Updating heat policy file
The heat policy is out of date. This patch updates the policy file to match heat master. There have been several modifications to the heat policy rules checked in the heat views. The previously used policies were a mix of invented rule names, out-dated policy rules and plain errors. After instrumenting the heat code to verify policy usage, the new rule checks align with heat master policy use. Change-Id: I17eb7d2945924167f3a62440b7e12b9b313d0f5d
This commit is contained in:
parent
00e1c59be0
commit
af627907d5
@ -1,13 +1,14 @@
|
|||||||
{
|
{
|
||||||
"context_is_admin": "role:admin",
|
"context_is_admin": "role:admin",
|
||||||
"deny_stack_user": "not role:heat_stack_user",
|
"deny_stack_user": "not role:heat_stack_user",
|
||||||
|
"deny_everybody": "!",
|
||||||
|
|
||||||
"cloudformation:ListStacks": "rule:deny_stack_user",
|
"cloudformation:ListStacks": "rule:deny_stack_user",
|
||||||
"cloudformation:CreateStack": "rule:deny_stack_user",
|
"cloudformation:CreateStack": "rule:deny_stack_user",
|
||||||
"cloudformation:PreviewStack": "rule:deny_stack_user",
|
|
||||||
"cloudformation:DescribeStacks": "rule:deny_stack_user",
|
"cloudformation:DescribeStacks": "rule:deny_stack_user",
|
||||||
"cloudformation:DeleteStack": "rule:deny_stack_user",
|
"cloudformation:DeleteStack": "rule:deny_stack_user",
|
||||||
"cloudformation:UpdateStack": "rule:deny_stack_user",
|
"cloudformation:UpdateStack": "rule:deny_stack_user",
|
||||||
|
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
|
||||||
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
|
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
|
||||||
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
|
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
|
||||||
"cloudformation:GetTemplate": "rule:deny_stack_user",
|
"cloudformation:GetTemplate": "rule:deny_stack_user",
|
||||||
@ -15,9 +16,6 @@
|
|||||||
"cloudformation:DescribeStackResource": "",
|
"cloudformation:DescribeStackResource": "",
|
||||||
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
|
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
|
||||||
"cloudformation:ListStackResources": "rule:deny_stack_user",
|
"cloudformation:ListStackResources": "rule:deny_stack_user",
|
||||||
"cloudformation:CheckStack": "rule:deny_stack_user",
|
|
||||||
"cloudformation:SuspendStack": "rule:deny_stack_user",
|
|
||||||
"cloudformation:ResumeStack": "rule:deny_stack_user",
|
|
||||||
|
|
||||||
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
|
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
|
||||||
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
|
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
|
||||||
@ -37,20 +35,58 @@
|
|||||||
"events:show": "rule:deny_stack_user",
|
"events:show": "rule:deny_stack_user",
|
||||||
"resource:index": "rule:deny_stack_user",
|
"resource:index": "rule:deny_stack_user",
|
||||||
"resource:metadata": "",
|
"resource:metadata": "",
|
||||||
|
"resource:signal": "",
|
||||||
|
"resource:mark_unhealthy": "rule:deny_stack_user",
|
||||||
"resource:show": "rule:deny_stack_user",
|
"resource:show": "rule:deny_stack_user",
|
||||||
"stacks:abandon": "rule:deny_stack_user",
|
"stacks:abandon": "rule:deny_stack_user",
|
||||||
"stacks:create": "rule:deny_stack_user",
|
"stacks:create": "rule:deny_stack_user",
|
||||||
"stacks:delete": "rule:deny_stack_user",
|
"stacks:delete": "rule:deny_stack_user",
|
||||||
"stacks:detail": "rule:deny_stack_user",
|
"stacks:detail": "rule:deny_stack_user",
|
||||||
|
"stacks:export": "rule:deny_stack_user",
|
||||||
"stacks:generate_template": "rule:deny_stack_user",
|
"stacks:generate_template": "rule:deny_stack_user",
|
||||||
|
"stacks:global_index": "rule:deny_everybody",
|
||||||
"stacks:index": "rule:deny_stack_user",
|
"stacks:index": "rule:deny_stack_user",
|
||||||
"stacks:list_resource_types": "rule:deny_stack_user",
|
"stacks:list_resource_types": "rule:deny_stack_user",
|
||||||
"stacks:list_template_versions": "rule:deny_stack_user",
|
"stacks:list_template_versions": "rule:deny_stack_user",
|
||||||
"stacks:list_template_functions": "rule:deny_stack_user",
|
"stacks:list_template_functions": "rule:deny_stack_user",
|
||||||
"stacks:lookup": "rule:deny_stack_user",
|
"stacks:lookup": "",
|
||||||
|
"stacks:preview": "rule:deny_stack_user",
|
||||||
"stacks:resource_schema": "rule:deny_stack_user",
|
"stacks:resource_schema": "rule:deny_stack_user",
|
||||||
"stacks:show": "rule:deny_stack_user",
|
"stacks:show": "rule:deny_stack_user",
|
||||||
"stacks:template": "rule:deny_stack_user",
|
"stacks:template": "rule:deny_stack_user",
|
||||||
|
"stacks:environment": "rule:deny_stack_user",
|
||||||
"stacks:update": "rule:deny_stack_user",
|
"stacks:update": "rule:deny_stack_user",
|
||||||
"stacks:validate_template": "rule:deny_stack_user"
|
"stacks:update_patch": "rule:deny_stack_user",
|
||||||
}
|
"stacks:preview_update": "rule:deny_stack_user",
|
||||||
|
"stacks:preview_update_patch": "rule:deny_stack_user",
|
||||||
|
"stacks:validate_template": "rule:deny_stack_user",
|
||||||
|
"stacks:snapshot": "rule:deny_stack_user",
|
||||||
|
"stacks:show_snapshot": "rule:deny_stack_user",
|
||||||
|
"stacks:delete_snapshot": "rule:deny_stack_user",
|
||||||
|
"stacks:list_snapshots": "rule:deny_stack_user",
|
||||||
|
"stacks:restore_snapshot": "rule:deny_stack_user",
|
||||||
|
"stacks:list_outputs": "rule:deny_stack_user",
|
||||||
|
"stacks:show_output": "rule:deny_stack_user",
|
||||||
|
|
||||||
|
"software_configs:global_index": "rule:deny_everybody",
|
||||||
|
"software_configs:index": "rule:deny_stack_user",
|
||||||
|
"software_configs:create": "rule:deny_stack_user",
|
||||||
|
"software_configs:show": "rule:deny_stack_user",
|
||||||
|
"software_configs:delete": "rule:deny_stack_user",
|
||||||
|
"software_deployments:index": "rule:deny_stack_user",
|
||||||
|
"software_deployments:create": "rule:deny_stack_user",
|
||||||
|
"software_deployments:show": "rule:deny_stack_user",
|
||||||
|
"software_deployments:update": "rule:deny_stack_user",
|
||||||
|
"software_deployments:delete": "rule:deny_stack_user",
|
||||||
|
"software_deployments:metadata": "",
|
||||||
|
|
||||||
|
"service:index": "rule:context_is_admin",
|
||||||
|
|
||||||
|
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
|
||||||
|
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
|
||||||
|
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
|
||||||
|
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
|
||||||
|
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
|
||||||
|
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
|
||||||
|
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
|
||||||
|
}
|
||||||
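Review bot: `stacks:lookup` is loosened from `rule:deny_stack_user` to `""`, which in oslo.policy is the always-allow rule, and the commit message does not mention this change; because the tab checks in this commit AND `stacks:lookup` together with `stacks:show`, the lookup entry no longer contributes anything to the UI gate, which is presumably intended since heat's own policy lets stack users resolve a stack for signalling. JSON cannot carry a comment, so the commit message or the panel README should state that this file only mirrors heat's policy so Horizon can hide UI elements, that enforcement happens in heat's API, and which heat commit the file was synced against so future drift can be detected. The `""` entries (`resource:metadata`, `resource:signal`, `software_deployments:metadata`, `cloudformation:DescribeStackResource`) and the new `deny_everybody: "!"` entries grant or deny nothing on their own and should be re-checked against heat whenever this copy is refreshed.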
|
@ -33,7 +33,8 @@ class LaunchStack(tables.LinkAction):
|
|||||||
url = "horizon:project:stacks:select_template"
|
url = "horizon:project:stacks:select_template"
|
||||||
classes = ("ajax-modal",)
|
classes = ("ajax-modal",)
|
||||||
icon = "plus"
|
icon = "plus"
|
||||||
policy_rules = (("orchestration", "cloudformation:CreateStack"),)
|
policy_rules = (("orchestration", "stacks:validate_template"),
|
||||||
|
("orchestration", "stacks:create"),)
|
||||||
|
|
||||||
|
|
||||||
class PreviewStack(tables.LinkAction):
|
class PreviewStack(tables.LinkAction):
|
||||||
@ -42,13 +43,14 @@ class PreviewStack(tables.LinkAction):
|
|||||||
url = "horizon:project:stacks:preview_template"
|
url = "horizon:project:stacks:preview_template"
|
||||||
classes = ("ajax-modal",)
|
classes = ("ajax-modal",)
|
||||||
icon = "eye"
|
icon = "eye"
|
||||||
policy_rules = (("orchestration", "cloudformation:PreviewStack"),)
|
policy_rules = (("orchestration", "stacks:validate_template"),
|
||||||
|
("orchestration", "stacks:preview"),)
|
||||||
|
|
||||||
|
|
||||||
class CheckStack(tables.BatchAction):
|
class CheckStack(tables.BatchAction):
|
||||||
name = "check"
|
name = "check"
|
||||||
verbose_name = _("Check Stack")
|
verbose_name = _("Check Stack")
|
||||||
policy_rules = (("orchestration", "cloudformation:CheckStack"),)
|
policy_rules = (("orchestration", "actions:action"),)
|
||||||
icon = "check-square"
|
icon = "check-square"
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
@ -74,7 +76,7 @@ class CheckStack(tables.BatchAction):
|
|||||||
class SuspendStack(tables.BatchAction):
|
class SuspendStack(tables.BatchAction):
|
||||||
name = "suspend"
|
name = "suspend"
|
||||||
verbose_name = _("Suspend Stack")
|
verbose_name = _("Suspend Stack")
|
||||||
policy_rules = (("orchestration", "cloudformation:SuspendStack"),)
|
policy_rules = (("orchestration", "actions:action"),)
|
||||||
icon = "pause"
|
icon = "pause"
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
@ -100,7 +102,7 @@ class SuspendStack(tables.BatchAction):
|
|||||||
class ResumeStack(tables.BatchAction):
|
class ResumeStack(tables.BatchAction):
|
||||||
name = "resume"
|
name = "resume"
|
||||||
verbose_name = _("Resume Stack")
|
verbose_name = _("Resume Stack")
|
||||||
policy_rules = (("orchestration", "cloudformation:ResumeStack"),)
|
policy_rules = (("orchestration", "actions:action"),)
|
||||||
icon = "play"
|
icon = "play"
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
@ -151,7 +153,7 @@ class DeleteStack(tables.DeleteAction):
|
|||||||
count
|
count
|
||||||
)
|
)
|
||||||
|
|
||||||
policy_rules = (("orchestration", "cloudformation:DeleteStack"),)
|
policy_rules = (("orchestration", "stacks:delete"),)
|
||||||
|
|
||||||
def delete(self, request, stack_id):
|
def delete(self, request, stack_id):
|
||||||
api.heat.stack_delete(request, stack_id)
|
api.heat.stack_delete(request, stack_id)
|
||||||
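Review bot: CheckStack, SuspendStack and ResumeStack now all gate on `actions:action`, a rule that none of the policy hunks in this commit add or touch, so it has to exist already in the unchanged part of the policy file (old lines 24–36, not shown) for these buttons to ever be displayed. If it is missing, oslo.policy falls through to the `default` rule as far as I recall, and no `default` rule is defined in the visible policy either, so the three actions would be hidden for every user; a grep for `actions:action` in the policy file before merging would settle it. Using one shared rule also means Horizon can no longer distinguish check/suspend/resume by role, which appears to match how heat exposes stack actions but deserves a comment next to the first use, e.g. `# heat gates every stack action (check/suspend/resume) behind the single actions:action rule`. The BatchAction class bodies continue outside the hunks.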
|
@ -37,8 +37,10 @@ class StackTopologyTab(tabs.Tab):
|
|||||||
|
|
||||||
def allowed(self, request):
|
def allowed(self, request):
|
||||||
return policy.check(
|
return policy.check(
|
||||||
(("orchestration", "cloudformation:DescribeStacks"),
|
(("orchestration", "stacks:template"),
|
||||||
("orchestration", "cloudformation:ListStackResources"),),
|
("orchestration", "stacks:lookup"),
|
||||||
|
("orchestration", "stacks:show"),
|
||||||
|
("orchestration", "resources:index"),),
|
||||||
request)
|
request)
|
||||||
|
|
||||||
def get_context_data(self, request):
|
def get_context_data(self, request):
|
||||||
@ -56,7 +58,9 @@ class StackOverviewTab(tabs.Tab):
|
|||||||
|
|
||||||
def allowed(self, request):
|
def allowed(self, request):
|
||||||
return policy.check(
|
return policy.check(
|
||||||
(("orchestration", "cloudformation:DescribeStacks"),),
|
(("orchestration", "stacks:template"),
|
||||||
|
("orchestration", "stacks:lookup"),
|
||||||
|
("orchestration", "stacks:show"),),
|
||||||
request)
|
request)
|
||||||
|
|
||||||
def get_context_data(self, request):
|
def get_context_data(self, request):
|
||||||
@ -68,11 +72,6 @@ class ResourceOverviewTab(tabs.Tab):
|
|||||||
slug = "resource_overview"
|
slug = "resource_overview"
|
||||||
template_name = "project/stacks/_resource_overview.html"
|
template_name = "project/stacks/_resource_overview.html"
|
||||||
|
|
||||||
def allowed(self, request):
|
|
||||||
return policy.check(
|
|
||||||
(("orchestration", "cloudformation:DescribeStackResource"),),
|
|
||||||
request)
|
|
||||||
|
|
||||||
def get_context_data(self, request):
|
def get_context_data(self, request):
|
||||||
resource = self.tab_group.kwargs['resource']
|
resource = self.tab_group.kwargs['resource']
|
||||||
resource_url = mappings.resource_to_url(resource)
|
resource_url = mappings.resource_to_url(resource)
|
||||||
@ -90,7 +89,10 @@ class StackEventsTab(tabs.Tab):
|
|||||||
|
|
||||||
def allowed(self, request):
|
def allowed(self, request):
|
||||||
return policy.check(
|
return policy.check(
|
||||||
(("orchestration", "cloudformation:DescribeStackEvents"),),
|
(("orchestration", "stacks:template"),
|
||||||
|
("orchestration", "stacks:lookup"),
|
||||||
|
("orchestration", "stacks:show"),
|
||||||
|
("orchestration", "events:index"),),
|
||||||
request)
|
request)
|
||||||
|
|
||||||
def get_context_data(self, request):
|
def get_context_data(self, request):
|
||||||
@ -118,7 +120,10 @@ class StackResourcesTab(tabs.Tab):
|
|||||||
|
|
||||||
def allowed(self, request):
|
def allowed(self, request):
|
||||||
return policy.check(
|
return policy.check(
|
||||||
(("orchestration", "cloudformation:ListStackResources"),),
|
(("orchestration", "stacks:template"),
|
||||||
|
("orchestration", "stacks:lookup"),
|
||||||
|
("orchestration", "stacks:show"),
|
||||||
|
("orchestration", "resource:index"),),
|
||||||
request)
|
request)
|
||||||
|
|
||||||
def get_context_data(self, request):
|
def get_context_data(self, request):
|
||||||
@ -146,7 +151,9 @@ class StackTemplateTab(tabs.Tab):
|
|||||||
|
|
||||||
def allowed(self, request):
|
def allowed(self, request):
|
||||||
return policy.check(
|
return policy.check(
|
||||||
(("orchestration", "cloudformation:DescribeStacks"),),
|
(("orchestration", "stacks:template"),
|
||||||
|
("orchestration", "stacks:lookup"),
|
||||||
|
("orchestration", "stacks:show"),),
|
||||||
request)
|
request)
|
||||||
|
|
||||||
def get_context_data(self, request):
|
def get_context_data(self, request):
|
||||||
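Review bot: StackTopologyTab.allowed checks `("orchestration", "resources:index")` while StackResourcesTab.allowed in the same file checks `("orchestration", "resource:index")`, and the policy file in this commit defines only `resource:index`, so the topology tab's rule name looks like a typo. Since policy.check ANDs the tuple and an undefined rule falls through to a `default` rule that this policy does not define, the topology tab would most likely be hidden for every user rather than failing open; the line should read `("orchestration", "resource:index"),),`. Separately, ResourceOverviewTab loses its allowed() method entirely, so that tab is now rendered with no policy gate at all; if parity with heat is the goal, `("orchestration", "resource:show")` is the rule the policy file provides for a single-resource view, so either restore allowed() with that rule or note in the commit message why the gate was dropped. The enclosing Tab class bodies continue outside the hunks.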
|
@ -20,3 +20,4 @@ class TemplateVersions(horizon.Panel):
|
|||||||
name = _("Template Versions")
|
name = _("Template Versions")
|
||||||
slug = "stacks.template_versions"
|
slug = "stacks.template_versions"
|
||||||
permissions = ('openstack.services.orchestration',)
|
permissions = ('openstack.services.orchestration',)
|
||||||
|
policy_rules = (("orchestration", "stacks:list_template_versions"),)
|
||||||
|