+  - system
+- check_str: rule:load-balancer:global_observer or role:load-balancer_quota_admin
+    or rule:load-balancer:admin
+  description: null
+  name: load-balancer:read-quota-global
+  operations: []
+  scope_types:
+  - system
+- check_str: role:load-balancer_quota_admin or rule:load-balancer:admin
+  description: null
+  name: load-balancer:write-quota
+  operations: []
+  scope_types:
+  - system
+- check_str: rule:load-balancer:read
+  description: List Flavors
+  name: os_load-balancer_api:flavor:get_all
+  operations:
+  - method: GET
+    path: /v2.0/lbaas/flavors
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Create a Flavor
+  name: os_load-balancer_api:flavor:post
+  operations:
+  - method: POST
+    path: /v2.0/lbaas/flavors
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Update a Flavor
+  name: os_load-balancer_api:flavor:put
+  operations:
+  - method: PUT
+    path: /v2.0/lbaas/flavors/{flavor_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show Flavor details
+  name: os_load-balancer_api:flavor:get_one
+  operations:
+  - method: GET
+    path: /v2.0/lbaas/flavors/{flavor_id}
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Remove a Flavor
+  name: os_load-balancer_api:flavor:delete
+  operations:
+  - method: DELETE
+    path: /v2.0/lbaas/flavors/{flavor_id}
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: List Flavor Profiles
+  name: os_load-balancer_api:flavor-profile:get_all
+  operations:
+  - method: GET
+    path: /v2.0/lbaas/flavorprofiles
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Create a Flavor Profile
+  name: os_load-balancer_api:flavor-profile:post
+  operations:
+  - method: POST
+    path: /v2.0/lbaas/flavorprofiles
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Update a Flavor Profile
+  name: os_load-balancer_api:flavor-profile:put
+  operations:
+  - method: PUT
+    path: /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Show Flavor Profile details
+  name: os_load-balancer_api:flavor-profile:get_one
+  operations:
+  - method: GET
+    path: /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Remove a Flavor Profile
+  name: os_load-balancer_api:flavor-profile:delete
+  operations:
+  - method: DELETE
+    path: /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: List Availability Zones
+  name: os_load-balancer_api:availability-zone:get_all
+  operations:
+  - method: GET
+    path: /v2.0/lbaas/availabilityzones
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Create an Availability Zone
+  name: os_load-balancer_api:availability-zone:post
+  operations:
+  - method: POST
+    path: /v2.0/lbaas/availabilityzones
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Update an Availability Zone
+  name: os_load-balancer_api:availability-zone:put
+  operations:
+  - method: PUT
+    path: /v2.0/lbaas/availabilityzones/{availability_zone_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show Availability Zone details
+  name: os_load-balancer_api:availability-zone:get_one
+  operations:
+  - method: GET
+    path: /v2.0/lbaas/availabilityzones/{availability_zone_id}
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Remove an Availability Zone
+  name: os_load-balancer_api:availability-zone:delete
+  operations:
+  - method: DELETE
+    path: /v2.0/lbaas/availabilityzones/{availability_zone_id}
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: List Availability Zones
+  name: os_load-balancer_api:availability-zone-profile:get_all
+  operations:
+  - method: GET
+    path: /v2.0/lbaas/availabilityzoneprofiles
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Create an Availability Zone
+  name: os_load-balancer_api:availability-zone-profile:post
+  operations:
+  - method: POST
+    path: /v2.0/lbaas/availabilityzoneprofiles
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Update an Availability Zone
+  name: os_load-balancer_api:availability-zone-profile:put
+  operations:
+  - method: PUT
+    path: /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Show Availability Zone details
+  name: os_load-balancer_api:availability-zone-profile:get_one
+  operations:
+  - method: GET
+    path: /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Remove an Availability Zone
+  name: os_load-balancer_api:availability-zone-profile:delete
+  operations:
+  - method: DELETE
+    path: /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: List Health Monitors of a Pool
+  name: os_load-balancer_api:healthmonitor:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/healthmonitors
+  scope_types: null
+- check_str: rule:load-balancer:read-global
+  description: List Health Monitors including resources owned by others
+  name: os_load-balancer_api:healthmonitor:get_all-global
+  operations:
+  - method: GET
+    path: /v2/lbaas/healthmonitors
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Create a Health Monitor
+  name: os_load-balancer_api:healthmonitor:post
+  operations:
+  - method: POST
+    path: /v2/lbaas/healthmonitors
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show Health Monitor details
+  name: os_load-balancer_api:healthmonitor:get_one
+  operations:
+  - method: GET
+    path: /v2/lbaas/healthmonitors/{healthmonitor_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Update a Health Monitor
