Drop noauth_policy and use the default

This drops the noauth policy file and instead uses the heat defaults in the code. This would avoid us moving to the new yaml based policy files. Change-Id: Idd72ce488ff73d956bf16f95121e713bab65fbc3
2021-06-23 11:34:46 +05:30 · 2021-06-23 11:34:46 +05:30 · 761b791b8b
commit 761b791b8b
parent 4894911a10
4 changed files with 1 additions and 112 deletions
--- a/templates/ephemeral-heat/heat-pod.yaml.j2
+++ b/templates/ephemeral-heat/heat-pod.yaml.j2
@ -77,9 +77,6 @@ spec:
    - mountPath: /token_file.json
      name: heat-token-file
      readOnly: true
-    - mountPath: /etc/heat/noauth_policy.json
-      name: heat-noauth-policy
-      readOnly: true
    workingDir: /
  volumes:
  - hostPath:
@ -98,8 +95,4 @@ spec:
      path: {{ heat_dir }}/token_file.json
      type: File
    name: heat-token-file
-  - hostPath:
-      path: {{ policy_file }}
-      type: File
-    name: heat-noauth-policy
 status: {}
--- a/templates/ephemeral-heat/heat.conf.j2
+++ b/templates/ephemeral-heat/heat.conf.j2
@ -36,9 +36,6 @@ connection = {{ db_connection }}
 api_paste_config = /etc/heat/api-paste.ini
 flavor = noauth

-[oslo_policy]
-policy_file = /etc/heat/noauth_policy.json
-
 [yaql]
 limit_iterators=9000
 memory_quota=900000
--- a/tripleoclient/heat_launcher.py
+++ b/tripleoclient/heat_launcher.py
@ -204,8 +204,6 @@ class HeatBaseLauncher(object):
        self.paste_file = os.path.join(self.install_dir, 'api-paste.ini')
        self.token_file = os.path.join(self.install_dir, 'token_file.json')

-        self.policy_file = os.path.join(os.path.dirname(__file__),
-                                        'noauth_policy.json')
        self.user = user
        self._write_fake_keystone_token(self.api_port, self.token_file)
        self._write_heat_config()
@ -260,14 +258,11 @@ connection = sqlite:///%(sqlite_db)s.db
 flavor = noauth
 api_paste_config = api-paste.ini

-[oslo_policy]
-policy_file = %(policy_file)s
-
 [yaql]
 memory_quota=900000
 limit_iterators=9000
        ''' % {'sqlite_db': self.sql_db, 'log_file': self.log_file,
-               'api_port': self.api_port, 'policy_file': self.policy_file,
+               'api_port': self.api_port,
               'token_file': self.token_file}

