Updating heat policy file

The heat policy is out of date. This patch updates the policy file
to match heat master.

There have been several modifications to the heat policy rules
checked in the heat views. The previously used policies were a
mix of fantasy, out-dated policy rules and plain errors. After
instrumenting the heat code to verify policy usage, the new
rule checks align with heat master policy use.

Change-Id: I17eb7d2945924167f3a62440b7e12b9b313d0f5d
This commit is contained in:
David Lyle 2016-06-03 15:30:04 -06:00
parent 00e1c59be0
commit af627907d5
4 changed files with 71 additions and 25 deletions


@ -1,13 +1,14 @@
{
"context_is_admin": "role:admin",
"deny_stack_user": "not role:heat_stack_user",
"deny_everybody": "!",
"cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user",
"cloudformation:PreviewStack": "rule:deny_stack_user",
"cloudformation:DescribeStacks": "rule:deny_stack_user",
"cloudformation:DeleteStack": "rule:deny_stack_user",
"cloudformation:UpdateStack": "rule:deny_stack_user",
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user",
@ -15,9 +16,6 @@
"cloudformation:DescribeStackResource": "",
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudformation:CheckStack": "rule:deny_stack_user",
"cloudformation:SuspendStack": "rule:deny_stack_user",
"cloudformation:ResumeStack": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
@ -37,20 +35,58 @@
"events:show": "rule:deny_stack_user",
"resource:index": "rule:deny_stack_user",
"resource:metadata": "",
"resource:signal": "",
"resource:mark_unhealthy": "rule:deny_stack_user",
"resource:show": "rule:deny_stack_user",
"stacks:abandon": "rule:deny_stack_user",
"stacks:create": "rule:deny_stack_user",
"stacks:delete": "rule:deny_stack_user",
"stacks:detail": "rule:deny_stack_user",
"stacks:export": "rule:deny_stack_user",
"stacks:generate_template": "rule:deny_stack_user",
"stacks:global_index": "rule:deny_everybody",
"stacks:index": "rule:deny_stack_user",
"stacks:list_resource_types": "rule:deny_stack_user",
"stacks:list_template_versions": "rule:deny_stack_user",
"stacks:list_template_functions": "rule:deny_stack_user",
"stacks:lookup": "rule:deny_stack_user",
"stacks:lookup": "",
"stacks:preview": "rule:deny_stack_user",
"stacks:resource_schema": "rule:deny_stack_user",
"stacks:show": "rule:deny_stack_user",
"stacks:template": "rule:deny_stack_user",
"stacks:environment": "rule:deny_stack_user",
"stacks:update": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user"
"stacks:update_patch": "rule:deny_stack_user",
"stacks:preview_update": "rule:deny_stack_user",
"stacks:preview_update_patch": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user",
"stacks:snapshot": "rule:deny_stack_user",
"stacks:show_snapshot": "rule:deny_stack_user",
"stacks:delete_snapshot": "rule:deny_stack_user",
"stacks:list_snapshots": "rule:deny_stack_user",
"stacks:restore_snapshot": "rule:deny_stack_user",
"stacks:list_outputs": "rule:deny_stack_user",
"stacks:show_output": "rule:deny_stack_user",
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": "",
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
}
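Review bot: `stacks:lookup` goes from `rule:deny_stack_user` to `""`, and the new `software_deployments:metadata` entry is `""` as well; an empty rule string is an unconditional allow in oslo.policy, so the dashboard-side check for these passes for any authenticated context, including one that carries only the `heat_stack_user` role. That is consistent with heat, where presumably these are the calls the in-instance agent needs, and this copy only gates UI elements while heat enforces server-side, so it is not a defect — but JSON cannot carry a comment, so the reason these entries are intentionally open is worth a sentence in the commit message or wherever the dashboard documents its policy files. Since the description itself says this hand-maintained mirror had drifted into "fantasy" rules, a test that `json.load`s each configured policy file and asserts that every rule name referenced from the stacks views is defined in it would catch the next drift, if no such test exists already.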


@ -33,7 +33,8 @@ class LaunchStack(tables.LinkAction):
url = "horizon:project:stacks:select_template"
classes = ("ajax-modal",)
icon = "plus"
policy_rules = (("orchestration", "cloudformation:CreateStack"),)
policy_rules = (("orchestration", "stacks:validate_template"),
("orchestration", "stacks:create"),)
class PreviewStack(tables.LinkAction):
@ -42,13 +43,14 @@ class PreviewStack(tables.LinkAction):
url = "horizon:project:stacks:preview_template"
classes = ("ajax-modal",)
icon = "eye"
policy_rules = (("orchestration", "cloudformation:PreviewStack"),)
policy_rules = (("orchestration", "stacks:validate_template"),
("orchestration", "stacks:preview"),)
class CheckStack(tables.BatchAction):
name = "check"
verbose_name = _("Check Stack")
policy_rules = (("orchestration", "cloudformation:CheckStack"),)
policy_rules = (("orchestration", "actions:action"),)
icon = "check-square"
@staticmethod
@ -74,7 +76,7 @@ class CheckStack(tables.BatchAction):
class SuspendStack(tables.BatchAction):
name = "suspend"
verbose_name = _("Suspend Stack")
policy_rules = (("orchestration", "cloudformation:SuspendStack"),)
policy_rules = (("orchestration", "actions:action"),)
icon = "pause"
@staticmethod
@ -100,7 +102,7 @@ class SuspendStack(tables.BatchAction):
class ResumeStack(tables.BatchAction):
name = "resume"
verbose_name = _("Resume Stack")
policy_rules = (("orchestration", "cloudformation:ResumeStack"),)
policy_rules = (("orchestration", "actions:action"),)
icon = "play"
@staticmethod
@ -151,7 +153,7 @@ class DeleteStack(tables.DeleteAction):
count
)
policy_rules = (("orchestration", "cloudformation:DeleteStack"),)
policy_rules = (("orchestration", "stacks:delete"),)
def delete(self, request, stack_id):
api.heat.stack_delete(request, stack_id)
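Review bot: CheckStack, SuspendStack and ResumeStack now all gate on the single `actions:action` rule, so an operator can no longer hide just one of them in the dashboard by policy; that follows heat, which guards every stack action behind that one rule, but a comment on the first of the three would stop the next maintainer from "fixing" it back to per-action names: `# heat checks check/suspend/resume (and all other stack actions) under the single actions:action rule`. `actions:action` does not appear in the visible hunks of the policy file; presumably it lives in the part outside this diff, which is worth confirming because an undefined rule fails closed in oslo.policy and would silently hide all three actions. The two-rule tuples on LaunchStack and PreviewStack (`stacks:validate_template` plus `stacks:create`/`stacks:preview`) read as the instrumented usage the description mentions; a one-line comment there saying both calls are made by the workflow would save the same question later.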


@ -37,8 +37,10 @@ class StackTopologyTab(tabs.Tab):
def allowed(self, request):
return policy.check(
(("orchestration", "cloudformation:DescribeStacks"),
("orchestration", "cloudformation:ListStackResources"),),
(("orchestration", "stacks:template"),
("orchestration", "stacks:lookup"),
("orchestration", "stacks:show"),
("orchestration", "resources:index"),),
request)
def get_context_data(self, request):
@ -56,7 +58,9 @@ class StackOverviewTab(tabs.Tab):
def allowed(self, request):
return policy.check(
(("orchestration", "cloudformation:DescribeStacks"),),
(("orchestration", "stacks:template"),
("orchestration", "stacks:lookup"),
("orchestration", "stacks:show"),),
request)
def get_context_data(self, request):
@ -68,11 +72,6 @@ class ResourceOverviewTab(tabs.Tab):
slug = "resource_overview"
template_name = "project/stacks/_resource_overview.html"
def allowed(self, request):
return policy.check(
(("orchestration", "cloudformation:DescribeStackResource"),),
request)
def get_context_data(self, request):
resource = self.tab_group.kwargs['resource']
resource_url = mappings.resource_to_url(resource)
@ -90,7 +89,10 @@ class StackEventsTab(tabs.Tab):
def allowed(self, request):
return policy.check(
(("orchestration", "cloudformation:DescribeStackEvents"),),
(("orchestration", "stacks:template"),
("orchestration", "stacks:lookup"),
("orchestration", "stacks:show"),
("orchestration", "events:index"),),
request)
def get_context_data(self, request):
@ -118,7 +120,10 @@ class StackResourcesTab(tabs.Tab):
def allowed(self, request):
return policy.check(
(("orchestration", "cloudformation:ListStackResources"),),
(("orchestration", "stacks:template"),
("orchestration", "stacks:lookup"),
("orchestration", "stacks:show"),
("orchestration", "resource:index"),),
request)
def get_context_data(self, request):
@ -146,7 +151,9 @@ class StackTemplateTab(tabs.Tab):
def allowed(self, request):
return policy.check(
(("orchestration", "cloudformation:DescribeStacks"),),
(("orchestration", "stacks:template"),
("orchestration", "stacks:lookup"),
("orchestration", "stacks:show"),),
request)
def get_context_data(self, request):
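Review bot: StackTopologyTab.allowed checks `("orchestration", "resources:index")`, but the policy file in this same commit defines `resource:index` (the name StackResourcesTab uses further down in this file); if Horizon's policy.check hands the rule name to oslo.policy unchanged, an undefined rule fails closed and the topology tab would be hidden for every user. Change that line to `("orchestration", "resource:index"),`. The same three-rule prefix (`stacks:template`, `stacks:lookup`, `stacks:show`) is now repeated verbatim in five `allowed` methods; a module-level tuple such as `_STACK_VIEW_RULES` that each call extends with its tab-specific rule would keep them from drifting apart the way the old cloudformation names did. Each `allowed` method is complete within its hunk, but the enclosing tab classes continue outside it.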


@ -20,3 +20,4 @@ class TemplateVersions(horizon.Panel):
name = _("Template Versions")
slug = "stacks.template_versions"
permissions = ('openstack.services.orchestration',)
policy_rules = (("orchestration", "stacks:list_template_versions"),)