Support policy-in-code and deprecated policy

This change adds support for policy-in-code and deprecated policy
following the change in horizon.

Note that now policy files are pre-generated instead of dynamically
generated during installation, which follows the guidance provided
in the horizon repo.
 https://docs.openstack.org/horizon/latest/contributor/topics/policy.html

Depends-on: https://review.opendev.org/750134
Change-Id: I0f6117d36598f791cc91658f36b6f72feb7dd076
Takashi Kajinami 2021-05-05 11:16:41 +09:00
parent 7fb4bac2e8
commit a2e414d1e3
6 changed files with 1081 additions and 4 deletions

3
.gitignore vendored

@ -65,6 +65,3 @@ ChangeLog
# IntelliJ editors # IntelliJ editors
.idea .idea
# Conf
octavia_dashboard/conf


@ -5,8 +5,8 @@ function octavia_dashboard_install {
function octavia_dashboard_configure { function octavia_dashboard_configure {
cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/enabled/_1482_project_load_balancer_panel.py ${HORIZON_DIR}/openstack_dashboard/local/enabled/ cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/enabled/_1482_project_load_balancer_panel.py ${HORIZON_DIR}/openstack_dashboard/local/enabled/
cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/ cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/
oslopolicy-policy-generator --config-file ${OCTAVIA_DIR}/etc/policy/octavia-policy-generator.conf --output-file ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml
cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml ${HORIZON_DIR}/openstack_dashboard/conf/ cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml ${HORIZON_DIR}/openstack_dashboard/conf/
cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/default_policies/octavia.yaml ${HORIZON_DIR}/openstack_dashboard/conf/default_policies/
if [[ -d ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/locale ]]; then if [[ -d ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/locale ]]; then
(cd ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard; DJANGO_SETTINGS_MODULE=openstack_dashboard.settings $PYTHON ../manage.py compilemessages) (cd ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard; DJANGO_SETTINGS_MODULE=openstack_dashboard.settings $PYTHON ../manage.py compilemessages)
fi fi
@ -34,5 +34,6 @@ if is_service_enabled horizon && is_service_enabled o-api; then
rm -f ${HORIZON_DIR}/openstack_dashboard/local/enabled/_1482_project_load_balancer_panel.py* rm -f ${HORIZON_DIR}/openstack_dashboard/local/enabled/_1482_project_load_balancer_panel.py*
rm -f ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/_1499_load_balancer_settings.py* rm -f ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/_1499_load_balancer_settings.py*
rm -f ${HORIZON_DIR}/openstack_dashboard/conf/octavia_policy.yaml rm -f ${HORIZON_DIR}/openstack_dashboard/conf/octavia_policy.yaml
rm -f ${HORIZON_DIR}/openstack_dashboard/conf/default_policies/octavia.yaml
fi fi
fi fi
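Review bot: In `octavia_dashboard_configure`, the two `cp -a` lines now install the checked-in `conf/octavia_policy.yaml` and `conf/default_policies/octavia.yaml`, and with the `oslopolicy-policy-generator` call apparently dropped (as the commit message describes), nothing visible here ties those files to the policy defaults of the Octavia release that is actually installed. The Octavia API remains the enforcement point, but a stale copy in Horizon can hide actions a user is permitted to perform or offer ones the API will then reject, and such drift is silent. Consider a CI job that regenerates both files from Octavia's in-code defaults and fails on any difference. A comment above the `cp` lines would also help, such as `# Policy files are pre-generated; regenerate them whenever Octavia's default policies change.` The function's closing brace lies outside the first hunk, and the matching cleanup `rm -f` for `default_policies/octavia.yaml` is in the second hunk.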


@ -0,0 +1,679 @@
- check_str: role:admin and system_scope:all
description: null
name: system-admin
operations: []
scope_types:
- system
- check_str: role:reader and system_scope:all
description: null
name: system-reader
operations: []
scope_types:
- system
- check_str: role:member and project_id:%(project_id)s
description: null
name: project-member
operations: []
scope_types:
- project
- check_str: role:reader and project_id:%(project_id)s
description: null
name: project-reader
operations: []
scope_types:
- project
- check_str: role:load-balancer_admin or rule:system-admin
deprecated_reason: The Octavia API now requires the OpenStack default roles and
scoped tokens. See https://docs.openstack.org/octavia/latest/configuration/policy.html
and https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles
for more information.
deprecated_rule:
check_str: role:admin or role:load-balancer_admin
name: context_is_admin
deprecated_since: W
description: null
name: context_is_admin
operations: []
scope_types:
- system
- check_str: project_id:%(project_id)s
description: null
name: load-balancer:owner
operations: []
scope_types:
- project
- check_str: role:load-balancer_observer and rule:project-reader
deprecated_reason: The Octavia API now requires the OpenStack default roles and
scoped tokens. See https://docs.openstack.org/octavia/latest/configuration/policy.html
and https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles
for more information.
deprecated_rule:
check_str: role:load-balancer_observer and rule:load-balancer:owner
name: load-balancer:observer_and_owner
deprecated_since: W
description: null
name: load-balancer:observer_and_owner
operations: []
scope_types:
- project
- check_str: role:load-balancer_global_observer or rule:system-reader
description: null
name: load-balancer:global_observer
operations: []
scope_types:
- system
- check_str: role:load-balancer_member and rule:project-member
deprecated_reason: The Octavia API now requires the OpenStack default roles and
scoped tokens. See https://docs.openstack.org/octavia/latest/configuration/policy.html
and https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles
for more information.
deprecated_rule:
check_str: role:load-balancer_member and rule:load-balancer:owner
name: load-balancer:member_and_owner
deprecated_since: W
description: null
name: load-balancer:member_and_owner
operations: []
scope_types:
- project
- check_str: is_admin:True or role:load-balancer_admin or rule:system-admin
description: null
name: load-balancer:admin
operations: []
scope_types:
- system
- check_str: rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer
or rule:load-balancer:member_and_owner or rule:load-balancer:admin
description: null
name: load-balancer:read
operations: []
scope_types:
- project
- system
- check_str: rule:load-balancer:global_observer or rule:load-balancer:admin
description: null
name: load-balancer:read-global
operations: []
scope_types:
- system
- check_str: rule:load-balancer:member_and_owner or rule:load-balancer:admin
description: null
name: load-balancer:write
operations: []
scope_types:
- project
- system
- check_str: rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer
or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin
description: null
name: load-balancer:read-quota
operations: []
scope_types:
- project
- system
- check_str: rule:load-balancer:global_observer or role:load-balancer_quota_admin
or rule:load-balancer:admin
description: null
name: load-balancer:read-quota-global
operations: []
scope_types:
- system
- check_str: role:load-balancer_quota_admin or rule:load-balancer:admin
description: null
name: load-balancer:write-quota
operations: []
scope_types:
- system
- check_str: rule:load-balancer:read
description: List Flavors
name: os_load-balancer_api:flavor:get_all
operations:
- method: GET
path: /v2.0/lbaas/flavors
scope_types: null
- check_str: rule:load-balancer:admin
description: Create a Flavor
name: os_load-balancer_api:flavor:post
operations:
- method: POST
path: /v2.0/lbaas/flavors
scope_types: null
- check_str: rule:load-balancer:admin
description: Update a Flavor
name: os_load-balancer_api:flavor:put
operations:
- method: PUT
path: /v2.0/lbaas/flavors/{flavor_id}
scope_types: null
- check_str: rule:load-balancer:read
description: Show Flavor details
name: os_load-balancer_api:flavor:get_one
operations:
- method: GET
path: /v2.0/lbaas/flavors/{flavor_id}
scope_types: null
- check_str: rule:load-balancer:admin
description: Remove a Flavor
name: os_load-balancer_api:flavor:delete
operations:
- method: DELETE
path: /v2.0/lbaas/flavors/{flavor_id}
scope_types: null
- check_str: rule:load-balancer:admin
description: List Flavor Profiles
name: os_load-balancer_api:flavor-profile:get_all
operations:
- method: GET
path: /v2.0/lbaas/flavorprofiles
scope_types: null
- check_str: rule:load-balancer:admin
description: Create a Flavor Profile
name: os_load-balancer_api:flavor-profile:post
operations:
- method: POST
path: /v2.0/lbaas/flavorprofiles
scope_types: null
- check_str: rule:load-balancer:admin
description: Update a Flavor Profile
name: os_load-balancer_api:flavor-profile:put
operations:
- method: PUT
path: /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
scope_types: null
- check_str: rule:load-balancer:admin
description: Show Flavor Profile details
name: os_load-balancer_api:flavor-profile:get_one
operations:
- method: GET
path: /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
scope_types: null
- check_str: rule:load-balancer:admin
description: Remove a Flavor Profile
name: os_load-balancer_api:flavor-profile:delete
operations:
- method: DELETE
path: /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
scope_types: null
- check_str: rule:load-balancer:read
description: List Availability Zones
name: os_load-balancer_api:availability-zone:get_all
operations:
- method: GET
path: /v2.0/lbaas/availabilityzones
scope_types: null
- check_str: rule:load-balancer:admin
description: Create an Availability Zone
name: os_load-balancer_api:availability-zone:post
operations:
- method: POST
path: /v2.0/lbaas/availabilityzones
scope_types: null
- check_str: rule:load-balancer:admin
description: Update an Availability Zone
name: os_load-balancer_api:availability-zone:put
operations:
- method: PUT
path: /v2.0/lbaas/availabilityzones/{availability_zone_id}
scope_types: null
- check_str: rule:load-balancer:read
description: Show Availability Zone details
name: os_load-balancer_api:availability-zone:get_one
operations:
- method: GET
path: /v2.0/lbaas/availabilityzones/{availability_zone_id}
scope_types: null
- check_str: rule:load-balancer:admin
description: Remove an Availability Zone
name: os_load-balancer_api:availability-zone:delete
operations:
- method: DELETE
path: /v2.0/lbaas/availabilityzones/{availability_zone_id}
scope_types: null
- check_str: rule:load-balancer:admin
description: List Availability Zones
name: os_load-balancer_api:availability-zone-profile:get_all
operations:
- method: GET
path: /v2.0/lbaas/availabilityzoneprofiles
scope_types: null
- check_str: rule:load-balancer:admin
description: Create an Availability Zone
name: os_load-balancer_api:availability-zone-profile:post
operations:
- method: POST
path: /v2.0/lbaas/availabilityzoneprofiles
scope_types: null
- check_str: rule:load-balancer:admin
description: Update an Availability Zone
name: os_load-balancer_api:availability-zone-profile:put
operations:
- method: PUT
path: /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
scope_types: null
- check_str: rule:load-balancer:admin
description: Show Availability Zone details
name: os_load-balancer_api:availability-zone-profile:get_one
operations:
- method: GET
path: /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
scope_types: null
- check_str: rule:load-balancer:admin
description: Remove an Availability Zone
name: os_load-balancer_api:availability-zone-profile:delete
operations:
- method: DELETE
path: /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
scope_types: null
- check_str: rule:load-balancer:read
description: List Health Monitors of a Pool
name: os_load-balancer_api:healthmonitor:get_all
operations:
- method: GET
path: /v2/lbaas/healthmonitors
scope_types: null
- check_str: rule:load-balancer:read-global
description: List Health Monitors including resources owned by others
name: os_load-balancer_api:healthmonitor:get_all-global
operations:
- method: GET
path: /v2/lbaas/healthmonitors
scope_types: null
- check_str: rule:load-balancer:write
description: Create a Health Monitor
name: os_load-balancer_api:healthmonitor:post
operations:
- method: POST
path: /v2/lbaas/healthmonitors
scope_types: null
- check_str: rule:load-balancer:read
description: Show Health Monitor details
name: os_load-balancer_api:healthmonitor:get_one
operations:
- method: GET
path: /v2/lbaas/healthmonitors/{healthmonitor_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Update a Health Monitor
name: os_load-balancer_api:healthmonitor:put
operations:
- method: PUT
path: /v2/lbaas/healthmonitors/{healthmonitor_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Remove a Health Monitor
name: os_load-balancer_api:healthmonitor:delete
operations:
- method: DELETE
path: /v2/lbaas/healthmonitors/{healthmonitor_id}
scope_types: null
- check_str: rule:load-balancer:read
description: List L7 Policys
name: os_load-balancer_api:l7policy:get_all
operations:
- method: GET
path: /v2/lbaas/l7policies
scope_types: null
- check_str: rule:load-balancer:read-global
description: List L7 Policys including resources owned by others
name: os_load-balancer_api:l7policy:get_all-global
operations:
- method: GET
path: /v2/lbaas/l7policies
scope_types: null
- check_str: rule:load-balancer:write
description: Create a L7 Policy
name: os_load-balancer_api:l7policy:post
operations:
- method: POST
path: /v2/lbaas/l7policies
scope_types: null
- check_str: rule:load-balancer:read
description: Show L7 Policy details
name: os_load-balancer_api:l7policy:get_one
operations:
- method: GET
path: /v2/lbaas/l7policies/{l7policy_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Update a L7 Policy
name: os_load-balancer_api:l7policy:put
operations:
- method: PUT
path: /v2/lbaas/l7policies/{l7policy_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Remove a L7 Policy
name: os_load-balancer_api:l7policy:delete
operations:
- method: DELETE
path: /v2/lbaas/l7policies/{l7policy_id}
scope_types: null
- check_str: rule:load-balancer:read
description: List L7 Rules
name: os_load-balancer_api:l7rule:get_all
operations:
- method: GET
path: /v2/lbaas/l7policies/{l7policy_id}/rules
scope_types: null
- check_str: rule:load-balancer:write
description: Create a L7 Rule
name: os_load-balancer_api:l7rule:post
operations:
- method: POST
path: /v2/lbaas/l7policies/{l7policy_id}/rules
scope_types: null
- check_str: rule:load-balancer:read
description: Show L7 Rule details
name: os_load-balancer_api:l7rule:get_one
operations:
- method: GET
path: /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Update a L7 Rule
name: os_load-balancer_api:l7rule:put
operations:
- method: PUT
path: /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Remove a L7 Rule
name: os_load-balancer_api:l7rule:delete
operations:
- method: DELETE
path: /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
scope_types: null
- check_str: rule:load-balancer:read
description: List Listeners
name: os_load-balancer_api:listener:get_all
operations:
- method: GET
path: /v2/lbaas/listeners
scope_types: null
- check_str: rule:load-balancer:read-global
description: List Listeners including resources owned by others
name: os_load-balancer_api:listener:get_all-global
operations:
- method: GET
path: /v2/lbaas/listeners
scope_types: null
- check_str: rule:load-balancer:write
description: Create a Listener
name: os_load-balancer_api:listener:post
operations:
- method: POST
path: /v2/lbaas/listeners
scope_types: null
- check_str: rule:load-balancer:read
description: Show Listener details
name: os_load-balancer_api:listener:get_one
operations:
- method: GET
path: /v2/lbaas/listeners/{listener_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Update a Listener
name: os_load-balancer_api:listener:put
operations:
- method: PUT
path: /v2/lbaas/listeners/{listener_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Remove a Listener
name: os_load-balancer_api:listener:delete
operations:
- method: DELETE
path: /v2/lbaas/listeners/{listener_id}
scope_types: null
- check_str: rule:load-balancer:read
description: Show Listener statistics
name: os_load-balancer_api:listener:get_stats
operations:
- method: GET
path: /v2/lbaas/listeners/{listener_id}/stats
scope_types: null
- check_str: rule:load-balancer:read
description: List Load Balancers
name: os_load-balancer_api:loadbalancer:get_all
operations:
- method: GET
path: /v2/lbaas/loadbalancers
scope_types: null
- check_str: rule:load-balancer:read-global
description: List Load Balancers including resources owned by others
name: os_load-balancer_api:loadbalancer:get_all-global
operations:
- method: GET
path: /v2/lbaas/loadbalancers
scope_types: null
- check_str: rule:load-balancer:write
description: Create a Load Balancer
name: os_load-balancer_api:loadbalancer:post
operations:
- method: POST
path: /v2/lbaas/loadbalancers
scope_types: null
- check_str: rule:load-balancer:read
description: Show Load Balancer details
name: os_load-balancer_api:loadbalancer:get_one
operations:
- method: GET
path: /v2/lbaas/loadbalancers/{loadbalancer_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Update a Load Balancer
name: os_load-balancer_api:loadbalancer:put
operations:
- method: PUT
path: /v2/lbaas/loadbalancers/{loadbalancer_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Remove a Load Balancer
name: os_load-balancer_api:loadbalancer:delete
operations:
- method: DELETE
path: /v2/lbaas/loadbalancers/{loadbalancer_id}
scope_types: null
- check_str: rule:load-balancer:read
description: Show Load Balancer statistics
name: os_load-balancer_api:loadbalancer:get_stats
operations:
- method: GET
path: /v2/lbaas/loadbalancers/{loadbalancer_id}/stats
scope_types: null
- check_str: rule:load-balancer:read
description: Show Load Balancer status
name: os_load-balancer_api:loadbalancer:get_status
operations:
- method: GET
path: /v2/lbaas/loadbalancers/{loadbalancer_id}/status
scope_types: null
- check_str: rule:load-balancer:admin
description: Failover a Load Balancer
name: os_load-balancer_api:loadbalancer:put_failover
operations:
- method: PUT
path: /v2/lbaas/loadbalancers/{loadbalancer_id}/failover
scope_types: null
- check_str: rule:load-balancer:read
description: List Members of a Pool
name: os_load-balancer_api:member:get_all
operations:
- method: GET
path: /v2/lbaas/pools/{pool_id}/members
scope_types: null
- check_str: rule:load-balancer:write
description: Create a Member
name: os_load-balancer_api:member:post
operations:
- method: POST
path: /v2/lbaas/pools/{pool_id}/members
scope_types: null
- check_str: rule:load-balancer:read
description: Show Member details
name: os_load-balancer_api:member:get_one
operations:
- method: GET
path: /v2/lbaas/pools/{pool_id}/members/{member_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Update a Member
name: os_load-balancer_api:member:put
operations:
- method: PUT
path: /v2/lbaas/pools/{pool_id}/members/{member_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Remove a Member
name: os_load-balancer_api:member:delete
operations:
- method: DELETE
path: /v2/lbaas/pools/{pool_id}/members/{member_id}
scope_types: null
- check_str: rule:load-balancer:read
description: List Pools
name: os_load-balancer_api:pool:get_all
operations:
- method: GET
path: /v2/lbaas/pools
scope_types: null
- check_str: rule:load-balancer:read-global
description: List Pools including resources owned by others
name: os_load-balancer_api:pool:get_all-global
operations:
- method: GET
path: /v2/lbaas/pools
scope_types: null
- check_str: rule:load-balancer:write
description: Create a Pool
name: os_load-balancer_api:pool:post
operations:
- method: POST
path: /v2/lbaas/pools
scope_types: null
- check_str: rule:load-balancer:read
description: Show Pool details
name: os_load-balancer_api:pool:get_one
operations:
- method: GET
path: /v2/lbaas/pools/{pool_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Update a Pool
name: os_load-balancer_api:pool:put
operations:
- method: PUT
path: /v2/lbaas/pools/{pool_id}
scope_types: null
- check_str: rule:load-balancer:write
description: Remove a Pool
name: os_load-balancer_api:pool:delete
operations:
- method: DELETE
path: /v2/lbaas/pools/{pool_id}
scope_types: null
- check_str: rule:load-balancer:read
description: List enabled providers
name: os_load-balancer_api:provider:get_all
operations:
- method: GET
path: /v2/lbaas/providers
scope_types: null
- check_str: rule:load-balancer:read-quota
description: List Quotas
name: os_load-balancer_api:quota:get_all
operations:
- method: GET
path: /v2/lbaas/quotas
scope_types: null
- check_str: rule:load-balancer:read-quota-global
description: List Quotas including resources owned by others
name: os_load-balancer_api:quota:get_all-global
operations:
- method: GET
path: /v2/lbaas/quotas
scope_types: null
- check_str: rule:load-balancer:read-quota
description: Show Quota details
name: os_load-balancer_api:quota:get_one
operations:
- method: GET
path: /v2/lbaas/quotas/{project_id}
scope_types: null
- check_str: rule:load-balancer:write-quota
description: Update a Quota
name: os_load-balancer_api:quota:put
operations:
- method: PUT
path: /v2/lbaas/quotas/{project_id}
scope_types: null
- check_str: rule:load-balancer:write-quota
description: Reset a Quota
name: os_load-balancer_api:quota:delete
operations:
- method: DELETE
path: /v2/lbaas/quotas/{project_id}
scope_types: null
- check_str: rule:load-balancer:read-quota
description: Show Default Quota for a Project
name: os_load-balancer_api:quota:get_defaults
operations:
- method: GET
path: /v2/lbaas/quotas/{project_id}/default
scope_types: null
- check_str: rule:load-balancer:admin
description: List Amphorae
name: os_load-balancer_api:amphora:get_all
operations:
- method: GET
path: /v2/octavia/amphorae
scope_types: null
- check_str: rule:load-balancer:admin
description: Show Amphora details
name: os_load-balancer_api:amphora:get_one
operations:
- method: GET
path: /v2/octavia/amphorae/{amphora_id}
scope_types: null
- check_str: rule:load-balancer:admin
description: Delete an Amphora
name: os_load-balancer_api:amphora:delete
operations:
- method: DELETE
path: /v2/octavia/amphorae/{amphora_id}
scope_types: null
- check_str: rule:load-balancer:admin
description: Update Amphora Agent Configuration
name: os_load-balancer_api:amphora:put_config
operations:
- method: PUT
path: /v2/octavia/amphorae/{amphora_id}/config
scope_types: null
- check_str: rule:load-balancer:admin
description: Failover Amphora
name: os_load-balancer_api:amphora:put_failover
operations:
- method: PUT
path: /v2/octavia/amphorae/{amphora_id}/failover
scope_types: null
- check_str: rule:load-balancer:admin
description: Show Amphora statistics
name: os_load-balancer_api:amphora:get_stats
operations:
- method: GET
path: /v2/octavia/amphorae/{amphora_id}/stats
scope_types: null
- check_str: rule:load-balancer:admin
description: List the provider flavor capabilities.
name: os_load-balancer_api:provider-flavor:get_all
operations:
- method: GET
path: /v2/lbaas/providers/{provider}/flavor_capabilities
scope_types: null
- check_str: rule:load-balancer:admin
description: List the provider availability zone capabilities.
name: os_load-balancer_api:provider-availability-zone:get_all
operations:
- method: GET
path: /v2/lbaas/providers/{provider}/availability_zone_capabilities
scope_types: null


@ -0,0 +1,396 @@
# Intended scope(s): system
#"system-admin": "role:admin and system_scope:all"
# Intended scope(s): system
#"system-reader": "role:reader and system_scope:all"
# Intended scope(s): project
#"project-member": "role:member and project_id:%(project_id)s"
# Intended scope(s): project
#"project-reader": "role:reader and project_id:%(project_id)s"
# Intended scope(s): system
#"context_is_admin": "role:load-balancer_admin or rule:system-admin"
# DEPRECATED
# "context_is_admin":"role:admin or role:load-balancer_admin" has been
# deprecated since W in favor of "context_is_admin":"role:load-
# balancer_admin or rule:system-admin".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/latest/configuration/policy.html
# and https://docs.openstack.org/keystone/latest/contributor/services.
# html#reusable-default-roles for more information.
# Intended scope(s): project
#"load-balancer:owner": "project_id:%(project_id)s"
# Intended scope(s): project
#"load-balancer:observer_and_owner": "role:load-balancer_observer and rule:project-reader"
# DEPRECATED
# "load-balancer:observer_and_owner":"role:load-balancer_observer and
# rule:load-balancer:owner" has been deprecated since W in favor of
# "load-balancer:observer_and_owner":"role:load-balancer_observer and
# rule:project-reader".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/latest/configuration/policy.html
# and https://docs.openstack.org/keystone/latest/contributor/services.
# html#reusable-default-roles for more information.
# Intended scope(s): system
#"load-balancer:global_observer": "role:load-balancer_global_observer or rule:system-reader"
# Intended scope(s): project
#"load-balancer:member_and_owner": "role:load-balancer_member and rule:project-member"
# DEPRECATED
# "load-balancer:member_and_owner":"role:load-balancer_member and
# rule:load-balancer:owner" has been deprecated since W in favor of
# "load-balancer:member_and_owner":"role:load-balancer_member and
# rule:project-member".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/latest/configuration/policy.html
# and https://docs.openstack.org/keystone/latest/contributor/services.
# html#reusable-default-roles for more information.
# Intended scope(s): system
#"load-balancer:admin": "is_admin:True or role:load-balancer_admin or rule:system-admin"
# Intended scope(s): project, system
#"load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
# Intended scope(s): system
#"load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin"
# Intended scope(s): project, system
#"load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
# Intended scope(s): project, system
#"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
# Intended scope(s): system
#"load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
# Intended scope(s): system
#"load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin"
# List Flavors
# GET /v2.0/lbaas/flavors
#"os_load-balancer_api:flavor:get_all": "rule:load-balancer:read"
# Create a Flavor
# POST /v2.0/lbaas/flavors
#"os_load-balancer_api:flavor:post": "rule:load-balancer:admin"
# Update a Flavor
# PUT /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:put": "rule:load-balancer:admin"
# Show Flavor details
# GET /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:get_one": "rule:load-balancer:read"
# Remove a Flavor
# DELETE /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:delete": "rule:load-balancer:admin"
# List Flavor Profiles
# GET /v2.0/lbaas/flavorprofiles
#"os_load-balancer_api:flavor-profile:get_all": "rule:load-balancer:admin"
# Create a Flavor Profile
# POST /v2.0/lbaas/flavorprofiles
#"os_load-balancer_api:flavor-profile:post": "rule:load-balancer:admin"
# Update a Flavor Profile
# PUT /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:put": "rule:load-balancer:admin"
# Show Flavor Profile details
# GET /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:get_one": "rule:load-balancer:admin"
# Remove a Flavor Profile
# DELETE /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:delete": "rule:load-balancer:admin"
# List Availability Zones
# GET /v2.0/lbaas/availabilityzones
#"os_load-balancer_api:availability-zone:get_all": "rule:load-balancer:read"
# Create an Availability Zone
# POST /v2.0/lbaas/availabilityzones
#"os_load-balancer_api:availability-zone:post": "rule:load-balancer:admin"
# Update an Availability Zone
# PUT /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:put": "rule:load-balancer:admin"
# Show Availability Zone details
# GET /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:get_one": "rule:load-balancer:read"
# Remove an Availability Zone
# DELETE /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:delete": "rule:load-balancer:admin"
# List Availability Zones
# GET /v2.0/lbaas/availabilityzoneprofiles
#"os_load-balancer_api:availability-zone-profile:get_all": "rule:load-balancer:admin"
# Create an Availability Zone
# POST /v2.0/lbaas/availabilityzoneprofiles
#"os_load-balancer_api:availability-zone-profile:post": "rule:load-balancer:admin"
# Update an Availability Zone
# PUT /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:put": "rule:load-balancer:admin"
# Show Availability Zone details
# GET /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:get_one": "rule:load-balancer:admin"
# Remove an Availability Zone
# DELETE /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:delete": "rule:load-balancer:admin"
# List Health Monitors of a Pool
# GET /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read"
# List Health Monitors including resources owned by others
# GET /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global"
# Create a Health Monitor
# POST /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write"
# Show Health Monitor details
# GET /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read"
# Update a Health Monitor
# PUT /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write"
# Remove a Health Monitor
# DELETE /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write"
# List L7 Policys
# GET /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read"
# List L7 Policys including resources owned by others
# GET /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global"
# Create a L7 Policy
# POST /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:post": "rule:load-balancer:write"
# Show L7 Policy details
# GET /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read"
# Update a L7 Policy
# PUT /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:put": "rule:load-balancer:write"
# Remove a L7 Policy
# DELETE /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:delete": "rule:load-balancer:write"
# List L7 Rules
# GET /v2/lbaas/l7policies/{l7policy_id}/rules
#"os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read"
# Create a L7 Rule
# POST /v2/lbaas/l7policies/{l7policy_id}/rules
#"os_load-balancer_api:l7rule:post": "rule:load-balancer:write"
# Show L7 Rule details
# GET /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read"
# Update a L7 Rule
# PUT /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:put": "rule:load-balancer:write"
# Remove a L7 Rule
# DELETE /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:delete": "rule:load-balancer:write"
# List Listeners
# GET /v2/lbaas/listeners
#"os_load-balancer_api:listener:get_all": "rule:load-balancer:read"
# List Listeners including resources owned by others
# GET /v2/lbaas/listeners
#"os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global"
# Create a Listener
# POST /v2/lbaas/listeners
#"os_load-balancer_api:listener:post": "rule:load-balancer:write"
# Show Listener details
# GET /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:get_one": "rule:load-balancer:read"
# Update a Listener
# PUT /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:put": "rule:load-balancer:write"
# Remove a Listener
# DELETE /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:delete": "rule:load-balancer:write"
# Show Listener statistics
# GET /v2/lbaas/listeners/{listener_id}/stats
#"os_load-balancer_api:listener:get_stats": "rule:load-balancer:read"
# List Load Balancers
# GET /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read"
# List Load Balancers including resources owned by others
# GET /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global"
# Create a Load Balancer
# POST /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write"
# Show Load Balancer details
# GET /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read"
# Update a Load Balancer
# PUT /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write"
# Remove a Load Balancer
# DELETE /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write"
# Show Load Balancer statistics
# GET /v2/lbaas/loadbalancers/{loadbalancer_id}/stats
#"os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read"
# Show Load Balancer status
# GET /v2/lbaas/loadbalancers/{loadbalancer_id}/status
#"os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read"
# Failover a Load Balancer
# PUT /v2/lbaas/loadbalancers/{loadbalancer_id}/failover
#"os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin"
# List Members of a Pool
# GET /v2/lbaas/pools/{pool_id}/members
#"os_load-balancer_api:member:get_all": "rule:load-balancer:read"
# Create a Member
# POST /v2/lbaas/pools/{pool_id}/members
#"os_load-balancer_api:member:post": "rule:load-balancer:write"
# Show Member details
# GET /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:get_one": "rule:load-balancer:read"
# Update a Member
# PUT /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:put": "rule:load-balancer:write"
# Remove a Member
# DELETE /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:delete": "rule:load-balancer:write"
# List Pools
# GET /v2/lbaas/pools
#"os_load-balancer_api:pool:get_all": "rule:load-balancer:read"
# List Pools including resources owned by others
# GET /v2/lbaas/pools
#"os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global"
# Create a Pool
# POST /v2/lbaas/pools
#"os_load-balancer_api:pool:post": "rule:load-balancer:write"
# Show Pool details
# GET /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:get_one": "rule:load-balancer:read"
# Update a Pool
# PUT /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:put": "rule:load-balancer:write"
# Remove a Pool
# DELETE /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:delete": "rule:load-balancer:write"
# List enabled providers
# GET /v2/lbaas/providers
#"os_load-balancer_api:provider:get_all": "rule:load-balancer:read"
# List Quotas
# GET /v2/lbaas/quotas
#"os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota"
# List Quotas including resources owned by others
# GET /v2/lbaas/quotas
#"os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global"
# Show Quota details
# GET /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota"
# Update a Quota
# PUT /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:put": "rule:load-balancer:write-quota"
# Reset a Quota
# DELETE /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota"
# Show Default Quota for a Project
# GET /v2/lbaas/quotas/{project_id}/default
#"os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota"
# List Amphorae
# GET /v2/octavia/amphorae
#"os_load-balancer_api:amphora:get_all": "rule:load-balancer:admin"
# Show Amphora details
# GET /v2/octavia/amphorae/{amphora_id}
#"os_load-balancer_api:amphora:get_one": "rule:load-balancer:admin"
# Delete an Amphora
# DELETE /v2/octavia/amphorae/{amphora_id}
#"os_load-balancer_api:amphora:delete": "rule:load-balancer:admin"
# Update Amphora Agent Configuration
# PUT /v2/octavia/amphorae/{amphora_id}/config
#"os_load-balancer_api:amphora:put_config": "rule:load-balancer:admin"
# Failover Amphora
# PUT /v2/octavia/amphorae/{amphora_id}/failover
#"os_load-balancer_api:amphora:put_failover": "rule:load-balancer:admin"
# Show Amphora statistics
# GET /v2/octavia/amphorae/{amphora_id}/stats
#"os_load-balancer_api:amphora:get_stats": "rule:load-balancer:admin"
# List the provider flavor capabilities.
# GET /v2/lbaas/providers/{provider}/flavor_capabilities
#"os_load-balancer_api:provider-flavor:get_all": "rule:load-balancer:admin"
# List the provider availability zone capabilities.
# GET /v2/lbaas/providers/{provider}/availability_zone_capabilities
#"os_load-balancer_api:provider-availability-zone:get_all": "rule:load-balancer:admin"


@ -20,3 +20,7 @@ from django.conf import settings
settings.POLICY_FILES.update({ settings.POLICY_FILES.update({
'load-balancer': 'octavia_policy.yaml', 'load-balancer': 'octavia_policy.yaml',
}) })
settings.DEFAULT_POLICY_FILES.update({
'orchestration': 'default_policies/octavia.yaml',
})
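Review bot: The added `settings.DEFAULT_POLICY_FILES.update` call registers the Octavia defaults under the key `'orchestration'`, while the `POLICY_FILES` entry directly above it uses `'load-balancer'`. If Horizon pairs the two dictionaries by service key, as the matching entry above suggests, the load-balancer policy checks would not find their default rules. The same entry could also replace the default-policy file of an orchestration dashboard installed alongside this one. The line should probably read `'load-balancer': 'default_policies/octavia.yaml',`. After the fix it is worth confirming that panels gated by rules such as `rule:load-balancer:admin` still hide or show as expected for non-admin users.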