+  name: os_load-balancer_api:healthmonitor:put
+  operations:
+  - method: PUT
+    path: /v2/lbaas/healthmonitors/{healthmonitor_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Remove a Health Monitor
+  name: os_load-balancer_api:healthmonitor:delete
+  operations:
+  - method: DELETE
+    path: /v2/lbaas/healthmonitors/{healthmonitor_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: List L7 Policys
+  name: os_load-balancer_api:l7policy:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/l7policies
+  scope_types: null
+- check_str: rule:load-balancer:read-global
+  description: List L7 Policys including resources owned by others
+  name: os_load-balancer_api:l7policy:get_all-global
+  operations:
+  - method: GET
+    path: /v2/lbaas/l7policies
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Create a L7 Policy
+  name: os_load-balancer_api:l7policy:post
+  operations:
+  - method: POST
+    path: /v2/lbaas/l7policies
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show L7 Policy details
+  name: os_load-balancer_api:l7policy:get_one
+  operations:
+  - method: GET
+    path: /v2/lbaas/l7policies/{l7policy_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Update a L7 Policy
+  name: os_load-balancer_api:l7policy:put
+  operations:
+  - method: PUT
+    path: /v2/lbaas/l7policies/{l7policy_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Remove a L7 Policy
+  name: os_load-balancer_api:l7policy:delete
+  operations:
+  - method: DELETE
+    path: /v2/lbaas/l7policies/{l7policy_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: List L7 Rules
+  name: os_load-balancer_api:l7rule:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/l7policies/{l7policy_id}/rules
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Create a L7 Rule
+  name: os_load-balancer_api:l7rule:post
+  operations:
+  - method: POST
+    path: /v2/lbaas/l7policies/{l7policy_id}/rules
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show L7 Rule details
+  name: os_load-balancer_api:l7rule:get_one
+  operations:
+  - method: GET
+    path: /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Update a L7 Rule
+  name: os_load-balancer_api:l7rule:put
+  operations:
+  - method: PUT
+    path: /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Remove a L7 Rule
+  name: os_load-balancer_api:l7rule:delete
+  operations:
+  - method: DELETE
+    path: /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: List Listeners
+  name: os_load-balancer_api:listener:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/listeners
+  scope_types: null
+- check_str: rule:load-balancer:read-global
+  description: List Listeners including resources owned by others
+  name: os_load-balancer_api:listener:get_all-global
+  operations:
+  - method: GET
+    path: /v2/lbaas/listeners
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Create a Listener
+  name: os_load-balancer_api:listener:post
+  operations:
+  - method: POST
+    path: /v2/lbaas/listeners
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show Listener details
+  name: os_load-balancer_api:listener:get_one
+  operations:
+  - method: GET
+    path: /v2/lbaas/listeners/{listener_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Update a Listener
+  name: os_load-balancer_api:listener:put
+  operations:
+  - method: PUT
+    path: /v2/lbaas/listeners/{listener_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Remove a Listener
+  name: os_load-balancer_api:listener:delete
+  operations:
+  - method: DELETE
+    path: /v2/lbaas/listeners/{listener_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show Listener statistics
+  name: os_load-balancer_api:listener:get_stats
+  operations:
+  - method: GET
+    path: /v2/lbaas/listeners/{listener_id}/stats
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: List Load Balancers
+  name: os_load-balancer_api:loadbalancer:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/loadbalancers
+  scope_types: null
+- check_str: rule:load-balancer:read-global
+  description: List Load Balancers including resources owned by others
+  name: os_load-balancer_api:loadbalancer:get_all-global
+  operations:
+  - method: GET
+    path: /v2/lbaas/loadbalancers
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Create a Load Balancer
+  name: os_load-balancer_api:loadbalancer:post
+  operations:
+  - method: POST
+    path: /v2/lbaas/loadbalancers
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show Load Balancer details
+  name: os_load-balancer_api:loadbalancer:get_one
+  operations:
+  - method: GET
+    path: /v2/lbaas/loadbalancers/{loadbalancer_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Update a Load Balancer
+  name: os_load-balancer_api:loadbalancer:put
+  operations:
+  - method: PUT
+    path: /v2/lbaas/loadbalancers/{loadbalancer_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Remove a Load Balancer
+  name: os_load-balancer_api:loadbalancer:delete
+  operations:
+  - method: DELETE
+    path: /v2/lbaas/loadbalancers/{loadbalancer_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show Load Balancer statistics
+  name: os_load-balancer_api:loadbalancer:get_stats
+  operations:
+  - method: GET
+    path: /v2/lbaas/loadbalancers/{loadbalancer_id}/stats
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show Load Balancer status
