Import FWaaS policy file from Horizon

This import covers FWaaS v1 only. Change-Id: Iec579212ef0cc16b9de3d5cb54399f77f4888dff
2017-07-08 23:56:08 +00:00 · 2017-07-08 23:56:08 +00:00 · 2ca7971f90
parent 0158596aea
commit 2ca7971f90
4 changed files with 98 additions and 17 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -24,6 +24,38 @@ function configure_neutron_fwaas_dashboard {
        (cd $FWAAS_DASHBOARD_DIR/neutron_fwaas_dashboard; \
         DJANGO_SETTINGS_MODULE=openstack_dashboard.settings ../manage.py compilemessages)
    fi
+    # Add policy file for FWaaS
+    _set_policy_file $DEST/horizon/openstack_dashboard/local/local_settings.py \
+        neutron-fwaas $FWAAS_DASHBOARD_DIR/etc/neutron-fwaas-policy.json
+}
+
+function _ensure_policy_file {
+    local file=$1
+
+    # Look for POLICY_FILES dict.
+    start=$(grep -nE '^\s*POLICY_FILES\s*=\s*' $file | cut -d : -f 1)
+    if [ ! -n "$start" ]; then
+        # If POLICY_FILES is not found, define it.
+        cat <<EOF >> $file
+POLICY_FILES = {
+    'identity': 'keystone_policy.json',
+    'compute': 'nova_policy.json',
+    'volume': 'cinder_policy.json',
+    'image': 'glance_policy.json',
+    'orchestration': 'heat_policy.json',
+    'network': 'neutron_policy.json',
+}
+EOF
+    fi
+}
+
+function _set_policy_file {
+    local file=$1
+    local policy_name=$2
+    local policy_file=$3
+
+    _ensure_policy_file $file
+    echo "POLICY_FILES['$policy_name'] = '$policy_file'" >> $file
 }

 # check for service enabled
--- a/doc/source/install/index.rst
+++ b/doc/source/install/index.rst
@ -60,6 +60,24 @@ Enable the horizon plugin.
   <https://docs.openstack.org/developer/horizon/install/settings.html#pluggable-settings>`__
   in the horizon documentation.

+Configure the policy file for Neutron FWaaS dashboard
+in OpenStack Dashboard ``local_settings.py``.
+``<fwaas-dashboard-config-dir>`` is a directory which contains
+configurations for Neutron FWaaS dashboard and the locaiton varies
+across distributions or deployments.
+
+.. code-block:: python
+
+   POLICY_FILES['neutron-fwaas'] = '<fwaas-dashboard-config-dir>/etc/neutron-fwaas-policy.json'
+
+.. note::
+
+   If you do not configure ``POLICY_FILES`` in your ``local_settings.py``,
+   you also need to define the default ``POLICY_FILES`` in
+   ``local_settings.py``. If you use the example ``local_settings.py`` file
+   from horizon, what you need is to uncomment ``POLICY_FILES`` (which contains
+   the default values).
+
 Compile the message catalogs of Neutron VPNaaS dashboard.

 .. code-block:: console
--- a/etc/neutron-fwaas-policy.json
+++ b/etc/neutron-fwaas-policy.json
@ -0,0 +1,31 @@
+{
+    "context_is_admin":  "role:admin",
+    "owner": "tenant_id:%(tenant_id)s",
+    "admin_or_owner": "rule:context_is_admin or rule:owner",
+    "admin_only": "rule:context_is_admin",
+    "shared_firewalls": "field:firewalls:shared=True",
+    "shared_firewall_policies": "field:firewall_policies:shared=True",
+    "default": "rule:admin_or_owner",
+
+    "create_firewall": "",
+    "get_firewall": "rule:admin_or_owner",
+    "create_firewall:shared": "rule:admin_only",
+    "get_firewall:shared": "rule:admin_only",
+    "update_firewall": "rule:admin_or_owner",
+    "update_firewall:shared": "rule:admin_only",
+    "delete_firewall": "rule:admin_or_owner",
+
+    "create_firewall_policy": "",
+    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
+    "create_firewall_policy:shared": "rule:admin_or_owner",
+    "update_firewall_policy": "rule:admin_or_owner",
+    "delete_firewall_policy": "rule:admin_or_owner",
+
+    "insert_rule": "rule:admin_or_owner",
+    "remove_rule": "rule:admin_or_owner",
+
+    "create_firewall_rule": "",
+    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
+    "update_firewall_rule": "rule:admin_or_owner",
+    "delete_firewall_rule": "rule:admin_or_owner"
+}
--- a/neutron_fwaas_dashboard/dashboards/project/firewalls/tables.py
+++ b/neutron_fwaas_dashboard/dashboards/project/firewalls/tables.py
@ -36,7 +36,7 @@ class AddRuleLink(tables.LinkAction):
    url = "horizon:project:firewalls:addrule"
    classes = ("ajax-modal",)
    icon = "plus"
-    policy_rules = (("network", "create_firewall_rule"),)
+    policy_rules = (("neutron-fwaas", "create_firewall_rule"),)


 class AddPolicyLink(tables.LinkAction):
@ -45,7 +45,7 @@ class AddPolicyLink(tables.LinkAction):
    url = "horizon:project:firewalls:addpolicy"
    classes = ("ajax-modal", "btn-addpolicy",)
    icon = "plus"
-    policy_rules = (("network", "create_firewall_policy"),)
+    policy_rules = (("neutron-fwaas", "create_firewall_policy"),)


 class AddFirewallLink(tables.LinkAction):
@ -54,12 +54,12 @@ class AddFirewallLink(tables.LinkAction):
    url = "horizon:project:firewalls:addfirewall"
    classes = ("ajax-modal",)
    icon = "plus"
-    policy_rules = (("network", "create_firewall"),)
+    policy_rules = (("neutron-fwaas", "create_firewall"),)


 class DeleteRuleLink(policy.PolicyTargetMixin, tables.DeleteAction):
    name = "deleterule"
-    policy_rules = (("network", "delete_firewall_rule"),)
+    policy_rules = (("neutron-fwaas", "delete_firewall_rule"),)

