Add SYSTEM_SCOPE_SERVICES setting that hides panels
Since not all services are ready to use the system scope token, we need a way to disable and enable the use of system scope token on a per-service basis. This setting let us configure which services should use the system scope token. By default the list is empty and system scope token is not used at all. Change-Id: I5e0cdc7288221571f183a37b800c19dc4cff5707
This commit is contained in:
parent
ba079cbe38
commit
6c814b241d
@ -2656,3 +2656,16 @@ generated ``kubeconfig`` file.
|
|||||||
.. seealso::
|
.. seealso::
|
||||||
|
|
||||||
`KUBECONFIG_ENABLED`_ to enable the ``kubeconfig`` file generation.
|
`KUBECONFIG_ENABLED`_ to enable the ``kubeconfig`` file generation.
|
||||||
|
|
||||||
|
|
||||||
|
SYSTEM_SCOPE_SERVICES
|
||||||
|
---------------------
|
||||||
|
.. versionadded:: 21.1.0(Yoga)
|
||||||
|
|
||||||
|
Default: ``[]``
|
||||||
|
|
||||||
|
A list of names of services for which the system scope token should be used.
|
||||||
|
If empty, system scope will be removed from the context switching menu. If not
|
||||||
|
empty, the context switching menu will show a "system scope" option, and the
|
||||||
|
admin panels for the services listed will be moved to that context, no longer
|
||||||
|
showing up in the project context.
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
|
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -25,3 +26,9 @@ class Aggregates(horizon.Panel):
|
|||||||
slug = 'aggregates'
|
slug = 'aggregates'
|
||||||
policy_rules = (("compute", "compute_extension:aggregates"),)
|
policy_rules = (("compute", "compute_extension:aggregates"),)
|
||||||
permissions = ('openstack.services.compute',)
|
permissions = ('openstack.services.compute',)
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -22,3 +23,9 @@ class Defaults(horizon.Panel):
|
|||||||
slug = 'defaults'
|
slug = 'defaults'
|
||||||
policy_rules = (("compute", "context_is_admin"),
|
policy_rules = (("compute", "context_is_admin"),
|
||||||
("volume", "context_is_admin"),)
|
("volume", "context_is_admin"),)
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -26,3 +27,9 @@ class Flavors(horizon.Panel):
|
|||||||
slug = 'flavors'
|
slug = 'flavors'
|
||||||
permissions = ('openstack.services.compute',)
|
permissions = ('openstack.services.compute',)
|
||||||
policy_rules = (("compute", "context_is_admin"),)
|
policy_rules = (("compute", "context_is_admin"),)
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -13,6 +13,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -30,3 +31,9 @@ class AdminFloatingIps(horizon.Panel):
|
|||||||
def can_register():
|
def can_register():
|
||||||
return setting_utils.get_dict_config(
|
return setting_utils.get_dict_config(
|
||||||
'OPENSTACK_NEUTRON_NETWORK', 'enable_router')
|
'OPENSTACK_NEUTRON_NETWORK', 'enable_router')
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -22,3 +23,9 @@ class Hypervisors(horizon.Panel):
|
|||||||
slug = 'hypervisors'
|
slug = 'hypervisors'
|
||||||
permissions = ('openstack.services.compute',)
|
permissions = ('openstack.services.compute',)
|
||||||
policy_rules = (("compute", "os_compute_api:os-hypervisors"),)
|
policy_rules = (("compute", "os_compute_api:os-hypervisors"),)
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -27,3 +28,9 @@ class Images(horizon.Panel):
|
|||||||
permissions = ('openstack.services.image',)
|
permissions = ('openstack.services.image',)
|
||||||
policy_rules = ((("image", "context_is_admin"),
|
policy_rules = ((("image", "context_is_admin"),
|
||||||
("image", "get_images")),)
|
("image", "get_images")),)
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -27,3 +28,9 @@ class Info(horizon.Panel):
|
|||||||
policy_rules = (("compute", "context_is_admin"),
|
policy_rules = (("compute", "context_is_admin"),
|
||||||
("volume", "context_is_admin"),
|
("volume", "context_is_admin"),
|
||||||
("network", "context_is_admin"),)
|
("network", "context_is_admin"),)
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -27,3 +28,9 @@ class Instances(horizon.Panel):
|
|||||||
permissions = ('openstack.services.compute',)
|
permissions = ('openstack.services.compute',)
|
||||||
policy_rules = ((("compute", "context_is_admin"),
|
policy_rules = ((("compute", "context_is_admin"),
|
||||||
("compute", "os_compute_api:servers:detail")),)
|
("compute", "os_compute_api:servers:detail")),)
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -13,6 +13,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -30,3 +31,9 @@ class MetadataDefinitions(horizon.Panel):
|
|||||||
@staticmethod
|
@staticmethod
|
||||||
def can_register():
|
def can_register():
|
||||||
return glance.VERSIONS.active >= 2
|
return glance.VERSIONS.active >= 2
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('image' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -22,3 +23,9 @@ class Networks(horizon.Panel):
