Add SYSTEM_SCOPE_SERVICES setting that hides panels

Since not all services are ready to use the system scope token,
we need a way to disable and enable the use of system scope
token on a per-service basis. This setting let us configure
which services should use the system scope token. By default
the list is empty and system scope token is not used at all.

Change-Id: I5e0cdc7288221571f183a37b800c19dc4cff5707
This commit is contained in:
Radomir Dopieralski 2021-11-22 13:42:29 +01:00
parent ba079cbe38
commit 6c814b241d
20 changed files with 131 additions and 3 deletions

View File

@ -2656,3 +2656,16 @@ generated ``kubeconfig`` file.
.. seealso:: .. seealso::
`KUBECONFIG_ENABLED`_ to enable the ``kubeconfig`` file generation. `KUBECONFIG_ENABLED`_ to enable the ``kubeconfig`` file generation.
SYSTEM_SCOPE_SERVICES
---------------------
.. versionadded:: 21.1.0(Yoga)
Default: ``[]``
A list of names of services for which the system scope token should be used.
If empty, system scope will be removed from the context switching menu. If not
empty, the context switching menu will show a "system scope" option, and the
admin panels for the services listed will be moved to that context, no longer
showing up in the project context.

View File

@ -12,6 +12,7 @@
import logging import logging
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -25,3 +26,9 @@ class Aggregates(horizon.Panel):
slug = 'aggregates' slug = 'aggregates'
policy_rules = (("compute", "compute_extension:aggregates"),) policy_rules = (("compute", "compute_extension:aggregates"),)
permissions = ('openstack.services.compute',) permissions = ('openstack.services.compute',)
def allowed(self, context):
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -22,3 +23,9 @@ class Defaults(horizon.Panel):
slug = 'defaults' slug = 'defaults'
policy_rules = (("compute", "context_is_admin"), policy_rules = (("compute", "context_is_admin"),
("volume", "context_is_admin"),) ("volume", "context_is_admin"),)
def allowed(self, context):
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -16,6 +16,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -26,3 +27,9 @@ class Flavors(horizon.Panel):
slug = 'flavors' slug = 'flavors'
permissions = ('openstack.services.compute',) permissions = ('openstack.services.compute',)
policy_rules = (("compute", "context_is_admin"),) policy_rules = (("compute", "context_is_admin"),)
def allowed(self, context):
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -30,3 +31,9 @@ class AdminFloatingIps(horizon.Panel):
def can_register(): def can_register():
return setting_utils.get_dict_config( return setting_utils.get_dict_config(
'OPENSTACK_NEUTRON_NETWORK', 'enable_router') 'OPENSTACK_NEUTRON_NETWORK', 'enable_router')
def allowed(self, context):
if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -22,3 +23,9 @@ class Hypervisors(horizon.Panel):
slug = 'hypervisors' slug = 'hypervisors'
permissions = ('openstack.services.compute',) permissions = ('openstack.services.compute',)
policy_rules = (("compute", "os_compute_api:os-hypervisors"),) policy_rules = (("compute", "os_compute_api:os-hypervisors"),)
def allowed(self, context):
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -16,6 +16,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -27,3 +28,9 @@ class Images(horizon.Panel):
permissions = ('openstack.services.image',) permissions = ('openstack.services.image',)
policy_rules = ((("image", "context_is_admin"), policy_rules = ((("image", "context_is_admin"),
("image", "get_images")),) ("image", "get_images")),)
def allowed(self, context):
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -16,6 +16,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -27,3 +28,9 @@ class Info(horizon.Panel):
policy_rules = (("compute", "context_is_admin"), policy_rules = (("compute", "context_is_admin"),
("volume", "context_is_admin"), ("volume", "context_is_admin"),
("network", "context_is_admin"),) ("network", "context_is_admin"),)
def allowed(self, context):
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -16,6 +16,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -27,3 +28,9 @@ class Instances(horizon.Panel):
permissions = ('openstack.services.compute',) permissions = ('openstack.services.compute',)
policy_rules = ((("compute", "context_is_admin"), policy_rules = ((("compute", "context_is_admin"),
("compute", "os_compute_api:servers:detail")),) ("compute", "os_compute_api:servers:detail")),)
def allowed(self, context):
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -30,3 +31,9 @@ class MetadataDefinitions(horizon.Panel):
@staticmethod @staticmethod
def can_register(): def can_register():
return glance.VERSIONS.active >= 2 return glance.VERSIONS.active >= 2
def allowed(self, context):
if (('image' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -22,3 +23,9 @@ class Networks(horizon.Panel):
slug = 'networks' slug = 'networks'
permissions = ('openstack.services.network',) permissions = ('openstack.services.network',)
policy_rules = (("network", "context_is_admin"),) policy_rules = (("network", "context_is_admin"),)
def allowed(self, context):
if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -16,6 +16,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -30,5 +31,11 @@ class Overview(horizon.Panel):
('compute', 'context_is_admin')),) ('compute', 'context_is_admin')),)
permissions = ('openstack.services.compute',) permissions = ('openstack.services.compute',)
def allowed(self, context):
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)
dashboard.Admin.register(Overview) dashboard.Admin.register(Overview)