        with open(self.config_file, 'w') as temp_file:
@ -364,8 +359,6 @@ class HeatContainerLauncher(HeatBaseLauncher):
                'conf': self.paste_file},
            '--volume', '%(inst_tmp)s:%(inst_tmp)s:Z' % {'inst_tmp':
                                                         self.install_dir},
-            '--volume', '%(pfile)s:%(pfile)s:ro' % {'pfile':
-                                                    self.policy_file},
            self.all_container_image, 'heat-all'
        ]
        log.debug(' '.join(cmd))
@ -752,7 +745,6 @@ class HeatPodLauncher(HeatContainerLauncher):
        pod_vars = {
            "install_dir": self.install_dir,
            "heat_dir": self.heat_dir,
-            "policy_file": self.policy_file,
            "ctlplane_ip": self.host,
            "api_port": self.api_port,
            "api_image": self.api_container_image,
--- a/tripleoclient/noauth_policy.json
+++ b/tripleoclient/noauth_policy.json
@ -1,93 +0,0 @@
-{
-    "context_is_admin":  "@",
-    "deny_stack_user": "@",
-    "deny_everybody": "@",
-
-    "cloudformation:ListStacks": "rule:deny_stack_user",
-    "cloudformation:CreateStack": "rule:deny_stack_user",
-    "cloudformation:DescribeStacks": "rule:deny_stack_user",
-    "cloudformation:DeleteStack": "rule:deny_stack_user",
-    "cloudformation:UpdateStack": "rule:deny_stack_user",
-    "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
-    "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
-    "cloudformation:ValidateTemplate": "rule:deny_stack_user",
-    "cloudformation:GetTemplate": "rule:deny_stack_user",
-    "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
-    "cloudformation:DescribeStackResource": "",
-    "cloudformation:DescribeStackResources": "rule:deny_stack_user",
-    "cloudformation:ListStackResources": "rule:deny_stack_user",
-
-    "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
-    "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
-    "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
-    "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
-    "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
-    "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
-    "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
-    "cloudwatch:ListMetrics": "rule:deny_stack_user",
-    "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
-    "cloudwatch:PutMetricData": "",
-    "cloudwatch:SetAlarmState": "rule:deny_stack_user",
-
-    "actions:action": "rule:deny_stack_user",
-    "build_info:build_info": "rule:deny_stack_user",
-    "events:index": "rule:deny_stack_user",
-    "events:show": "rule:deny_stack_user",
-    "resource:index": "rule:deny_stack_user",
-    "resource:metadata": "",
-    "resource:signal": "",
-    "resource:mark_unhealthy": "rule:deny_stack_user",
-    "resource:show": "rule:deny_stack_user",
-    "stacks:abandon": "rule:deny_stack_user",
-    "stacks:create": "rule:deny_stack_user",
-    "stacks:delete": "rule:deny_stack_user",
-    "stacks:detail": "rule:deny_stack_user",
-    "stacks:export": "rule:deny_stack_user",
-    "stacks:generate_template": "rule:deny_stack_user",
-    "stacks:global_index": "rule:deny_everybody",
-    "stacks:index": "rule:deny_stack_user",
-    "stacks:list_resource_types": "rule:deny_stack_user",
-    "stacks:list_template_versions": "rule:deny_stack_user",
-    "stacks:list_template_functions": "rule:deny_stack_user",
-    "stacks:lookup": "",
-    "stacks:preview": "rule:deny_stack_user",
-    "stacks:resource_schema": "rule:deny_stack_user",
-    "stacks:show": "rule:deny_stack_user",
-    "stacks:template": "rule:deny_stack_user",
-    "stacks:environment": "rule:deny_stack_user",
-    "stacks:files": "rule:deny_stack_user",
-    "stacks:update": "rule:deny_stack_user",
-    "stacks:update_patch": "rule:deny_stack_user",
-    "stacks:preview_update": "rule:deny_stack_user",
-    "stacks:preview_update_patch": "rule:deny_stack_user",
-    "stacks:validate_template": "rule:deny_stack_user",
-    "stacks:snapshot": "rule:deny_stack_user",
-    "stacks:show_snapshot": "rule:deny_stack_user",
-    "stacks:delete_snapshot": "rule:deny_stack_user",
-    "stacks:list_snapshots": "rule:deny_stack_user",
-    "stacks:restore_snapshot": "rule:deny_stack_user",
-    "stacks:list_outputs": "rule:deny_stack_user",
-    "stacks:show_output": "rule:deny_stack_user",
-
-    "software_configs:global_index": "rule:deny_everybody",
-    "software_configs:index": "rule:deny_stack_user",
-    "software_configs:create": "rule:deny_stack_user",
-    "software_configs:show": "rule:deny_stack_user",
-    "software_configs:delete": "rule:deny_stack_user",
-    "software_deployments:index": "rule:deny_stack_user",
-    "software_deployments:create": "rule:deny_stack_user",
-    "software_deployments:show": "rule:deny_stack_user",
-    "software_deployments:update": "rule:deny_stack_user",
-    "software_deployments:delete": "rule:deny_stack_user",
-    "software_deployments:metadata": "",
-
-    "service:index": "rule:context_is_admin",
-
-    "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
-    "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
-    "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
-    "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
-    "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
-    "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
-    "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
-}