f7f7690444
In preparation for the STX-Openstack upversion to ANTELOPE, there's a need to decouple the Openstack packages from the Platform ones, so that the development can occur without impacting the current version. This decoupling allows the platform and applications to leverage different versions of OpenStack releases for their respective packages. On this upversion process, we can't upversion one package at a time, since that would certainly break the build, testing and usage of StarlingX. We need to have a way in which the development of STX-O can occur without impacting the rest of the platform. To achieve this, a new folder named "openstack" has been created under the openstack-armada-app repo, containing all packages from the upstream repository, under the openstack folder [1]. This ensures that the ongoing upversion process does not disrupt the platform's functionalities and prevents any potential breakages during the transition. It should be noted that this change only serves as a placeholder for future upversions and does not impact the current packages, as they're not going to be delivered to the ISO, or the STX-O Helm charts, until the upversion is completed. This commit lays the groundwork for future work on the STX-O upversion, promoting flexibility and modularization within the StarlingX packages. The SRC_DIR and the BASE_SRCREV were updated for each package in order for the build to work. The BASE_SRCREV was set to the latest merged change by the time that this review was created [2] After the work on the upversion and the STX-O clients containerization is done, the 48138 task (under this same story) can be worked on to completely remove the STX-O clients from the platform. [1] https://opendev.org/starlingx/upstream/src/branch/master/openstack [2] https://review.opendev.org/c/starlingx/openstack-armada-app/+/885301 Test Plan: PASS: Make sure that the packages are not found if they're commented on the debian_pkg_dirs file PASS: Make sure that the images are not found if they're commented on the debian_stable_docker_images.inc PASS: Make sure packages can be build: - openstack-pkg-tools - rabbitmq-server - python-wsme - openstack-ras - python-openstacksdk - python-oslo-messaging - python-osc-lib - barbican - keystone - horizon - python-aodhclient - python-barbicanclient - python-cinderclient - python-glanceclient - python-gnocchiclient - python-heatclient - python-ironicclient - python-keystoneclient - python-neutronclient - python-novaclient - python-openstackclient - python-pankoclient PASS: Make sure images can be build: - stx-aodh - stx-ironic - stx-barbican - stx-ceilometer - stx-cinder - stx-glance - stx-gnocchi - stx-heat - stx-horizon - stx-keystone - stx-neutron - stx-nova - stx-openstackclients - stx-placement - stx-platformclients Story: 2010774 Task: 48115 Change-Id: I077a814382fb21bd4b36fac7c20ee041718433f3 Signed-off-by: Lucas de Ataides <lucas.deataidesbarreto@windriver.com>
161 lines
6.1 KiB
Diff
161 lines
6.1 KiB
Diff
From 218ede4b67d7a19c8ddb5e39d68de402523c05e5 Mon Sep 17 00:00:00 2001
|
|
From: Takamasa Takenaka <takamasa.takenaka@windriver.com>
|
|
Date: Mon, 6 Dec 2021 16:04:00 -0300
|
|
Subject: [PATCH] Use policy_rules for user role assignment and group tabs
|
|
|
|
This patch is ported from the following patches:
|
|
- https://review.opendev.org/c/openstack/horizon/+/775014
|
|
- https://review.opendev.org/c/openstack/horizon/+/783307
|
|
|
|
Signed-off-by: Takamasa Takenaka <takamasa.takenaka@windriver.com>
|
|
---
|
|
horizon/tabs/base.py | 15 ++++++++--
|
|
horizon/test/unit/tabs/test_tabs.py | 30 +++++++++++++++++--
|
|
.../dashboards/identity/users/tabs.py | 2 ++
|
|
3 files changed, 41 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/horizon/tabs/base.py b/horizon/tabs/base.py
|
|
index 5ef7fdd..9a511f0 100644
|
|
--- a/horizon/tabs/base.py
|
|
+++ b/horizon/tabs/base.py
|
|
@@ -23,6 +23,7 @@ from django.utils import module_loading
|
|
|
|
from horizon import exceptions
|
|
from horizon.utils import html
|
|
+from horizon.utils import settings as utils_settings
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
@@ -307,8 +308,9 @@ class Tab(html.HTMLElement):
|
|
preload = True
|
|
_active = None
|
|
permissions = []
|
|
+ policy_rules = None
|
|
|
|
- def __init__(self, tab_group, request=None):
|
|
+ def __init__(self, tab_group, request=None, policy_rules=None):
|
|
super(Tab, self).__init__()
|
|
# Priority: constructor, class-defined, fallback
|
|
if not self.name:
|
|
@@ -321,6 +323,7 @@ class Tab(html.HTMLElement):
|
|
self._allowed = self.allowed(request) and (
|
|
self._has_permissions(request))
|
|
self._enabled = self.enabled(request)
|
|
+ self.policy_rules = policy_rules or []
|
|
|
|
def __repr__(self):
|
|
return "<%s: %s>" % (self.__class__.__name__, self.slug)
|
|
@@ -437,9 +440,15 @@ class Tab(html.HTMLElement):
|
|
|
|
Tab instances can override this method to specify conditions under
|
|
which this tab should not be shown at all by returning ``False``.