+  name: os_load-balancer_api:loadbalancer:get_status
+  operations:
+  - method: GET
+    path: /v2/lbaas/loadbalancers/{loadbalancer_id}/status
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Failover a Load Balancer
+  name: os_load-balancer_api:loadbalancer:put_failover
+  operations:
+  - method: PUT
+    path: /v2/lbaas/loadbalancers/{loadbalancer_id}/failover
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: List Members of a Pool
+  name: os_load-balancer_api:member:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/pools/{pool_id}/members
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Create a Member
+  name: os_load-balancer_api:member:post
+  operations:
+  - method: POST
+    path: /v2/lbaas/pools/{pool_id}/members
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show Member details
+  name: os_load-balancer_api:member:get_one
+  operations:
+  - method: GET
+    path: /v2/lbaas/pools/{pool_id}/members/{member_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Update a Member
+  name: os_load-balancer_api:member:put
+  operations:
+  - method: PUT
+    path: /v2/lbaas/pools/{pool_id}/members/{member_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Remove a Member
+  name: os_load-balancer_api:member:delete
+  operations:
+  - method: DELETE
+    path: /v2/lbaas/pools/{pool_id}/members/{member_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: List Pools
+  name: os_load-balancer_api:pool:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/pools
+  scope_types: null
+- check_str: rule:load-balancer:read-global
+  description: List Pools including resources owned by others
+  name: os_load-balancer_api:pool:get_all-global
+  operations:
+  - method: GET
+    path: /v2/lbaas/pools
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Create a Pool
+  name: os_load-balancer_api:pool:post
+  operations:
+  - method: POST
+    path: /v2/lbaas/pools
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: Show Pool details
+  name: os_load-balancer_api:pool:get_one
+  operations:
+  - method: GET
+    path: /v2/lbaas/pools/{pool_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Update a Pool
+  name: os_load-balancer_api:pool:put
+  operations:
+  - method: PUT
+    path: /v2/lbaas/pools/{pool_id}
+  scope_types: null
+- check_str: rule:load-balancer:write
+  description: Remove a Pool
+  name: os_load-balancer_api:pool:delete
+  operations:
+  - method: DELETE
+    path: /v2/lbaas/pools/{pool_id}
+  scope_types: null
+- check_str: rule:load-balancer:read
+  description: List enabled providers
+  name: os_load-balancer_api:provider:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/providers
+  scope_types: null
+- check_str: rule:load-balancer:read-quota
+  description: List Quotas
+  name: os_load-balancer_api:quota:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/quotas
+  scope_types: null
+- check_str: rule:load-balancer:read-quota-global
+  description: List Quotas including resources owned by others
+  name: os_load-balancer_api:quota:get_all-global
+  operations:
+  - method: GET
+    path: /v2/lbaas/quotas
+  scope_types: null
+- check_str: rule:load-balancer:read-quota
+  description: Show Quota details
+  name: os_load-balancer_api:quota:get_one
+  operations:
+  - method: GET
+    path: /v2/lbaas/quotas/{project_id}
+  scope_types: null
+- check_str: rule:load-balancer:write-quota
+  description: Update a Quota
+  name: os_load-balancer_api:quota:put
+  operations:
+  - method: PUT
+    path: /v2/lbaas/quotas/{project_id}
+  scope_types: null
+- check_str: rule:load-balancer:write-quota
+  description: Reset a Quota
+  name: os_load-balancer_api:quota:delete
+  operations:
+  - method: DELETE
+    path: /v2/lbaas/quotas/{project_id}
+  scope_types: null
+- check_str: rule:load-balancer:read-quota
+  description: Show Default Quota for a Project
+  name: os_load-balancer_api:quota:get_defaults
+  operations:
+  - method: GET
+    path: /v2/lbaas/quotas/{project_id}/default
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: List Amphorae
+  name: os_load-balancer_api:amphora:get_all
+  operations:
+  - method: GET
+    path: /v2/octavia/amphorae
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Show Amphora details
+  name: os_load-balancer_api:amphora:get_one
+  operations:
+  - method: GET
+    path: /v2/octavia/amphorae/{amphora_id}
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Delete an Amphora
+  name: os_load-balancer_api:amphora:delete
+  operations:
+  - method: DELETE
+    path: /v2/octavia/amphorae/{amphora_id}
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Update Amphora Agent Configuration
+  name: os_load-balancer_api:amphora:put_config
+  operations:
+  - method: PUT
+    path: /v2/octavia/amphorae/{amphora_id}/config
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Failover Amphora
+  name: os_load-balancer_api:amphora:put_failover
+  operations:
+  - method: PUT
+    path: /v2/octavia/amphorae/{amphora_id}/failover
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: Show Amphora statistics
+  name: os_load-balancer_api:amphora:get_stats
+  operations:
+  - method: GET
+    path: /v2/octavia/amphorae/{amphora_id}/stats
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: List the provider flavor capabilities.
