From 3e03f500b2007f808faf0f9aedbf4cefed451421 Mon Sep 17 00:00:00 2001
From: Eyal
Date: Tue, 26 Dec 2017 16:38:15 +0200
Subject: [PATCH] heat moved to policy in code

create a policy.yaml to change the default behavior

Change-Id: I84708d64188c2fa6d8555182e024efec85edbe2c
---
 devstack/gate_hook.sh | 2 +-
 devstack/plugin.sh | 19 ++--
 devstack/post_test_hook.sh | 4 +-
 .../tests/resources/heat/policy.json-tempest | 94 -------------------
 4 files changed, 10 insertions(+), 109 deletions(-)
 delete mode 100644 vitrage_tempest_tests/tests/resources/heat/policy.json-tempest

diff --git a/devstack/gate_hook.sh b/devstack/gate_hook.sh
index 7afa5154d..dfdac0614 100644
--- a/devstack/gate_hook.sh
+++ b/devstack/gate_hook.sh
@@ -56,7 +56,7 @@ notification_driver = messagingv2
 [DEFAULT]
 notification_topics = notifications,vitrage_notifications
 notification_driver = messagingv2
-policy_file = /etc/heat/policy.json-tempest
+policy_file = /etc/heat/policy.yaml
 
 [[post-config|\$AODH_CONF]]
 [oslo_messaging_notifications]
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index a1152bd7d..e733d708c 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -1,6 +1,6 @@
 # Install and start **Vitrage** service in devstack
 #
-# To enable vitrage in devstack add an entry to local.conf that
+# To enable vitragebehaviortack add an entry to local.conf that
 # looks like
 #
 # [[local|localrc]]
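Review bot: The added header comment reads `# To enable vitragebehaviortack add an entry to local.conf that`, which looks like an accidental edit of the removed line rather than an intended wording change; restore it as `# To enable vitrage in devstack add an entry to local.conf that`. Nothing else in this hunk changes, so the hunk disappears entirely once the line is restored.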
@@ -342,18 +342,11 @@ function stop_vitrage {
 function modify_heat_global_index_policy_rule {
 if is_service_enabled heat; then
- # Allow to list all stacks
- local policy_file=$HEAT_CONF_DIR/policy.json
- local rule_to_change='"stacks:global_index": "rule:deny_everybody"'
- local rule_to_add='"stacks:global_index": "rule:deny_stack_user"'
-
- # replace only if exists deny_everybody
- if grep -q "$rule_to_change" $policy_file; then
- sed -i "s/$rule_to_change/$rule_to_add/" $policy_file
- # add only if not exists deny_stack_user
- elif ! grep -q "$rule_to_add" $policy_file; then
- sed -i "/}/i\\ \\ \\ ,$rule_to_add" $policy_file
- fi
+ cat << EOF > /etc/heat/policy.yaml
+# List stacks globally.
+# GET /v1/{tenant_id}/stacks
+"stacks:global_index": "rule:deny_stack_user"
+EOF
 fi
 }
diff --git a/devstack/post_test_hook.sh b/devstack/post_test_hook.sh
index d376ec66c..5fee8b333 100644
--- a/devstack/post_test_hook.sh
+++ b/devstack/post_test_hook.sh
@@ -28,13 +28,15 @@ sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/static_
 sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/heat_template.yaml /etc/vitrage/
 sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/heat_nested_template.yaml /etc/vitrage/
 sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/server.yaml /etc/vitrage/
-sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/heat/policy.json-tempest /etc/heat/
 sudo cp -rf $DEVSTACK_PATH/vitrage/vitrage_tempest_tests/tests/resources/templates/api/* /etc/vitrage/templates/
 sudo cp $DEVSTACK_PATH/tempest/etc/logging.conf.sample $DEVSTACK_PATH/tempest/etc/logging.conf
 
 # copied the templates need to restart
 sudo systemctl restart devstack@vitrage-graph.service
+# wait for 30 seconds
+sleep 30
+
 
 if [ "$DEVSTACK_GATE_USE_PYTHON3" == "True" ]; then
 export PYTHON=python3
 fi
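Review bot: `cat << EOF > /etc/heat/policy.yaml` replaces the whole file, while the removed code rewrote or appended only the `stacks:global_index` rule, so any other override already present in that file is silently lost. The path is a literal where the removed code used `$HEAT_CONF_DIR`, the same literal is repeated in gate_hook.sh, and the unquoted delimiter lets the shell expand any `$` a future rule might contain; `cat << 'EOF' > "$HEAT_CONF_DIR/policy.yaml"` addresses all three. Only gate_hook.sh is visible pointing heat's `policy_file` at this file, so outside the gate job the override may never be read — worth confirming. With `# Allow to list all stacks` gone, a comment above the heredoc should state that this relaxes `stacks:global_index` from the `deny_everybody` value the old sed branch targeted to `deny_stack_user`, i.e. lets the tempest user list stacks across all projects, and that it is meant for the devstack test environment only.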
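Review bot: `sleep 30` after the vitrage-graph restart is a fixed timing assumption: on a slow node the graph may still be loading the copied templates when tempest starts, and on a fast one the job waits for nothing. The comment `# wait for 30 seconds` only restates the code; it should give the reason, e.g. `# give vitrage-graph time to load the templates copied above before tempest runs`. If the service exposes a readiness signal (the templates becoming visible through the API, for instance), a bounded poll on it with a timeout would make the wait both shorter and reliable. The added empty line also sits directly above an existing blank context line, leaving two in a row.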
diff --git a/vitrage_tempest_tests/tests/resources/heat/policy.json-tempest b/vitrage_tempest_tests/tests/resources/heat/policy.json-tempest
deleted file mode 100644
index 36e5e98ea..000000000
--- a/vitrage_tempest_tests/tests/resources/heat/policy.json-tempest
+++ /dev/null
@@ -1,94 +0,0 @@
-{
- "context_is_admin": "role:admin and is_admin_project:True",
- "project_admin": "role:admin",
- "deny_stack_user": "not role:heat_stack_user",
- "deny_everybody": "!",
-
- "cloudformation:ListStacks": "rule:deny_stack_user",
- "cloudformation:CreateStack": "rule:deny_stack_user",
- "cloudformation:DescribeStacks": "rule:deny_stack_user",
- "cloudformation:DeleteStack": "rule:deny_stack_user",
- "cloudformation:UpdateStack": "rule:deny_stack_user",
- "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
- "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
- "cloudformation:ValidateTemplate": "rule:deny_stack_user",
- "cloudformation:GetTemplate": "rule:deny_stack_user",
- "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
- "cloudformation:DescribeStackResource": "",
- "cloudformation:DescribeStackResources": "rule:deny_stack_user",
- "cloudformation:ListStackResources": "rule:deny_stack_user",
-
- "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
- "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
- "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
- "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
- "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
- "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
- "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
- "cloudwatch:ListMetrics": "rule:deny_stack_user",
- "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
- "cloudwatch:PutMetricData": "",
- "cloudwatch:SetAlarmState": "rule:deny_stack_user",
-
- "actions:action": "rule:deny_stack_user",
- "build_info:build_info": "rule:deny_stack_user",
- "events:index": "rule:deny_stack_user",
- "events:show": "rule:deny_stack_user",
- "resource:index": "rule:deny_stack_user",
- "resource:metadata": "",
- "resource:signal": "",
- "resource:mark_unhealthy": "rule:deny_stack_user",
- "resource:show": "rule:deny_stack_user",
- "stacks:abandon": "rule:deny_stack_user",
- "stacks:create": "rule:deny_stack_user",
- "stacks:delete": "rule:deny_stack_user",
- "stacks:detail": "rule:deny_stack_user",
- "stacks:export": "rule:deny_stack_user",
- "stacks:generate_template": "rule:deny_stack_user",
- "stacks:global_index": "rule:deny_stack_user",
- "stacks:index": "rule:deny_stack_user",
- "stacks:list_resource_types": "rule:deny_stack_user",
- "stacks:list_template_versions": "rule:deny_stack_user",
- "stacks:list_template_functions": "rule:deny_stack_user",
- "stacks:lookup": "",
- "stacks:preview": "rule:deny_stack_user",
- "stacks:resource_schema": "rule:deny_stack_user",
- "stacks:show": "rule:deny_stack_user",
- "stacks:template": "rule:deny_stack_user",
- "stacks:environment": "rule:deny_stack_user",
- "stacks:files": "rule:deny_stack_user",
- "stacks:update": "rule:deny_stack_user",
- "stacks:update_patch": "rule:deny_stack_user",
- "stacks:preview_update": "rule:deny_stack_user",
- "stacks:preview_update_patch": "rule:deny_stack_user",
- "stacks:validate_template": "rule:deny_stack_user",
- "stacks:snapshot": "rule:deny_stack_user",
- "stacks:show_snapshot": "rule:deny_stack_user",
- "stacks:delete_snapshot": "rule:deny_stack_user",
- "stacks:list_snapshots": "rule:deny_stack_user",
- "stacks:restore_snapshot": "rule:deny_stack_user",
- "stacks:list_outputs": "rule:deny_stack_user",
- "stacks:show_output": "rule:deny_stack_user",
-
- "software_configs:global_index": "rule:deny_stack_user",
- "software_configs:index": "rule:deny_stack_user",
- "software_configs:create": "rule:deny_stack_user",
- "software_configs:show": "rule:deny_stack_user",
- "software_configs:delete": "rule:deny_stack_user",
- "software_deployments:index": "rule:deny_stack_user",
- "software_deployments:create": "rule:deny_stack_user",
- "software_deployments:show": "rule:deny_stack_user",
- "software_deployments:update": "rule:deny_stack_user",
- "software_deployments:delete": "rule:deny_stack_user",
- "software_deployments:metadata": "",
-
- "service:index": "rule:context_is_admin",
-
- "resource_types:OS::Nova::Flavor": "rule:project_admin",
- "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
- "resource_types:OS::Cinder::VolumeType": "rule:project_admin",
- "resource_types:OS::Manila::ShareType": "rule:project_admin",
- "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
- "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
- "resource_types:OS::Nova::HostAggregate": "rule:project_admin"
-}