From 38cfb1aed9d0ff9ec02a6b875f6029e1ac4b3fa4 Mon Sep 17 00:00:00 2001
From: Summer Long
Date: Tue, 18 Feb 2014 11:11:22 +1000
Subject: [PATCH] Added sample files for the Dashboard service

Added keystone_policy.json and nova_policy.json samples for the dashboard, and placed under new section.

Change-Id: I2e9de8ee7aded42d292b610e03a9fd4dc7fe67b4
Partial-Bug: #1281348
---
 .../samples/dashboard-keystone_policy.json | 381 ++++++++++++++++++
 doc/common/samples/dashboard-nova_policy.json | 249 ++++++++++++
 .../ch_dashboardconfigure.xml | 1 +
 ...n_dashboard-sample-configuration-files.xml | 33 ++
 4 files changed, 664 insertions(+)
 create mode 100644 doc/common/samples/dashboard-keystone_policy.json
 create mode 100644 doc/common/samples/dashboard-nova_policy.json
 create mode 100644 doc/config-reference/dashboard/section_dashboard-sample-configuration-files.xml
diff --git a/doc/common/samples/dashboard-keystone_policy.json b/doc/common/samples/dashboard-keystone_policy.json
new file mode 100644
index 0000000000..cec3eeb1b1
--- /dev/null
+++ b/doc/common/samples/dashboard-keystone_policy.json
@@ -0,0 +1,381 @@
+{
+ "admin_required":[
+ [
+ "role:admin"
+ ],
+ [
+ "is_admin:1"
+ ]
+ ],
+ "service_role":[
+ [
+ "role:service"
+ ]
+ ],
+ "service_or_admin":[
+ [
+ "rule:admin_required"
+ ],
+ [
+ "rule:service_role"
+ ]
+ ],
+ "owner":[
+ [
+ "user_id:%(user_id)s"
+ ]
+ ],
+ "admin_or_owner":[
+ [
+ "rule:admin_required"
+ ],
+ [
+ "rule:owner"
+ ]
+ ],
+ "default":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:get_service":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_services":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:create_service":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:update_service":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:delete_service":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:get_endpoint":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_endpoints":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:create_endpoint":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:update_endpoint":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:delete_endpoint":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:get_domain":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_domains":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:create_domain":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:update_domain":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:delete_domain":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:get_project":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_projects":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_user_projects":[
+ [
+ "rule:admin_or_owner"
+ ]
+ ],
+ "identity:create_project":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:update_project":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:delete_project":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:get_user":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_users":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:create_user":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:update_user":[
+ [
+ "rule:admin_or_owner"
+ ]
+ ],
+ "identity:delete_user":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:get_group":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_groups":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_groups_for_user":[
+ [
+ "rule:admin_or_owner"
+ ]
+ ],
+ "identity:create_group":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:update_group":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:delete_group":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_users_in_group":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:remove_user_from_group":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:check_user_in_group":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:add_user_to_group":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:get_credential":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_credentials":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:create_credential":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:update_credential":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:delete_credential":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:get_role":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_roles":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:create_role":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:update_role":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:delete_role":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:check_grant":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_grants":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:create_grant":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:revoke_grant":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_role_assignments":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:get_policy":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:list_policies":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:create_policy":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:update_policy":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:delete_policy":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:check_token":[
+ [
+ "rule:admin_required"
+ ]
+ ],
+ "identity:validate_token":[
+ [
+ "rule:service_or_admin"
+ ]
+ ],
+ "identity:validate_token_head":[
+ [
+ "rule:service_or_admin"
+ ]
+ ],
+ "identity:revocation_list":[
+ [
+ "rule:service_or_admin"
+ ]
+ ],
+ "identity:revoke_token":[
+ [
+ "rule:admin_or_owner"
+ ]
+ ],
+ "identity:create_trust":[
+ [
+ "user_id:%(trust.trustor_user_id)s"
+ ]
+ ],
+ "identity:get_trust":[
+ [
+ "rule:admin_or_owner"
+ ]
+ ],
+ "identity:list_trusts":[
+ [
+ "@"
+ ]
+ ],
+ "identity:list_roles_for_trust":[
+ [
+ "@"
+ ]
+ ],
+ "identity:check_role_for_trust":[
+ [
+ "@"
+ ]
+ ],
+ "identity:get_role_for_trust":[
+ [
+ "@"
+ ]
+ ],
+ "identity:delete_trust":[
+ [
+ "@"
+ ]
+ ]
+}
\ No newline at end of file
diff --git a/doc/common/samples/dashboard-nova_policy.json b/doc/common/samples/dashboard-nova_policy.json
new file mode 100644
index 0000000000..9fa96104d2
--- /dev/null
+++ b/doc/common/samples/dashboard-nova_policy.json
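Review bot: The last five rules of this sample, `identity:list_trusts` through `identity:delete_trust`, are `[["@"]]`, which the policy language evaluates as always-allow, and `identity:update_user` is `rule:admin_or_owner` while the other user operations require `rule:admin_required`. The section added later in this patch says the file must match `/etc/keystone/policy.json`, so a reader may copy these values into the service-side policy; whether the Identity Service enforces trust ownership elsewhere is not visible here. JSON cannot carry comments, so I would have that section name the release the sample was copied from and tell operators to compare it against their deployed policy rather than overwrite it. The file also ends without a trailing newline (`\ No newline at end of file`).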
@@ -0,0 +1,249 @@
+{
+ "context_is_admin":"role:admin",
+ "admin_or_owner":"is_admin:True or project_id:%(project_id)s",
+ "default":"rule:admin_or_owner",
+ "cells_scheduler_filter:TargetCellFilter":"is_admin:True",
+ "compute:create":"",
+ "compute:create:attach_network":"",
+ "compute:create:attach_volume":"",
+ "compute:create:forced_host":"is_admin:True",
+ "compute:get_all":"",
+ "compute:get_all_tenants":"",
+ "compute:unlock_override":"rule:admin_api",
+ "compute:shelve":"",
+ "compute:shelve_offload":"",
+ "compute:unshelve":"",
+ "admin_api":"is_admin:True",
+ "compute_extension:accounts":"rule:admin_api",
+ "compute_extension:admin_actions":"rule:admin_api",
+ "compute_extension:admin_actions:pause":"rule:admin_or_owner",
+ "compute_extension:admin_actions:unpause":"rule:admin_or_owner",
+ "compute_extension:admin_actions:suspend":"rule:admin_or_owner",
+ "compute_extension:admin_actions:resume":"rule:admin_or_owner",
+ "compute_extension:admin_actions:lock":"rule:admin_or_owner",
+ "compute_extension:admin_actions:unlock":"rule:admin_or_owner",
+ "compute_extension:admin_actions:resetNetwork":"rule:admin_api",
+ "compute_extension:admin_actions:injectNetworkInfo":"rule:admin_api",
+ "compute_extension:admin_actions:createBackup":"rule:admin_or_owner",
+ "compute_extension:admin_actions:migrateLive":"rule:admin_api",
+ "compute_extension:admin_actions:resetState":"rule:admin_api",
+ "compute_extension:admin_actions:migrate":"rule:admin_api",
+ "compute_extension:v3:os-admin-actions":"rule:admin_api",
+ "compute_extension:v3:os-admin-actions:pause":"rule:admin_or_owner",
+ "compute_extension:v3:os-admin-actions:unpause":"rule:admin_or_owner",
+ "compute_extension:v3:os-admin-actions:suspend":"rule:admin_or_owner",
+ "compute_extension:v3:os-admin-actions:resume":"rule:admin_or_owner",
+ "compute_extension:v3:os-admin-actions:lock":"rule:admin_or_owner",
+ "compute_extension:v3:os-admin-actions:unlock":"rule:admin_or_owner",
+ "compute_extension:v3:os-admin-actions:reset_network":"rule:admin_api",
+ "compute_extension:v3:os-admin-actions:inject_network_info":"rule:admin_api",
+ "compute_extension:v3:os-admin-actions:create_backup":"rule:admin_or_owner",
+ "compute_extension:v3:os-admin-actions:migrate_live":"rule:admin_api",
+ "compute_extension:v3:os-admin-actions:reset_state":"rule:admin_api",
+ "compute_extension:v3:os-admin-actions:migrate":"rule:admin_api",
+ "compute_extension:v3:os-admin-password":"",
+ "compute_extension:aggregates":"rule:admin_api",
+ "compute_extension:v3:os-aggregates":"rule:admin_api",
+ "compute_extension:agents":"rule:admin_api",
+ "compute_extension:v3:os-agents":"rule:admin_api",
+ "compute_extension:attach_interfaces":"",
+ "compute_extension:v3:os-attach-interfaces":"",
+ "compute_extension:baremetal_nodes":"rule:admin_api",
+ "compute_extension:v3:os-baremetal-nodes":"rule:admin_api",
+ "compute_extension:cells":"rule:admin_api",
+ "compute_extension:v3:os-cells":"rule:admin_api",
+ "compute_extension:certificates":"",
+ "compute_extension:v3:os-certificates":"",
+ "compute_extension:cloudpipe":"rule:admin_api",
+ "compute_extension:cloudpipe_update":"rule:admin_api",
+ "compute_extension:console_output":"",
+ "compute_extension:v3:consoles:discoverable":"",
+ "compute_extension:v3:os-console-output":"",
+ "compute_extension:consoles":"",
+ "compute_extension:v3:os-remote-consoles":"",
+ "compute_extension:coverage_ext":"rule:admin_api",
+ "compute_extension:v3:os-coverage":"rule:admin_api",
+ "compute_extension:createserverext":"",
+ "compute_extension:deferred_delete":"",
+ "compute_extension:v3:os-deferred-delete":"",
+ "compute_extension:disk_config":"",
+ "compute_extension:evacuate":"rule:admin_api",
+ "compute_extension:v3:os-evacuate":"rule:admin_api",
+ "compute_extension:extended_server_attributes":"rule:admin_api",
+ "compute_extension:v3:os-extended-server-attributes":"rule:admin_api",
+ "compute_extension:extended_status":"",
+ "compute_extension:v3:os-extended-status":"",
+ "compute_extension:extended_availability_zone":"",
+ "compute_extension:v3:os-extended-availability-zone":"",
+ "compute_extension:extended_ips":"",
+ "compute_extension:extended_ips_mac":"",
+ "compute_extension:extended_vif_net":"",
+ "compute_extension:v3:extension_info:discoverable":"",
+ "compute_extension:extended_volumes":"",
+ "compute_extension:v3:os-extended-volumes":"",
+ "compute_extension:v3:os-extended-volumes:attach":"",
+ "compute_extension:v3:os-extended-volumes:detach":"",
+ "compute_extension:fixed_ips":"rule:admin_api",
+ "compute_extension:v3:os-fixed-ips:discoverable":"",
+ "compute_extension:v3:os-fixed-ips":"rule:admin_api",
+ "compute_extension:flavor_access":"",
+ "compute_extension:v3:os-flavor-access":"",
+ "compute_extension:flavor_disabled":"",
+ "compute_extension:v3:os-flavor-disabled":"",
+ "compute_extension:flavor_rxtx":"",
+ "compute_extension:v3:os-flavor-rxtx":"",
+ "compute_extension:flavor_swap":"",
+ "compute_extension:flavorextradata":"",
+ "compute_extension:flavorextraspecs:index":"",
+ "compute_extension:flavorextraspecs:show":"",
+ "compute_extension:flavorextraspecs:create":"rule:admin_api",
+ "compute_extension:flavorextraspecs:update":"rule:admin_api",
+ "compute_extension:flavorextraspecs:delete":"rule:admin_api",
+ "compute_extension:v3:flavor-extra-specs:index":"",
+ "compute_extension:v3:flavor-extra-specs:show":"",
+ "compute_extension:v3:flavor-extra-specs:create":"rule:admin_api",
+ "compute_extension:v3:flavor-extra-specs:update":"rule:admin_api",
+ "compute_extension:v3:flavor-extra-specs:delete":"rule:admin_api",
+ "compute_extension:flavormanage":"rule:admin_api",
+ "compute_extension:floating_ip_dns":"",
+ "compute_extension:floating_ip_pools":"",
+ "compute_extension:floating_ips":"",
+ "compute_extension:floating_ips_bulk":"rule:admin_api",
+ "compute_extension:fping":"",
+ "compute_extension:fping:all_tenants":"rule:admin_api",
+ "compute_extension:hide_server_addresses":"is_admin:False",
+ "compute_extension:v3:os-hide-server-addresses":"is_admin:False",
+ "compute_extension:hosts":"rule:admin_api",
+ "compute_extension:v3:os-hosts":"rule:admin_api",
+ "compute_extension:hypervisors":"rule:admin_api",
+ "compute_extension:v3:os-hypervisors":"rule:admin_api",
+ "compute_extension:image_size":"",
+ "compute_extension:v3:os-image-metadata":"",
+ "compute_extension:v3:os-images":"",
+ "compute_extension:instance_actions":"",
+ "compute_extension:v3:os-instance-actions":"",
+ "compute_extension:instance_actions:events":"rule:admin_api",
+ "compute_extension:v3:os-instance-actions:events":"rule:admin_api",
+ "compute_extension:instance_usage_audit_log":"rule:admin_api",
+ "compute_extension:v3:os-instance-usage-audit-log":"rule:admin_api",
+ "compute_extension:v3:ips:discoverable":"",
+ "compute_extension:keypairs":"",
+ "compute_extension:keypairs:index":"",
+ "compute_extension:keypairs:show":"",
+ "compute_extension:keypairs:create":"",
+ "compute_extension:keypairs:delete":"",
+ "compute_extension:v3:os-keypairs:discoverable":"",
+ "compute_extension:v3:os-keypairs":"",
+ "compute_extension:v3:os-keypairs:index":"",
+ "compute_extension:v3:os-keypairs:show":"",
+ "compute_extension:v3:os-keypairs:create":"",
+ "compute_extension:v3:os-keypairs:delete":"",
+ "compute_extension:multinic":"",
+ "compute_extension:v3:os-multinic":"",
+ "compute_extension:networks":"rule:admin_api",
+ "compute_extension:networks:view":"",
+ "compute_extension:networks_associate":"rule:admin_api",
+ "compute_extension:quotas:show":"",
+ "compute_extension:quotas:update":"rule:admin_api",
+ "compute_extension:quotas:delete":"rule:admin_api",
+ "compute_extension:v3:os-quota-sets:show":"",
+ "compute_extension:v3:os-quota-sets:update":"rule:admin_api",
+ "compute_extension:v3:os-quota-sets:delete":"rule:admin_api",
+ "compute_extension:quota_classes":"",
+ "compute_extension:v3:os-quota-class-sets":"",
+ "compute_extension:rescue":"",
+ "compute_extension:v3:os-rescue":"",
+ "compute_extension:security_group_default_rules":"rule:admin_api",
+ "compute_extension:security_groups":"",
+ "compute_extension:v3:os-security-groups":"",
+ "compute_extension:server_diagnostics":"rule:admin_api",
+ "compute_extension:v3:os-server-diagnostics":"rule:admin_api",
+ "compute_extension:server_password":"",
+ "compute_extension:v3:os-server-password":"",
+ "compute_extension:server_usage":"",
+ "compute_extension:v3:os-server-usage":"",
+ "compute_extension:services":"rule:admin_api",
+ "compute_extension:v3:os-services":"rule:admin_api",
+ "compute_extension:v3:servers:discoverable":"",
+ "compute_extension:shelve":"",
+ "compute_extension:shelveOffload":"rule:admin_api",
+ "compute_extension:v3:os-shelve:shelve":"",
+ "compute_extension:v3:os-shelve:shelve_offload":"rule:admin_api",
+ "compute_extension:simple_tenant_usage:show":"rule:admin_or_owner",
+ "compute_extension:v3:os-simple-tenant-usage:show":"rule:admin_or_owner",
+ "compute_extension:simple_tenant_usage:list":"rule:admin_api",
+ "compute_extension:v3:os-simple-tenant-usage:list":"rule:admin_api",
+ "compute_extension:unshelve":"",
+ "compute_extension:v3:os-shelve:unshelve":"",
+ "compute_extension:users":"rule:admin_api",
+ "compute_extension:virtual_interfaces":"",
+ "compute_extension:virtual_storage_arrays":"",
+ "compute_extension:volumes":"",
+ "compute_extension:volume_attachments:index":"",
+ "compute_extension:volume_attachments:show":"",
+ "compute_extension:volume_attachments:create":"",
+ "compute_extension:volume_attachments:update":"",
+ "compute_extension:volume_attachments:delete":"",
+ "compute_extension:volumetypes":"",
+ "compute_extension:availability_zone:list":"",
+ "compute_extension:v3:os-availability-zone:list":"",
+ "compute_extension:availability_zone:detail":"rule:admin_api",
+ "compute_extension:v3:os-availability-zone:detail":"rule:admin_api",
+ "compute_extension:used_limits_for_admin":"rule:admin_api",
+ "compute_extension:v3:os-used-limits":"",
+ "compute_extension:v3:os-used-limits:tenant":"rule:admin_api",
+ "compute_extension:migrations:index":"rule:admin_api",
+ "compute_extension:v3:os-migrations:index":"rule:admin_api",
+ "volume:create":"",
+ "volume:get_all":"",
+ "volume:get_volume_metadata":"",
+ "volume:get_snapshot":"",
+ "volume:get_all_snapshots":"",
+ "volume_extension:types_manage":"rule:admin_api",
+ "volume_extension:types_extra_specs":"rule:admin_api",
+ "volume_extension:volume_admin_actions:reset_status":"rule:admin_api",
+ "volume_extension:snapshot_admin_actions:reset_status":"rule:admin_api",
+ "volume_extension:volume_admin_actions:force_delete":"rule:admin_api",
+ "network:get_all":"",
+ "network:get":"",
+ "network:create":"",
+ "network:delete":"",
+ "network:associate":"",
+ "network:disassociate":"",
+ "network:get_vifs_by_instance":"",
+ "network:allocate_for_instance":"",
+ "network:deallocate_for_instance":"",
+ "network:validate_networks":"",
+ "network:get_instance_uuids_by_ip_filter":"",
+ "network:get_instance_id_by_floating_address":"",
+ "network:setup_networks_on_host":"",
+ "network:get_backdoor_port":"",
+ "network:get_floating_ip":"",
+ "network:get_floating_ip_pools":"",
+ "network:get_floating_ip_by_address":"",
+ "network:get_floating_ips_by_project":"",
+ "network:get_floating_ips_by_fixed_address":"",
+ "network:allocate_floating_ip":"",
+ "network:deallocate_floating_ip":"",
+ "network:associate_floating_ip":"",
+ "network:disassociate_floating_ip":"",
+ "network:release_floating_ip":"",
+ "network:migrate_instance_start":"",
+ "network:migrate_instance_finish":"",
+ "network:get_fixed_ip":"",
+ "network:get_fixed_ip_by_address":"",
+ "network:add_fixed_ip_to_instance":"",
+ "network:remove_fixed_ip_from_instance":"",
+ "network:add_network_to_project":"",
+ "network:get_instance_nw_info":"",
+ "network:get_dns_domains":"",
+ "network:add_dns_entry":"",
+ "network:modify_dns_entry":"",
+ "network:delete_dns_entry":"",
+ "network:get_dns_entries_by_address":"",
+ "network:get_dns_entries_by_name":"",
+ "network:create_private_dns_domain":"",
+ "network:create_public_dns_domain":"",
+ "network:delete_dns_domain":""
+}
+
diff --git a/doc/config-reference/ch_dashboardconfigure.xml b/doc/config-reference/ch_dashboardconfigure.xml
index b6f9229fd0..cd9651891e 100644
--- a/doc/config-reference/ch_dashboardconfigure.xml
+++ b/doc/config-reference/ch_dashboardconfigure.xml
@@ -8,4 +8,5 @@ dashboard with Apache web server. +
diff --git a/doc/config-reference/dashboard/section_dashboard-sample-configuration-files.xml b/doc/config-reference/dashboard/section_dashboard-sample-configuration-files.xml
new file mode 100644
index 0000000000..cee952d6a9
--- /dev/null
+++ b/doc/config-reference/dashboard/section_dashboard-sample-configuration-files.xml
@@ -0,0 +1,33 @@ + +
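Review bot: Many rules in this sample are the empty string, which the policy language treats as always-true, and that set includes actions an operator would not expect to be open to every authenticated user, such as `compute:get_all_tenants`, `compute_extension:quota_classes`, `network:get_backdoor_port` and `network:add_network_to_project`. The section added at the end of this patch says the file must match `/etc/nova/policy.json`, so these values are likely to be read as a recommended baseline rather than a snapshot of one release. Whether Compute applies further checks in code for these actions is not visible here, so I would have the section name the release the sample was copied from and tell operators to compare it with their deployed policy file instead of copying it over. One sentence in that section explaining that `""` means "no restriction" would also help readers audit the list.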
+ Additional sample configuration files + Find the following files in /etc/openstack-dashboard. +
+ keystone_policy.json + The keystone_policy.json file + defines additional access controls for the dashboard that + apply to the Identity Service. + + The keystone_policy.json file + must match the Identity Service + /etc/keystone/policy.json + policy file. + + +
+
+ nova_policy.json + The nova_policy.json file defines + additional access controls for the dashboard that apply to + the Compute service. + + The nova_policy.json file must + match the Compute /etc/nova/policy.json + policy file. + + +
+