+  name: os_load-balancer_api:provider-flavor:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/providers/{provider}/flavor_capabilities
+  scope_types: null
+- check_str: rule:load-balancer:admin
+  description: List the provider availability zone capabilities.
+  name: os_load-balancer_api:provider-availability-zone:get_all
+  operations:
+  - method: GET
+    path: /v2/lbaas/providers/{provider}/availability_zone_capabilities
+  scope_types: null

octavia_dashboard/conf/octavia_policy.yaml

@@ -0,0 +1,396 @@
+# Intended scope(s): system
+#"system-admin": "role:admin and system_scope:all"
+
+# Intended scope(s): system
+#"system-reader": "role:reader and system_scope:all"
+
+# Intended scope(s): project
+#"project-member": "role:member and project_id:%(project_id)s"
+
+# Intended scope(s): project
+#"project-reader": "role:reader and project_id:%(project_id)s"
+
+# Intended scope(s): system
+#"context_is_admin": "role:load-balancer_admin or rule:system-admin"
+
+# DEPRECATED
+# "context_is_admin":"role:admin or role:load-balancer_admin" has been
+# deprecated since W in favor of "context_is_admin":"role:load-
+# balancer_admin or rule:system-admin".
+# The Octavia API now requires the OpenStack default roles and scoped
+# tokens. See
+# https://docs.openstack.org/octavia/latest/configuration/policy.html
+# and https://docs.openstack.org/keystone/latest/contributor/services.
+# html#reusable-default-roles for more information.
+
+# Intended scope(s): project
+#"load-balancer:owner": "project_id:%(project_id)s"
+
+# Intended scope(s): project
+#"load-balancer:observer_and_owner": "role:load-balancer_observer and rule:project-reader"
+
+# DEPRECATED
+# "load-balancer:observer_and_owner":"role:load-balancer_observer and
+# rule:load-balancer:owner" has been deprecated since W in favor of
+# "load-balancer:observer_and_owner":"role:load-balancer_observer and
+# rule:project-reader".
+# The Octavia API now requires the OpenStack default roles and scoped
+# tokens. See
+# https://docs.openstack.org/octavia/latest/configuration/policy.html
+# and https://docs.openstack.org/keystone/latest/contributor/services.
+# html#reusable-default-roles for more information.
+
+# Intended scope(s): system
+#"load-balancer:global_observer": "role:load-balancer_global_observer or rule:system-reader"
+
+# Intended scope(s): project
+#"load-balancer:member_and_owner": "role:load-balancer_member and rule:project-member"
+
+# DEPRECATED
+# "load-balancer:member_and_owner":"role:load-balancer_member and
+# rule:load-balancer:owner" has been deprecated since W in favor of
+# "load-balancer:member_and_owner":"role:load-balancer_member and
+# rule:project-member".
+# The Octavia API now requires the OpenStack default roles and scoped
+# tokens. See
+# https://docs.openstack.org/octavia/latest/configuration/policy.html
+# and https://docs.openstack.org/keystone/latest/contributor/services.
+# html#reusable-default-roles for more information.
