Drop noauth_policy and use the default
This drops the noauth policy file and uses the Heat defaults defined in the code instead. This avoids having to move to the new YAML-based policy files. Change-Id: Idd72ce488ff73d956bf16f95121e713bab65fbc3
parent
4894911a10
commit
761b791b8b
@ -77,9 +77,6 @@ spec:
|
|||||||
- mountPath: /token_file.json
|
- mountPath: /token_file.json
|
||||||
name: heat-token-file
|
name: heat-token-file
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- mountPath: /etc/heat/noauth_policy.json
|
|
||||||
name: heat-noauth-policy
|
|
||||||
readOnly: true
|
|
||||||
workingDir: /
|
workingDir: /
|
||||||
volumes:
|
volumes:
|
||||||
- hostPath:
|
- hostPath:
|
||||||
@ -98,8 +95,4 @@ spec:
|
|||||||
path: {{ heat_dir }}/token_file.json
|
path: {{ heat_dir }}/token_file.json
|
||||||
type: File
|
type: File
|
||||||
name: heat-token-file
|
name: heat-token-file
|
||||||
- hostPath:
|
|
||||||
path: {{ policy_file }}
|
|
||||||
type: File
|
|
||||||
name: heat-noauth-policy
|
|
||||||
status: {}
|
status: {}
|
||||||
|
@ -36,9 +36,6 @@ connection = {{ db_connection }}
|
|||||||
api_paste_config = /etc/heat/api-paste.ini
|
api_paste_config = /etc/heat/api-paste.ini
|
||||||
flavor = noauth
|
flavor = noauth
|
||||||
|
|
||||||
[oslo_policy]
|
|
||||||
policy_file = /etc/heat/noauth_policy.json
|
|
||||||
|
|
||||||
[yaql]
|
[yaql]
|
||||||
limit_iterators=9000
|
limit_iterators=9000
|
||||||
memory_quota=900000
|
memory_quota=900000
|
||||||
|
@ -204,8 +204,6 @@ class HeatBaseLauncher(object):
|
|||||||
self.paste_file = os.path.join(self.install_dir, 'api-paste.ini')
|
self.paste_file = os.path.join(self.install_dir, 'api-paste.ini')
|
||||||
self.token_file = os.path.join(self.install_dir, 'token_file.json')
|
self.token_file = os.path.join(self.install_dir, 'token_file.json')
|
||||||
|
|
||||||
self.policy_file = os.path.join(os.path.dirname(__file__),
|
|
||||||
'noauth_policy.json')
|
|
||||||
self.user = user
|
self.user = user
|
||||||
self._write_fake_keystone_token(self.api_port, self.token_file)
|
self._write_fake_keystone_token(self.api_port, self.token_file)
|
||||||
self._write_heat_config()
|
self._write_heat_config()
|
||||||
@ -260,14 +258,11 @@ connection = sqlite:///%(sqlite_db)s.db
|
|||||||
flavor = noauth
|
flavor = noauth
|
||||||
api_paste_config = api-paste.ini
|
api_paste_config = api-paste.ini
|
||||||
|
|
||||||
[oslo_policy]
|
|
||||||
policy_file = %(policy_file)s
|
|
||||||
|
|
||||||
[yaql]
|
[yaql]
|
||||||
memory_quota=900000
|
memory_quota=900000
|
||||||
limit_iterators=9000
|
limit_iterators=9000
|
||||||
''' % {'sqlite_db': self.sql_db, 'log_file': self.log_file,
|
''' % {'sqlite_db': self.sql_db, 'log_file': self.log_file,
|
||||||
'api_port': self.api_port, 'policy_file': self.policy_file,
|
'api_port': self.api_port,
|
||||||
'token_file': self.token_file}
|
'token_file': self.token_file}
|
||||||
|
|
||||||
with open(self.config_file, 'w') as temp_file:
|
with open(self.config_file, 'w') as temp_file:
|
||||||
@ -364,8 +359,6 @@ class HeatContainerLauncher(HeatBaseLauncher):
|
|||||||
'conf': self.paste_file},
|
'conf': self.paste_file},
|
||||||
'--volume', '%(inst_tmp)s:%(inst_tmp)s:Z' % {'inst_tmp':
|
'--volume', '%(inst_tmp)s:%(inst_tmp)s:Z' % {'inst_tmp':
|
||||||
self.install_dir},
|
self.install_dir},
|
||||||
'--volume', '%(pfile)s:%(pfile)s:ro' % {'pfile':
|
|
||||||
self.policy_file},
|
|
||||||
self.all_container_image, 'heat-all'
|
self.all_container_image, 'heat-all'
|
||||||
]
|
]
|
||||||
log.debug(' '.join(cmd))
|
log.debug(' '.join(cmd))
|
||||||
@ -752,7 +745,6 @@ class HeatPodLauncher(HeatContainerLauncher):
|
|||||||
pod_vars = {
|
pod_vars = {
|
||||||
"install_dir": self.install_dir,
|
"install_dir": self.install_dir,
|
||||||
"heat_dir": self.heat_dir,
|
"heat_dir": self.heat_dir,
|
||||||
"policy_file": self.policy_file,
|
|
||||||
"ctlplane_ip": self.host,
|
"ctlplane_ip": self.host,
|
||||||
"api_port": self.api_port,
|
"api_port": self.api_port,
|
||||||
"api_image": self.api_container_image,
|
"api_image": self.api_container_image,
|
||||||
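Review bot: Removing `policy_file` from the generated heat.conf (the `@ -260,14 +258,11` hunk, and the templated heat.conf section earlier on the page) changes the effective authorization rather than only the file layout. The deleted noauth_policy.json set `context_is_admin`, `deny_stack_user` and `deny_everybody` to `@`, while Heat's in-code defaults presumably evaluate roles from the request context. With `flavor = noauth`, that context comes from whatever `_write_fake_keystone_token` writes, and its body is outside these hunks. So please confirm that the fake token carries the role the admin-only rules need (`service:index` and the `resource_types:*` entries) and that no caller depends on `stacks:global_index`. I would also add a comment above the config template, for example `# No [oslo_policy] section: heat's in-code policy defaults apply; the fake token must satisfy them.`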
|
@ -1,93 +0,0 @@
|
|||||||
{
|
|
||||||
"context_is_admin": "@",
|
|
||||||
"deny_stack_user": "@",
|
|
||||||
"deny_everybody": "@",
|
|
||||||
|
|
||||||
"cloudformation:ListStacks": "rule:deny_stack_user",
|
|
||||||
"cloudformation:CreateStack": "rule:deny_stack_user",
|
|
||||||
"cloudformation:DescribeStacks": "rule:deny_stack_user",
|
|
||||||
"cloudformation:DeleteStack": "rule:deny_stack_user",
|
|
||||||
"cloudformation:UpdateStack": "rule:deny_stack_user",
|
|
||||||
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
|
|
||||||
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
|
|
||||||
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
|
|
||||||
"cloudformation:GetTemplate": "rule:deny_stack_user",
|
|
||||||
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
|
|
||||||
"cloudformation:DescribeStackResource": "",
|
|
||||||
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
|
|
||||||
"cloudformation:ListStackResources": "rule:deny_stack_user",
|
|
||||||
|
|
||||||
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
|
|
||||||
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
|
|
||||||
"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
|
|
||||||
"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
|
|
||||||
"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
|
|
||||||
"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
|
|
||||||
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
|
|
||||||
"cloudwatch:ListMetrics": "rule:deny_stack_user",
|
|
||||||
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
|
|
||||||
"cloudwatch:PutMetricData": "",
|
|
||||||
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
|
|
||||||
|
|
||||||
"actions:action": "rule:deny_stack_user",
|
|
||||||
"build_info:build_info": "rule:deny_stack_user",
|
|
||||||
"events:index": "rule:deny_stack_user",
|
|
||||||
"events:show": "rule:deny_stack_user",
|
|
||||||
"resource:index": "rule:deny_stack_user",
|
|
||||||
"resource:metadata": "",
|
|
||||||
"resource:signal": "",
|
|
||||||
"resource:mark_unhealthy": "rule:deny_stack_user",
|
|
||||||
"resource:show": "rule:deny_stack_user",
|
|
||||||
"stacks:abandon": "rule:deny_stack_user",
|
|
||||||
"stacks:create": "rule:deny_stack_user",
|
|
||||||
"stacks:delete": "rule:deny_stack_user",
|
|
||||||
"stacks:detail": "rule:deny_stack_user",
|
|
||||||
"stacks:export": "rule:deny_stack_user",
|
|
||||||
"stacks:generate_template": "rule:deny_stack_user",
|
|
||||||
"stacks:global_index": "rule:deny_everybody",
|
|
||||||
"stacks:index": "rule:deny_stack_user",
|
|
||||||
"stacks:list_resource_types": "rule:deny_stack_user",
|
|
||||||
"stacks:list_template_versions": "rule:deny_stack_user",
|
|
||||||
"stacks:list_template_functions": "rule:deny_stack_user",
|
|
||||||
"stacks:lookup": "",
|
|
||||||
"stacks:preview": "rule:deny_stack_user",
|
|
||||||
"stacks:resource_schema": "rule:deny_stack_user",
|
|
||||||
"stacks:show": "rule:deny_stack_user",
|
|
||||||
"stacks:template": "rule:deny_stack_user",
|
|
||||||
"stacks:environment": "rule:deny_stack_user",
|
|
||||||
"stacks:files": "rule:deny_stack_user",
|
|
||||||
"stacks:update": "rule:deny_stack_user",
|
|
||||||
"stacks:update_patch": "rule:deny_stack_user",
|
|
||||||
"stacks:preview_update": "rule:deny_stack_user",
|
|
||||||
"stacks:preview_update_patch": "rule:deny_stack_user",
|
|
||||||
"stacks:validate_template": "rule:deny_stack_user",
|
|
||||||
"stacks:snapshot": "rule:deny_stack_user",
|
|
||||||
"stacks:show_snapshot": "rule:deny_stack_user",
|
|
||||||
"stacks:delete_snapshot": "rule:deny_stack_user",
|
|
||||||
"stacks:list_snapshots": "rule:deny_stack_user",
|
|
||||||
"stacks:restore_snapshot": "rule:deny_stack_user",
|
|
||||||
"stacks:list_outputs": "rule:deny_stack_user",
|
|
||||||
"stacks:show_output": "rule:deny_stack_user",
|
|
||||||
|
|
||||||
"software_configs:global_index": "rule:deny_everybody",
|
|
||||||
"software_configs:index": "rule:deny_stack_user",
|
|
||||||
"software_configs:create": "rule:deny_stack_user",
|
|
||||||
"software_configs:show": "rule:deny_stack_user",
|
|
||||||
"software_configs:delete": "rule:deny_stack_user",
|
|
||||||
"software_deployments:index": "rule:deny_stack_user",
|
|
||||||
"software_deployments:create": "rule:deny_stack_user",
|
|
||||||
"software_deployments:show": "rule:deny_stack_user",
|
|
||||||
"software_deployments:update": "rule:deny_stack_user",
|
|
||||||
"software_deployments:delete": "rule:deny_stack_user",
|
|
||||||
"software_deployments:metadata": "",
|
|
||||||
|
|
||||||
"service:index": "rule:context_is_admin",
|
|
||||||
|
|
||||||
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
|
|
||||||
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
|
|
||||||
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
|
|
||||||
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
|
|
||||||
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
|
|
||||||
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
|
|
||||||
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
|
|
||||||
}
|
|