Browse Source

Drop noauth_policy and use the default

This drops the noauth policy file and instead uses the heat
defaults in the code. This would avoid us moving to the
new yaml based policy files.

Change-Id: Idd72ce488ff73d956bf16f95121e713bab65fbc3
changes/13/797613/1
ramishra 3 months ago
parent
commit
761b791b8b
  1. 7
      templates/ephemeral-heat/heat-pod.yaml.j2
  2. 3
      templates/ephemeral-heat/heat.conf.j2
  3. 10
      tripleoclient/heat_launcher.py
  4. 93
      tripleoclient/noauth_policy.json

7
templates/ephemeral-heat/heat-pod.yaml.j2

@ -77,9 +77,6 @@ spec:
- mountPath: /token_file.json
name: heat-token-file
readOnly: true
- mountPath: /etc/heat/noauth_policy.json
name: heat-noauth-policy
readOnly: true
workingDir: /
volumes:
- hostPath:
@ -98,8 +95,4 @@ spec:
path: {{ heat_dir }}/token_file.json
type: File
name: heat-token-file
- hostPath:
path: {{ policy_file }}
type: File
name: heat-noauth-policy
status: {}

3
templates/ephemeral-heat/heat.conf.j2

@ -36,9 +36,6 @@ connection = {{ db_connection }}
api_paste_config = /etc/heat/api-paste.ini
flavor = noauth
[oslo_policy]
policy_file = /etc/heat/noauth_policy.json
[yaql]
limit_iterators=9000
memory_quota=900000

10
tripleoclient/heat_launcher.py

@ -204,8 +204,6 @@ class HeatBaseLauncher(object):
self.paste_file = os.path.join(self.install_dir, 'api-paste.ini')
self.token_file = os.path.join(self.install_dir, 'token_file.json')
self.policy_file = os.path.join(os.path.dirname(__file__),
'noauth_policy.json')
self.user = user
self._write_fake_keystone_token(self.api_port, self.token_file)
self._write_heat_config()
@ -260,14 +258,11 @@ connection = sqlite:///%(sqlite_db)s.db
flavor = noauth
api_paste_config = api-paste.ini
[oslo_policy]
policy_file = %(policy_file)s
[yaql]
memory_quota=900000
limit_iterators=9000
''' % {'sqlite_db': self.sql_db, 'log_file': self.log_file,
'api_port': self.api_port, 'policy_file': self.policy_file,
'api_port': self.api_port,
'token_file': self.token_file}
with open(self.config_file, 'w') as temp_file:
@ -364,8 +359,6 @@ class HeatContainerLauncher(HeatBaseLauncher):
'conf': self.paste_file},
'--volume', '%(inst_tmp)s:%(inst_tmp)s:Z' % {'inst_tmp':
self.install_dir},
'--volume', '%(pfile)s:%(pfile)s:ro' % {'pfile':
self.policy_file},
self.all_container_image, 'heat-all'
]
log.debug(' '.join(cmd))
@ -752,7 +745,6 @@ class HeatPodLauncher(HeatContainerLauncher):
pod_vars = {
"install_dir": self.install_dir,
"heat_dir": self.heat_dir,
"policy_file": self.policy_file,
"ctlplane_ip": self.host,
"api_port": self.api_port,
"api_image": self.api_container_image,

93
tripleoclient/noauth_policy.json

@ -1,93 +0,0 @@
{
"context_is_admin": "@",
"deny_stack_user": "@",
"deny_everybody": "@",
"cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user",
"cloudformation:DescribeStacks": "rule:deny_stack_user",
"cloudformation:DeleteStack": "rule:deny_stack_user",
"cloudformation:UpdateStack": "rule:deny_stack_user",
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user",
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
"cloudformation:DescribeStackResource": "",
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
"cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
"cloudwatch:PutMetricData": "",
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
"actions:action": "rule:deny_stack_user",
"build_info:build_info": "rule:deny_stack_user",
"events:index": "rule:deny_stack_user",
"events:show": "rule:deny_stack_user",
"resource:index": "rule:deny_stack_user",
"resource:metadata": "",
"resource:signal": "",
"resource:mark_unhealthy": "rule:deny_stack_user",
"resource:show": "rule:deny_stack_user",
"stacks:abandon": "rule:deny_stack_user",
"stacks:create": "rule:deny_stack_user",
"stacks:delete": "rule:deny_stack_user",
"stacks:detail": "rule:deny_stack_user",
"stacks:export": "rule:deny_stack_user",
"stacks:generate_template": "rule:deny_stack_user",
"stacks:global_index": "rule:deny_everybody",
"stacks:index": "rule:deny_stack_user",
"stacks:list_resource_types": "rule:deny_stack_user",
"stacks:list_template_versions": "rule:deny_stack_user",
"stacks:list_template_functions": "rule:deny_stack_user",
"stacks:lookup": "",
"stacks:preview": "rule:deny_stack_user",
"stacks:resource_schema": "rule:deny_stack_user",
"stacks:show": "rule:deny_stack_user",
"stacks:template": "rule:deny_stack_user",
"stacks:environment": "rule:deny_stack_user",
"stacks:files": "rule:deny_stack_user",
"stacks:update": "rule:deny_stack_user",
"stacks:update_patch": "rule:deny_stack_user",
"stacks:preview_update": "rule:deny_stack_user",
"stacks:preview_update_patch": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user",
"stacks:snapshot": "rule:deny_stack_user",
"stacks:show_snapshot": "rule:deny_stack_user",
"stacks:delete_snapshot": "rule:deny_stack_user",
"stacks:list_snapshots": "rule:deny_stack_user",
"stacks:restore_snapshot": "rule:deny_stack_user",
"stacks:list_outputs": "rule:deny_stack_user",
"stacks:show_output": "rule:deny_stack_user",
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": "",
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
}
Loading…
Cancel
Save