+
+# Intended scope(s): system
+#"load-balancer:admin": "is_admin:True or role:load-balancer_admin or rule:system-admin"
+
+# Intended scope(s): project, system
+#"load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
+
+# Intended scope(s): system
+#"load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin"
+
+# Intended scope(s): project, system
+#"load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
+
+# Intended scope(s): project, system
+#"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
+
+# Intended scope(s): system
+#"load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
+
+# Intended scope(s): system
+#"load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin"
+
+# List Flavors
+# GET  /v2.0/lbaas/flavors
+#"os_load-balancer_api:flavor:get_all": "rule:load-balancer:read"
+
+# Create a Flavor
+# POST  /v2.0/lbaas/flavors
+#"os_load-balancer_api:flavor:post": "rule:load-balancer:admin"
+
+# Update a Flavor
+# PUT  /v2.0/lbaas/flavors/{flavor_id}
+#"os_load-balancer_api:flavor:put": "rule:load-balancer:admin"
+
+# Show Flavor details
+# GET  /v2.0/lbaas/flavors/{flavor_id}
+#"os_load-balancer_api:flavor:get_one": "rule:load-balancer:read"
+
+# Remove a Flavor
+# DELETE  /v2.0/lbaas/flavors/{flavor_id}
+#"os_load-balancer_api:flavor:delete": "rule:load-balancer:admin"
+
+# List Flavor Profiles
+# GET  /v2.0/lbaas/flavorprofiles
+#"os_load-balancer_api:flavor-profile:get_all": "rule:load-balancer:admin"
+
+# Create a Flavor Profile
+# POST  /v2.0/lbaas/flavorprofiles
+#"os_load-balancer_api:flavor-profile:post": "rule:load-balancer:admin"
+
+# Update a Flavor Profile
+# PUT  /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
+#"os_load-balancer_api:flavor-profile:put": "rule:load-balancer:admin"
+
+# Show Flavor Profile details
+# GET  /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
+#"os_load-balancer_api:flavor-profile:get_one": "rule:load-balancer:admin"
+
+# Remove a Flavor Profile
+# DELETE  /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
+#"os_load-balancer_api:flavor-profile:delete": "rule:load-balancer:admin"
+
+# List Availability Zones
+# GET  /v2.0/lbaas/availabilityzones
+#"os_load-balancer_api:availability-zone:get_all": "rule:load-balancer:read"
+
+# Create an Availability Zone
+# POST  /v2.0/lbaas/availabilityzones
+#"os_load-balancer_api:availability-zone:post": "rule:load-balancer:admin"
+
+# Update an Availability Zone
+# PUT  /v2.0/lbaas/availabilityzones/{availability_zone_id}
+#"os_load-balancer_api:availability-zone:put": "rule:load-balancer:admin"
+
+# Show Availability Zone details
+# GET  /v2.0/lbaas/availabilityzones/{availability_zone_id}
+#"os_load-balancer_api:availability-zone:get_one": "rule:load-balancer:read"
+
+# Remove an Availability Zone
+# DELETE  /v2.0/lbaas/availabilityzones/{availability_zone_id}
+#"os_load-balancer_api:availability-zone:delete": "rule:load-balancer:admin"
+
+# List Availability Zones
+# GET  /v2.0/lbaas/availabilityzoneprofiles
+#"os_load-balancer_api:availability-zone-profile:get_all": "rule:load-balancer:admin"
+
+# Create an Availability Zone
+# POST  /v2.0/lbaas/availabilityzoneprofiles
+#"os_load-balancer_api:availability-zone-profile:post": "rule:load-balancer:admin"
+
+# Update an Availability Zone
+# PUT  /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
+#"os_load-balancer_api:availability-zone-profile:put": "rule:load-balancer:admin"
+
+# Show Availability Zone details
+# GET  /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
+#"os_load-balancer_api:availability-zone-profile:get_one": "rule:load-balancer:admin"
+
+# Remove an Availability Zone
+# DELETE  /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
+#"os_load-balancer_api:availability-zone-profile:delete": "rule:load-balancer:admin"
+
+# List Health Monitors of a Pool
+# GET  /v2/lbaas/healthmonitors
+#"os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read"
+
+# List Health Monitors including resources owned by others
+# GET  /v2/lbaas/healthmonitors
+#"os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global"
+
