forked from davidcusatis/horizon-customization
/
horizon_customization.py
77 lines (63 loc) · 3.42 KB
/
horizon_customization.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
import horizon
from openstack_dashboard.dashboards.identity.projects import workflows
from openstack_dashboard.api import keystone
workflows.CreateProjectQuotaAction.permissions = ((
"openstack.roles.admin",
"openstack.roles.cloud_admin"
),
"openstack.services.compute")
workflows.UpdateProjectQuotaAction.permissions = ((
"openstack.roles.admin",
"openstack.roles.cloud_admin"
),
"openstack.services.compute")
# expose host aggregates to cloud_admin
# Default permissions for admin_dashboard are not set
# if POLICY_CHECK_FUNCTION is set:
# https://review.openstack.org/#/c/123741/ ... admin/dashboard.py
# We will set admin_dashboard.permissions here:
admin_dashboard = horizon.get_dashboard("admin")
# set admin dashboard visible to both admin, and cloud_admin
admin_dashboard.permissions = (('openstack.roles.admin',
'openstack.roles.cloud_admin',),)
# expose various panels to cloud_admin that require extra perms
for apanel in ['hypervisors', 'instances']:
panel = admin_dashboard.get_panel(apanel)
panel_permissions = list(getattr(panel, 'permissions', []))
# perms already has admin, it's a similar case as with the dashboard
panel_permissions[0] = (panel_permissions[0],) + \
('openstack.roles.cloud_admin',)
panel.permissions = tuple(panel_permissions)
# hide specific admin panels from cloud_admin
admin_panels_to_remove = ['info', 'metadata_defs', 'networks', 'routers',
'aggregates']
for p in admin_panels_to_remove:
panel = admin_dashboard.get_panel(p)
panel_permissions = list(getattr(panel, 'permissions', []))
panel_permissions.append('openstack.roles.admin')
panel.permissions = tuple(panel_permissions)
# hide identity/domains panel from non full admins
identity_dashboard = horizon.get_dashboard('identity')
domains = identity_dashboard.get_panel('domains')
domains_permissions = list(getattr(domains, 'permissions', []))
domains_permissions.append('openstack.roles.admin')
domains.permissions = tuple(domains_permissions)
# hide project/stacks/resource types panel from non full admins
project_dashboard = horizon.get_dashboard('project')
resource_types = project_dashboard.get_panel('stacks.resource_types')
resource_type_permissions = list(getattr(resource_types, 'permissions', []))
resource_type_permissions.append('openstack.roles.admin')
resource_types.permissions = tuple(resource_type_permissions)
original_get_default_domain = keystone.get_default_domain
# Set federated user domain
# This a work around for this bug https://bugs.launchpad.net/horizon/+bug/1627062
def _new_get_default_domain(request, get_name=True):
domain = original_get_default_domain(request, get_name)
if request.user.is_federated:
# If user is federated, we should use the domain of the project
# that the user is scoped to.
project = keystone.tenant_get(request, request.user.project_id)
domain.id = project.domain_id
domain.name = keystone.domain_get(request, domain.id).name
return domain
keystone.get_default_domain = _new_get_default_domain