Rework hardcoded policy in admin dash
Since the content in a Dashboard is not hardcoded, having hardcoded
policy checks to specific services at the dashboard level is wrong.
The Dashboard was designed to evaluate all panels to determine policy
so this type of thing could be avoided. This patch moves the content
specific policy checks to the panels where they apply.

Additionally, this fix uncovered another bug where policy_rules are
wrapped in a list regardless of format. This patch adds a check and
only wraps where necessary.

Change-Id: I79314a45c3c552ebcb3bb7cc881c2467fa009c5d
Closes-Bug: #1643013
Closes-Bug: #1643074
(cherry picked from commit 43e9df8)
dklyle authored and Rob Cresswell committed Dec 5, 2016
1 parent 27fb742 commit 51a039e
Showing 14 changed files with 25 additions and 5 deletions.
5 changes: 4 additions & 1 deletion horizon/base.py
Expand Up @@ -150,7 +150,10 @@ def _can_access(self, request):
# default in the policy engine, so calling each rule individually
if policy_check and self.policy_rules:
for rule in self.policy_rules:
if policy_check((rule,), request):
rule_param = rule
if not any(isinstance(r, (list, tuple)) for r in rule):
rule_param = list(rule)
if policy_check(rule_param, request):
return True
return False
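Review bot: In `_can_access`, `rule_param = list(rule)` does not wrap a flat rule; it turns a pair such as `("compute", "context_is_admin")` into the two-string list `["compute", "context_is_admin"]`, whereas the removed line passed `(rule,)`, a one-element sequence holding the pair. The commit message says rules should be wrapped only where necessary, so the line looks like it should read `rule_param = (rule,)`. How `policy_check` treats a flat list of strings is not visible here, but every flat `policy_rules` entry added in the panel files of this commit goes through this branch, so panel access decisions depend on it; a unit test calling `_can_access` with one flat and one nested rule would pin the expected shape. The function starts above the hunk.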

1 change: 1 addition & 0 deletions openstack_dashboard/dashboards/admin/aggregates/panel.py
Expand Up @@ -24,6 +24,7 @@
class Aggregates(horizon.Panel):
name = _("Host Aggregates")
slug = 'aggregates'
policy_rules = (("compute", "compute_extension:aggregates"),)
permissions = ('openstack.services.compute',)

def allowed(self, context):
2 changes: 2 additions & 0 deletions openstack_dashboard/dashboards/admin/defaults/panel.py
Expand Up @@ -20,3 +20,5 @@
class Defaults(horizon.Panel):
name = _("Defaults")
slug = 'defaults'
policy_rules = (("compute", "context_is_admin"),
("volume", "context_is_admin"),)
1 change: 1 addition & 0 deletions openstack_dashboard/dashboards/admin/flavors/panel.py
Expand Up @@ -25,3 +25,4 @@ class Flavors(horizon.Panel):
name = _("Flavors")
slug = 'flavors'
permissions = ('openstack.services.compute',)
policy_rules = (("compute", "context_is_admin"),)
1 change: 1 addition & 0 deletions openstack_dashboard/dashboards/admin/floating_ips/panel.py
Expand Up @@ -23,6 +23,7 @@ class AdminFloatingIps(horizon.Panel):
name = _("Floating IPs")
slug = 'floating_ips'
permissions = ('openstack.services.network', )
policy_rules = (("network", "context_is_admin"),)

@staticmethod
def can_register():
3 changes: 2 additions & 1 deletion openstack_dashboard/dashboards/admin/images/panel.py
Expand Up @@ -25,4 +25,5 @@ class Images(horizon.Panel):
name = _("Images")
slug = 'images'
permissions = ('openstack.services.image',)
policy_rules = (("image", "get_images"),)
policy_rules = ((("image", "context_is_admin"),
("image", "get_images")),)
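Review bot: The nested form of `policy_rules` here carries a different meaning from the flat form used in the other panels, and nothing in the file says so. Going by the comment in `horizon/base.py` in this commit, top-level entries are checked one at a time (OR), while a nested entry is handed to the policy engine whole, which that comment describes as an AND check by default. A comment above the assignment such as `# Nested tuple: context_is_admin AND get_images must both pass; top-level entries are ORed.` would keep a later edit from flattening it and widening access to the panel. The same applies to the nested rules in the instances, metadata_defs and overview panel files.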
4 changes: 4 additions & 0 deletions openstack_dashboard/dashboards/admin/info/panel.py
Expand Up @@ -24,3 +24,7 @@
class Info(horizon.Panel):
name = _("System Information")
slug = 'info'
policy_rules = (("compute", "context_is_admin"),
("volume", "context_is_admin"),
("network", "context_is_admin"),
("orchestation", "context_is_admin"),)
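Review bot: The last entry of `policy_rules` spells the scope `"orchestation"`; it should read `("orchestration", "context_is_admin"),)`. Because `_can_access` in `horizon/base.py` returns on the first rule that passes, the other three entries can likely still grant access, so the misspelling would go unnoticed in normal use. How the policy check handles an unknown scope is not shown on this page, so whether this entry fails closed or raises needs checking.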
3 changes: 2 additions & 1 deletion openstack_dashboard/dashboards/admin/instances/panel.py
Expand Up @@ -25,4 +25,5 @@ class Instances(horizon.Panel):
name = _("Instances")
slug = 'instances'
permissions = ('openstack.services.compute',)
policy_rules = (("compute", "compute:get_all"),)
policy_rules = ((("compute", "context_is_admin"),
("compute", "compute:get_all")),)
3 changes: 2 additions & 1 deletion openstack_dashboard/dashboards/admin/metadata_defs/panel.py
Expand Up @@ -23,7 +23,8 @@
class MetadataDefinitions(horizon.Panel):
name = _("Metadata Definitions")
slug = 'metadata_defs'
policy_rules = (("image", "get_metadef_namespaces"),)
policy_rules = ((("image", "context_is_admin"),
("image", "get_metadef_namespaces")),)
permissions = ('openstack.services.image',)

@staticmethod
1 change: 1 addition & 0 deletions openstack_dashboard/dashboards/admin/networks/panel.py
Expand Up @@ -21,3 +21,4 @@ class Networks(horizon.Panel):
name = _("Networks")
slug = 'networks'
permissions = ('openstack.services.network',)
policy_rules = (("network", "context_is_admin"),)
1 change: 1 addition & 0 deletions openstack_dashboard/dashboards/admin/ngflavors/panel.py
Expand Up @@ -22,3 +22,4 @@ class NGFlavors(horizon.Panel):
name = _("Flavors")
slug = 'ngflavors'
permissions = ('openstack.services.compute',)
policy_rules = (("compute", "context_is_admin"),)
3 changes: 2 additions & 1 deletion openstack_dashboard/dashboards/admin/overview/panel.py
Expand Up @@ -26,7 +26,8 @@
class Overview(horizon.Panel):
name = _("Overview")
slug = 'overview'
policy_rules = (('identity', 'identity:list_projects'),)
policy_rules = ((('identity', 'identity:list_projects'),
('compute', 'context_is_admin')),)
permissions = ('openstack.services.compute',)


1 change: 1 addition & 0 deletions openstack_dashboard/dashboards/admin/routers/panel.py
Expand Up @@ -22,6 +22,7 @@ class Routers(horizon.Panel):
name = _("Routers")
slug = 'routers'
permissions = ('openstack.services.network',)
policy_rules = (("network", "context_is_admin"),)

@staticmethod
def can_register():
1 change: 1 addition & 0 deletions openstack_dashboard/dashboards/admin/volumes/panel.py
Expand Up @@ -21,3 +21,4 @@ class Volumes(horizon.Panel):
permissions = (
('openstack.services.volume', 'openstack.services.volumev2'),
)
policy_rules = (("volume", "context_is_admin"),)