+# Create a Health Monitor
+# POST  /v2/lbaas/healthmonitors
+#"os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write"
+
+# Show Health Monitor details
+# GET  /v2/lbaas/healthmonitors/{healthmonitor_id}
+#"os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read"
+
+# Update a Health Monitor
+# PUT  /v2/lbaas/healthmonitors/{healthmonitor_id}
+#"os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write"
+
+# Remove a Health Monitor
+# DELETE  /v2/lbaas/healthmonitors/{healthmonitor_id}
+#"os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write"
+
+# List L7 Policys
+# GET  /v2/lbaas/l7policies
+#"os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read"
+
+# List L7 Policys including resources owned by others
+# GET  /v2/lbaas/l7policies
+#"os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global"
+
+# Create a L7 Policy
+# POST  /v2/lbaas/l7policies
+#"os_load-balancer_api:l7policy:post": "rule:load-balancer:write"
+
+# Show L7 Policy details
+# GET  /v2/lbaas/l7policies/{l7policy_id}
+#"os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read"
+
+# Update a L7 Policy
+# PUT  /v2/lbaas/l7policies/{l7policy_id}
+#"os_load-balancer_api:l7policy:put": "rule:load-balancer:write"
+
+# Remove a L7 Policy
+# DELETE  /v2/lbaas/l7policies/{l7policy_id}
+#"os_load-balancer_api:l7policy:delete": "rule:load-balancer:write"
+
+# List L7 Rules
+# GET  /v2/lbaas/l7policies/{l7policy_id}/rules
+#"os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read"
+
+# Create a L7 Rule
+# POST  /v2/lbaas/l7policies/{l7policy_id}/rules
+#"os_load-balancer_api:l7rule:post": "rule:load-balancer:write"
+
+# Show L7 Rule details
+# GET  /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
+#"os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read"
+
+# Update a L7 Rule
+# PUT  /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
+#"os_load-balancer_api:l7rule:put": "rule:load-balancer:write"
+
+# Remove a L7 Rule
+# DELETE  /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
+#"os_load-balancer_api:l7rule:delete": "rule:load-balancer:write"
+
+# List Listeners
+# GET  /v2/lbaas/listeners
+#"os_load-balancer_api:listener:get_all": "rule:load-balancer:read"
+
+# List Listeners including resources owned by others
+# GET  /v2/lbaas/listeners
+#"os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global"
+
+# Create a Listener
+# POST  /v2/lbaas/listeners
+#"os_load-balancer_api:listener:post": "rule:load-balancer:write"
+
+# Show Listener details
+# GET  /v2/lbaas/listeners/{listener_id}
+#"os_load-balancer_api:listener:get_one": "rule:load-balancer:read"
+
+# Update a Listener
+# PUT  /v2/lbaas/listeners/{listener_id}
+#"os_load-balancer_api:listener:put": "rule:load-balancer:write"
+
+# Remove a Listener
+# DELETE  /v2/lbaas/listeners/{listener_id}
+#"os_load-balancer_api:listener:delete": "rule:load-balancer:write"
+
+# Show Listener statistics
+# GET  /v2/lbaas/listeners/{listener_id}/stats
+#"os_load-balancer_api:listener:get_stats": "rule:load-balancer:read"
+
+# List Load Balancers
+# GET  /v2/lbaas/loadbalancers
+#"os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read"
+
+# List Load Balancers including resources owned by others
+# GET  /v2/lbaas/loadbalancers
+#"os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global"
+
+# Create a Load Balancer
+# POST  /v2/lbaas/loadbalancers
+#"os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write"
+
+# Show Load Balancer details
+# GET  /v2/lbaas/loadbalancers/{loadbalancer_id}
+#"os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read"
+
+# Update a Load Balancer
+# PUT  /v2/lbaas/loadbalancers/{loadbalancer_id}
+#"os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write"
+
+# Remove a Load Balancer
+# DELETE  /v2/lbaas/loadbalancers/{loadbalancer_id}
+#"os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write"
+
+# Show Load Balancer statistics
+# GET  /v2/lbaas/loadbalancers/{loadbalancer_id}/stats
+#"os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read"
+
+# Show Load Balancer status
