Andrew Bogott has submitted this change and it was merged. Change subject: Add a Horizon-specific nova policy file. ......................................................................
Add a Horizon-specific nova policy file. This should allow us to disable features that don't work right in Horizon yet. Change-Id: I08c7f395d6bf218c07e751af4f7bf9a6071b1a61 --- A modules/openstack/files/icehouse/horizon/nova_policy.json M modules/openstack/manifests/horizon/service.pp M modules/openstack/templates/icehouse/horizon/local_settings.py.erb 3 files changed, 141 insertions(+), 4 deletions(-) Approvals: Andrew Bogott: Looks good to me, approved jenkins-bot: Verified
diff --git a/modules/openstack/files/icehouse/horizon/nova_policy.json b/modules/openstack/files/icehouse/horizon/nova_policy.json
new file mode 100644
index 0000000..7cc5c6b
--- /dev/null
+++ b/modules/openstack/files/icehouse/horizon/nova_policy.json
@@ -0,0 +1,125 @@
+{
+ "context_is_admin": [["role:admin"]],
+ "admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],
+ "default": [["rule:admin_or_owner"]],
+
+
+ # Only admins (that is, Ops) should be able to create instances, since it's broken
+ # and only useful for test and development.
+ "compute:create": "role:admin",
+ "compute:delete": "role:admin",
+ "compute:create:attach_network": "role:admin",
+ "compute:create:attach_volume": "role:admin",
+ "compute:start": "rule:admin",
+ "compute:stop": "rule:admin",
+ "compute:get_all": [],
+
+
+ "admin_api": [["is_admin:True"]],
+ "compute_extension:accounts": [["rule:admin_api"]],
+ "compute_extension:admin_actions": [["rule:admin_api"]],
+ "compute_extension:admin_actions:pause": [["rule:admin_or_owner"]],
+ "compute_extension:admin_actions:unpause": [["rule:admin_or_owner"]],
+ "compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]],
+ "compute_extension:admin_actions:resume": [["rule:admin_or_owner"]],
+ "compute_extension:admin_actions:lock": [["rule:admin_api"]],
+ "compute_extension:admin_actions:unlock": [["rule:admin_api"]],
+ "compute_extension:admin_actions:resetNetwork": [["rule:admin_api"]],
+ "compute_extension:admin_actions:injectNetworkInfo": [["rule:admin_api"]],
+ "compute_extension:admin_actions:createBackup": [["rule:admin_or_owner"]],
+ "compute_extension:admin_actions:migrateLive": [["rule:admin_api"]],
+ "compute_extension:admin_actions:resetState": [["rule:admin_api"]],
+ "compute_extension:admin_actions:migrate": [["rule:admin_api"]],
+ "compute_extension:aggregates": [["rule:admin_api"]],
+ "compute_extension:certificates": [],
+ "compute_extension:cloudpipe": [["rule:admin_api"]],
+ "compute_extension:console_output": [["role:projectadmin"]],
+ "compute_extension:consoles": [["role:projectadmin"]],
+ "compute_extension:createserverext": [["role:projectadmin"]],
+ "compute_extension:deferred_delete": [["role:projectadmin"]],
+ "compute_extension:disk_config": [["role:projectadmin"]],
+ "compute_extension:extended_server_attributes": [],
+ "compute_extension:extended_status": [],
+ "compute_extension:flavor_access": [],
+ "compute_extension:flavor_disabled": [],
+ "compute_extension:flavor_rxtx": [],
+ "compute_extension:flavor_swap": [],
+ "compute_extension:flavorextradata": [],
+ "compute_extension:flavorextraspecs": [],
+ "compute_extension:flavormanage": [["rule:admin_api"]],
+ "compute_extension:floating_ip_dns": [["role:projectadmin"]],
+ "compute_extension:floating_ip_pools": [["role:projectadmin"]],
+ "compute_extension:floating_ips": [["role:projectadmin"]],
+ "compute_extension:hosts": [["rule:admin_api"]],
+ "compute_extension:hypervisors": [["rule:admin_api"]],
+ "compute_extension:instance_usage_audit_log": [["rule:admin_api"]],
+ "compute_extension:keypairs": [["role:projectadmin"]],
+ "compute_extension:multinic": [["role:projectadmin"]],
+ "compute_extension:networks": [],
+ "compute_extension:networks:view": [],
+ "compute_extension:quotas:show": [["role:projectadmin"]],
+ "compute_extension:quotas:update": [["rule:admin_api"]],
+ "compute_extension:quota_classes": [["role:projectadmin"]],
+ "compute_extension:rescue": [["role:projectadmin"]],
+ "compute_extension:security_groups": [["role:projectadmin"]],
+ "compute_extension:server_diagnostics": [["rule:admin_api"]],
+ "compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],
+ "compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],
+ "compute_extension:users": [["rule:admin_api"]],
+ "compute_extension:virtual_interfaces": [["role:projectadmin"]],
+ "compute_extension:virtual_storage_arrays": [["role:projectadmin"]],
+ "compute_extension:volumes": [["role:projectadmin"]],
+ "compute_extension:volumetypes": [["role:projectadmin"]],
+
+
+ "volume:create": [["role:projectadmin"]],
+ "volume:get_all": [],
+ "volume:get_volume_metadata": [],
+ "volume:get_snapshot": [],
+ "volume:get_all_snapshots": [],
+
+
+ "volume_extension:types_manage": [["rule:admin_api"]],
+ "volume_extension:types_extra_specs": [["rule:admin_api"]],
+ "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
+ "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
+ "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
+
+
+ "network:get_all_networks": [],
+ "network:get_network": [],
+ "network:delete_network": [["role:projectadmin"]],
+ "network:disassociate_network": [["role:projectadmin"]],
+ "network:get_vifs_by_instance": [],
+ "network:allocate_for_instance": [["role:projectadmin"]],
+ "network:deallocate_for_instance": [["role:projectadmin"]],
+ "network:validate_networks": [],
+ "network:get_instance_uuids_by_ip_filter": [],
+
+ "network:get_floating_ip": [],
+ "network:get_floating_ip_pools": [],
+ "network:get_floating_ip_by_address": [],
+ "network:get_floating_ips_by_project": [],
+ "network:get_floating_ips_by_fixed_address": [],
+ "network:allocate_floating_ip": [["role:projectadmin"]],
+ "network:deallocate_floating_ip": [["role:projectadmin"]],
+ "network:associate_floating_ip": [["role:projectadmin"]],
+ "network:disassociate_floating_ip": [["role:projectadmin"]],
+
+ "network:get_fixed_ip": [],
+ "network:get_fixed_ip_by_address": [],
+ "network:add_fixed_ip_to_instance": [["role:projectadmin"]],
+ "network:remove_fixed_ip_from_instance": [["role:projectadmin"]],
+ "network:add_network_to_project": [["role:projectadmin"]],
+ "network:get_instance_nw_info": [],
+
+ "network:get_dns_domains": [],
+ "network:add_dns_entry": [["role:projectadmin"]],
+ "network:modify_dns_entry": [["role:projectadmin"]],
+ "network:delete_dns_entry": [["role:projectadmin"]],
+ "network:get_dns_entries_by_address": [],
+ "network:get_dns_entries_by_name": [],
+ "network:create_private_dns_domain": [["role:projectadmin"]],
+ "network:create_public_dns_domain": [["role:projectadmin"]],
+ "network:delete_dns_domain": [["role:projectadmin"]]
+}
diff --git a/modules/openstack/manifests/horizon/service.pp b/modules/openstack/manifests/horizon/service.pp
index c1b50fa..3699a0a 100644
--- a/modules/openstack/manifests/horizon/service.pp
+++ b/modules/openstack/manifests/horizon/service.pp
@@ -43,6 +43,18 @@ mode => '0440', } + # In the perfect future, Horizon policies will be the same + # files that the respective services use. In the meantime, though + # it's useful to be able to disable not-yet-supported horizon features. + file { '/etc/openstack-dashboard/nova_policy.py': + source => "puppet:///modules/openstack/${openstack_version}/horison/nova_policy.json", + owner => 'horizon', + group => 'horizon', + notify => Service['apache2'], + require => Package['openstack-dashboard'], + mode => '0440', + } + file { ['/usr/share/openstack-dashboard/openstack_dashboard/static/dashboard/img/logo.png', '/usr/share/openstack-dashboard/openstack_dashboard/static/dashboard/img/logo-splash.png']: source => 'puppet:///modules/openstack/horizon/216px-Wikimedia_labs_dashboard_logo.png',
diff --git a/modules/openstack/templates/icehouse/horizon/local_settings.py.erb b/modules/openstack/templates/icehouse/horizon/local_settings.py.erb
index 9e14d9a..80803b4 100644
--- a/modules/openstack/templates/icehouse/horizon/local_settings.py.erb
+++ b/modules/openstack/templates/icehouse/horizon/local_settings.py.erb
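Review bot: The two `#` comment lines above `"compute:create"` are not valid JSON, so a strict parser will reject the whole file; unless Horizon's policy loader is known to tolerate comments, that explanation belongs in the Puppet manifest or the commit message instead. Separately, `"compute:start"` and `"compute:stop"` use `"rule:admin"`, but this file defines no rule named `admin` (only `context_is_admin`, `admin_or_owner`, `default` and `admin_api`), while the neighbouring entries use `"role:admin"`. They were presumably meant to read `"compute:start": "role:admin",` and `"compute:stop": "role:admin",`. How the policy engine treats a reference to an undefined rule is not visible from this change, so it is worth confirming that the outcome is a denial and not an allow.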
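Review bot: The new file resource will not deliver the policy where Horizon looks for it: the target is `/etc/openstack-dashboard/nova_policy.py`, while the local_settings.py.erb hunk in this same change maps `'compute'` to `nova_policy.json` under `/etc/openstack-dashboard/`. The source URL also spells the directory `horison`, although the file is added under `files/icehouse/horizon/`. As written the resource presumably cannot find its source, and even with that fixed the dashboard would be pointed at a file that is never written, so the restrictions this change intends would not be in place. Suggested lines: `file { '/etc/openstack-dashboard/nova_policy.json':` and `source => "puppet:///modules/openstack/${openstack_version}/horizon/nova_policy.json",`. The enclosing class starts and ends outside this hunk.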
@@ -274,14 +274,14 @@ # target installation. # Path to directory containing policy.json files -#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") +POLICY_FILES_PATH = '/etc/openstack-dashboard/' # Map of local copy of service policy files -#POLICY_FILES = { +POLICY_FILES = { # 'identity': 'keystone_policy.json', -# 'compute': 'nova_policy.json', + 'compute': 'nova_policy.json', # 'volume': 'cinder_policy.json', # 'image': 'glance_policy.json', -#} +} # Trove user and database extension support. By default support for # creating users and databases on database instances is turned on. -- To view, visit https://gerrit.wikimedia.org/r/201088 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I08c7f395d6bf218c07e751af4f7bf9a6071b1a61 Gerrit-PatchSet: 7 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: Alex Monk <kren...@gmail.com> Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
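Review bot: The newly enabled `POLICY_FILES` block carries no comment saying that this is a dashboard-only copy that deliberately differs from the policy nova itself applies, which makes it easy to misread as an access-control change. A line such as `# Horizon-only copy: hides unsupported actions in the UI; nova's own policy still decides what the API allows` above `POLICY_FILES_PATH` would record that. This assumes, as the manifest comment in this change suggests, that nova keeps its own separate policy file.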