Adds warning banner for admin users in project dash.

This is a bandaid until the underlying bugs in Nova get fixed. Fixes bug 968696. Change-Id: I735453482023dabc28069a4a8796aa43001f1891
openstack · Jun 19, 2012 · 41307a3 · 41307a3
1 parent f6f2a91
commit 41307a3
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 2 deletions.
diff --git a/horizon/dashboards/nova/overview/urls.py b/horizon/dashboards/nova/overview/urls.py
@@ -19,10 +19,11 @@
 #    under the License.
 
 
-from django.conf.urls.defaults import *
+from django.conf.urls.defaults import url, patterns
 
-from .views import ProjectOverview
+from .views import ProjectOverview, WarningView
 
 urlpatterns = patterns('horizon.dashboards.nova.overview.views',
     url(r'^$', ProjectOverview.as_view(), name='index'),
+    url(r'^warning$', WarningView.as_view(), name='warning'),
 )
diff --git a/horizon/dashboards/nova/overview/views.py b/horizon/dashboards/nova/overview/views.py
@@ -18,6 +18,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from django.views.generic import TemplateView
+
 from horizon import usage
 
 
@@ -29,3 +31,7 @@ class ProjectOverview(usage.UsageView):
     def get_data(self):
         super(ProjectOverview, self).get_data()
         return self.usage.get_instances()
+
+
+class WarningView(TemplateView):
+    template_name = "nova/_warning.html"
diff --git a/horizon/dashboards/nova/templates/nova/_warning.html b/horizon/dashboards/nova/templates/nova/_warning.html
@@ -0,0 +1,26 @@
+{% load i18n %}
+
+<div id="admin_warning_detail" class="modal hide">
+  <div class="modal-header">
+    <button type="button" class="close" data-dismiss="modal">&times;</button>
+    <h3>{% trans "You currently have the power to damage your OpenStack cloud..." %}</h3>
+  </div>
+  <div class="modal-body">
+    <p>{% blocktrans %}Due to inconsistencies in the way Nova interacts with Keystone, a user with an admin role has access to all resources in the system (volumes, snapshots, keypairs, etc.), even in the Project dashboard where they should only see a properly-scoped subset of those resources.{% endblocktrans %}</p>
+    <p>{% blocktrans %}This means that Nova allows an admin user in the Project Dashboard to successfully take actions which otherwise should not be permitted, causing irresolvable conflicts in Nova.{% endblocktrans %}</p>
+    <p>{% blocktrans %}A list of the known problems are as follows:{% endblocktrans %}</p>
+    <ul>
+      <li>{% blocktrans %}Attaching a volume owned by project A to an instance in project B can completely hang Nova.{% endblocktrans %}</li>
+      <li>{% blocktrans %}Assigning keypairs owned by project A to an instance in project B can result in failed instances, problems in retrieving instance details for non-admin users, and/or security holes should the instance succeed in spawning.{% endblocktrans %}</li>
+      <li>{% blocktrans %}Attempting to launch an instance in project A from a snapshot or volume snapshot owned by project B can hang Nova.{% endblocktrans %}</li>
+      <li>{% blocktrans %}Attempting to boot from a volume owned by project A in project B can hang Nova.{% endblocktrans %}</li>
+    </ul>
+    <p>{% blocktrans %}This is only a list of the reported inconsistencies. There may be others.{% endblocktrans %}</p>
+    <p><strong>{% blocktrans %}The recommended practice until this problem is resolved is to keep your admin users and regular users separate. Create an "admin" project that admin users have access to, and do not grant your admin users the admin role on any other projects.{% endblocktrans %}</strong></p>
+    <p>{% blocktrans %}To follow the status of this bug, take a look at the following items on launchpad:{% endblocktrans %} <a href="https://bugs.launchpad.net/horizon/+bug/967882">BUG: Scoping problems for Nova resources</a>, <a href="https://bugs.launchpad.net/horizon/+bug/968696">BUG: "Admin"-ness not properly scoped</a>, <a href="https://blueprints.launchpad.net/nova/+spec/differentiate-admin">BLUEPRINT: Differentiate system-wide admins</a>.</p>
+    <p>{% blocktrans %}Thank you for reading this warning and operating your cloud responsibly.{% endblocktrans %}</p>
+  </div>
+  <div class="modal-footer">
+    <a href="#" class="btn" data-dismiss="modal">{% trans "Close" %}</a>
+  </div>
+</div>
diff --git a/horizon/dashboards/nova/templates/nova/base.html b/horizon/dashboards/nova/templates/nova/base.html
@@ -1,4 +1,20 @@
 {% extends 'base.html' %}
+{% load i18n %}
+
+{% block content %}
+{% if request.user.is_admin %}
+<div class="warning">
+  <div class="warning-text">
+    <h3 class="alert-error">
+        <strong>{% trans "Caution" %}:</strong>
+        <span>{% trans "You are acting as an admin user in the project dashboard." %}</span>
+    </h3>
+    <a href="{% url horizon:nova:overview:warning %}" class="btn btn-small btn-danger ajax-modal">{% trans "Learn More" %}</a>
+  </div>
+</div>
+{% endif %}
+{{ block.super }}
+{% endblock %}
 
 {% block sidebar %}
   {% include 'horizon/common/_sidebar.html' %}

diff --git a/openstack_dashboard/static/dashboard/less/horizon.less b/openstack_dashboard/static/dashboard/less/horizon.less
@@ -1193,3 +1193,25 @@ label.log-length {
 .split_five div.control-group select {
   width: 120px;
 }
+
+.warning {
+  background-color: @errorBackground;
+  border-bottom: 1px solid @red;
+  padding: 5px 10px;
+  .warning-text {
+    text-align: center;
+    h3, a {
+      display: inline-block;
+    }
+    h3 {
+      vertical-align: bottom;
+    }
+  }
+}
+#admin_warning_detail {
+  ul {
+    list-style: circle;
+    padding-left: 20px;
+    margin-bottom: 10px;
+  }
+}