Updating heat policy file

The heat policy is out of date. This patch updates the policy file
to match heat master.

There have been several modifications to the heat policy rules
checked in the heat views. The previously used policies were a
mix of fantasy rules, outdated policy rules and plain errors. After
instrumenting the heat code to verify policy usage, the new
rule checks align with heat master policy use.

Change-Id: I17eb7d2945924167f3a62440b7e12b9b313d0f5d
David Lyle 2016-06-03 15:30:04 -06:00
parent 00e1c59be0
commit af627907d5
4 changed files with 71 additions and 25 deletions


@ -1,13 +1,14 @@
{ {
"context_is_admin": "role:admin", "context_is_admin": "role:admin",
"deny_stack_user": "not role:heat_stack_user", "deny_stack_user": "not role:heat_stack_user",
"deny_everybody": "!",
"cloudformation:ListStacks": "rule:deny_stack_user", "cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user", "cloudformation:CreateStack": "rule:deny_stack_user",
"cloudformation:PreviewStack": "rule:deny_stack_user",
"cloudformation:DescribeStacks": "rule:deny_stack_user", "cloudformation:DescribeStacks": "rule:deny_stack_user",
"cloudformation:DeleteStack": "rule:deny_stack_user", "cloudformation:DeleteStack": "rule:deny_stack_user",
"cloudformation:UpdateStack": "rule:deny_stack_user", "cloudformation:UpdateStack": "rule:deny_stack_user",
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
"cloudformation:DescribeStackEvents": "rule:deny_stack_user", "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
"cloudformation:ValidateTemplate": "rule:deny_stack_user", "cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user", "cloudformation:GetTemplate": "rule:deny_stack_user",
@ -15,9 +16,6 @@
"cloudformation:DescribeStackResource": "", "cloudformation:DescribeStackResource": "",
"cloudformation:DescribeStackResources": "rule:deny_stack_user", "cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user", "cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudformation:CheckStack": "rule:deny_stack_user",
"cloudformation:SuspendStack": "rule:deny_stack_user",
"cloudformation:ResumeStack": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user", "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user", "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
@ -37,20 +35,58 @@
"events:show": "rule:deny_stack_user", "events:show": "rule:deny_stack_user",
"resource:index": "rule:deny_stack_user", "resource:index": "rule:deny_stack_user",
"resource:metadata": "", "resource:metadata": "",
"resource:signal": "",
"resource:mark_unhealthy": "rule:deny_stack_user",
"resource:show": "rule:deny_stack_user", "resource:show": "rule:deny_stack_user",
"stacks:abandon": "rule:deny_stack_user", "stacks:abandon": "rule:deny_stack_user",
"stacks:create": "rule:deny_stack_user", "stacks:create": "rule:deny_stack_user",
"stacks:delete": "rule:deny_stack_user", "stacks:delete": "rule:deny_stack_user",
"stacks:detail": "rule:deny_stack_user", "stacks:detail": "rule:deny_stack_user",
"stacks:export": "rule:deny_stack_user",
"stacks:generate_template": "rule:deny_stack_user", "stacks:generate_template": "rule:deny_stack_user",
"stacks:global_index": "rule:deny_everybody",
"stacks:index": "rule:deny_stack_user", "stacks:index": "rule:deny_stack_user",
"stacks:list_resource_types": "rule:deny_stack_user", "stacks:list_resource_types": "rule:deny_stack_user",
"stacks:list_template_versions": "rule:deny_stack_user", "stacks:list_template_versions": "rule:deny_stack_user",
"stacks:list_template_functions": "rule:deny_stack_user", "stacks:list_template_functions": "rule:deny_stack_user",
"stacks:lookup": "rule:deny_stack_user", "stacks:lookup": "",
"stacks:preview": "rule:deny_stack_user",
"stacks:resource_schema": "rule:deny_stack_user", "stacks:resource_schema": "rule:deny_stack_user",
"stacks:show": "rule:deny_stack_user", "stacks:show": "rule:deny_stack_user",
"stacks:template": "rule:deny_stack_user", "stacks:template": "rule:deny_stack_user",
"stacks:environment": "rule:deny_stack_user",
"stacks:update": "rule:deny_stack_user", "stacks:update": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user" "stacks:update_patch": "rule:deny_stack_user",
} "stacks:preview_update": "rule:deny_stack_user",
"stacks:preview_update_patch": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user",
"stacks:snapshot": "rule:deny_stack_user",
"stacks:show_snapshot": "rule:deny_stack_user",
"stacks:delete_snapshot": "rule:deny_stack_user",
"stacks:list_snapshots": "rule:deny_stack_user",
"stacks:restore_snapshot": "rule:deny_stack_user",
"stacks:list_outputs": "rule:deny_stack_user",
"stacks:show_output": "rule:deny_stack_user",
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": "",
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
}
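Review bot: The rules dropped from this file (`cloudformation:PreviewStack`, `cloudformation:CancelUpdateStack`, `cloudformation:CheckStack`, `cloudformation:SuspendStack`, `cloudformation:ResumeStack`) are only re-pointed in tables.py within this commit; any other dashboard code that still names one of them (not visible on this page) would now be evaluated against an undefined rule, whose outcome depends on the policy engine's default rule rather than on an explicit deny. A grep for `cloudformation:` across the stacks dashboard before merging would confirm nothing else dangles. Note also that the empty-string rules (`"stacks:lookup": ""`, `"resource:signal": ""`, `"software_deployments:metadata": ""`) mean unconditional allow, so `stacks:lookup` is now permitted to heat_stack_user by the dashboard's own check; that matches the stated goal of tracking heat master, but it is a visible widening of the previous `rule:deny_stack_user`.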


@ -33,7 +33,8 @@ class LaunchStack(tables.LinkAction):
url = "horizon:project:stacks:select_template" url = "horizon:project:stacks:select_template"
classes = ("ajax-modal",) classes = ("ajax-modal",)
icon = "plus" icon = "plus"
policy_rules = (("orchestration", "cloudformation:CreateStack"),) policy_rules = (("orchestration", "stacks:validate_template"),
("orchestration", "stacks:create"),)
class PreviewStack(tables.LinkAction): class PreviewStack(tables.LinkAction):
@ -42,13 +43,14 @@ class PreviewStack(tables.LinkAction):
url = "horizon:project:stacks:preview_template" url = "horizon:project:stacks:preview_template"
classes = ("ajax-modal",) classes = ("ajax-modal",)
icon = "eye" icon = "eye"
policy_rules = (("orchestration", "cloudformation:PreviewStack"),) policy_rules = (("orchestration", "stacks:validate_template"),
("orchestration", "stacks:preview"),)
class CheckStack(tables.BatchAction): class CheckStack(tables.BatchAction):
name = "check" name = "check"
verbose_name = _("Check Stack") verbose_name = _("Check Stack")
policy_rules = (("orchestration", "cloudformation:CheckStack"),) policy_rules = (("orchestration", "actions:action"),)
icon = "check-square" icon = "check-square"
@staticmethod @staticmethod
@ -74,7 +76,7 @@ class CheckStack(tables.BatchAction):
class SuspendStack(tables.BatchAction): class SuspendStack(tables.BatchAction):
name = "suspend" name = "suspend"
verbose_name = _("Suspend Stack") verbose_name = _("Suspend Stack")
policy_rules = (("orchestration", "cloudformation:SuspendStack"),) policy_rules = (("orchestration", "actions:action"),)
icon = "pause" icon = "pause"
@staticmethod @staticmethod
@ -100,7 +102,7 @@ class SuspendStack(tables.BatchAction):
class ResumeStack(tables.BatchAction): class ResumeStack(tables.BatchAction):
name = "resume" name = "resume"
verbose_name = _("Resume Stack") verbose_name = _("Resume Stack")
policy_rules = (("orchestration", "cloudformation:ResumeStack"),) policy_rules = (("orchestration", "actions:action"),)
icon = "play" icon = "play"
@staticmethod @staticmethod
@ -151,7 +153,7 @@ class DeleteStack(tables.DeleteAction):
count count
) )
policy_rules = (("orchestration", "cloudformation:DeleteStack"),) policy_rules = (("orchestration", "stacks:delete"),)
def delete(self, request, stack_id): def delete(self, request, stack_id):
api.heat.stack_delete(request, stack_id) api.heat.stack_delete(request, stack_id)
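Review bot: `actions:action` now gates CheckStack, SuspendStack and ResumeStack, but none of the policy-file hunks in this commit show that rule being defined; if it sits in an unchanged part of the file that is fine, otherwise `policy.check` resolves an unknown target through the default rule and the three batch actions would be shown or hidden by that default rather than by an explicit rule. The shown policy hunks end at `events:show` and resume at `resource:index`, so the lines in between are not visible here and the key's presence should be confirmed. The bodies of CheckStack, SuspendStack, ResumeStack and DeleteStack continue outside their hunks.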


@ -37,8 +37,10 @@ class StackTopologyTab(tabs.Tab):
def allowed(self, request): def allowed(self, request):
return policy.check( return policy.check(
(("orchestration", "cloudformation:DescribeStacks"), (("orchestration", "stacks:template"),
("orchestration", "cloudformation:ListStackResources"),), ("orchestration", "stacks:lookup"),
("orchestration", "stacks:show"),
("orchestration", "resources:index"),),
request) request)
def get_context_data(self, request): def get_context_data(self, request):
@ -56,7 +58,9 @@ class StackOverviewTab(tabs.Tab):
def allowed(self, request): def allowed(self, request):
return policy.check( return policy.check(
(("orchestration", "cloudformation:DescribeStacks"),), (("orchestration", "stacks:template"),
("orchestration", "stacks:lookup"),
("orchestration", "stacks:show"),),
request) request)
def get_context_data(self, request): def get_context_data(self, request):
@ -68,11 +72,6 @@ class ResourceOverviewTab(tabs.Tab):
slug = "resource_overview" slug = "resource_overview"
template_name = "project/stacks/_resource_overview.html" template_name = "project/stacks/_resource_overview.html"
def allowed(self, request):
return policy.check(
(("orchestration", "cloudformation:DescribeStackResource"),),
request)
def get_context_data(self, request): def get_context_data(self, request):
resource = self.tab_group.kwargs['resource'] resource = self.tab_group.kwargs['resource']
resource_url = mappings.resource_to_url(resource) resource_url = mappings.resource_to_url(resource)
@ -90,7 +89,10 @@ class StackEventsTab(tabs.Tab):
def allowed(self, request): def allowed(self, request):
return policy.check( return policy.check(
(("orchestration", "cloudformation:DescribeStackEvents"),), (("orchestration", "stacks:template"),
("orchestration", "stacks:lookup"),
("orchestration", "stacks:show"),
("orchestration", "events:index"),),
request) request)
def get_context_data(self, request): def get_context_data(self, request):
@ -118,7 +120,10 @@ class StackResourcesTab(tabs.Tab):
def allowed(self, request): def allowed(self, request):
return policy.check( return policy.check(
(("orchestration", "cloudformation:ListStackResources"),), (("orchestration", "stacks:template"),
("orchestration", "stacks:lookup"),
("orchestration", "stacks:show"),
("orchestration", "resource:index"),),
request) request)
def get_context_data(self, request): def get_context_data(self, request):
@ -146,7 +151,9 @@ class StackTemplateTab(tabs.Tab):
def allowed(self, request): def allowed(self, request):
return policy.check( return policy.check(
(("orchestration", "cloudformation:DescribeStacks"),), (("orchestration", "stacks:template"),
("orchestration", "stacks:lookup"),
("orchestration", "stacks:show"),),
request) request)
def get_context_data(self, request): def get_context_data(self, request):
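Review bot: StackTopologyTab.allowed checks `("orchestration", "resources:index")` while StackResourcesTab.allowed checks `("orchestration", "resource:index")`; the policy file in this commit defines `resource:index` only, so the plural form looks like a typo and the topology tab would be evaluated against an undefined rule. The StackTopologyTab line should read `("orchestration", "resource:index"),),`. Separately, ResourceOverviewTab loses its `allowed` override entirely, so that tab is no longer policy-gated while every sibling tab gained a rule list; if that is deliberate (the resource page being reachable only through already-gated stack tabs), a one-line comment on the class such as `# No policy gate: only reachable via the policy-checked stack tabs.` would stop the next reader from re-adding one. Each `get_context_data` body continues outside its hunk.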


@ -20,3 +20,4 @@ class TemplateVersions(horizon.Panel):
name = _("Template Versions") name = _("Template Versions")
slug = "stacks.template_versions" slug = "stacks.template_versions"
permissions = ('openstack.services.orchestration',) permissions = ('openstack.services.orchestration',)
policy_rules = (("orchestration", "stacks:list_template_versions"),)