Taken over policy file for heat from Horizon repository.

In future, Heat relevant files(like GUI, api client, policy files, ...)
will be split out from Horizon repository.

But now this repository does not have Heat policy file so I've copied
it from Horizon latest repository.

This review request also includes following changes.
- Added installation procedure document relates to heat_policy.json.
- Modified plugin.sh to install heat_policy.json.

Change-Id: I8dd386e392eb4467b03efd68c7959371d4b9576d
This commit is contained in:
Keiichi Hikita 2017-11-16 11:08:03 +09:00
parent 569d70a09a
commit ba1ccf4d9b
4 changed files with 113 additions and 0 deletions

View File

@ -26,6 +26,11 @@ Set up your ``local.conf`` to enable heat-dashboard::
[[local|localrc]]
enable_plugin heat-dashboard https://git.openstack.org/openstack/heat-dashboard
.. note::
You also need to install Heat itself into DevStack to use Heat Dashboard.
Manual Installation
-------------------
@ -59,6 +64,11 @@ Enable heat-dashboard plugin in your Horizon environment::
cp heat-dashboard/heat_dashboard/enabled/* \
horizon/openstack_dashboard/local/enabled
Copy Heat policy file to your Horizon environment::
cp heat-dashboard/etc/heat_policy.json \
horizon/openstack_dashboard/conf
Finally you can launch Horizon with Heat Dashboard plugin::
cd horizon

View File

@ -16,6 +16,7 @@ function install_heat_dashboard {
function configure_heat_dashboard {
cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/
cp -a ${HEAT_DASHBOARD_DIR}/etc/heat_policy.json ${DEST}/horizon/conf/
# NOTE: If locale directory does not exist, compilemessages will fail,
# so check for an existence of locale directory is required.
if [ -d ${HEAT_DASHBOARD_DIR}/heat_dashboard/locale ]; then

View File

@ -6,6 +6,11 @@ Set up your ``local.conf`` to enable heat-dashboard::
[[local|localrc]]
enable_plugin heat-dashboard https://git.openstack.org/openstack/heat-dashboard
.. note::
You also need to install Heat itself into DevStack to use Heat Dashboard.
Manual Installation
-------------------
@ -39,6 +44,11 @@ Enable heat-dashboard plugin in your Horizon environment::
cp heat-dashboard/heat_dashboard/enabled/* \
horizon/openstack_dashboard/local/enabled
Copy Heat policy file to your Horizon environment::
cp heat-dashboard/etc/heat_policy.json \
horizon/openstack_dashboard/conf
Finally you can launch Horizon with Heat Dashboard plugin::
cd horizon

92
etc/heat_policy.json Normal file
View File

@ -0,0 +1,92 @@
{
"context_is_admin": "role:admin",
"deny_stack_user": "not role:heat_stack_user",
"deny_everybody": "!",
"cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user",
"cloudformation:DescribeStacks": "rule:deny_stack_user",
"cloudformation:DeleteStack": "rule:deny_stack_user",
"cloudformation:UpdateStack": "rule:deny_stack_user",
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user",
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
"cloudformation:DescribeStackResource": "",
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
"cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
"cloudwatch:PutMetricData": "",
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
"actions:action": "rule:deny_stack_user",
"build_info:build_info": "rule:deny_stack_user",
"events:index": "rule:deny_stack_user",
"events:show": "rule:deny_stack_user",
"resource:index": "rule:deny_stack_user",
"resource:metadata": "",
"resource:signal": "",
"resource:mark_unhealthy": "rule:deny_stack_user",
"resource:show": "rule:deny_stack_user",
"stacks:abandon": "rule:deny_stack_user",
"stacks:create": "rule:deny_stack_user",
"stacks:delete": "rule:deny_stack_user",
"stacks:detail": "rule:deny_stack_user",
"stacks:export": "rule:deny_stack_user",
"stacks:generate_template": "rule:deny_stack_user",
"stacks:global_index": "rule:deny_everybody",
"stacks:index": "rule:deny_stack_user",
"stacks:list_resource_types": "rule:deny_stack_user",
"stacks:list_template_versions": "rule:deny_stack_user",
"stacks:list_template_functions": "rule:deny_stack_user",
"stacks:lookup": "",
"stacks:preview": "rule:deny_stack_user",
"stacks:resource_schema": "rule:deny_stack_user",
"stacks:show": "rule:deny_stack_user",
"stacks:template": "rule:deny_stack_user",
"stacks:environment": "rule:deny_stack_user",
"stacks:update": "rule:deny_stack_user",
"stacks:update_patch": "rule:deny_stack_user",
"stacks:preview_update": "rule:deny_stack_user",
"stacks:preview_update_patch": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user",
"stacks:snapshot": "rule:deny_stack_user",
"stacks:show_snapshot": "rule:deny_stack_user",
"stacks:delete_snapshot": "rule:deny_stack_user",
"stacks:list_snapshots": "rule:deny_stack_user",
"stacks:restore_snapshot": "rule:deny_stack_user",
"stacks:list_outputs": "rule:deny_stack_user",
"stacks:show_output": "rule:deny_stack_user",
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": "",
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
}