From d90c3bf03a2e7783f4088680c2f2c4328870b725 Mon Sep 17 00:00:00 2001 
From: Jacky Hu Date: Wed, 7 Mar 2018 11:59:34 +0800 Subject: [PATCH] Add rbac support for octavia service apis Co-Authored-By: Michael Johnson Change-Id: I6e27a5e81d9075c2ab8622c617409f0f2747f11e --- .gitignore | 3 ++ README.rst | 26 ++++++++++--- devstack/plugin.sh | 39 ++++++++++--------- devstack/settings | 4 -- doc/source/conf.py | 3 +- .../{enabled/__init__.py => conf/.gitkeep} | 0 .../_1499_load_balancer_settings.py | 22 +++++++++++ .../actions/create/create.action.service.js | 4 +- .../create/create.action.service.spec.js | 6 ++- .../actions/delete/delete.action.service.js | 6 +-- .../actions/edit/edit.action.service.js | 4 +- .../actions/edit/edit.action.service.spec.js | 6 ++- .../actions/create/create.action.service.js | 2 +- .../actions/delete/delete.action.service.js | 6 +-- .../actions/edit/edit.action.service.js | 4 +- .../actions/edit/edit.action.service.spec.js | 2 +- .../actions/create/create.action.service.js | 2 +- .../actions/delete/delete.action.service.js | 6 +-- .../actions/edit/edit.action.service.js | 4 +- .../actions/edit/edit.action.service.spec.js | 2 +- .../actions/create/create.service.js | 4 +- .../actions/create/create.service.spec.js | 8 +++- .../actions/delete/delete.action.service.js | 4 +- .../delete/delete.action.service.spec.js | 8 +++- .../listeners/actions/edit/edit.service.js | 4 +- .../actions/edit/edit.service.spec.js | 8 +++- .../actions/create/create.service.js | 6 +-- .../actions/create/create.service.spec.js | 8 +++- .../actions/delete/delete.action.service.js | 6 +-- .../delete/delete.action.service.spec.js | 8 +++- .../actions/edit/edit.service.js | 6 +-- .../actions/edit/edit.service.spec.js | 8 +++- .../actions/delete/delete.action.service.js | 6 +-- .../actions/edit-member/modal.service.js | 6 +-- .../actions/edit-member/modal.service.spec.js | 8 +++- .../update-list/update-member-list.service.js | 4 +- .../update-member-list.service.spec.js | 8 +++- .../actions/create/create.action.service.js | 4 +- 
.../actions/delete/delete.action.service.js | 6 +-- .../pools/actions/edit/edit.action.service.js | 4 +- .../actions/edit/edit.action.service.spec.js | 8 +++- .../notes/add-RBAC-43ee180e712294ed.yaml | 18 +++++++++ setup.cfg | 2 + 43 files changed, 223 insertions(+), 80 deletions(-) rename octavia_dashboard/{enabled/__init__.py => conf/.gitkeep} (100%) create mode 100644 octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py create mode 100644 releasenotes/notes/add-RBAC-43ee180e712294ed.yaml diff --git a/.gitignore b/.gitignore index 622541a5..eab6f08c 100644 --- a/.gitignore +++ b/.gitignore @@ -61,3 +61,6 @@ ChangeLog .*.swp .*sw? .ropeproject/ + +# Conf +octavia_dashboard/conf diff --git a/README.rst b/README.rst index 4d732cc9..deee9c0a 100644 --- a/README.rst +++ b/README.rst 
@@ -37,12 +37,28 @@ Howto 2. Copy ``_1482_project_load_balancer_panel.py`` in ``octavia_dashboard/enabled`` directory - to ``openstack_dashboard/local/enabled``. + to ``openstack_dashboard/local/enabled``:: -3. (Optional) Copy the policy file into horizon's policy files folder, and - add this config ``POLICY_FILES``:: + $ cp -a \ + ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/enabled/_1482_*.py \ + ${HORIZON_DIR}/openstack_dashboard/local/enabled/ - 'octavia': 'octavia_policy.json', +3. (Optional) Generate the policy file and copy into horizon's policy files + folder, and copy ``_1499_load_balancer_settings.py`` in + ``octavia_dashboard/local_settings.d`` directory + to ``openstack_dashboard/local/local_settings.d``:: + + $ oslopolicy-policy-generator \ + --config-file \ + ${OCTAVIA_DIR}/etc/policy/octavia-policy-generator.conf \ + --output-file \ + ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml + $ cp -a \ + ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml \ + ${HORIZON_DIR}/openstack_dashboard/conf/ + $ cp -a \ + ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/local_settings.d/_1499_*.py \ + ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/ 4. Django has a compressor feature that performs many enhancements for the delivery of static files. If the compressor feature is enabled in your @@ -95,4 +111,4 @@ Here is a table to show some cases: | no octavia | v2 API enabled | preferred | preferred | independent | | driver but | v1 API disabled | | | services | | other drivers | | | | | -+---------------+-----------------+----------------+-----------+--------------+ \ No newline at end of file ++---------------+-----------------+----------------+-----------+--------------+ diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 44ae612d..238ec790 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh 
@@ -1,10 +1,15 @@ function octavia_dashboard_install { - setup_develop $OCTAVIA_DASHBOARD_DIR + setup_develop ${OCTAVIA_DASHBOARD_DIR} } function octavia_dashboard_configure { - cp $OCTAVIA_DASHBOARD_ENABLE_FILE_PATH \ - $HORIZON_DIR/openstack_dashboard/local/enabled/ + cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/enabled/_1482_project_load_balancer_panel.py ${HORIZON_DIR}/openstack_dashboard/local/enabled/ + cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/ + oslopolicy-policy-generator --config-file ${OCTAVIA_DIR}/etc/policy/octavia-policy-generator.conf --output-file ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml + cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml ${HORIZON_DIR}/openstack_dashboard/conf/ + if [[ -d ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/locale ]]; then + (cd ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard; DJANGO_SETTINGS_MODULE=openstack_dashboard.settings python ../manage.py compilemessages) + fi } if is_service_enabled horizon && is_service_enabled o-api; then 
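Review bot: In `octavia_dashboard_configure` the generated policy file is copied into Horizon whether or not `oslopolicy-policy-generator` succeeded. Unless the caller runs with errexit, a failed run can leave a stale or missing `octavia_policy.yaml` in `openstack_dashboard/conf/` while the `_1499_load_balancer_settings.py` snippet that points at it is already installed. Gate the copy on the generator's exit status, e.g. append `|| die $LINENO "octavia policy generation failed"` to the generator call, so the dashboard never evaluates `load-balancer` rules against the wrong file. The new `${...}` expansions in the `cp`, generator and `cd` commands are also unquoted; quoting them keeps a path containing spaces from splitting into several arguments.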
@@ -16,20 +21,18 @@ if is_service_enabled horizon && is_service_enabled o-api; then echo_summary "Configuring octavia-dashboard" octavia_dashboard_configure elif [[ "$1" == "stack" && "$2" == "extra" ]]; then - # Initialize and start the Octavia dashboard service - echo_summary "Initializing octavia-dashboard" + : + fi + + if [[ "$1" == "unstack" ]]; then + : + fi + + if [[ "$1" == "clean" ]]; then + # Remove state and transient data + # Remember clean.sh first calls unstack.sh + rm -f ${HORIZON_DIR}/openstack_dashboard/local/enabled/_1482_project_load_balancer_panel.py* + rm -f ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/_1499_load_balancer_settings.py* + rm -f ${HORIZON_DIR}/openstack_dashboard/conf/octavia_policy.yaml fi fi - -if [[ "$1" == "unstack" ]]; then - # Shut down Octavia dashboard services - : -fi - -if [[ "$1" == "clean" ]]; then - # Remove state and transient data - # Remember clean.sh first calls unstack.sh - - # Remove octavia-dashboard enabled file and pyc - rm -f "$HORIZON_DIR"/openstack_dashboard/local/enabled/"$OCTAVIA_DASHBOARD_ENABLE_FILE_NAME"* -fi diff --git a/devstack/settings b/devstack/settings index 66ec74d9..c4eb9fae 100644 --- a/devstack/settings +++ b/devstack/settings @@ -1,5 +1 @@ OCTAVIA_DASHBOARD_DIR=$DEST/octavia-dashboard - - -OCTAVIA_DASHBOARD_ENABLE_FILE_NAME=_1482_project_load_balancer_panel.py -OCTAVIA_DASHBOARD_ENABLE_FILE_PATH=$OCTAVIA_DASHBOARD_DIR/octavia_dashboard/enabled/$OCTAVIA_DASHBOARD_ENABLE_FILE_NAME diff --git a/doc/source/conf.py b/doc/source/conf.py index 250d220f..920d3779 100755 --- a/doc/source/conf.py +++ b/doc/source/conf.py @@ -109,7 +109,6 @@ bug_project = '909' bug_tag = 'docs' - # TODO(mordred) We should extract this into a sphinx plugin def run_apidoc(_): cur_dir = os.path.abspath(os.path.dirname(__file__)) 
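Review bot: The `unstack` and `clean` branches now sit inside `if is_service_enabled horizon && is_service_enabled o-api` (the outer `if` opens above this hunk), so `clean` removes nothing once either service has been dropped from the configuration. That leaves `_1499_load_balancer_settings.py` and `octavia_policy.yaml` in the Horizon tree, where the settings snippet keeps registering a policy file that nothing regenerates. The removed code ran the cleanup unconditionally; keeping the `if [[ "$1" == "clean" ]]` block outside the service check restores that. The `rm -f` arguments also lost the quoting the removed line had; `rm -f "${HORIZON_DIR}"/openstack_dashboard/conf/octavia_policy.yaml` keeps the path a single word.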
@@ -128,6 +127,8 @@ def run_apidoc(_):
 'octavia_dashboard/enabled',
 'octavia_dashboard/locale',
 'octavia_dashboard/static',
+ 'octavia_dashboard/conf',
+ 'octavia_dashboard/local_settings.d',
 'octavia_dashboard/post_install.sh',
 'octavia_dashboard/karma.conf.js'
 ])
diff --git a/octavia_dashboard/enabled/__init__.py b/octavia_dashboard/conf/.gitkeep
similarity index 100%
rename from octavia_dashboard/enabled/__init__.py
rename to octavia_dashboard/conf/.gitkeep
diff --git a/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py b/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py
new file mode 100644
index 00000000..00366834
--- /dev/null
+++ b/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py
@@ -0,0 +1,22 @@
+# Copyright 2018 Walmart.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This file is to be included for configuring application which relates
+# to load-balancer(Octavia) functions.
+
+from django.conf import settings
+
+
+settings.POLICY_FILES.update({
+ 'load-balancer': 'octavia_policy.yaml',
+})
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/create/create.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/create/create.action.service.js
index 57f29e57..01eb5aa7 100644
--- a/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/create/create.action.service.js
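Review bot: `_1499_load_balancer_settings.py` reaches `POLICY_FILES` through `django.conf.settings`, which forces Django's lazy settings object to load while, as far as I can tell, Horizon is still evaluating its `local_settings.d` snippets. If that access fails or captures a half-built settings module, the `load-balancer` scope is not registered and every `policy.ifAllowed` check added in this commit is evaluated without Octavia's rules; the comments removed from the JS services say an unknown rule passes. If `POLICY_FILES` is already a name in the namespace that evaluates the snippet, update it directly with `POLICY_FILES.update({'load-balancer': 'octavia_policy.yaml'})`. A short comment that the key must match the scope string used in the JS `rules` entries would also help.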
+++ b/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/create/create.action.service.js @@ -54,7 +54,9 @@ }); function allowed() { - return policy.ifAllowed({ rules: [['neutron', 'create_health_monitor']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:healthmonitor:post']] + }); } function handle(response) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/create/create.action.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/create/create.action.service.spec.js index 4d37cf40..0c94ebd3 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/create/create.action.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/create/create.action.service.spec.js @@ -31,7 +31,11 @@ spyOn(policy, 'ifAllowed').and.returnValue(true); expect(service.allowed()).toBe(true); expect(policy.ifAllowed) - .toHaveBeenCalledWith({rules: [['neutron', 'create_health_monitor']]}); + .toHaveBeenCalledWith({ + rules: [[ + 'load-balancer', 'os_load-balancer_api:healthmonitor:post' + ]] + }); }); it('should handle the action result properly', function() { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/delete/delete.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/delete/delete.action.service.js index fca82d61..0f824dcc 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/delete/delete.action.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/delete/delete.action.service.js 
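Review bot: `allowed()` in healthmonitors/create hard-codes the scope `'load-balancer'` and the rule name `os_load-balancer_api:healthmonitor:post` as string literals, and the same pattern repeats in every other `*.service.js` hunk of this commit. A typo in any of them is not caught when the module loads, and the comments this commit deletes say a rule the policy file does not define passes, so a mistake would show the action rather than hide it. Consider one shared helper that builds `{rules: [['load-balancer', 'os_load-balancer_api:' + resource + ':' + verb]]}` so the names live in one place. A one-line comment such as `// UI gating only; the API is presumably the authorization boundary` would also make clear that this check only decides what the dashboard displays.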
@@ -67,9 +67,9 @@ ////////////// function allowed(/*item*/) { - // This rule is made up and should therefore always pass. I assume at some point there - // will be a valid rule similar to this that we will want to use. - return policy.ifAllowed({ rules: [['neutron', 'delete_health_monitor']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:healthmonitor:delete']] + }); } function perform(items, scope) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/edit/edit.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/edit/edit.action.service.js index 7020a04f..9c22f634 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/edit/edit.action.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/edit/edit.action.service.js @@ -55,7 +55,9 @@ }); function allowed(/*healthmonitor*/) { - return policy.ifAllowed({ rules: [['neutron', 'update_health_monitor']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:healthmonitor:put']] + }); } function handle(response) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/edit/edit.action.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/edit/edit.action.service.spec.js index 08cea7ce..5c48ff63 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/edit/edit.action.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/healthmonitors/actions/edit/edit.action.service.spec.js 
@@ -31,7 +31,11 @@ spyOn(policy, 'ifAllowed').and.returnValue(true); expect(service.allowed()).toBe(true); expect(policy.ifAllowed) - .toHaveBeenCalledWith({rules: [['neutron', 'update_health_monitor']]}); + .toHaveBeenCalledWith({ + rules: [[ + 'load-balancer', 'os_load-balancer_api:healthmonitor:put' + ]] + }); }); it('should handle the action result properly', function() { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/create/create.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/create/create.action.service.js index b0800cab..0d2b1d59 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/create/create.action.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/create/create.action.service.js @@ -61,7 +61,7 @@ function allowed() { return $q.all([ - policy.ifAllowed({ rules: [['neutron', 'create_l7policy']] }) + policy.ifAllowed({ rules: [['load-balancer', 'os_load-balancer_api:l7policy:post']] }) ]); } diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/delete/delete.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/delete/delete.action.service.js index d1260653..e7357b61 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/delete/delete.action.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/delete/delete.action.service.js @@ -67,9 +67,9 @@ ////////////// function allowed(/*item*/) { - // This rule is made up and should therefore always pass. I assume at some point there - // will be a valid rule similar to this that we will want to use. - return policy.ifAllowed({ rules: [['neutron', 'delete_l7policy']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:l7policy:delete']] + }); } function perform(items, scope) { 
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/edit/edit.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/edit/edit.action.service.js index 963f4cf3..5b6f3a45 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/edit/edit.action.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/edit/edit.action.service.js @@ -56,7 +56,9 @@ }); function allowed(/*item*/) { - return policy.ifAllowed({ rules: [['neutron', 'update_l7policy']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:l7policy:put']] + }); } function handle(response) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/edit/edit.action.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/edit/edit.action.service.spec.js index 89d7fe90..00d78488 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/edit/edit.action.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/l7policies/actions/edit/edit.action.service.spec.js @@ -43,7 +43,7 @@ it('should check policy to allow editing a l7policy', function() { spyOn(policy, 'ifAllowed').and.returnValue(true); expect(service.allowed()).toBe(true); - expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'update_l7policy']]}); + expect(policy.ifAllowed).toHaveBeenCalled(); }); it('should handle the action result properly', function() { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/create/create.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/create/create.action.service.js index aa452427..e26044bb 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/create/create.action.service.js 
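Review bot: The l7policies edit spec now asserts only `toHaveBeenCalled()`, so it no longer checks which rule `allowed()` passes to `policy.ifAllowed`; the l7rules edit spec further down is weakened the same way, while the other specs in this commit pin the new rule. Since the rule string is the whole access decision for the action, keep the argument in the assertion: `expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['load-balancer', 'os_load-balancer_api:l7policy:put']]});`, with the `l7rule:put` equivalent in the l7rules spec.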
+++ b/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/create/create.action.service.js @@ -61,7 +61,7 @@ function allowed() { return $q.all([ - policy.ifAllowed({ rules: [['neutron', 'create_l7rule']] }) + policy.ifAllowed({ rules: [['load-balancer', 'os_load-balancer_api:l7rule:post']] }) ]); } diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/delete/delete.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/delete/delete.action.service.js index 54db1b10..6532cd21 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/delete/delete.action.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/delete/delete.action.service.js @@ -67,9 +67,9 @@ ////////////// function allowed(/*item*/) { - // This rule is made up and should therefore always pass. I assume at some point there - // will be a valid rule similar to this that we will want to use. - return policy.ifAllowed({ rules: [['neutron', 'delete_l7rule']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:l7rule:delete']] + }); } function perform(items, scope) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/edit/edit.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/edit/edit.action.service.js index 9daced27..aa8e51fa 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/edit/edit.action.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/edit/edit.action.service.js @@ -56,7 +56,9 @@ }); function allowed(/*item*/) { - return policy.ifAllowed({ rules: [['neutron', 'update_l7rule']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:l7rule:put']] + }); } function handle(response) { 
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/edit/edit.action.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/edit/edit.action.service.spec.js index 922bc3d2..4f27cdf9 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/edit/edit.action.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/l7rules/actions/edit/edit.action.service.spec.js @@ -43,7 +43,7 @@ it('should check policy to allow editing a l7rule', function() { spyOn(policy, 'ifAllowed').and.returnValue(true); expect(service.allowed()).toBe(true); - expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'update_l7rule']]}); + expect(policy.ifAllowed).toHaveBeenCalled(); }); it('should handle the action result properly', function() { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/create/create.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/create/create.service.js index 22245452..64aaea23 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/create/create.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/create/create.service.js @@ -56,7 +56,9 @@ }); function allowed() { - return policy.ifAllowed({ rules: [['neutron', 'create_listener']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:listener:post']] + }); } function handle(response) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/create/create.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/create/create.service.spec.js index b24c078d..f5b23349 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/create/create.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/create/create.service.spec.js 
@@ -43,7 +43,13 @@ it('should check policy to allow creating a listener', function() { spyOn(policy, 'ifAllowed').and.returnValue(true); expect(service.allowed()).toBe(true); - expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'create_listener']]}); + expect(policy.ifAllowed).toHaveBeenCalledWith( + { + rules: [[ + 'load-balancer', 'os_load-balancer_api:listener:post' + ]] + } + ); }); it('should handle the action result properly', function() { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/delete/delete.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/delete/delete.action.service.js index 0d995300..d7d7f298 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/delete/delete.action.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/delete/delete.action.service.js @@ -156,7 +156,9 @@ } function allowed() { - return policy.ifAllowed({ rules: [['neutron', 'delete_listener']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:listener:delete']] + }); } function deleteItem(id) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/delete/delete.action.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/delete/delete.action.service.spec.js index f388b2e6..a8671252 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/delete/delete.action.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/delete/delete.action.service.spec.js 
@@ -24,7 +24,13 @@ spyOn(policy, 'ifAllowed').and.returnValue(true); var allowed = service.allowed(item); $scope.$apply(); - expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'delete_listener']]}); + expect(policy.ifAllowed).toHaveBeenCalledWith( + { + rules: [[ + 'load-balancer', 'os_load-balancer_api:listener:delete' + ]] + } + ); return allowed; } diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/edit/edit.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/edit/edit.service.js index c59a6da4..2a069030 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/edit/edit.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/edit/edit.service.js @@ -56,7 +56,9 @@ }); function allowed(/*item*/) { - return policy.ifAllowed({ rules: [['neutron', 'update_listener']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:listener:put']] + }); } function handle(response) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/edit/edit.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/edit/edit.service.spec.js index 6ee839af..7436dd9d 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/edit/edit.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/listeners/actions/edit/edit.service.spec.js @@ -43,7 +43,13 @@ it('should check policy to allow editing a listener', function() { spyOn(policy, 'ifAllowed').and.returnValue(true); expect(service.allowed()).toBe(true); - expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'update_listener']]}); + expect(policy.ifAllowed).toHaveBeenCalledWith( + { + rules: [[ + 'load-balancer', 'os_load-balancer_api:listener:put' + ]] + } + ); }); it('should handle the action result properly', function() { 
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/create/create.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/create/create.service.js index 9f52d7ac..b1eae72b 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/create/create.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/create/create.service.js @@ -57,9 +57,9 @@ }); function allowed() { - // This rule is made up and should therefore always pass. I assume at some point there - // will be a valid rule similar to this that we will want to use. - return policy.ifAllowed({ rules: [['neutron', 'create_loadbalancer']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:loadbalancer:post']] + }); } function handle(response) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/create/create.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/create/create.service.spec.js index d4c9ca08..cb7a7dbb 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/create/create.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/create/create.service.spec.js @@ -44,7 +44,13 @@ it('should check policy to allow creating a load balancer', function() { spyOn(policy, 'ifAllowed').and.returnValue(true); expect(service.allowed()).toBe(true); - expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'create_loadbalancer']]}); + expect(policy.ifAllowed).toHaveBeenCalledWith( + { + rules: [[ + 'load-balancer', 'os_load-balancer_api:loadbalancer:post' + ]] + } + ); }); it('should handle the action result properly', function() { 
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/delete/delete.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/delete/delete.action.service.js index 7d1abe02..d770c5af 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/delete/delete.action.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/delete/delete.action.service.js @@ -124,9 +124,9 @@ } function allowed() { - // This rule is made up and should therefore always pass. I assume at some point there - // will be a valid rule similar to this that we will want to use. - return policy.ifAllowed({ rules: [['neutron', 'delete_loadbalancer']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:loadbalancer:delete']] + }); } function canBeDeleted(item) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/delete/delete.action.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/delete/delete.action.service.spec.js index 90d6c265..e0f486fc 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/delete/delete.action.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/delete/delete.action.service.spec.js @@ -24,7 +24,13 @@ spyOn(policy, 'ifAllowed').and.returnValue(true); var allowed = service.allowed(item); $scope.$apply(); - expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'delete_loadbalancer']]}); + expect(policy.ifAllowed).toHaveBeenCalledWith( + { + rules: [[ + 'load-balancer', 'os_load-balancer_api:loadbalancer:delete' + ]] + } + ); return allowed; } 
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/edit/edit.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/edit/edit.service.js index f8d6e918..6d638bc2 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/edit/edit.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/edit/edit.service.js @@ -62,9 +62,9 @@ /////////////// function allowed() { - // This rule is made up and should therefore always pass. At some point there will - // likely be a valid rule similar to this that we will want to use. - return policy.ifAllowed({ rules: [['neutron', 'update_loadbalancer']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:loadbalancer:put']] + }); } function handle(response) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/edit/edit.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/edit/edit.service.spec.js index 7308e530..f0ac52bd 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/edit/edit.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/loadbalancers/actions/edit/edit.service.spec.js @@ -24,7 +24,13 @@ spyOn(policy, 'ifAllowed').and.returnValue(true); var allowed = service.allowed(item); scope.$apply(); - expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'update_loadbalancer']]}); + expect(policy.ifAllowed).toHaveBeenCalledWith( + { + rules: [[ + 'load-balancer', 'os_load-balancer_api:loadbalancer:put' + ]] + } + ); return allowed; } diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/delete/delete.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/delete/delete.action.service.js index 3761b32c..65e0240d 100644 
--- a/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/delete/delete.action.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/delete/delete.action.service.js @@ -65,9 +65,9 @@ ////////////// function allowed(/*item*/) { - // This rule is made up and should therefore always pass. I assume at some point there - // will be a valid rule similar to this that we will want to use. - return policy.ifAllowed({ rules: [['neutron', 'pool_member_delete']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:member:delete']] + }); } function perform(items, scope) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/edit-member/modal.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/edit-member/modal.service.js index 4aedd3af..c811f1fd 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/edit-member/modal.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/edit-member/modal.service.js @@ -71,9 +71,9 @@ //////////// function allowed(/*item*/) { - // This rule is made up and should therefore always pass. At some point there will - // likely be a valid rule similar to this that we will want to use. - return policy.ifAllowed({ rules: [['neutron', 'pool_member_update']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:member:put']] + }); } /** diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/edit-member/modal.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/edit-member/modal.service.spec.js index e2a54a57..ee9f4b5a 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/edit-member/modal.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/edit-member/modal.service.spec.js 
@@ -32,7 +32,13 @@ function allowed(item) { spyOn(policy, 'ifAllowed').and.returnValue(true); var allowed = service.allowed(item); - expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'pool_member_update']]}); + expect(policy.ifAllowed).toHaveBeenCalledWith( + { + rules: [[ + 'load-balancer', 'os_load-balancer_api:member:put' + ]] + } + ); return allowed; } diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/update-list/update-member-list.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/update-list/update-member-list.service.js index 5c98fb36..7c21a434 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/update-list/update-member-list.service.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/update-list/update-member-list.service.js @@ -57,7 +57,9 @@ }); function allowed(/*item*/) { - return policy.ifAllowed({ rules: [['neutron', 'update_member_list']] }); + return policy.ifAllowed({ + rules: [['load-balancer', 'os_load-balancer_api:pool:put']] + }); } function handle(response) { diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/update-list/update-member-list.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/update-list/update-member-list.service.spec.js index 4d89ed3f..a350c5a1 100644 --- a/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/update-list/update-member-list.service.spec.js +++ b/octavia_dashboard/static/dashboard/project/lbaasv2/members/actions/update-list/update-member-list.service.spec.js 
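Review bot: `allowed()` in update-member-list.service.js gates a member operation on `os_load-balancer_api:pool:put`, whereas the sibling member actions in this commit use `member:delete` and `member:put`. If Octavia authorizes the underlying member add and remove calls with member rules (not visible here), a role with pool update but no member rights would be shown an action the API then rejects, and the reverse role would have it hidden. Either check the member rules the action actually triggers, or record why the pool rule is the right one with a comment such as `// member list is updated through the pool; see <API reference>`.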
@@ -46,7 +46,13 @@
 it('should check policy to allow updating member list', function() {
 spyOn(policy, 'ifAllowed').and.returnValue(true);
 expect(service.allowed()).toBe(true);
- expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'update_member_list']]});
+ expect(policy.ifAllowed).toHaveBeenCalledWith(
+ {
+ rules: [[
+ 'load-balancer', 'os_load-balancer_api:pool:put'
+ ]]
+ }
+ );
 });
 it('should handle the action result properly', function() {
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/create/create.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/create/create.action.service.js
index 9b2bb848..77ca26bd 100644
--- a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/create/create.action.service.js
+++ b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/create/create.action.service.js
@@ -62,7 +62,9 @@
 function allowed() {
 return $q.all([
- policy.ifAllowed({ rules: [['neutron', 'create_pool']] })
+ policy.ifAllowed({
+ rules: [['load-balancer', 'os_load-balancer_api:pool:post']]
+ })
 ]);
 }
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/delete/delete.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/delete/delete.action.service.js
index 0f10683b..b67562fb 100644
--- a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/delete/delete.action.service.js
+++ b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/delete/delete.action.service.js
@@ -68,9 +68,9 @@
 //////////////
 function allowed(/*item*/) {
- // This rule is made up and should therefore always pass. I assume at some point there
- // will be a valid rule similar to this that we will want to use.
- return policy.ifAllowed({ rules: [['neutron', 'delete_pool']] });
+ return policy.ifAllowed({
+ rules: [['load-balancer', 'os_load-balancer_api:pool:delete']]
+ });
 }
 function perform(items, scope) {
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/edit/edit.action.service.js b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/edit/edit.action.service.js
index 9b8eaed5..9a703ce2 100644
--- a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/edit/edit.action.service.js
+++ b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/edit/edit.action.service.js
@@ -57,7 +57,9 @@
 });
 function allowed(/*item*/) {
- return policy.ifAllowed({ rules: [['neutron', 'update_pool']] });
+ return policy.ifAllowed({
+ rules: [['load-balancer', 'os_load-balancer_api:pool:put']]
+ });
 }
 function handle(response) {
diff --git a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/edit/edit.action.service.spec.js b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/edit/edit.action.service.spec.js
index 6528f2b8..985bbf15 100644
--- a/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/edit/edit.action.service.spec.js
+++ b/octavia_dashboard/static/dashboard/project/lbaasv2/pools/actions/edit/edit.action.service.spec.js
@@ -44,7 +44,13 @@
 it('should check policy to allow editing a pool', function() {
 spyOn(policy, 'ifAllowed').and.returnValue(true);
 expect(service.allowed()).toBe(true);
- expect(policy.ifAllowed).toHaveBeenCalledWith({rules: [['neutron', 'update_pool']]});
+ expect(policy.ifAllowed).toHaveBeenCalledWith(
+ {
+ rules: [[
+ 'load-balancer', 'os_load-balancer_api:pool:put'
+ ]]
+ }
+ );
 });
 it('should handle the action result properly', function() {
diff --git a/releasenotes/notes/add-RBAC-43ee180e712294ed.yaml b/releasenotes/notes/add-RBAC-43ee180e712294ed.yaml
new file mode 100644
index 00000000..5ea05db1
--- /dev/null
+++ b/releasenotes/notes/add-RBAC-43ee180e712294ed.yaml
@@ -0,0 +1,18 @@
+---
+features:
+ - |
+ Adds RBAC support to the dashboard panels.
+upgrade:
+ - |
+ To enable RBAC support in the Octavia dashboard you need to install the
+ generated octavia_dashboard/conf/octavia_policy.yaml file into your
+ horizon openstack_dashboard/conf/ directory and also
+ copy octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py
+ file into your horizon openstack_dashboard/local/local_settings.d/
+ directory.
+security:
+ - |
+ RBAC can now be enabled for the Octavia dashboard. Whether you enable RBAC
+ in the dashboard or not, the API RBAC will still be in effect. Enabling
+ RBAC in the dashboard will enforce the policies in the dashboard before
+ the API call is made.
diff --git a/setup.cfg b/setup.cfg
index 8b196132..f2d33018 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -38,6 +38,8 @@ autodoc_tree_excludes =
 octavia_dashboard/enabled
 octavia_dashboard/locale
 octavia_dashboard/static
+ octavia_dashboard/conf
+ octavia_dashboard/local_settings.d
 octavia_dashboard/post_install.sh
 octavia_dashboard/karma.conf.js
 autodoc_index_modules = False