|
|||||||
slug = 'networks'
|
slug = 'networks'
|
||||||
permissions = ('openstack.services.network',)
|
permissions = ('openstack.services.network',)
|
||||||
policy_rules = (("network", "context_is_admin"),)
|
policy_rules = (("network", "context_is_admin"),)
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -30,5 +31,11 @@ class Overview(horizon.Panel):
|
|||||||
('compute', 'context_is_admin')),)
|
('compute', 'context_is_admin')),)
|
||||||
permissions = ('openstack.services.compute',)
|
permissions = ('openstack.services.compute',)
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('compute' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
|
||||||
|
|
||||||
dashboard.Admin.register(Overview)
|
dashboard.Admin.register(Overview)
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
|
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -29,6 +30,9 @@ class RBACPolicies(horizon.Panel):
|
|||||||
policy_rules = (("network", "context_is_admin"),)
|
policy_rules = (("network", "context_is_admin"),)
|
||||||
|
|
||||||
def allowed(self, context):
|
def allowed(self, context):
|
||||||
|
if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
request = context['request']
|
request = context['request']
|
||||||
try:
|
try:
|
||||||
return (
|
return (
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -29,3 +30,9 @@ class Routers(horizon.Panel):
|
|||||||
def can_register():
|
def can_register():
|
||||||
return setting_utils.get_dict_config(
|
return setting_utils.get_dict_config(
|
||||||
'OPENSTACK_NEUTRON_NETWORK', 'enable_router')
|
'OPENSTACK_NEUTRON_NETWORK', 'enable_router')
|
||||||
|
|
||||||
|
def allowed(self, context):
|
||||||
|
if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().allowed(context)
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
|
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -30,6 +31,9 @@ class Trunks(horizon.Panel):
|
|||||||
policy_rules = (("trunk", "context_is_admin"),)
|
policy_rules = (("trunk", "context_is_admin"),)
|
||||||
|
|
||||||
def allowed(self, context):
|
def allowed(self, context):
|
||||||
|
if (('network' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
request = context['request']
|
request = context['request']
|
||||||
try:
|
try:
|
||||||
return (
|
return (
|
||||||
|
@ -13,6 +13,7 @@
|
|||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
import horizon
|
import horizon
|
||||||
@ -22,5 +23,11 @@ class Identity(horizon.Dashboard):
|
|||||||
name = _("Identity")
|
name = _("Identity")
|
||||||
slug = "identity"
|
slug = "identity"
|
||||||
|
|
||||||
|
def can_access(self, context):
|
||||||
|
if (('identity' in settings.SYSTEM_SCOPE_SERVICES) !=
|
||||||
|
bool(context['request'].user.system_scoped)):
|
||||||
|
return False
|
||||||
|
return super().can_access(context)
|
||||||
|
|
||||||
|
|
||||||
horizon.register(Identity)
|
horizon.register(Identity)
|
||||||
|
@ -551,3 +551,8 @@ REST_API_ADDITIONAL_SETTINGS = []
|
|||||||
KUBECONFIG_ENABLED = False
|
KUBECONFIG_ENABLED = False
|
||||||
KUBECONFIG_KUBERNETES_URL = ""
|
KUBECONFIG_KUBERNETES_URL = ""
|
||||||
KUBECONFIG_CERTIFICATE_AUTHORITY_DATA = ""
|
KUBECONFIG_CERTIFICATE_AUTHORITY_DATA = ""
|
||||||
|
|
||||||
|
|
||||||
|
# Services may require a System Scope token for certain operations. This
|
||||||
|
# settings enables the use of the system scope token on per-service basis.
|
||||||
|
SYSTEM_SCOPE_SERVICES = []
|
||||||
|
@ -31,8 +31,8 @@
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
|
||||||
{% is_system_user as system_user %}
|
{% show_systems as system_scope_enabled %}
|
||||||
{% if system_user %}
|
{% if system_scope_enabled %}
|
||||||
<li>
|
<li>
|
||||||
{% show_system_list %}
|
{% show_system_list %}
|
||||||
</li>
|
</li>
|
||||||
|
@ -42,7 +42,9 @@ def is_multidomain():
|
|||||||
|
|
||||||
|
|
||||||
@register.simple_tag(takes_context=True)
|
@register.simple_tag(takes_context=True)
|
||||||
def is_system_user(context):
|
def show_systems(context):
|
||||||
|
if not settings.SYSTEM_SCOPE_SERVICES:
|
||||||
|
return False
|
||||||
try:
|
try:
|
||||||
request = context['request']
|
request = context['request']
|
||||||
except KeyError:
|
except KeyError:
|
||||||
|
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Horizon can now use a system scope token when performing admin operations.
|
||||||
|
To enable that, a new setting, SYSTEM_SCOPE_SERVICES, has to list the
|
||||||
|
OpenStack services for which this feature is to be enabled. When that
|
||||||
|
setting is not empty, a new option, "system scope" will appear in the
|
||||||
|
context switching menu, and the panels for the listed services will be
|
||||||
|
moved into that context in the main menu.
|
Loading…
Reference in New Issue
Block a user