Andrew Bogott has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/201088

Change subject: Add a Horizon-specific nova policy file.
......................................................................

Add a Horizon-specific nova policy file.

This should allow us to disable features that don't work
right in Horizon yet.

Change-Id: I08c7f395d6bf218c07e751af4f7bf9a6071b1a61
---
A modules/openstack/files/icehouse/horizon/nova_policy.json
M modules/openstack/manifests/horizon/service.pp
M modules/openstack/templates/icehouse/horizon/local_settings.py.erb
3 files changed, 140 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/88/201088/1

diff --git a/modules/openstack/files/icehouse/horizon/nova_policy.json 
b/modules/openstack/files/icehouse/horizon/nova_policy.json
new file mode 100644
index 0000000..7cc5c6b
--- /dev/null
+++ b/modules/openstack/files/icehouse/horizon/nova_policy.json
@@ -0,0 +1,125 @@
+{
+    "context_is_admin":  [["role:admin"]],
+    "admin_or_owner":  [["is_admin:True"], ["project_id:%(project_id)s"]],
+    "default": [["rule:admin_or_owner"]],
+
+
+    # Only admins (that is, Ops) should be able to create instances, since 
it's broken
+    #  and only useful for test and development.
+    "compute:create": "role:admin",
+    "compute:delete": "role:admin",
+    "compute:create:attach_network": "role:admin",
+    "compute:create:attach_volume": "role:admin",
+    "compute:start": "rule:admin",
+    "compute:stop": "rule:admin",
+    "compute:get_all": [],
+
+
+    "admin_api": [["is_admin:True"]],
+    "compute_extension:accounts": [["rule:admin_api"]],
+    "compute_extension:admin_actions": [["rule:admin_api"]],
+    "compute_extension:admin_actions:pause": [["rule:admin_or_owner"]],
+    "compute_extension:admin_actions:unpause": [["rule:admin_or_owner"]],
+    "compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]],
+    "compute_extension:admin_actions:resume": [["rule:admin_or_owner"]],
+    "compute_extension:admin_actions:lock": [["rule:admin_api"]],
+    "compute_extension:admin_actions:unlock": [["rule:admin_api"]],
+    "compute_extension:admin_actions:resetNetwork": [["rule:admin_api"]],
+    "compute_extension:admin_actions:injectNetworkInfo": [["rule:admin_api"]],
+    "compute_extension:admin_actions:createBackup": [["rule:admin_or_owner"]],
+    "compute_extension:admin_actions:migrateLive": [["rule:admin_api"]],
+    "compute_extension:admin_actions:resetState": [["rule:admin_api"]],
+    "compute_extension:admin_actions:migrate": [["rule:admin_api"]],
+    "compute_extension:aggregates": [["rule:admin_api"]],
+    "compute_extension:certificates": [],
+    "compute_extension:cloudpipe": [["rule:admin_api"]],
+    "compute_extension:console_output": [["role:projectadmin"]],
+    "compute_extension:consoles": [["role:projectadmin"]],
+    "compute_extension:createserverext": [["role:projectadmin"]],
+    "compute_extension:deferred_delete": [["role:projectadmin"]],
+    "compute_extension:disk_config": [["role:projectadmin"]],
+    "compute_extension:extended_server_attributes": [],
+    "compute_extension:extended_status": [],
+    "compute_extension:flavor_access": [],
+    "compute_extension:flavor_disabled": [],
+    "compute_extension:flavor_rxtx": [],
+    "compute_extension:flavor_swap": [],
+    "compute_extension:flavorextradata": [],
+    "compute_extension:flavorextraspecs": [],
+    "compute_extension:flavormanage": [["rule:admin_api"]],
+    "compute_extension:floating_ip_dns": [["role:projectadmin"]],
+    "compute_extension:floating_ip_pools": [["role:projectadmin"]],
+    "compute_extension:floating_ips": [["role:projectadmin"]],
+    "compute_extension:hosts": [["rule:admin_api"]],
+    "compute_extension:hypervisors": [["rule:admin_api"]],
+    "compute_extension:instance_usage_audit_log": [["rule:admin_api"]],
+    "compute_extension:keypairs": [["role:projectadmin"]],
+    "compute_extension:multinic": [["role:projectadmin"]],
+    "compute_extension:networks": [],
+    "compute_extension:networks:view": [],
+    "compute_extension:quotas:show": [["role:projectadmin"]],
+    "compute_extension:quotas:update": [["rule:admin_api"]],
+    "compute_extension:quota_classes": [["role:projectadmin"]],
+    "compute_extension:rescue": [["role:projectadmin"]],
+    "compute_extension:security_groups": [["role:projectadmin"]],
+    "compute_extension:server_diagnostics": [["rule:admin_api"]],
+    "compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],
+    "compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],
+    "compute_extension:users": [["rule:admin_api"]],
+    "compute_extension:virtual_interfaces": [["role:projectadmin"]],
+    "compute_extension:virtual_storage_arrays": [["role:projectadmin"]],
+    "compute_extension:volumes": [["role:projectadmin"]],
+    "compute_extension:volumetypes": [["role:projectadmin"]],
+
+
+    "volume:create": [["role:projectadmin"]],
+    "volume:get_all": [],
+    "volume:get_volume_metadata": [],
+    "volume:get_snapshot": [],
+    "volume:get_all_snapshots": [],
+
+
+    "volume_extension:types_manage": [["rule:admin_api"]],
+    "volume_extension:types_extra_specs": [["rule:admin_api"]],
+    "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
+    "volume_extension:snapshot_admin_actions:reset_status": 
[["rule:admin_api"]],
+    "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
+
+
+    "network:get_all_networks": [],
+    "network:get_network": [],
+    "network:delete_network": [["role:projectadmin"]],
+    "network:disassociate_network": [["role:projectadmin"]],
+    "network:get_vifs_by_instance": [],
+    "network:allocate_for_instance": [["role:projectadmin"]],
+    "network:deallocate_for_instance": [["role:projectadmin"]],
+    "network:validate_networks": [],
+    "network:get_instance_uuids_by_ip_filter": [],
+
+    "network:get_floating_ip": [],
+    "network:get_floating_ip_pools": [],
+    "network:get_floating_ip_by_address": [],
+    "network:get_floating_ips_by_project": [],
+    "network:get_floating_ips_by_fixed_address": [],
+    "network:allocate_floating_ip": [["role:projectadmin"]],
+    "network:deallocate_floating_ip": [["role:projectadmin"]],
+    "network:associate_floating_ip": [["role:projectadmin"]],
+    "network:disassociate_floating_ip": [["role:projectadmin"]],
+
+    "network:get_fixed_ip": [],
+    "network:get_fixed_ip_by_address": [],
+    "network:add_fixed_ip_to_instance": [["role:projectadmin"]],
+    "network:remove_fixed_ip_from_instance": [["role:projectadmin"]],
+    "network:add_network_to_project": [["role:projectadmin"]],
+    "network:get_instance_nw_info": [],
+
+    "network:get_dns_domains": [],
+    "network:add_dns_entry": [["role:projectadmin"]],
+    "network:modify_dns_entry": [["role:projectadmin"]],
+    "network:delete_dns_entry": [["role:projectadmin"]],
+    "network:get_dns_entries_by_address": [],
+    "network:get_dns_entries_by_name": [],
+    "network:create_private_dns_domain": [["role:projectadmin"]],
+    "network:create_public_dns_domain": [["role:projectadmin"]],
+    "network:delete_dns_domain": [["role:projectadmin"]]
+}
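Review bot: `compute:start` and `compute:stop` point at `rule:admin`, but this file defines no rule named `admin` (only `context_is_admin`, `admin_or_owner`, `default` and `admin_api`), while the neighbouring compute entries use `role:admin`. They were probably meant to read `"compute:start": "role:admin",` and `"compute:stop": "role:admin",`. How an undefined rule reference is evaluated depends on the policy engine, so the effective result for start/stop should be confirmed rather than assumed. Separately, the `#` comment lines above `compute:create` are not valid JSON; if Horizon loads this file with a strict JSON parser the whole policy would fail to load, so that explanation is safer kept in the Puppet manifest or the commit message.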
diff --git a/modules/openstack/manifests/horizon/service.pp 
b/modules/openstack/manifests/horizon/service.pp
index c1b50fa..4f1a647 100644
--- a/modules/openstack/manifests/horizon/service.pp
+++ b/modules/openstack/manifests/horizon/service.pp
@@ -43,6 +43,18 @@
         mode    => '0440',
     }
 
+    # In the perfect future, Horizon policies will be the same
+    #  files that the respective services use.  In the meantime, though
+    #  it's useful to be able to disable not-yet-supported horizon features.
+    file { '/etc/openstack-dashboard/local_settings.py':
+        source  => 
'puppet:///modules/openstack/${openstack_version}/horison/nova_policy.json'
+        owner   => 'horizon',
+        group   => 'horizon',
+        notify  => Service['apache2'],
+        require => Package['openstack-dashboard'],
+        mode    => '0440',
+    }
+
     file { 
['/usr/share/openstack-dashboard/openstack_dashboard/static/dashboard/img/logo.png',
             
'/usr/share/openstack-dashboard/openstack_dashboard/static/dashboard/img/logo-splash.png']:
         source  => 
'puppet:///modules/openstack/horizon/216px-Wikimedia_labs_dashboard_logo.png',
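Review bot: The new `file` resource is titled `/etc/openstack-dashboard/local_settings.py` although its source is `nova_policy.json`, so as written it would replace Horizon's settings file with the policy JSON; if the resource partly visible above the hunk is the existing local_settings.py one, it is also a duplicate declaration. The `source` line has three further problems: the string is single-quoted so `${openstack_version}` is not interpolated, the path says `horison` where the file is added under `icehouse/horizon/`, and the trailing comma is missing. I would title the resource with the policy file's destination (`file { '<policy dir>/nova_policy.json':`, where `<policy dir>` is a placeholder for the directory Horizon reads policy files from) and write `source => "puppet:///modules/openstack/${openstack_version}/horizon/nova_policy.json",`. The logo `file` resource that follows continues past the end of the hunk.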
diff --git a/modules/openstack/templates/icehouse/horizon/local_settings.py.erb 
b/modules/openstack/templates/icehouse/horizon/local_settings.py.erb
index 9e14d9a..cd84664 100644
--- a/modules/openstack/templates/icehouse/horizon/local_settings.py.erb
+++ b/modules/openstack/templates/icehouse/horizon/local_settings.py.erb
@@ -276,12 +276,12 @@
 # Path to directory containing policy.json files
 #POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
 # Map of local copy of service policy files
-#POLICY_FILES = {
+POLICY_FILES = {
 #    'identity': 'keystone_policy.json',
-#    'compute': 'nova_policy.json',
+    'compute': 'nova_policy.json',
 #    'volume': 'cinder_policy.json',
 #    'image': 'glance_policy.json',
-#}
+}
 
 # Trove user and database extension support. By default support for
 # creating users and databases on database instances is turned on.
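Review bot: The now-active `POLICY_FILES` entry carries no comment saying what this copy of the policy is for. `POLICY_FILES_PATH` just above it stays commented out, so `nova_policy.json` is presumably looked up in Horizon's default policy directory. I would add above the dict something like `# Horizon-only copy: controls which compute actions the dashboard offers; nova's own policy file still decides what the API allows.` so the UI restrictions are not read as the access control. It is also worth confirming that the manifest in this change installs the file into the directory this setting resolves to.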

-- 
To view, visit https://gerrit.wikimedia.org/r/201088
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I08c7f395d6bf218c07e751af4f7bf9a6071b1a61
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org>
