From edcd40d3138cfdee76a663a838eb398f36ff015c Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 5 Jun 2021 12:40:14 +0900 Subject: [PATCH] Support policy-in-code and deprecated policy This change adds support for policy-in-code and deprecated policy following the change in horizon. Depends-on: https://review.opendev.org/750134 Change-Id: I904c0a8b17d99245bf2f27058752b4b2d4f1b518 --- .gitignore | 3 - README.rst | 23 +- devstack/plugin.sh | 3 +- doc/source/installation.rst | 2 +- octavia_dashboard/conf/.gitkeep | 0 .../conf/default_policies/octavia.yaml | 679 ++++++++++++++++++ octavia_dashboard/conf/octavia_policy.yaml | 396 ++++++++++ .../_1499_load_balancer_settings.py | 4 + 8 files changed, 1093 insertions(+), 17 deletions(-) delete mode 100644 octavia_dashboard/conf/.gitkeep create mode 100644 octavia_dashboard/conf/default_policies/octavia.yaml create mode 100644 octavia_dashboard/conf/octavia_policy.yaml diff --git a/.gitignore b/.gitignore index 6643fab2..e72d4bc2 100644 --- a/.gitignore +++ b/.gitignore @@ -65,6 +65,3 @@ ChangeLog # IntelliJ editors .idea - -# Conf -octavia_dashboard/conf diff --git a/README.rst b/README.rst index da701953..d97abeb9 100644 --- a/README.rst +++ b/README.rst 
@@ -46,31 +46,30 @@ Howto ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/enabled/_1482_*.py \ ${HORIZON_DIR}/openstack_dashboard/local/enabled/ -3. (Optional) Generate the policy file and copy into horizon's policy files - folder, and copy ``_1499_load_balancer_settings.py`` in +4. (Optional) Copy ``_1499_load_balancer_settings.py`` in ``octavia_dashboard/local_settings.d`` directory - to ``openstack_dashboard/local/local_settings.d``:: + to ``openstack_dashboard/local/local_settings.d`` + and policy files in ``octavia_dashboard/conf`` directory to + ``openstack_dashboard/local/conf`` directory:: - $ oslopolicy-policy-generator \ - --config-file \ - ${OCTAVIA_DIR}/etc/policy/octavia-policy-generator.conf \ - --output-file \ - ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml + $ cp -a \ + ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/local_settings.d/_1499_*.py \ + ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/ $ cp -a \ ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml \ ${HORIZON_DIR}/openstack_dashboard/conf/ $ cp -a \ - ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/local_settings.d/_1499_*.py \ - ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/ + ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/default_policies/octavia.yaml \ + ${HORIZON_DIR}/openstack_dashboard/conf/default_policies/ -4. Django has a compressor feature that performs many enhancements for the +5. Django has a compressor feature that performs many enhancements for the delivery of static files. If the compressor feature is enabled in your environment (``COMPRESS_OFFLINE = True``), run the following commands:: $ ./manage.py collectstatic $ ./manage.py compress -5. Finally restart your web server to enable octavia-dashboard +6. Finally restart your web server to enable octavia-dashboard in your Horizon:: $ sudo service apache2 restart diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 91670df2..ae761720 100644 --- a/devstack/plugin.sh 
+++ b/devstack/plugin.sh
@@ -5,8 +5,8 @@ function octavia_dashboard_install {
 function octavia_dashboard_configure {
 cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/enabled/_1482_project_load_balancer_panel.py ${HORIZON_DIR}/openstack_dashboard/local/enabled/
 cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/
- oslopolicy-policy-generator --config-file ${OCTAVIA_DIR}/etc/policy/octavia-policy-generator.conf --output-file ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml
 cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/octavia_policy.yaml ${HORIZON_DIR}/openstack_dashboard/conf/
+ cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/default_policies/octavia.yaml ${HORIZON_DIR}/openstack_dashboard/conf/default_policies
 if [[ -d ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/locale ]]; then
 (cd ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard; DJANGO_SETTINGS_MODULE=openstack_dashboard.settings $PYTHON ../manage.py compilemessages)
 fi
@@ -34,5 +34,6 @@ if is_service_enabled horizon && is_service_enabled o-api; then
 rm -f ${HORIZON_DIR}/openstack_dashboard/local/enabled/_1482_project_load_balancer_panel.py*
 rm -f ${HORIZON_DIR}/openstack_dashboard/local/local_settings.d/_1499_load_balancer_settings.py*
 rm -f ${HORIZON_DIR}/openstack_dashboard/conf/octavia_policy.yaml
+ rm -f ${HORIZON_DIR}/openstack_dashboard/conf/default_policies/octavia.yaml
 fi
 fi
diff --git a/doc/source/installation.rst b/doc/source/installation.rst
index 270a853e..0750bd3e 100644
--- a/doc/source/installation.rst
+++ b/doc/source/installation.rst
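Review bot: The added `cp -a ... ${HORIZON_DIR}/openstack_dashboard/conf/default_policies` in the first hunk names its destination without a trailing slash, unlike the neighbouring copies into `conf/` and `local/enabled/`; if that directory does not exist in the installed horizon, `cp` silently creates a regular file called `default_policies` instead, the dashboard's default rules presumably never get picked up, and the second hunk's `rm -f .../default_policies/octavia.yaml` then removes nothing on cleanup. Making the directory explicit, `cp -a ${OCTAVIA_DASHBOARD_DIR}/octavia_dashboard/conf/default_policies/octavia.yaml ${HORIZON_DIR}/openstack_dashboard/conf/default_policies/`, optionally preceded by `mkdir -p ${HORIZON_DIR}/openstack_dashboard/conf/default_policies`, would fail loudly rather than mis-install. Separately, dropping the `oslopolicy-policy-generator` step means devstack now installs the checked-in snapshot rather than rules generated from `${OCTAVIA_DIR}`, so Horizon-side enforcement can drift from the API's defaults when that tree moves ahead; a comment next to the copy naming the Octavia release the snapshot was generated from would make the gap visible to operators. octavia_dashboard_configure's body continues past the first hunk, and the enclosing `if` of the second hunk starts outside it.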
@@ -17,7 +17,7 @@ octavia_dashboard/enabled directory to openstack_dashboard/local/enabled (Optional) To enable policy enforcement at the Horizon level, copy the policy file into horizon's policy files folder, and add this config ``POLICY_FILES``:: - 'octavia': 'octavia_policy.json', + 'octavia': 'octavia_policy.yaml', Django has a compressor feature that performs many enhancements for the delivery of static files. If the compressor feature is enabled in your diff --git a/octavia_dashboard/conf/.gitkeep b/octavia_dashboard/conf/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/octavia_dashboard/conf/default_policies/octavia.yaml b/octavia_dashboard/conf/default_policies/octavia.yaml new file mode 100644 index 00000000..f37fec2e --- /dev/null +++ b/octavia_dashboard/conf/default_policies/octavia.yaml 
@@ -0,0 +1,679 @@ +- check_str: role:admin and system_scope:all + description: null + name: system-admin + operations: [] + scope_types: + - system +- check_str: role:reader and system_scope:all + description: null + name: system-reader + operations: [] + scope_types: + - system +- check_str: role:member and project_id:%(project_id)s + description: null + name: project-member + operations: [] + scope_types: + - project +- check_str: role:reader and project_id:%(project_id)s + description: null + name: project-reader + operations: [] + scope_types: + - project +- check_str: role:load-balancer_admin or rule:system-admin + deprecated_reason: The Octavia API now requires the OpenStack default roles and + scoped tokens. See https://docs.openstack.org/octavia/latest/configuration/policy.html + and https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles + for more information. + deprecated_rule: + check_str: role:admin or role:load-balancer_admin + name: context_is_admin + deprecated_since: W + description: null + name: context_is_admin + operations: [] + scope_types: + - system +- check_str: project_id:%(project_id)s + description: null + name: load-balancer:owner + operations: [] + scope_types: + - project +- check_str: role:load-balancer_observer and rule:project-reader + deprecated_reason: The Octavia API now requires the OpenStack default roles and + scoped tokens. See https://docs.openstack.org/octavia/latest/configuration/policy.html + and https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles + for more information. 
+ deprecated_rule: + check_str: role:load-balancer_observer and rule:load-balancer:owner + name: load-balancer:observer_and_owner + deprecated_since: W + description: null + name: load-balancer:observer_and_owner + operations: [] + scope_types: + - project +- check_str: role:load-balancer_global_observer or rule:system-reader + description: null + name: load-balancer:global_observer + operations: [] + scope_types: + - system +- check_str: role:load-balancer_member and rule:project-member + deprecated_reason: The Octavia API now requires the OpenStack default roles and + scoped tokens. See https://docs.openstack.org/octavia/latest/configuration/policy.html + and https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles + for more information. + deprecated_rule: + check_str: role:load-balancer_member and rule:load-balancer:owner + name: load-balancer:member_and_owner + deprecated_since: W + description: null + name: load-balancer:member_and_owner + operations: [] + scope_types: + - project +- check_str: is_admin:True or role:load-balancer_admin or rule:system-admin + description: null + name: load-balancer:admin + operations: [] + scope_types: + - system +- check_str: rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer + or rule:load-balancer:member_and_owner or rule:load-balancer:admin + description: null + name: load-balancer:read + operations: [] + scope_types: + - project + - system +- check_str: rule:load-balancer:global_observer or rule:load-balancer:admin + description: null + name: load-balancer:read-global + operations: [] + scope_types: + - system +- check_str: rule:load-balancer:member_and_owner or rule:load-balancer:admin + description: null + name: load-balancer:write + operations: [] + scope_types: + - project + - system +- check_str: rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer + or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or 
rule:load-balancer:admin + description: null + name: load-balancer:read-quota + operations: [] + scope_types: + - project + - system +- check_str: rule:load-balancer:global_observer or role:load-balancer_quota_admin + or rule:load-balancer:admin + description: null + name: load-balancer:read-quota-global + operations: [] + scope_types: + - system +- check_str: role:load-balancer_quota_admin or rule:load-balancer:admin + description: null + name: load-balancer:write-quota + operations: [] + scope_types: + - system +- check_str: rule:load-balancer:read + description: List Flavors + name: os_load-balancer_api:flavor:get_all + operations: + - method: GET + path: /v2.0/lbaas/flavors + scope_types: null +- check_str: rule:load-balancer:admin + description: Create a Flavor + name: os_load-balancer_api:flavor:post + operations: + - method: POST + path: /v2.0/lbaas/flavors + scope_types: null +- check_str: rule:load-balancer:admin + description: Update a Flavor + name: os_load-balancer_api:flavor:put + operations: + - method: PUT + path: /v2.0/lbaas/flavors/{flavor_id} + scope_types: null +- check_str: rule:load-balancer:read + description: Show Flavor details + name: os_load-balancer_api:flavor:get_one + operations: + - method: GET + path: /v2.0/lbaas/flavors/{flavor_id} + scope_types: null +- check_str: rule:load-balancer:admin + description: Remove a Flavor + name: os_load-balancer_api:flavor:delete + operations: + - method: DELETE + path: /v2.0/lbaas/flavors/{flavor_id} + scope_types: null +- check_str: rule:load-balancer:admin + description: List Flavor Profiles + name: os_load-balancer_api:flavor-profile:get_all + operations: + - method: GET + path: /v2.0/lbaas/flavorprofiles + scope_types: null +- check_str: rule:load-balancer:admin + description: Create a Flavor Profile + name: os_load-balancer_api:flavor-profile:post + operations: + - method: POST + path: /v2.0/lbaas/flavorprofiles + scope_types: null +- check_str: rule:load-balancer:admin + description: Update a 
Flavor Profile + name: os_load-balancer_api:flavor-profile:put + operations: + - method: PUT + path: /v2.0/lbaas/flavorprofiles/{flavor_profile_id} + scope_types: null +- check_str: rule:load-balancer:admin + description: Show Flavor Profile details + name: os_load-balancer_api:flavor-profile:get_one + operations: + - method: GET + path: /v2.0/lbaas/flavorprofiles/{flavor_profile_id} + scope_types: null +- check_str: rule:load-balancer:admin + description: Remove a Flavor Profile + name: os_load-balancer_api:flavor-profile:delete + operations: + - method: DELETE + path: /v2.0/lbaas/flavorprofiles/{flavor_profile_id} + scope_types: null +- check_str: rule:load-balancer:read + description: List Availability Zones + name: os_load-balancer_api:availability-zone:get_all + operations: + - method: GET + path: /v2.0/lbaas/availabilityzones + scope_types: null +- check_str: rule:load-balancer:admin + description: Create an Availability Zone + name: os_load-balancer_api:availability-zone:post + operations: + - method: POST + path: /v2.0/lbaas/availabilityzones + scope_types: null +- check_str: rule:load-balancer:admin + description: Update an Availability Zone + name: os_load-balancer_api:availability-zone:put + operations: + - method: PUT + path: /v2.0/lbaas/availabilityzones/{availability_zone_id} + scope_types: null +- check_str: rule:load-balancer:read + description: Show Availability Zone details + name: os_load-balancer_api:availability-zone:get_one + operations: + - method: GET + path: /v2.0/lbaas/availabilityzones/{availability_zone_id} + scope_types: null +- check_str: rule:load-balancer:admin + description: Remove an Availability Zone + name: os_load-balancer_api:availability-zone:delete + operations: + - method: DELETE + path: /v2.0/lbaas/availabilityzones/{availability_zone_id} + scope_types: null +- check_str: rule:load-balancer:admin + description: List Availability Zones + name: os_load-balancer_api:availability-zone-profile:get_all + operations: + - method: 
GET + path: /v2.0/lbaas/availabilityzoneprofiles + scope_types: null +- check_str: rule:load-balancer:admin + description: Create an Availability Zone + name: os_load-balancer_api:availability-zone-profile:post + operations: + - method: POST + path: /v2.0/lbaas/availabilityzoneprofiles + scope_types: null +- check_str: rule:load-balancer:admin + description: Update an Availability Zone + name: os_load-balancer_api:availability-zone-profile:put + operations: + - method: PUT + path: /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id} + scope_types: null +- check_str: rule:load-balancer:admin + description: Show Availability Zone details + name: os_load-balancer_api:availability-zone-profile:get_one + operations: + - method: GET + path: /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id} + scope_types: null +- check_str: rule:load-balancer:admin + description: Remove an Availability Zone + name: os_load-balancer_api:availability-zone-profile:delete + operations: + - method: DELETE + path: /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id} + scope_types: null +- check_str: rule:load-balancer:read + description: List Health Monitors of a Pool + name: os_load-balancer_api:healthmonitor:get_all + operations: + - method: GET + path: /v2/lbaas/healthmonitors + scope_types: null +- check_str: rule:load-balancer:read-global + description: List Health Monitors including resources owned by others + name: os_load-balancer_api:healthmonitor:get_all-global + operations: + - method: GET + path: /v2/lbaas/healthmonitors + scope_types: null +- check_str: rule:load-balancer:write + description: Create a Health Monitor + name: os_load-balancer_api:healthmonitor:post + operations: + - method: POST + path: /v2/lbaas/healthmonitors + scope_types: null +- check_str: rule:load-balancer:read + description: Show Health Monitor details + name: os_load-balancer_api:healthmonitor:get_one + operations: + - method: GET + path: 
/v2/lbaas/healthmonitors/{healthmonitor_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Update a Health Monitor + name: os_load-balancer_api:healthmonitor:put + operations: + - method: PUT + path: /v2/lbaas/healthmonitors/{healthmonitor_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Remove a Health Monitor + name: os_load-balancer_api:healthmonitor:delete + operations: + - method: DELETE + path: /v2/lbaas/healthmonitors/{healthmonitor_id} + scope_types: null +- check_str: rule:load-balancer:read + description: List L7 Policys + name: os_load-balancer_api:l7policy:get_all + operations: + - method: GET + path: /v2/lbaas/l7policies + scope_types: null +- check_str: rule:load-balancer:read-global + description: List L7 Policys including resources owned by others + name: os_load-balancer_api:l7policy:get_all-global + operations: + - method: GET + path: /v2/lbaas/l7policies + scope_types: null +- check_str: rule:load-balancer:write + description: Create a L7 Policy + name: os_load-balancer_api:l7policy:post + operations: + - method: POST + path: /v2/lbaas/l7policies + scope_types: null +- check_str: rule:load-balancer:read + description: Show L7 Policy details + name: os_load-balancer_api:l7policy:get_one + operations: + - method: GET + path: /v2/lbaas/l7policies/{l7policy_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Update a L7 Policy + name: os_load-balancer_api:l7policy:put + operations: + - method: PUT + path: /v2/lbaas/l7policies/{l7policy_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Remove a L7 Policy + name: os_load-balancer_api:l7policy:delete + operations: + - method: DELETE + path: /v2/lbaas/l7policies/{l7policy_id} + scope_types: null +- check_str: rule:load-balancer:read + description: List L7 Rules + name: os_load-balancer_api:l7rule:get_all + operations: + - method: GET + path: /v2/lbaas/l7policies/{l7policy_id}/rules + scope_types: 
null +- check_str: rule:load-balancer:write + description: Create a L7 Rule + name: os_load-balancer_api:l7rule:post + operations: + - method: POST + path: /v2/lbaas/l7policies/{l7policy_id}/rules + scope_types: null +- check_str: rule:load-balancer:read + description: Show L7 Rule details + name: os_load-balancer_api:l7rule:get_one + operations: + - method: GET + path: /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Update a L7 Rule + name: os_load-balancer_api:l7rule:put + operations: + - method: PUT + path: /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Remove a L7 Rule + name: os_load-balancer_api:l7rule:delete + operations: + - method: DELETE + path: /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} + scope_types: null +- check_str: rule:load-balancer:read + description: List Listeners + name: os_load-balancer_api:listener:get_all + operations: + - method: GET + path: /v2/lbaas/listeners + scope_types: null +- check_str: rule:load-balancer:read-global + description: List Listeners including resources owned by others + name: os_load-balancer_api:listener:get_all-global + operations: + - method: GET + path: /v2/lbaas/listeners + scope_types: null +- check_str: rule:load-balancer:write + description: Create a Listener + name: os_load-balancer_api:listener:post + operations: + - method: POST + path: /v2/lbaas/listeners + scope_types: null +- check_str: rule:load-balancer:read + description: Show Listener details + name: os_load-balancer_api:listener:get_one + operations: + - method: GET + path: /v2/lbaas/listeners/{listener_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Update a Listener + name: os_load-balancer_api:listener:put + operations: + - method: PUT + path: /v2/lbaas/listeners/{listener_id} + scope_types: null +- check_str: rule:load-balancer:write + description: 
Remove a Listener + name: os_load-balancer_api:listener:delete + operations: + - method: DELETE + path: /v2/lbaas/listeners/{listener_id} + scope_types: null +- check_str: rule:load-balancer:read + description: Show Listener statistics + name: os_load-balancer_api:listener:get_stats + operations: + - method: GET + path: /v2/lbaas/listeners/{listener_id}/stats + scope_types: null +- check_str: rule:load-balancer:read + description: List Load Balancers + name: os_load-balancer_api:loadbalancer:get_all + operations: + - method: GET + path: /v2/lbaas/loadbalancers + scope_types: null +- check_str: rule:load-balancer:read-global + description: List Load Balancers including resources owned by others + name: os_load-balancer_api:loadbalancer:get_all-global + operations: + - method: GET + path: /v2/lbaas/loadbalancers + scope_types: null +- check_str: rule:load-balancer:write + description: Create a Load Balancer + name: os_load-balancer_api:loadbalancer:post + operations: + - method: POST + path: /v2/lbaas/loadbalancers + scope_types: null +- check_str: rule:load-balancer:read + description: Show Load Balancer details + name: os_load-balancer_api:loadbalancer:get_one + operations: + - method: GET + path: /v2/lbaas/loadbalancers/{loadbalancer_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Update a Load Balancer + name: os_load-balancer_api:loadbalancer:put + operations: + - method: PUT + path: /v2/lbaas/loadbalancers/{loadbalancer_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Remove a Load Balancer + name: os_load-balancer_api:loadbalancer:delete + operations: + - method: DELETE + path: /v2/lbaas/loadbalancers/{loadbalancer_id} + scope_types: null +- check_str: rule:load-balancer:read + description: Show Load Balancer statistics + name: os_load-balancer_api:loadbalancer:get_stats + operations: + - method: GET + path: /v2/lbaas/loadbalancers/{loadbalancer_id}/stats + scope_types: null +- check_str: 
rule:load-balancer:read + description: Show Load Balancer status + name: os_load-balancer_api:loadbalancer:get_status + operations: + - method: GET + path: /v2/lbaas/loadbalancers/{loadbalancer_id}/status + scope_types: null +- check_str: rule:load-balancer:admin + description: Failover a Load Balancer + name: os_load-balancer_api:loadbalancer:put_failover + operations: + - method: PUT + path: /v2/lbaas/loadbalancers/{loadbalancer_id}/failover + scope_types: null +- check_str: rule:load-balancer:read + description: List Members of a Pool + name: os_load-balancer_api:member:get_all + operations: + - method: GET + path: /v2/lbaas/pools/{pool_id}/members + scope_types: null +- check_str: rule:load-balancer:write + description: Create a Member + name: os_load-balancer_api:member:post + operations: + - method: POST + path: /v2/lbaas/pools/{pool_id}/members + scope_types: null +- check_str: rule:load-balancer:read + description: Show Member details + name: os_load-balancer_api:member:get_one + operations: + - method: GET + path: /v2/lbaas/pools/{pool_id}/members/{member_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Update a Member + name: os_load-balancer_api:member:put + operations: + - method: PUT + path: /v2/lbaas/pools/{pool_id}/members/{member_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Remove a Member + name: os_load-balancer_api:member:delete + operations: + - method: DELETE + path: /v2/lbaas/pools/{pool_id}/members/{member_id} + scope_types: null +- check_str: rule:load-balancer:read + description: List Pools + name: os_load-balancer_api:pool:get_all + operations: + - method: GET + path: /v2/lbaas/pools + scope_types: null +- check_str: rule:load-balancer:read-global + description: List Pools including resources owned by others + name: os_load-balancer_api:pool:get_all-global + operations: + - method: GET + path: /v2/lbaas/pools + scope_types: null +- check_str: rule:load-balancer:write + 
description: Create a Pool + name: os_load-balancer_api:pool:post + operations: + - method: POST + path: /v2/lbaas/pools + scope_types: null +- check_str: rule:load-balancer:read + description: Show Pool details + name: os_load-balancer_api:pool:get_one + operations: + - method: GET + path: /v2/lbaas/pools/{pool_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Update a Pool + name: os_load-balancer_api:pool:put + operations: + - method: PUT + path: /v2/lbaas/pools/{pool_id} + scope_types: null +- check_str: rule:load-balancer:write + description: Remove a Pool + name: os_load-balancer_api:pool:delete + operations: + - method: DELETE + path: /v2/lbaas/pools/{pool_id} + scope_types: null +- check_str: rule:load-balancer:read + description: List enabled providers + name: os_load-balancer_api:provider:get_all + operations: + - method: GET + path: /v2/lbaas/providers + scope_types: null +- check_str: rule:load-balancer:read-quota + description: List Quotas + name: os_load-balancer_api:quota:get_all + operations: + - method: GET + path: /v2/lbaas/quotas + scope_types: null +- check_str: rule:load-balancer:read-quota-global + description: List Quotas including resources owned by others + name: os_load-balancer_api:quota:get_all-global + operations: + - method: GET + path: /v2/lbaas/quotas + scope_types: null +- check_str: rule:load-balancer:read-quota + description: Show Quota details + name: os_load-balancer_api:quota:get_one + operations: + - method: GET + path: /v2/lbaas/quotas/{project_id} + scope_types: null +- check_str: rule:load-balancer:write-quota + description: Update a Quota + name: os_load-balancer_api:quota:put + operations: + - method: PUT + path: /v2/lbaas/quotas/{project_id} + scope_types: null +- check_str: rule:load-balancer:write-quota + description: Reset a Quota + name: os_load-balancer_api:quota:delete + operations: + - method: DELETE + path: /v2/lbaas/quotas/{project_id} + scope_types: null +- check_str: 
rule:load-balancer:read-quota + description: Show Default Quota for a Project + name: os_load-balancer_api:quota:get_defaults + operations: + - method: GET + path: /v2/lbaas/quotas/{project_id}/default + scope_types: null +- check_str: rule:load-balancer:admin + description: List Amphorae + name: os_load-balancer_api:amphora:get_all + operations: + - method: GET + path: /v2/octavia/amphorae + scope_types: null +- check_str: rule:load-balancer:admin + description: Show Amphora details + name: os_load-balancer_api:amphora:get_one + operations: + - method: GET + path: /v2/octavia/amphorae/{amphora_id} + scope_types: null +- check_str: rule:load-balancer:admin + description: Delete an Amphora + name: os_load-balancer_api:amphora:delete + operations: + - method: DELETE + path: /v2/octavia/amphorae/{amphora_id} + scope_types: null +- check_str: rule:load-balancer:admin + description: Update Amphora Agent Configuration + name: os_load-balancer_api:amphora:put_config + operations: + - method: PUT + path: /v2/octavia/amphorae/{amphora_id}/config + scope_types: null +- check_str: rule:load-balancer:admin + description: Failover Amphora + name: os_load-balancer_api:amphora:put_failover + operations: + - method: PUT + path: /v2/octavia/amphorae/{amphora_id}/failover + scope_types: null +- check_str: rule:load-balancer:admin + description: Show Amphora statistics + name: os_load-balancer_api:amphora:get_stats + operations: + - method: GET + path: /v2/octavia/amphorae/{amphora_id}/stats + scope_types: null +- check_str: rule:load-balancer:admin + description: List the provider flavor capabilities. + name: os_load-balancer_api:provider-flavor:get_all + operations: + - method: GET + path: /v2/lbaas/providers/{provider}/flavor_capabilities + scope_types: null +- check_str: rule:load-balancer:admin + description: List the provider availability zone capabilities. 
+ name: os_load-balancer_api:provider-availability-zone:get_all + operations: + - method: GET + path: /v2/lbaas/providers/{provider}/availability_zone_capabilities + scope_types: null diff --git a/octavia_dashboard/conf/octavia_policy.yaml b/octavia_dashboard/conf/octavia_policy.yaml new file mode 100644 index 00000000..0513b830 --- /dev/null +++ b/octavia_dashboard/conf/octavia_policy.yaml 
@@ -0,0 +1,396 @@ +# Intended scope(s): system +#"system-admin": "role:admin and system_scope:all" + +# Intended scope(s): system +#"system-reader": "role:reader and system_scope:all" + +# Intended scope(s): project +#"project-member": "role:member and project_id:%(project_id)s" + +# Intended scope(s): project +#"project-reader": "role:reader and project_id:%(project_id)s" + +# Intended scope(s): system +#"context_is_admin": "role:load-balancer_admin or rule:system-admin" + +# DEPRECATED +# "context_is_admin":"role:admin or role:load-balancer_admin" has been +# deprecated since W in favor of "context_is_admin":"role:load- +# balancer_admin or rule:system-admin". +# The Octavia API now requires the OpenStack default roles and scoped +# tokens. See +# https://docs.openstack.org/octavia/latest/configuration/policy.html +# and https://docs.openstack.org/keystone/latest/contributor/services. +# html#reusable-default-roles for more information. + +# Intended scope(s): project +#"load-balancer:owner": "project_id:%(project_id)s" + +# Intended scope(s): project +#"load-balancer:observer_and_owner": "role:load-balancer_observer and rule:project-reader" + +# DEPRECATED +# "load-balancer:observer_and_owner":"role:load-balancer_observer and +# rule:load-balancer:owner" has been deprecated since W in favor of +# "load-balancer:observer_and_owner":"role:load-balancer_observer and +# rule:project-reader". +# The Octavia API now requires the OpenStack default roles and scoped +# tokens. See +# https://docs.openstack.org/octavia/latest/configuration/policy.html +# and https://docs.openstack.org/keystone/latest/contributor/services. +# html#reusable-default-roles for more information. 
+ +# Intended scope(s): system +#"load-balancer:global_observer": "role:load-balancer_global_observer or rule:system-reader" + +# Intended scope(s): project +#"load-balancer:member_and_owner": "role:load-balancer_member and rule:project-member" + +# DEPRECATED +# "load-balancer:member_and_owner":"role:load-balancer_member and +# rule:load-balancer:owner" has been deprecated since W in favor of +# "load-balancer:member_and_owner":"role:load-balancer_member and +# rule:project-member". +# The Octavia API now requires the OpenStack default roles and scoped +# tokens. See +# https://docs.openstack.org/octavia/latest/configuration/policy.html +# and https://docs.openstack.org/keystone/latest/contributor/services. +# html#reusable-default-roles for more information. + +# Intended scope(s): system +#"load-balancer:admin": "is_admin:True or role:load-balancer_admin or rule:system-admin" + +# Intended scope(s): project, system +#"load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin" + +# Intended scope(s): system +#"load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin" + +# Intended scope(s): project, system +#"load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin" + +# Intended scope(s): project, system +#"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin" + +# Intended scope(s): system +#"load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin" + +# Intended scope(s): system +#"load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin" + +# List Flavors +# GET /v2.0/lbaas/flavors +#"os_load-balancer_api:flavor:get_all": 
"rule:load-balancer:read" + +# Create a Flavor +# POST /v2.0/lbaas/flavors +#"os_load-balancer_api:flavor:post": "rule:load-balancer:admin" + +# Update a Flavor +# PUT /v2.0/lbaas/flavors/{flavor_id} +#"os_load-balancer_api:flavor:put": "rule:load-balancer:admin" + +# Show Flavor details +# GET /v2.0/lbaas/flavors/{flavor_id} +#"os_load-balancer_api:flavor:get_one": "rule:load-balancer:read" + +# Remove a Flavor +# DELETE /v2.0/lbaas/flavors/{flavor_id} +#"os_load-balancer_api:flavor:delete": "rule:load-balancer:admin" + +# List Flavor Profiles +# GET /v2.0/lbaas/flavorprofiles +#"os_load-balancer_api:flavor-profile:get_all": "rule:load-balancer:admin" + +# Create a Flavor Profile +# POST /v2.0/lbaas/flavorprofiles +#"os_load-balancer_api:flavor-profile:post": "rule:load-balancer:admin" + +# Update a Flavor Profile +# PUT /v2.0/lbaas/flavorprofiles/{flavor_profile_id} +#"os_load-balancer_api:flavor-profile:put": "rule:load-balancer:admin" + +# Show Flavor Profile details +# GET /v2.0/lbaas/flavorprofiles/{flavor_profile_id} +#"os_load-balancer_api:flavor-profile:get_one": "rule:load-balancer:admin" + +# Remove a Flavor Profile +# DELETE /v2.0/lbaas/flavorprofiles/{flavor_profile_id} +#"os_load-balancer_api:flavor-profile:delete": "rule:load-balancer:admin" + +# List Availability Zones +# GET /v2.0/lbaas/availabilityzones +#"os_load-balancer_api:availability-zone:get_all": "rule:load-balancer:read" + +# Create an Availability Zone +# POST /v2.0/lbaas/availabilityzones +#"os_load-balancer_api:availability-zone:post": "rule:load-balancer:admin" + +# Update an Availability Zone +# PUT /v2.0/lbaas/availabilityzones/{availability_zone_id} +#"os_load-balancer_api:availability-zone:put": "rule:load-balancer:admin" + +# Show Availability Zone details +# GET /v2.0/lbaas/availabilityzones/{availability_zone_id} +#"os_load-balancer_api:availability-zone:get_one": "rule:load-balancer:read" + +# Remove an Availability Zone +# DELETE 
/v2.0/lbaas/availabilityzones/{availability_zone_id} +#"os_load-balancer_api:availability-zone:delete": "rule:load-balancer:admin" + +# List Availability Zones +# GET /v2.0/lbaas/availabilityzoneprofiles +#"os_load-balancer_api:availability-zone-profile:get_all": "rule:load-balancer:admin" + +# Create an Availability Zone +# POST /v2.0/lbaas/availabilityzoneprofiles +#"os_load-balancer_api:availability-zone-profile:post": "rule:load-balancer:admin" + +# Update an Availability Zone +# PUT /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id} +#"os_load-balancer_api:availability-zone-profile:put": "rule:load-balancer:admin" + +# Show Availability Zone details +# GET /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id} +#"os_load-balancer_api:availability-zone-profile:get_one": "rule:load-balancer:admin" + +# Remove an Availability Zone +# DELETE /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id} +#"os_load-balancer_api:availability-zone-profile:delete": "rule:load-balancer:admin" + +# List Health Monitors of a Pool +# GET /v2/lbaas/healthmonitors +#"os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read" + +# List Health Monitors including resources owned by others +# GET /v2/lbaas/healthmonitors +#"os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global" + +# Create a Health Monitor +# POST /v2/lbaas/healthmonitors +#"os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write" + +# Show Health Monitor details +# GET /v2/lbaas/healthmonitors/{healthmonitor_id} +#"os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read" + +# Update a Health Monitor +# PUT /v2/lbaas/healthmonitors/{healthmonitor_id} +#"os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write" + +# Remove a Health Monitor +# DELETE /v2/lbaas/healthmonitors/{healthmonitor_id} +#"os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write" + +# List L7 Policys +# GET 
/v2/lbaas/l7policies +#"os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read" + +# List L7 Policys including resources owned by others +# GET /v2/lbaas/l7policies +#"os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global" + +# Create a L7 Policy +# POST /v2/lbaas/l7policies +#"os_load-balancer_api:l7policy:post": "rule:load-balancer:write" + +# Show L7 Policy details +# GET /v2/lbaas/l7policies/{l7policy_id} +#"os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read" + +# Update a L7 Policy +# PUT /v2/lbaas/l7policies/{l7policy_id} +#"os_load-balancer_api:l7policy:put": "rule:load-balancer:write" + +# Remove a L7 Policy +# DELETE /v2/lbaas/l7policies/{l7policy_id} +#"os_load-balancer_api:l7policy:delete": "rule:load-balancer:write" + +# List L7 Rules +# GET /v2/lbaas/l7policies/{l7policy_id}/rules +#"os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read" + +# Create a L7 Rule +# POST /v2/lbaas/l7policies/{l7policy_id}/rules +#"os_load-balancer_api:l7rule:post": "rule:load-balancer:write" + +# Show L7 Rule details +# GET /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} +#"os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read" + +# Update a L7 Rule +# PUT /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} +#"os_load-balancer_api:l7rule:put": "rule:load-balancer:write" + +# Remove a L7 Rule +# DELETE /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} +#"os_load-balancer_api:l7rule:delete": "rule:load-balancer:write" + +# List Listeners +# GET /v2/lbaas/listeners +#"os_load-balancer_api:listener:get_all": "rule:load-balancer:read" + +# List Listeners including resources owned by others +# GET /v2/lbaas/listeners +#"os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global" + +# Create a Listener +# POST /v2/lbaas/listeners +#"os_load-balancer_api:listener:post": "rule:load-balancer:write" + +# Show Listener details +# GET /v2/lbaas/listeners/{listener_id} 
+#"os_load-balancer_api:listener:get_one": "rule:load-balancer:read" + +# Update a Listener +# PUT /v2/lbaas/listeners/{listener_id} +#"os_load-balancer_api:listener:put": "rule:load-balancer:write" + +# Remove a Listener +# DELETE /v2/lbaas/listeners/{listener_id} +#"os_load-balancer_api:listener:delete": "rule:load-balancer:write" + +# Show Listener statistics +# GET /v2/lbaas/listeners/{listener_id}/stats +#"os_load-balancer_api:listener:get_stats": "rule:load-balancer:read" + +# List Load Balancers +# GET /v2/lbaas/loadbalancers +#"os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read" + +# List Load Balancers including resources owned by others +# GET /v2/lbaas/loadbalancers +#"os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global" + +# Create a Load Balancer +# POST /v2/lbaas/loadbalancers +#"os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write" + +# Show Load Balancer details +# GET /v2/lbaas/loadbalancers/{loadbalancer_id} +#"os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read" + +# Update a Load Balancer +# PUT /v2/lbaas/loadbalancers/{loadbalancer_id} +#"os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write" + +# Remove a Load Balancer +# DELETE /v2/lbaas/loadbalancers/{loadbalancer_id} +#"os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write" + +# Show Load Balancer statistics +# GET /v2/lbaas/loadbalancers/{loadbalancer_id}/stats +#"os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read" + +# Show Load Balancer status +# GET /v2/lbaas/loadbalancers/{loadbalancer_id}/status +#"os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read" + +# Failover a Load Balancer +# PUT /v2/lbaas/loadbalancers/{loadbalancer_id}/failover +#"os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin" + +# List Members of a Pool +# GET /v2/lbaas/pools/{pool_id}/members +#"os_load-balancer_api:member:get_all": 
"rule:load-balancer:read" + +# Create a Member +# POST /v2/lbaas/pools/{pool_id}/members +#"os_load-balancer_api:member:post": "rule:load-balancer:write" + +# Show Member details +# GET /v2/lbaas/pools/{pool_id}/members/{member_id} +#"os_load-balancer_api:member:get_one": "rule:load-balancer:read" + +# Update a Member +# PUT /v2/lbaas/pools/{pool_id}/members/{member_id} +#"os_load-balancer_api:member:put": "rule:load-balancer:write" + +# Remove a Member +# DELETE /v2/lbaas/pools/{pool_id}/members/{member_id} +#"os_load-balancer_api:member:delete": "rule:load-balancer:write" + +# List Pools +# GET /v2/lbaas/pools +#"os_load-balancer_api:pool:get_all": "rule:load-balancer:read" + +# List Pools including resources owned by others +# GET /v2/lbaas/pools +#"os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global" + +# Create a Pool +# POST /v2/lbaas/pools +#"os_load-balancer_api:pool:post": "rule:load-balancer:write" + +# Show Pool details +# GET /v2/lbaas/pools/{pool_id} +#"os_load-balancer_api:pool:get_one": "rule:load-balancer:read" + +# Update a Pool +# PUT /v2/lbaas/pools/{pool_id} +#"os_load-balancer_api:pool:put": "rule:load-balancer:write" + +# Remove a Pool +# DELETE /v2/lbaas/pools/{pool_id} +#"os_load-balancer_api:pool:delete": "rule:load-balancer:write" + +# List enabled providers +# GET /v2/lbaas/providers +#"os_load-balancer_api:provider:get_all": "rule:load-balancer:read" + +# List Quotas +# GET /v2/lbaas/quotas +#"os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota" + +# List Quotas including resources owned by others +# GET /v2/lbaas/quotas +#"os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global" + +# Show Quota details +# GET /v2/lbaas/quotas/{project_id} +#"os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota" + +# Update a Quota +# PUT /v2/lbaas/quotas/{project_id} +#"os_load-balancer_api:quota:put": "rule:load-balancer:write-quota" + +# Reset a Quota +# DELETE 
/v2/lbaas/quotas/{project_id} +#"os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota" + +# Show Default Quota for a Project +# GET /v2/lbaas/quotas/{project_id}/default +#"os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota" + +# List Amphorae +# GET /v2/octavia/amphorae +#"os_load-balancer_api:amphora:get_all": "rule:load-balancer:admin" + +# Show Amphora details +# GET /v2/octavia/amphorae/{amphora_id} +#"os_load-balancer_api:amphora:get_one": "rule:load-balancer:admin" + +# Delete an Amphora +# DELETE /v2/octavia/amphorae/{amphora_id} +#"os_load-balancer_api:amphora:delete": "rule:load-balancer:admin" + +# Update Amphora Agent Configuration +# PUT /v2/octavia/amphorae/{amphora_id}/config +#"os_load-balancer_api:amphora:put_config": "rule:load-balancer:admin" + +# Failover Amphora +# PUT /v2/octavia/amphorae/{amphora_id}/failover +#"os_load-balancer_api:amphora:put_failover": "rule:load-balancer:admin" + +# Show Amphora statistics +# GET /v2/octavia/amphorae/{amphora_id}/stats +#"os_load-balancer_api:amphora:get_stats": "rule:load-balancer:admin" + +# List the provider flavor capabilities. +# GET /v2/lbaas/providers/{provider}/flavor_capabilities +#"os_load-balancer_api:provider-flavor:get_all": "rule:load-balancer:admin" + +# List the provider availability zone capabilities. +# GET /v2/lbaas/providers/{provider}/availability_zone_capabilities +#"os_load-balancer_api:provider-availability-zone:get_all": "rule:load-balancer:admin" + diff --git a/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py b/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py index f40e85c7..3c047b7d 100644 --- a/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py +++ b/octavia_dashboard/local_settings.d/_1499_load_balancer_settings.py 
@@ -21,6 +21,10 @@ settings.POLICY_FILES.update({
 'load-balancer': 'octavia_policy.yaml',
 })
 
+settings.iDEFAULT_POLICY_FILES.update({
+ 'load-balancer': 'default_policies/octavia.yaml',
+})
+
 # Sample
 # settings.LOGGING['loggers'].update({
 # 'openstack': {
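Review bot: `settings.iDEFAULT_POLICY_FILES.update({` on the new side looks like a typo for `settings.DEFAULT_POLICY_FILES.update({`, the setting that pairs with the `settings.POLICY_FILES` entry just above it and, as far as I can tell, the one horizon's policy-in-code support reads. As written the attribute does not exist, so executing this local_settings.d snippet should raise AttributeError; depending on how horizon loads that directory this either breaks dashboard startup or, if the error is caught and logged, silently leaves the load-balancer scope without its policy-in-code defaults while the shipped octavia_policy.yaml override consists only of commented-out rules, so the dashboard's load-balancer checks would run with no rule definitions at all. A small test or startup assertion that `'load-balancer'` is registered in both `POLICY_FILES` and `DEFAULT_POLICY_FILES` would have caught this. Note these checks only gate what the dashboard shows; the Octavia API remains the authoritative enforcement point, so a misregistered default file is an availability/UX defect rather than a privilege escalation, but it still deserves fixing before merge.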