diff options
| author | Radomir Dopieralski <openstack@sheep.art.pl> | 2021-11-22 13:42:29 +0100 |
|---|---|---|
| committer | Vishal Manchanda <manchandavishal143@gmail.com> | 2022-03-24 17:32:13 +0000 |
| commit | f5620931d6de2a1951a7c76edd5b2ec801b32f0a (patch) | |
| tree | 89b558296c012de33b990bdc83463145ef2592d4 | |
| parent | dddb33a0a852a1f8d4357df058fd0b2cbbe04499 (diff) | |
| download | horizon-f5620931d6de2a1951a7c76edd5b2ec801b32f0a.tar.gz | |
Add SYSTEM_SCOPE_SERVICES setting that hides panels
Since not all services are ready to use the system scope token,
we need a way to disable and enable the use of system scope
token on a per-service basis. This setting let us configure
which services should use the system scope token. By default
the list is empty and system scope token is not used at all.
Change-Id: I5e0cdc7288221571f183a37b800c19dc4cff5707
(cherry picked from commit 6c814b241d7465113a6edfc023fa6ef9314f4591)
20 files changed, 131 insertions, 3 deletions
diff --git a/doc/source/configuration/settings.rst b/doc/source/configuration/settings.rst index 0d577c1bc..7c84f656f 100644 --- a/doc/source/configuration/settings.rst +++ b/doc/source/configuration/settings.rst @@ -2656,3 +2656,16 @@ generated ``kubeconfig`` file. .. seealso:: `KUBECONFIG_ENABLED`_ to enable the ``kubeconfig`` file generation. + + +SYSTEM_SCOPE_SERVICES +--------------------- +.. versionadded:: 21.1.0(Yoga) + +Default: ``[]`` + +A list of names of services for which the system scope token should be used. +If empty, system scope will be removed from the context switching menu. If not +empty, the context switching menu will show a "system scope" option, and the +admin panels for the services listed will be moved to that context, no longer +showing up in the project context. diff --git a/openstack_dashboard/dashboards/admin/aggregates/panel.py b/openstack_dashboard/dashboards/admin/aggregates/panel.py index 4d553ea87..315bef2e0 100644 --- a/openstack_dashboard/dashboards/admin/aggregates/panel.py +++ b/openstack_dashboard/dashboards/admin/aggregates/panel.py @@ -12,6 +12,7 @@ import logging +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -25,3 +26,9 @@ class Aggregates(horizon.Panel): slug = 'aggregates' policy_rules = (("compute", "compute_extension:aggregates"),) permissions = ('openstack.services.compute',) + + def allowed(self, context): + if (('compute' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/defaults/panel.py b/openstack_dashboard/dashboards/admin/defaults/panel.py index 9dfee0267..2d9597388 100644 --- a/openstack_dashboard/dashboards/admin/defaults/panel.py +++ b/openstack_dashboard/dashboards/admin/defaults/panel.py @@ -12,6 +12,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -22,3 +23,9 @@ class Defaults(horizon.Panel): slug = 'defaults' policy_rules = (("compute", "context_is_admin"), ("volume", "context_is_admin"),) + + def allowed(self, context): + if (('compute' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/flavors/panel.py b/openstack_dashboard/dashboards/admin/flavors/panel.py index 772e73aed..3cf3203b4 100644 --- a/openstack_dashboard/dashboards/admin/flavors/panel.py +++ b/openstack_dashboard/dashboards/admin/flavors/panel.py @@ -16,6 +16,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -26,3 +27,9 @@ class Flavors(horizon.Panel): slug = 'flavors' permissions = ('openstack.services.compute',) policy_rules = (("compute", "context_is_admin"),) + + def allowed(self, context): + if (('compute' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/floating_ips/panel.py b/openstack_dashboard/dashboards/admin/floating_ips/panel.py index 9d117b077..3a8e5b80a 100644 --- a/openstack_dashboard/dashboards/admin/floating_ips/panel.py +++ b/openstack_dashboard/dashboards/admin/floating_ips/panel.py @@ -13,6 +13,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -30,3 +31,9 @@ class AdminFloatingIps(horizon.Panel): def can_register(): return setting_utils.get_dict_config( 'OPENSTACK_NEUTRON_NETWORK', 'enable_router') + + def allowed(self, context): + if (('network' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/hypervisors/panel.py b/openstack_dashboard/dashboards/admin/hypervisors/panel.py index 5b29a5ec4..d02097bf9 100644 --- a/openstack_dashboard/dashboards/admin/hypervisors/panel.py +++ b/openstack_dashboard/dashboards/admin/hypervisors/panel.py @@ -12,6 +12,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -22,3 +23,9 @@ class Hypervisors(horizon.Panel): slug = 'hypervisors' permissions = ('openstack.services.compute',) policy_rules = (("compute", "os_compute_api:os-hypervisors"),) + + def allowed(self, context): + if (('compute' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/images/panel.py b/openstack_dashboard/dashboards/admin/images/panel.py index 2f6505ba9..b6f9a55ff 100644 --- a/openstack_dashboard/dashboards/admin/images/panel.py +++ b/openstack_dashboard/dashboards/admin/images/panel.py @@ -16,6 +16,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -27,3 +28,9 @@ class Images(horizon.Panel): permissions = ('openstack.services.image',) policy_rules = ((("image", "context_is_admin"), ("image", "get_images")),) + + def allowed(self, context): + if (('compute' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/info/panel.py b/openstack_dashboard/dashboards/admin/info/panel.py index d314a8fd4..9aa04aff2 100644 --- a/openstack_dashboard/dashboards/admin/info/panel.py +++ b/openstack_dashboard/dashboards/admin/info/panel.py @@ -16,6 +16,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -27,3 +28,9 @@ class Info(horizon.Panel): policy_rules = (("compute", "context_is_admin"), ("volume", "context_is_admin"), ("network", "context_is_admin"),) + + def allowed(self, context): + if (('compute' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/instances/panel.py b/openstack_dashboard/dashboards/admin/instances/panel.py index b0eb71169..0a4c21b97 100644 --- a/openstack_dashboard/dashboards/admin/instances/panel.py +++ b/openstack_dashboard/dashboards/admin/instances/panel.py @@ -16,6 +16,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -27,3 +28,9 @@ class Instances(horizon.Panel): permissions = ('openstack.services.compute',) policy_rules = ((("compute", "context_is_admin"), ("compute", "os_compute_api:servers:detail")),) + + def allowed(self, context): + if (('compute' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/metadata_defs/panel.py b/openstack_dashboard/dashboards/admin/metadata_defs/panel.py index 3baa4b1e1..32d8f7892 100644 --- a/openstack_dashboard/dashboards/admin/metadata_defs/panel.py +++ b/openstack_dashboard/dashboards/admin/metadata_defs/panel.py @@ -13,6 +13,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -30,3 +31,9 @@ class MetadataDefinitions(horizon.Panel): @staticmethod def can_register(): return glance.VERSIONS.active >= 2 + + def allowed(self, context): + if (('image' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/networks/panel.py b/openstack_dashboard/dashboards/admin/networks/panel.py index f1ce7638e..821ce2101 100644 --- a/openstack_dashboard/dashboards/admin/networks/panel.py +++ b/openstack_dashboard/dashboards/admin/networks/panel.py @@ -12,6 +12,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -22,3 +23,9 @@ class Networks(horizon.Panel): slug = 'networks' permissions = ('openstack.services.network',) policy_rules = (("network", "context_is_admin"),) + + def allowed(self, context): + if (('network' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/overview/panel.py b/openstack_dashboard/dashboards/admin/overview/panel.py index afd55aa39..b7f67a673 100644 --- a/openstack_dashboard/dashboards/admin/overview/panel.py +++ b/openstack_dashboard/dashboards/admin/overview/panel.py @@ -16,6 +16,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -30,5 +31,11 @@ class Overview(horizon.Panel): ('compute', 'context_is_admin')),) permissions = ('openstack.services.compute',) + def allowed(self, context): + if (('compute' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) + dashboard.Admin.register(Overview) diff --git a/openstack_dashboard/dashboards/admin/rbac_policies/panel.py b/openstack_dashboard/dashboards/admin/rbac_policies/panel.py index 18a7a6f57..b3198db39 100644 --- a/openstack_dashboard/dashboards/admin/rbac_policies/panel.py +++ b/openstack_dashboard/dashboards/admin/rbac_policies/panel.py @@ -12,6 +12,7 @@ import logging +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -29,6 +30,9 @@ class RBACPolicies(horizon.Panel): policy_rules = (("network", "context_is_admin"),) def allowed(self, context): + if (('network' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False request = context['request'] try: return ( diff --git a/openstack_dashboard/dashboards/admin/routers/panel.py b/openstack_dashboard/dashboards/admin/routers/panel.py index 3dc5444b1..304737e24 100644 --- a/openstack_dashboard/dashboards/admin/routers/panel.py +++ b/openstack_dashboard/dashboards/admin/routers/panel.py @@ -12,6 +12,7 @@ # License for the specific language governing permissions and limitations # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -29,3 +30,9 @@ class Routers(horizon.Panel): def can_register(): return setting_utils.get_dict_config( 'OPENSTACK_NEUTRON_NETWORK', 'enable_router') + + def allowed(self, context): + if (('network' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().allowed(context) diff --git a/openstack_dashboard/dashboards/admin/trunks/panel.py b/openstack_dashboard/dashboards/admin/trunks/panel.py index 8d5f702a0..b312c72f5 100644 --- a/openstack_dashboard/dashboards/admin/trunks/panel.py +++ b/openstack_dashboard/dashboards/admin/trunks/panel.py @@ -14,6 +14,7 @@ import logging +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -30,6 +31,9 @@ class Trunks(horizon.Panel): policy_rules = (("trunk", "context_is_admin"),) def allowed(self, context): + if (('network' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False request = context['request'] try: return ( diff --git a/openstack_dashboard/dashboards/identity/dashboard.py b/openstack_dashboard/dashboards/identity/dashboard.py index 63d61bf56..9e2893fff 100644 --- a/openstack_dashboard/dashboards/identity/dashboard.py +++ b/openstack_dashboard/dashboards/identity/dashboard.py @@ -13,6 +13,7 @@ # under the License. +from django.conf import settings from django.utils.translation import gettext_lazy as _ import horizon @@ -22,5 +23,11 @@ class Identity(horizon.Dashboard): name = _("Identity") slug = "identity" + def can_access(self, context): + if (('identity' in settings.SYSTEM_SCOPE_SERVICES) != + bool(context['request'].user.system_scoped)): + return False + return super().can_access(context) + horizon.register(Identity) diff --git a/openstack_dashboard/defaults.py b/openstack_dashboard/defaults.py index 30d7785b8..4ed8d1fc5 100644 --- a/openstack_dashboard/defaults.py +++ b/openstack_dashboard/defaults.py @@ -551,3 +551,8 @@ REST_API_ADDITIONAL_SETTINGS = [] KUBECONFIG_ENABLED = False KUBECONFIG_KUBERNETES_URL = "" KUBECONFIG_CERTIFICATE_AUTHORITY_DATA = "" + + +# Services may require a System Scope token for certain operations. This +# settings enables the use of the system scope token on per-service basis. +SYSTEM_SCOPE_SERVICES = [] diff --git a/openstack_dashboard/templates/header/_context_selection.html b/openstack_dashboard/templates/header/_context_selection.html index e75b2962f..080b8a381 100644 --- a/openstack_dashboard/templates/header/_context_selection.html +++ b/openstack_dashboard/templates/header/_context_selection.html @@ -31,8 +31,8 @@ {% endif %} - {% is_system_user as system_user %} - {% if system_user %} + {% show_systems as system_scope_enabled %} + {% if system_scope_enabled %} <li> {% show_system_list %} </li> diff --git a/openstack_dashboard/templatetags/context_selection.py b/openstack_dashboard/templatetags/context_selection.py index 08cf1b903..afcdaa933 100644 --- a/openstack_dashboard/templatetags/context_selection.py +++ b/openstack_dashboard/templatetags/context_selection.py @@ -42,7 +42,9 @@ def is_multidomain(): @register.simple_tag(takes_context=True) -def is_system_user(context): +def show_systems(context): + if not settings.SYSTEM_SCOPE_SERVICES: + return False try: request = context['request'] except KeyError: diff --git a/releasenotes/notes/feature-system-scope-a88a07b7f414b3d6.yaml b/releasenotes/notes/feature-system-scope-a88a07b7f414b3d6.yaml new file mode 100644 index 000000000..dc02a760e --- /dev/null +++ b/releasenotes/notes/feature-system-scope-a88a07b7f414b3d6.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + Horizon can now use a system scope token when performing admin operations. + To enable that, a new setting, SYSTEM_SCOPE_SERVICES, has to list the + OpenStack services for which this feature is to be enabled. When that + setting is not empty, a new option, "system scope" will appear in the + context switching menu, and the panels for the listed services will be + moved into that context in the main menu. |