Remove admin role name 'admin' hardcode

Because of hardcoding name as the 'admin' was impossible to use administrative panel with a custom administrative role name. This fix replaces hardcoding the name of the administrative role with RBAC policy check. DocImpact Related commit: https://review.openstack.org/#/c/123745/ Change-Id: I05c8fc750c56f6f6bb49a435662e821eb0d6ba30 Closes-Bug: #1161144
2014-09-30 14:53:21 +04:00 · 2014-09-30 14:53:21 +04:00 · ce5fb26bf5
parent caa5e91059
commit ce5fb26bf5
7 changed files with 19 additions and 9 deletions
--- a/doc/source/quickstart.rst
+++ b/doc/source/quickstart.rst
@ -297,7 +297,8 @@ you register it in a ``panel.py`` file like so::
    class Images(horizon.Panel):
        name = "Images"
        slug = 'images'
-        permissions = ('openstack.roles.admin', 'my.other.permission',)
+        permissions = ('openstack.roles.admin', 'my.openstack.permission',)
+        policy_rules = (('endpoint', 'endpoint:rule'),)


    # You could also register your panel with another application's dashboard
--- a/doc/source/topics/customizing.rst
+++ b/doc/source/topics/customizing.rst
@ -441,12 +441,6 @@ Or get the instances panel::
    projects_dashboard = horizon.get_dashboard("project")
    instances_panel = projects_dashboard.get_panel("instances")

-And limit access to users with the Keystone Admin role::
-
-    permissions = list(getattr(instances_panel, 'permissions', []))
-    permissions.append('openstack.roles.admin')
-    instances_panel.permissions = tuple(permissions)
-
 Or just remove it entirely::

    projects_dashboard.unregister(instances_panel.__class__)
--- a/openstack_dashboard/dashboards/admin/dashboard.py
+++ b/openstack_dashboard/dashboards/admin/dashboard.py
@ -15,12 +15,23 @@
 from django.utils.translation import ugettext_lazy as _

 import horizon
+from openstack_dashboard import settings


 class Admin(horizon.Dashboard):
    name = _("Admin")
    slug = "admin"
-    permissions = ('openstack.roles.admin',)
-    policy_rules = (("identity", "cloud_admin"),)
+
+    if getattr(settings, 'POLICY_CHECK_FUNCTION', None):
+        policy_rules = (('identity', 'admin_required'),
+                        ('image', 'context_is_admin'),
+                        ('volume', 'context_is_admin'),
+                        ('compute', 'context_is_admin'),
+                        ('network', 'context_is_admin'),
+                        ('orchestration', 'context_is_admin'),
+                        ('telemetry', 'context_is_admin'),)
+    else:
+        permissions = ('openstack.roles.admin',)
+

 horizon.register(Admin)
--- a/openstack_dashboard/dashboards/admin/hypervisors/panel.py
+++ b/openstack_dashboard/dashboards/admin/hypervisors/panel.py
@ -21,3 +21,4 @@ class Hypervisors(horizon.Panel):
    name = _("Hypervisors")
    slug = 'hypervisors'
    permissions = ('openstack.services.compute',)
+    policy_rules = (("compute", "compute_extension:hypervisors"),)
--- a/openstack_dashboard/dashboards/admin/instances/panel.py
+++ b/openstack_dashboard/dashboards/admin/instances/panel.py
@ -25,3 +25,4 @@ class Instances(horizon.Panel):
    name = _("Instances")
    slug = 'instances'
    permissions = ('openstack.services.compute',)
+    policy_rules = (("compute", "compute:get_all"),)
--- a/openstack_dashboard/dashboards/admin/metadata_defs/panel.py
+++ b/openstack_dashboard/dashboards/admin/metadata_defs/panel.py
@ -23,6 +23,7 @@ from openstack_dashboard.api import glance
 class MetadataDefinitions(horizon.Panel):
    name = _("Metadata Definitions")
    slug = 'metadata_defs'
+    policy_rules = (("image", "get_metadef_namespaces"),)

    @staticmethod
    def can_register():
--- a/openstack_dashboard/dashboards/admin/overview/panel.py
+++ b/openstack_dashboard/dashboards/admin/overview/panel.py
@ -26,6 +26,7 @@ from openstack_dashboard.dashboards.admin import dashboard
 class Overview(horizon.Panel):
    name = _("Overview")
    slug = 'overview'
+    policy_rules = (('identity', 'identity:list_projects'),)


 dashboard.Admin.register(Overview)