    @staticmethod
    def action_present(count):
@ -91,7 +91,7 @@ class DeleteRuleLink(policy.PolicyTargetMixin, tables.DeleteAction):

 class DeletePolicyLink(policy.PolicyTargetMixin, tables.DeleteAction):
    name = "deletepolicy"
-    policy_rules = (("network", "delete_firewall_policy"),)
+    policy_rules = (("neutron-fwaas", "delete_firewall_policy"),)

    @staticmethod
    def action_present(count):
@ -119,7 +119,7 @@ class DeletePolicyLink(policy.PolicyTargetMixin, tables.DeleteAction):
 class DeleteFirewallLink(policy.PolicyTargetMixin,
                         tables.DeleteAction):
    name = "deletefirewall"
-    policy_rules = (("network", "delete_firewall"),)
+    policy_rules = (("neutron-fwaas", "delete_firewall"),)

    @staticmethod
    def action_present(count):
@ -148,7 +148,7 @@ class UpdateRuleLink(policy.PolicyTargetMixin, tables.LinkAction):
    name = "updaterule"
    verbose_name = _("Edit Rule")
    classes = ("ajax-modal", "btn-update",)
-    policy_rules = (("network", "update_firewall_rule"),)
+    policy_rules = (("neutron-fwaas", "update_firewall_rule"),)

    def get_link_url(self, rule):
        base_url = reverse("horizon:project:firewalls:updaterule",
@ -160,7 +160,7 @@ class UpdatePolicyLink(policy.PolicyTargetMixin, tables.LinkAction):
    name = "updatepolicy"
    verbose_name = _("Edit Policy")
    classes = ("ajax-modal", "btn-update",)
-    policy_rules = (("network", "update_firewall_policy"),)
+    policy_rules = (("neutron-fwaas", "update_firewall_policy"),)

    def get_link_url(self, policy):
        base_url = reverse("horizon:project:firewalls:updatepolicy",
@ -172,7 +172,7 @@ class UpdateFirewallLink(policy.PolicyTargetMixin, tables.LinkAction):
    name = "updatefirewall"
    verbose_name = _("Edit Firewall")
    classes = ("ajax-modal", "btn-update",)
-    policy_rules = (("network", "update_firewall"),)
+    policy_rules = (("neutron-fwaas", "update_firewall"),)

    def get_link_url(self, firewall):
        base_url = reverse("horizon:project:firewalls:updatefirewall",
@ -192,8 +192,8 @@ class InsertRuleToPolicyLink(policy.PolicyTargetMixin,
    name = "insertrule"
    verbose_name = _("Insert Rule")
    classes = ("ajax-modal", "btn-update",)
-    policy_rules = (("network", "get_firewall_policy"),
-                    ("network", "insert_rule"),)
+    policy_rules = (("neutron-fwaas", "get_firewall_policy"),
+                    ("neutron-fwaas", "insert_rule"),)

    def get_link_url(self, policy):
        base_url = reverse("horizon:project:firewalls:insertrule",
@ -206,8 +206,8 @@ class RemoveRuleFromPolicyLink(policy.PolicyTargetMixin,
    name = "removerule"
    verbose_name = _("Remove Rule")
    classes = ("ajax-modal",)
-    policy_rules = (("network", "get_firewall_policy"),
-                    ("network", "remove_rule"),)
+    policy_rules = (("neutron-fwaas", "get_firewall_policy"),
+                    ("neutron-fwaas", "remove_rule"),)
    action_type = "danger"

    def get_link_url(self, policy):
@ -226,8 +226,8 @@ class AddRouterToFirewallLink(policy.PolicyTargetMixin,
    name = "addrouter"
    verbose_name = _("Add Router")
    classes = ("ajax-modal", "btn-update",)
-    policy_rules = (("network", "get_firewall"),
-                    ("network", "add_router"),)
+    policy_rules = (("neutron-fwaas", "get_firewall"),
+                    ("neutron-fwaas", "add_router"),)

    def get_link_url(self, firewall):
        base_url = reverse("horizon:project:firewalls:addrouter",
@ -249,8 +249,8 @@ class RemoveRouterFromFirewallLink(policy.PolicyTargetMixin,
    name = "removerouter"
    verbose_name = _("Remove Router")
    classes = ("ajax-modal", "btn-update",)
-    policy_rules = (("network", "get_firewall"),
-                    ("network", "remove_router"),)
+    policy_rules = (("neutron-fwaas", "get_firewall"),
+                    ("neutron-fwaas", "remove_router"),)

    def get_link_url(self, firewall):
        base_url = reverse("horizon:project:firewalls:removerouter",