diff --git a/doc/source/configuration/settings.rst b/doc/source/configuration/settings.rst index c964552acf..832b42cbb4 100644 --- a/doc/source/configuration/settings.rst +++ b/doc/source/configuration/settings.rst @@ -773,22 +773,24 @@ POLICY_DIRS .. versionadded:: 13.0.0(Queens) -Default: ``{}`` +Default: + +.. code-block:: python + + { + 'volume': ['cinder_policy.d'], + } Specifies a list of policy directories per service types. The directories are relative to `POLICY_FILES_PATH`_. Services whose additional policies are defined here must be defined in `POLICY_FILES`_ too. Otherwise, additional policies specified in ``POLICY_DIRS`` are not loaded. -Example: +.. note:: -.. code-block:: python - - { - 'identity': ['keystone_policy.d'], - 'compute': ['nova_policy.d'], - 'network': ['neutron_policy.d'], - } + ``cinder_policy.d`` is registered by default + to maintain policies which have ben dropped from nova and cinder + but horizon still uses. We recommend not to drop them. POLICY_FILES ------------ @@ -800,11 +802,11 @@ Default: .. code-block:: python { - 'identity': 'keystone_policy.json', 'compute': 'nova_policy.json', - 'volume': 'cinder_policy.json', + 'identity': 'keystone_policy.json', 'image': 'glance_policy.json', 'network': 'neutron_policy.json', + 'volume': 'cinder_policy.json', } This should essentially be the mapping of the contents of `POLICY_FILES_PATH`_ diff --git a/openstack_dashboard/conf/cinder_policy.d/consistencygroup.yaml b/openstack_dashboard/conf/cinder_policy.d/consistencygroup.yaml new file mode 100644 index 0000000000..6d907b972b --- /dev/null +++ b/openstack_dashboard/conf/cinder_policy.d/consistencygroup.yaml 
@@ -0,0 +1,10 @@
+# extra policies for consistency group
+"consistencygroup:create" : ""
+"consistencygroup:create_cgsnapshot" : ""
+"consistencygroup:delete": ""
+"consistencygroup:delete_cgsnapshot": ""
+"consistencygroup:get": ""
+"consistencygroup:get_all": ""
+"consistencygroup:get_all_cgsnapshots": ""
+"consistencygroup:get_cgsnapshot": ""
+"consistencygroup:update": ""
diff --git a/openstack_dashboard/conf/cinder_policy.json b/openstack_dashboard/conf/cinder_policy.json
index 144866294f..52808ef2d4 100644
--- a/openstack_dashboard/conf/cinder_policy.json
+++ b/openstack_dashboard/conf/cinder_policy.json
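Review bot: Every rule in this new file is the empty string, which oslo.policy treats as unconditionally allowed, so the dashboard-side check for each of these consistency-group actions passes for any authenticated user, and nothing in the file says that is deliberate. The header should state the reason, e.g. `# extra policies for consistency group: these rules were dropped from the cinder policy file but horizon still checks them, so they are left open here and the server-side policy is presumably the real gate`. The key spacing is also inconsistent (`"consistencygroup:create" : ""` beside `"consistencygroup:delete": ""`); writing `"key": ""` on every line would match the other policy files.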
@@ -1,113 +1,136 @@
 {
 "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
-
- "admin_api": "is_admin:True",
-
- "volume:create": "",
- "volume:delete": "rule:admin_or_owner",
- "volume:get": "rule:admin_or_owner",
- "volume:get_all": "rule:admin_or_owner",
- "volume:get_volume_metadata": "rule:admin_or_owner",
- "volume:delete_volume_metadata": "rule:admin_or_owner",
- "volume:update_volume_metadata": "rule:admin_or_owner",
- "volume:get_volume_admin_metadata": "rule:admin_api",
- "volume:update_volume_admin_metadata": "rule:admin_api",
- "volume:get_snapshot": "rule:admin_or_owner",
- "volume:get_all_snapshots": "rule:admin_or_owner",
- "volume:create_snapshot": "rule:admin_or_owner",
- "volume:delete_snapshot": "rule:admin_or_owner",
- "volume:update_snapshot": "rule:admin_or_owner",
+ "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s",
+ "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
+ "volume:attachment_create": "",
+ "volume:attachment_update": "rule:admin_or_owner",
+ "volume:attachment_delete": "rule:admin_or_owner",
+ "message:get_all": "rule:admin_or_owner",
+ "message:get": "rule:admin_or_owner",
+ "message:delete": "rule:admin_or_owner",
+ "clusters:get_all": "rule:admin_api",
+ "clusters:get": "rule:admin_api",
+ "clusters:update": "rule:admin_api",
+ "workers:cleanup": "rule:admin_api",
 "volume:get_snapshot_metadata": "rule:admin_or_owner",
- "volume:delete_snapshot_metadata": "rule:admin_or_owner",
 "volume:update_snapshot_metadata": "rule:admin_or_owner",
- "volume:extend": "rule:admin_or_owner",
- "volume:update_readonly_flag": "rule:admin_or_owner",
- "volume:retype": "rule:admin_or_owner",
- "volume:update": "rule:admin_or_owner",
-
+ "volume:delete_snapshot_metadata": "rule:admin_or_owner",
+ "volume:get_all_snapshots": "rule:admin_or_owner",
+ "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
+ "volume:create_snapshot": "rule:admin_or_owner",
+ "volume:get_snapshot": "rule:admin_or_owner",
+ "volume:update_snapshot": "rule:admin_or_owner",
+ "volume:delete_snapshot": "rule:admin_or_owner",
+ "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
+ "snapshot_extension:snapshot_actions:update_snapshot_status": "",
+ "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
+ "snapshot_extension:list_manageable": "rule:admin_api",
+ "snapshot_extension:snapshot_manage": "rule:admin_api",
+ "snapshot_extension:snapshot_unmanage": "rule:admin_api",
+ "backup:get_all": "rule:admin_or_owner",
+ "backup:backup_project_attribute": "rule:admin_api",
+ "backup:create": "",
+ "backup:get": "rule:admin_or_owner",
+ "backup:update": "rule:admin_or_owner",
+ "backup:delete": "rule:admin_or_owner",
+ "backup:restore": "rule:admin_or_owner",
+ "backup:backup-import": "rule:admin_api",
+ "backup:export-import": "rule:admin_api",
+ "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
+ "volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
+ "group:get_all": "rule:admin_or_owner",
+ "group:create": "",
+ "group:get": "rule:admin_or_owner",
+ "group:update": "rule:admin_or_owner",
+ "group:group_types_manage": "rule:admin_api",
+ "group:access_group_types_specs": "rule:admin_api",
+ "group:group_types_specs": "rule:admin_api",
+ "group:get_all_group_snapshots": "rule:admin_or_owner",
+ "group:create_group_snapshot": "",
+ "group:get_group_snapshot": "rule:admin_or_owner",
+ "group:delete_group_snapshot": "rule:admin_or_owner",
+ "group:update_group_snapshot": "rule:admin_or_owner",
+ "group:reset_group_snapshot_status": "rule:admin_or_owner",
+ "group:delete": "rule:admin_or_owner",
+ "group:reset_status": "rule:admin_api",
+ "group:enable_replication": "rule:admin_or_owner",
+ "group:disable_replication": "rule:admin_or_owner",
+ "group:failover_replication": "rule:admin_or_owner",
+ "group:list_replication_targets": "rule:admin_or_owner",
+ "volume_extension:qos_specs_manage:get_all": "rule:admin_api",
+ "volume_extension:qos_specs_manage:get": "rule:admin_api",
+ "volume_extension:qos_specs_manage:create": "rule:admin_api",
+ "volume_extension:qos_specs_manage:update": "rule:admin_api",
+ "volume_extension:qos_specs_manage:delete": "rule:admin_api",
+ "volume_extension:quota_classes": "rule:admin_api",
+ "volume_extension:quotas:show": "rule:admin_or_owner",
+ "volume_extension:quotas:update": "rule:admin_api",
+ "volume_extension:quotas:delete": "rule:admin_api",
+ "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
+ "volume_extension:capabilities": "rule:admin_api",
+ "volume_extension:services:index": "rule:admin_api",
+ "volume_extension:services:update": "rule:admin_api",
+ "volume:freeze_host": "rule:admin_api",
+ "volume:thaw_host": "rule:admin_api",
+ "volume:failover_host": "rule:admin_api",
+ "scheduler_extension:scheduler_stats:get_pools": "rule:admin_api",
+ "volume_extension:hosts": "rule:admin_api",
+ "limits_extension:used_limits": "rule:admin_or_owner",
+ "volume_extension:list_manageable": "rule:admin_api",
+ "volume_extension:volume_manage": "rule:admin_api",
+ "volume_extension:volume_unmanage": "rule:admin_api",
 "volume_extension:types_manage": "rule:admin_api",
- "volume_extension:types_extra_specs": "rule:admin_api",
- "volume_extension:access_types_qos_specs_id": "rule:admin_api",
+ "volume_extension:volume_type_encryption": "rule:admin_api",
 "volume_extension:access_types_extra_specs": "rule:admin_api",
+ "volume_extension:access_types_qos_specs_id": "rule:admin_api",
 "volume_extension:volume_type_access": "rule:admin_or_owner",
 "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
 "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
- "volume_extension:volume_type_encryption": "rule:admin_api",
- "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
- "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
- "volume_extension:volume_image_metadata": "rule:admin_or_owner",
-
- "volume_extension:quotas:show": "",
- "volume_extension:quotas:update": "rule:admin_api",
- "volume_extension:quotas:delete": "rule:admin_api",
- "volume_extension:quota_classes": "rule:admin_api",
- "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
-
+ "volume:extend": "rule:admin_or_owner",
+ "volume:extend_attached_volume": "rule:admin_or_owner",
+ "volume:revert_to_snapshot": "rule:admin_or_owner",
 "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
- "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
- "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
+ "volume:retype": "rule:admin_or_owner",
+ "volume:update_readonly_flag": "rule:admin_or_owner",
 "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
- "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
- "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
- "volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
- "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
- "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
- "volume_extension:volume_actions:upload_public": "rule:admin_api",
 "volume_extension:volume_actions:upload_image": "rule:admin_or_owner",
-
+ "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
+ "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
+ "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
+ "volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner",
+ "volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner",
+ "volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner",
+ "volume_extension:volume_actions:reserve": "rule:admin_or_owner",
+ "volume_extension:volume_actions:unreserve": "rule:admin_or_owner",
+ "volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner",
+ "volume_extension:volume_actions:attach": "rule:admin_or_owner",
+ "volume_extension:volume_actions:detach": "rule:admin_or_owner",
+ "volume:get_all_transfers": "rule:admin_or_owner",
+ "volume:create_transfer": "rule:admin_or_owner",
+ "volume:get_transfer": "rule:admin_or_owner",
+ "volume:accept_transfer": "",
+ "volume:delete_transfer": "rule:admin_or_owner",
+ "volume:get_volume_metadata": "rule:admin_or_owner",
+ "volume:create_volume_metadata": "rule:admin_or_owner",
+ "volume:update_volume_metadata": "rule:admin_or_owner",
+ "volume:delete_volume_metadata": "rule:admin_or_owner",
+ "volume_extension:volume_image_metadata": "rule:admin_or_owner",
+ "volume:update_volume_admin_metadata": "rule:admin_api",
+ "volume_extension:types_extra_specs:index": "rule:admin_api",
+ "volume_extension:types_extra_specs:create": "rule:admin_api",
+ "volume_extension:types_extra_specs:show": "rule:admin_api",
+ "volume_extension:types_extra_specs:update": "rule:admin_api",
+ "volume_extension:types_extra_specs:delete": "rule:admin_api",
+ "volume:create": "",
+ "volume:create_from_image": "",
+ "volume:get": "rule:admin_or_owner",
+ "volume:get_all": "rule:admin_or_owner",
+ "volume:update": "rule:admin_or_owner",
+ "volume:delete": "rule:admin_or_owner",
+ "volume:force_delete": "rule:admin_api",
 "volume_extension:volume_host_attribute": "rule:admin_api",
 "volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
 "volume_extension:volume_mig_status_attribute": "rule:admin_api",
- "volume_extension:hosts": "rule:admin_api",
- "volume_extension:services:index": "rule:admin_api",
- "volume_extension:services:update" : "rule:admin_api",
-
- "volume_extension:volume_manage": "rule:admin_api",
- "volume_extension:volume_unmanage": "rule:admin_api",
-
- "volume_extension:capabilities": "rule:admin_api",
-
- "volume:create_transfer": "rule:admin_or_owner",
- "volume:accept_transfer": "",
- "volume:delete_transfer": "rule:admin_or_owner",
- "volume:get_transfer": "rule:admin_or_owner",
- "volume:get_all_transfers": "rule:admin_or_owner",
-
- "volume_extension:replication:promote": "rule:admin_api",
- "volume_extension:replication:reenable": "rule:admin_api",
-
- "volume:failover_host": "rule:admin_api",
- "volume:freeze_host": "rule:admin_api",
- "volume:thaw_host": "rule:admin_api",
-
- "backup:create" : "",
- "backup:delete": "rule:admin_or_owner",
- "backup:get": "rule:admin_or_owner",
- "backup:get_all": "rule:admin_or_owner",
- "backup:restore": "rule:admin_or_owner",
- "backup:backup-import": "rule:admin_api",
- "backup:backup-export": "rule:admin_api",
-
- "snapshot_extension:snapshot_actions:update_snapshot_status": "",
- "snapshot_extension:snapshot_manage": "rule:admin_api",
- "snapshot_extension:snapshot_unmanage": "rule:admin_api",
-
- "consistencygroup:create" : "",
- "consistencygroup:delete": "",
- "consistencygroup:update": "",
- "consistencygroup:get": "",
- "consistencygroup:get_all": "",
-
- "consistencygroup:create_cgsnapshot" : "",
- "consistencygroup:delete_cgsnapshot": "",
- "consistencygroup:get_cgsnapshot": "",
- "consistencygroup:get_all_cgsnapshots": "",
-
- "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api",
- "message:delete": "rule:admin_or_owner",
- "message:get": "rule:admin_or_owner",
- "message:get_all": "rule:admin_or_owner"
+ "volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
 }
diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
index 6a469ccc41..bc151664f7 100644
--- a/openstack_dashboard/settings.py
+++ b/openstack_dashboard/settings.py
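Review bot: The regenerated file drops the `"default": "rule:admin_or_owner"` entry removed near the top of the hunk and adds no replacement, so an action with no rule no longer falls back to admin_or_owner; oslo.policy looks up `default` for an unknown action and denies when that is missing too. That matters because several names horizon may still reference are removed here without a `cinder_policy.d` counterpart, e.g. `backup:backup-export` (now `backup:export-import`), `volume_extension:replication:promote`/`reenable`, `volume_extension:volume_actions:upload_public` and `volume:get_volume_admin_metadata` — the commit moves only the `consistencygroup:*` rules into the policy directory. Presumably the dashboard code was checked for those names; if any remain, either keep `"default": "rule:admin_or_owner",` or add them to `cinder_policy.d`, and a sentence in the commit message on how the dropped rules were reconciled against horizon's policy checks would let reviewers verify it.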
@@ -263,7 +263,11 @@ POLICY_FILES = {
 'image': 'glance_policy.json',
 'network': 'neutron_policy.json',
 }
-POLICY_DIRS = {}
+# Services for which horizon has extra policies are defined
+# in POLICY_DIRS by default.
+POLICY_DIRS = {
+ 'volume': ['cinder_policy.d'],
+}
 SECRET_KEY = None
 LOCAL_PATH = None
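Review bot: The new comment above `POLICY_DIRS` is hard to parse (`# Services for which horizon has extra policies are defined / # in POLICY_DIRS by default.`) and does not say what the value means: per the settings documentation in this same commit the directories are relative to `POLICY_FILES_PATH` and are only loaded for services that also appear in `POLICY_FILES`. Suggest replacing it with `# Extra policy directories per service, relative to POLICY_FILES_PATH; a service must also be listed in POLICY_FILES or its directory is ignored.` followed by `# 'cinder_policy.d' holds rules horizon still checks but cinder no longer ships.` The `POLICY_FILES` dict this hunk opens inside starts above the hunk.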