View File

@ -12,6 +12,7 @@
import logging import logging
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -29,6 +30,9 @@ class RBACPolicies(horizon.Panel):
policy_rules = (("network", "context_is_admin"),) policy_rules = (("network", "context_is_admin"),)
def allowed(self, context): def allowed(self, context):
if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
request = context['request'] request = context['request']
try: try:
return ( return (

View File

@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -29,3 +30,9 @@ class Routers(horizon.Panel):
def can_register(): def can_register():
return setting_utils.get_dict_config( return setting_utils.get_dict_config(
'OPENSTACK_NEUTRON_NETWORK', 'enable_router') 'OPENSTACK_NEUTRON_NETWORK', 'enable_router')
def allowed(self, context):
if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().allowed(context)

View File

@ -14,6 +14,7 @@
import logging import logging
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -30,6 +31,9 @@ class Trunks(horizon.Panel):
policy_rules = (("trunk", "context_is_admin"),) policy_rules = (("trunk", "context_is_admin"),)
def allowed(self, context): def allowed(self, context):
if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
request = context['request'] request = context['request']
try: try:
return ( return (

View File

@ -13,6 +13,7 @@
# under the License. # under the License.
from django.conf import settings
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
import horizon import horizon
@ -22,5 +23,11 @@ class Identity(horizon.Dashboard):
name = _("Identity") name = _("Identity")
slug = "identity" slug = "identity"
def can_access(self, context):
if (('identity' in settings.SYSTEM_SCOPE_SERVICES) !=
bool(context['request'].user.system_scoped)):
return False
return super().can_access(context)
horizon.register(Identity) horizon.register(Identity)

View File

@ -551,3 +551,8 @@ REST_API_ADDITIONAL_SETTINGS = []
KUBECONFIG_ENABLED = False KUBECONFIG_ENABLED = False
KUBECONFIG_KUBERNETES_URL = "" KUBECONFIG_KUBERNETES_URL = ""
KUBECONFIG_CERTIFICATE_AUTHORITY_DATA = "" KUBECONFIG_CERTIFICATE_AUTHORITY_DATA = ""
# Services may require a System Scope token for certain operations. This
# settings enables the use of the system scope token on per-service basis.
SYSTEM_SCOPE_SERVICES = []

View File

@ -31,8 +31,8 @@
{% endif %} {% endif %}
{% is_system_user as system_user %} {% show_systems as system_scope_enabled %}
{% if system_user %} {% if system_scope_enabled %}
<li> <li>
{% show_system_list %} {% show_system_list %}
</li> </li>

View File

@ -42,7 +42,9 @@ def is_multidomain():
@register.simple_tag(takes_context=True) @register.simple_tag(takes_context=True)
def is_system_user(context): def show_systems(context):
if not settings.SYSTEM_SCOPE_SERVICES:
return False
try: try:
request = context['request'] request = context['request']
except KeyError: except KeyError:

View File

@ -0,0 +1,9 @@
---
features:
- |
Horizon can now use a system scope token when performing admin operations.
To enable that, a new setting, SYSTEM_SCOPE_SERVICES, has to list the
OpenStack services for which this feature is to be enabled. When that
setting is not empty, a new option, "system scope" will appear in the
context switching menu, and the panels for the listed services will be
moved into that context in the main menu.