Drop noauth_policy and use the default

This drops the noauth policy file and uses the Heat defaults
defined in the code instead. That way we do not have to move
to the new YAML-based policy files.

Change-Id: Idd72ce488ff73d956bf16f95121e713bab65fbc3
ramishra 2021-06-23 11:34:46 +05:30
parent 4894911a10
commit 761b791b8b
4 changed files with 1 additions and 112 deletions


@ -77,9 +77,6 @@ spec:
- mountPath: /token_file.json - mountPath: /token_file.json
name: heat-token-file name: heat-token-file
readOnly: true readOnly: true
- mountPath: /etc/heat/noauth_policy.json
name: heat-noauth-policy
readOnly: true
workingDir: / workingDir: /
volumes: volumes:
- hostPath: - hostPath:
@ -98,8 +95,4 @@ spec:
path: {{ heat_dir }}/token_file.json path: {{ heat_dir }}/token_file.json
type: File type: File
name: heat-token-file name: heat-token-file
- hostPath:
path: {{ policy_file }}
type: File
name: heat-noauth-policy
status: {} status: {}


@ -36,9 +36,6 @@ connection = {{ db_connection }}
api_paste_config = /etc/heat/api-paste.ini api_paste_config = /etc/heat/api-paste.ini
flavor = noauth flavor = noauth
[oslo_policy]
policy_file = /etc/heat/noauth_policy.json
[yaql] [yaql]
limit_iterators=9000 limit_iterators=9000
memory_quota=900000 memory_quota=900000


@ -204,8 +204,6 @@ class HeatBaseLauncher(object):
self.paste_file = os.path.join(self.install_dir, 'api-paste.ini') self.paste_file = os.path.join(self.install_dir, 'api-paste.ini')
self.token_file = os.path.join(self.install_dir, 'token_file.json') self.token_file = os.path.join(self.install_dir, 'token_file.json')
self.policy_file = os.path.join(os.path.dirname(__file__),
'noauth_policy.json')
self.user = user self.user = user
self._write_fake_keystone_token(self.api_port, self.token_file) self._write_fake_keystone_token(self.api_port, self.token_file)
self._write_heat_config() self._write_heat_config()
@ -260,14 +258,11 @@ connection = sqlite:///%(sqlite_db)s.db
flavor = noauth flavor = noauth
api_paste_config = api-paste.ini api_paste_config = api-paste.ini
[oslo_policy]
policy_file = %(policy_file)s
[yaql] [yaql]
memory_quota=900000 memory_quota=900000
limit_iterators=9000 limit_iterators=9000
''' % {'sqlite_db': self.sql_db, 'log_file': self.log_file, ''' % {'sqlite_db': self.sql_db, 'log_file': self.log_file,
'api_port': self.api_port, 'policy_file': self.policy_file, 'api_port': self.api_port,
'token_file': self.token_file} 'token_file': self.token_file}
with open(self.config_file, 'w') as temp_file: with open(self.config_file, 'w') as temp_file:
@ -364,8 +359,6 @@ class HeatContainerLauncher(HeatBaseLauncher):
'conf': self.paste_file}, 'conf': self.paste_file},
'--volume', '%(inst_tmp)s:%(inst_tmp)s:Z' % {'inst_tmp': '--volume', '%(inst_tmp)s:%(inst_tmp)s:Z' % {'inst_tmp':
self.install_dir}, self.install_dir},
'--volume', '%(pfile)s:%(pfile)s:ro' % {'pfile':
self.policy_file},
self.all_container_image, 'heat-all' self.all_container_image, 'heat-all'
] ]
log.debug(' '.join(cmd)) log.debug(' '.join(cmd))
@ -752,7 +745,6 @@ class HeatPodLauncher(HeatContainerLauncher):
pod_vars = { pod_vars = {
"install_dir": self.install_dir, "install_dir": self.install_dir,
"heat_dir": self.heat_dir, "heat_dir": self.heat_dir,
"policy_file": self.policy_file,
"ctlplane_ip": self.host, "ctlplane_ip": self.host,
"api_port": self.api_port, "api_port": self.api_port,
"api_image": self.api_container_image, "api_image": self.api_container_image,

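Review bot: In the `_write_heat_config` template (hunk at -260) nothing now says which policy applies, and the removed `noauth_policy.json` was not equivalent to the defaults: it set `context_is_admin`, `deny_stack_user` and `deny_everybody` to `@`, which allows every caller, whereas the in-code defaults are presumably stricter. That is a tightening, but whether calls such as `stacks:global_index` or `service:index` still pass now depends on the roles the `noauth` flavor puts in the request context, which is not visible here, so a launcher test that exercises an admin-only call would be worth adding. With no `policy_file` pinned, oslo.policy also falls back to its default file lookup, so a policy file already present in the config search path of the host or the container image could override the defaults without notice; I would confirm that none ships in the heat image. I would record the intent in the generated config with a comment such as `# [oslo_policy] intentionally unset: heat's in-code policy defaults apply`, and the same applies to the heat.conf template changed in this commit. The template string and the `pod_vars` dict both continue outside the hunks shown.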

@ -1,93 +0,0 @@
{
"context_is_admin": "@",
"deny_stack_user": "@",
"deny_everybody": "@",
"cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user",
"cloudformation:DescribeStacks": "rule:deny_stack_user",
"cloudformation:DeleteStack": "rule:deny_stack_user",
"cloudformation:UpdateStack": "rule:deny_stack_user",
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user",
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
"cloudformation:DescribeStackResource": "",
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
"cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
"cloudwatch:PutMetricData": "",
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
"actions:action": "rule:deny_stack_user",
"build_info:build_info": "rule:deny_stack_user",
"events:index": "rule:deny_stack_user",
"events:show": "rule:deny_stack_user",
"resource:index": "rule:deny_stack_user",
"resource:metadata": "",
"resource:signal": "",
"resource:mark_unhealthy": "rule:deny_stack_user",
"resource:show": "rule:deny_stack_user",
"stacks:abandon": "rule:deny_stack_user",
"stacks:create": "rule:deny_stack_user",
"stacks:delete": "rule:deny_stack_user",
"stacks:detail": "rule:deny_stack_user",
"stacks:export": "rule:deny_stack_user",
"stacks:generate_template": "rule:deny_stack_user",
"stacks:global_index": "rule:deny_everybody",
"stacks:index": "rule:deny_stack_user",
"stacks:list_resource_types": "rule:deny_stack_user",
"stacks:list_template_versions": "rule:deny_stack_user",
"stacks:list_template_functions": "rule:deny_stack_user",
"stacks:lookup": "",
"stacks:preview": "rule:deny_stack_user",
"stacks:resource_schema": "rule:deny_stack_user",
"stacks:show": "rule:deny_stack_user",
"stacks:template": "rule:deny_stack_user",
"stacks:environment": "rule:deny_stack_user",
"stacks:files": "rule:deny_stack_user",
"stacks:update": "rule:deny_stack_user",
"stacks:update_patch": "rule:deny_stack_user",
"stacks:preview_update": "rule:deny_stack_user",
"stacks:preview_update_patch": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user",
"stacks:snapshot": "rule:deny_stack_user",
"stacks:show_snapshot": "rule:deny_stack_user",
"stacks:delete_snapshot": "rule:deny_stack_user",
"stacks:list_snapshots": "rule:deny_stack_user",
"stacks:restore_snapshot": "rule:deny_stack_user",
"stacks:list_outputs": "rule:deny_stack_user",
"stacks:show_output": "rule:deny_stack_user",
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": "",
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
}