+# GET  /v2/lbaas/loadbalancers/{loadbalancer_id}/status
+#"os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read"
+
+# Failover a Load Balancer
+# PUT  /v2/lbaas/loadbalancers/{loadbalancer_id}/failover
+#"os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin"
+
+# List Members of a Pool
+# GET  /v2/lbaas/pools/{pool_id}/members
+#"os_load-balancer_api:member:get_all": "rule:load-balancer:read"
+
+# Create a Member
+# POST  /v2/lbaas/pools/{pool_id}/members
+#"os_load-balancer_api:member:post": "rule:load-balancer:write"
+
+# Show Member details
+# GET  /v2/lbaas/pools/{pool_id}/members/{member_id}
+#"os_load-balancer_api:member:get_one": "rule:load-balancer:read"
+
+# Update a Member
+# PUT  /v2/lbaas/pools/{pool_id}/members/{member_id}
+#"os_load-balancer_api:member:put": "rule:load-balancer:write"
+
+# Remove a Member
+# DELETE  /v2/lbaas/pools/{pool_id}/members/{member_id}
+#"os_load-balancer_api:member:delete": "rule:load-balancer:write"
+
+# List Pools
+# GET  /v2/lbaas/pools
+#"os_load-balancer_api:pool:get_all": "rule:load-balancer:read"
+
+# List Pools including resources owned by others
+# GET  /v2/lbaas/pools
+#"os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global"
+
+# Create a Pool
+# POST  /v2/lbaas/pools
+#"os_load-balancer_api:pool:post": "rule:load-balancer:write"
+
+# Show Pool details
+# GET  /v2/lbaas/pools/{pool_id}
+#"os_load-balancer_api:pool:get_one": "rule:load-balancer:read"
+
+# Update a Pool
+# PUT  /v2/lbaas/pools/{pool_id}
+#"os_load-balancer_api:pool:put": "rule:load-balancer:write"
+
+# Remove a Pool
+# DELETE  /v2/lbaas/pools/{pool_id}
+#"os_load-balancer_api:pool:delete": "rule:load-balancer:write"
+
+# List enabled providers
+# GET  /v2/lbaas/providers
+#"os_load-balancer_api:provider:get_all": "rule:load-balancer:read"
+
+# List Quotas
+# GET  /v2/lbaas/quotas
+#"os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota"
+
+# List Quotas including resources owned by others
+# GET  /v2/lbaas/quotas
+#"os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global"
+
+# Show Quota details
+# GET  /v2/lbaas/quotas/{project_id}
+#"os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota"
+
+# Update a Quota
+# PUT  /v2/lbaas/quotas/{project_id}
+#"os_load-balancer_api:quota:put": "rule:load-balancer:write-quota"
+
+# Reset a Quota
+# DELETE  /v2/lbaas/quotas/{project_id}
+#"os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota"
+
+# Show Default Quota for a Project
+# GET  /v2/lbaas/quotas/{project_id}/default
+#"os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota"
+
+# List Amphorae
+# GET  /v2/octavia/amphorae
+#"os_load-balancer_api:amphora:get_all": "rule:load-balancer:admin"
+
+# Show Amphora details
+# GET  /v2/octavia/amphorae/{amphora_id}
+#"os_load-balancer_api:amphora:get_one": "rule:load-balancer:admin"
+
+# Delete an Amphora
+# DELETE  /v2/octavia/amphorae/{amphora_id}
+#"os_load-balancer_api:amphora:delete": "rule:load-balancer:admin"
+
+# Update Amphora Agent Configuration
+# PUT  /v2/octavia/amphorae/{amphora_id}/config
+#"os_load-balancer_api:amphora:put_config": "rule:load-balancer:admin"
+
+# Failover Amphora
+# PUT  /v2/octavia/amphorae/{amphora_id}/failover
+#"os_load-balancer_api:amphora:put_failover": "rule:load-balancer:admin"
+
+# Show Amphora statistics
+# GET  /v2/octavia/amphorae/{amphora_id}/stats
+#"os_load-balancer_api:amphora:get_stats": "rule:load-balancer:admin"
+
+# List the provider flavor capabilities.
+# GET  /v2/lbaas/providers/{provider}/flavor_capabilities
+#"os_load-balancer_api:provider-flavor:get_all": "rule:load-balancer:admin"
+
+# List the provider availability zone capabilities.
+# GET  /v2/lbaas/providers/{provider}/availability_zone_capabilities
+#"os_load-balancer_api:provider-availability-zone:get_all": "rule:load-balancer:admin"
+

octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py

@@ -20,3 +20,7 @@ from django.conf import settings
 settings.POLICY_FILES.update({
     'load-balancer': 'octavia_policy.yaml',
 })
+
+settings.iDEFAULT_POLICY_FILES.update({
+    'load-balancer': 'default_policies/octavia.yaml',
+})