From af627907d59c210d8ea015c6f5e8a0c33339b456 Mon Sep 17 00:00:00 2001
From: David Lyle
Date: Fri, 3 Jun 2016 15:30:04 -0600
Subject: [PATCH] Updating heat policy file

The heat policy is out of date. This patch updates the policy file to match heat master. There have been several modifications to the heat policy rules checked in the heat views. The previously used policies were a mix of fantasy, out-dated policy rules and just error. After instrumenting the heat code to verify policy usage, the new rule checks align with heat master policy use.

Change-Id: I17eb7d2945924167f3a62440b7e12b9b313d0f5d
---
 openstack_dashboard/conf/heat_policy.json | 52 ++++++++++++++++---
 .../dashboards/project/stacks/tables.py | 14 ++---
 .../dashboards/project/stacks/tabs.py | 29 +++++++----
 .../project/stacks/template_versions/panel.py | 1 +
 4 files changed, 71 insertions(+), 25 deletions(-)

diff --git a/openstack_dashboard/conf/heat_policy.json b/openstack_dashboard/conf/heat_policy.json
index eb5fab695c..b40b1eef2e 100644
--- a/openstack_dashboard/conf/heat_policy.json
+++ b/openstack_dashboard/conf/heat_policy.json
@@ -1,13 +1,14 @@
 {
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin",
 "deny_stack_user": "not role:heat_stack_user",
+ "deny_everybody": "!",
 "cloudformation:ListStacks": "rule:deny_stack_user",
 "cloudformation:CreateStack": "rule:deny_stack_user",
- "cloudformation:PreviewStack": "rule:deny_stack_user",
 "cloudformation:DescribeStacks": "rule:deny_stack_user",
 "cloudformation:DeleteStack": "rule:deny_stack_user",
 "cloudformation:UpdateStack": "rule:deny_stack_user",
+ "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
 "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
 "cloudformation:ValidateTemplate": "rule:deny_stack_user",
 "cloudformation:GetTemplate": "rule:deny_stack_user",
@@ -15,9 +16,6 @@
 "cloudformation:DescribeStackResource": "",
 "cloudformation:DescribeStackResources": "rule:deny_stack_user",
 "cloudformation:ListStackResources": "rule:deny_stack_user",
- "cloudformation:CheckStack": "rule:deny_stack_user",
- "cloudformation:SuspendStack": "rule:deny_stack_user",
- "cloudformation:ResumeStack": "rule:deny_stack_user",
 "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
 "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
@@ -37,20 +35,58 @@
 "events:show": "rule:deny_stack_user",
 "resource:index": "rule:deny_stack_user",
 "resource:metadata": "",
+ "resource:signal": "",
+ "resource:mark_unhealthy": "rule:deny_stack_user",
 "resource:show": "rule:deny_stack_user",
 "stacks:abandon": "rule:deny_stack_user",
 "stacks:create": "rule:deny_stack_user",
 "stacks:delete": "rule:deny_stack_user",
 "stacks:detail": "rule:deny_stack_user",
+ "stacks:export": "rule:deny_stack_user",
 "stacks:generate_template": "rule:deny_stack_user",
+ "stacks:global_index": "rule:deny_everybody",
 "stacks:index": "rule:deny_stack_user",
 "stacks:list_resource_types": "rule:deny_stack_user",
 "stacks:list_template_versions": "rule:deny_stack_user",
 "stacks:list_template_functions": "rule:deny_stack_user",
- "stacks:lookup": "rule:deny_stack_user",
+ "stacks:lookup": "",
+ "stacks:preview": "rule:deny_stack_user",
 "stacks:resource_schema": "rule:deny_stack_user",
 "stacks:show": "rule:deny_stack_user",
 "stacks:template": "rule:deny_stack_user",
+ "stacks:environment": "rule:deny_stack_user",
 "stacks:update": "rule:deny_stack_user",
- "stacks:validate_template": "rule:deny_stack_user"
-}
\ No newline at end of file
+ "stacks:update_patch": "rule:deny_stack_user",
+ "stacks:preview_update": "rule:deny_stack_user",
+ "stacks:preview_update_patch": "rule:deny_stack_user",
+ "stacks:validate_template": "rule:deny_stack_user",
+ "stacks:snapshot": "rule:deny_stack_user",
+ "stacks:show_snapshot": "rule:deny_stack_user",
+ "stacks:delete_snapshot": "rule:deny_stack_user",
+ "stacks:list_snapshots": "rule:deny_stack_user",
+ "stacks:restore_snapshot": "rule:deny_stack_user",
+ "stacks:list_outputs": "rule:deny_stack_user",
+ "stacks:show_output": "rule:deny_stack_user",
+
+ "software_configs:global_index": "rule:deny_everybody",
+ "software_configs:index": "rule:deny_stack_user",
+ "software_configs:create": "rule:deny_stack_user",
+ "software_configs:show": "rule:deny_stack_user",
+ "software_configs:delete": "rule:deny_stack_user",
+ "software_deployments:index": "rule:deny_stack_user",
+ "software_deployments:create": "rule:deny_stack_user",
+ "software_deployments:show": "rule:deny_stack_user",
+ "software_deployments:update": "rule:deny_stack_user",
+ "software_deployments:delete": "rule:deny_stack_user",
+ "software_deployments:metadata": "",
+
+ "service:index": "rule:context_is_admin",
+
+ "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
+ "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
+ "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
+ "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
+ "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
+}

diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py
index 5301cc8b1b..7202a0ec15 100644
--- a/openstack_dashboard/dashboards/project/stacks/tables.py
+++ b/openstack_dashboard/dashboards/project/stacks/tables.py
@@ -33,7 +33,8 @@ class LaunchStack(tables.LinkAction):
 url = "horizon:project:stacks:select_template"
 classes = ("ajax-modal",)
 icon = "plus"
- policy_rules = (("orchestration", "cloudformation:CreateStack"),)
+ policy_rules = (("orchestration", "stacks:validate_template"),
+ ("orchestration", "stacks:create"),)
 
 
 class PreviewStack(tables.LinkAction):
@@ -42,13 +43,14 @@ class PreviewStack(tables.LinkAction):
 url = "horizon:project:stacks:preview_template"
 classes = ("ajax-modal",)
 icon = "eye"
- policy_rules = (("orchestration", "cloudformation:PreviewStack"),)
+ policy_rules = (("orchestration", "stacks:validate_template"),
+ ("orchestration", "stacks:preview"),)
 
 
 class CheckStack(tables.BatchAction):
 name = "check"
 verbose_name = _("Check Stack")
- policy_rules = (("orchestration", "cloudformation:CheckStack"),)
+ policy_rules = (("orchestration", "actions:action"),)
 icon = "check-square"
 
 @staticmethod
@@ -74,7 +76,7 @@ class CheckStack(tables.BatchAction):
 class SuspendStack(tables.BatchAction):
 name = "suspend"
 verbose_name = _("Suspend Stack")
- policy_rules = (("orchestration", "cloudformation:SuspendStack"),)
+ policy_rules = (("orchestration", "actions:action"),)
 icon = "pause"
 
 @staticmethod
@@ -100,7 +102,7 @@ class SuspendStack(tables.BatchAction):
 class ResumeStack(tables.BatchAction):
 name = "resume"
 verbose_name = _("Resume Stack")
- policy_rules = (("orchestration", "cloudformation:ResumeStack"),)
+ policy_rules = (("orchestration", "actions:action"),)
 icon = "play"
 
 @staticmethod
@@ -151,7 +153,7 @@ class DeleteStack(tables.DeleteAction):
 count
 )
 
- policy_rules = (("orchestration", "cloudformation:DeleteStack"),)
+ policy_rules = (("orchestration", "stacks:delete"),)
 
 def delete(self, request, stack_id):
 api.heat.stack_delete(request, stack_id)
diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py
index f21ff12bd5..01e548180e 100644
--- a/openstack_dashboard/dashboards/project/stacks/tabs.py
+++ b/openstack_dashboard/dashboards/project/stacks/tabs.py
@@ -37,8 +37,10 @@ class StackTopologyTab(tabs.Tab):
 
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStacks"),
- ("orchestration", "cloudformation:ListStackResources"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),
+ ("orchestration", "resources:index"),),
 request)
 
 def get_context_data(self, request):
@@ -56,7 +58,9 @@ class StackOverviewTab(tabs.Tab):
 
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStacks"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),),
 request)
 
 def get_context_data(self, request):
@@ -68,11 +72,6 @@ class ResourceOverviewTab(tabs.Tab):
 slug = "resource_overview"
 template_name = "project/stacks/_resource_overview.html"
 
- def allowed(self, request):
- return policy.check(
- (("orchestration", "cloudformation:DescribeStackResource"),),
- request)
-
 def get_context_data(self, request):
 resource = self.tab_group.kwargs['resource']
 resource_url = mappings.resource_to_url(resource)
@@ -90,7 +89,10 @@ class StackEventsTab(tabs.Tab):
 
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStackEvents"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),
+ ("orchestration", "events:index"),),
 request)
 
 def get_context_data(self, request):
@@ -118,7 +120,10 @@ class StackResourcesTab(tabs.Tab):
 
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:ListStackResources"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),
+ ("orchestration", "resource:index"),),
 request)
 
 def get_context_data(self, request):
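Review bot: `("orchestration", "resources:index")` in StackTopologyTab.allowed names a rule that this commit's heat_policy.json never defines — the file defines `resource:index` (singular), which is exactly what the StackResourcesTab hunk further down uses. How an undefined rule name resolves depends on the policy engine's default rule, so the topology tab's gating would silently diverge from the intended `resource:index` check; the line should read `("orchestration", "resource:index"),),`. Separately, the ResourceOverviewTab hunk drops its `allowed` method outright, leaving that tab with no policy check at all; if it is meant to stay gated, a `("orchestration", "resource:show")` check (a rule this commit's heat_policy.json does define) would keep it consistent with its sibling tabs. The enclosing class bodies continue outside these hunks.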
@@ -146,7 +151,9 @@ class StackTemplateTab(tabs.Tab):
 
 def allowed(self, request):
 return policy.check(
- (("orchestration", "cloudformation:DescribeStacks"),),
+ (("orchestration", "stacks:template"),
+ ("orchestration", "stacks:lookup"),
+ ("orchestration", "stacks:show"),),
 request)
 
 def get_context_data(self, request):
diff --git a/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py b/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py
index 193da6e486..3492d59a27 100644
--- a/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py
+++ b/openstack_dashboard/dashboards/project/stacks/template_versions/panel.py
@@ -20,3 +20,4 @@ class TemplateVersions(horizon.Panel):
 name = _("Template Versions")
 slug = "stacks.template_versions"
 permissions = ('openstack.services.orchestration',)
+ policy_rules = (("orchestration", "stacks:list_template_versions"),)