|
|
-
|
|
- The default behavior is to return ``True`` for all cases.
|
|
"""
|
|
+ if not self.policy_rules:
|
|
+ return True
|
|
+
|
|
+ policy_check = utils_settings.import_setting("POLICY_CHECK_FUNCTION")
|
|
+
|
|
+ if policy_check:
|
|
+ return policy_check(self.policy_rules, request)
|
|
+
|
|
return True
|
|
|
|
def post(self, request, *args, **kwargs):
|
|
diff --git a/horizon/test/unit/tabs/test_tabs.py b/horizon/test/unit/tabs/test_tabs.py
|
|
index 2f009e8..c499301 100644
|
|
--- a/horizon/test/unit/tabs/test_tabs.py
|
|
+++ b/horizon/test/unit/tabs/test_tabs.py
|
|
@@ -65,9 +65,16 @@ class TabDisallowed(BaseTestTab):
|
|
return False
|
|
|
|
|
|
+class TabWithPolicy(BaseTestTab):
|
|
+ slug = "tab_with_policy"
|
|
+ name = "tab only visible to admin"
|
|
+ template_name = "_tab.html"
|
|
+ policy_rules = (("compute", "role:admin"),)
|
|
+
|
|
+
|
|
class Group(horizon_tabs.TabGroup):
|
|
slug = "tab_group"
|
|
- tabs = (TabOne, TabDelayed, TabDisabled, TabDisallowed)
|
|
+ tabs = (TabOne, TabDelayed, TabDisabled, TabDisallowed, TabWithPolicy)
|
|
sticky = True
|
|
|
|
def tabs_not_available(self):
|
|
@@ -126,15 +133,19 @@ class TabWithTableView(horizon_tabs.TabbedTableView):
|
|
|
|
|
|
class TabTests(test.TestCase):
|
|
+ @override_settings(POLICY_CHECK_FUNCTION=lambda *args: True)
|
|
def test_tab_group_basics(self):
|
|
tg = Group(self.request)
|
|
|
|
# Test tab instantiation/attachment to tab group, and get_tabs method
|
|
tabs = tg.get_tabs()
|
|
# "tab_disallowed" should NOT be in this list.
|
|
+ # "tab_with_policy" should be present, since our policy check
|
|
+ # always passes
|
|
self.assertQuerysetEqual(tabs, ['<TabOne: tab_one>',
|
|
'<TabDelayed: tab_delayed>',
|
|
- '<TabDisabled: tab_disabled>'])
|
|
+ '<TabDisabled: tab_disabled>',
|
|
+ '<TabWithPolicy: tab_with_policy>'])
|
|
# Test get_id
|
|
self.assertEqual("tab_group", tg.get_id())
|
|
# get_default_classes
|
|
@@ -149,6 +160,19 @@ class TabTests(test.TestCase):
|
|
# Test get_selected_tab is None w/o GET input
|
|
self.assertIsNone(tg.get_selected_tab())
|
|
|
|
+ @override_settings(POLICY_CHECK_FUNCTION=lambda *args: False)
|
|
+ def test_failed_tab_policy(self):
|
|
+ tg = Group(self.request)
|
|
+
|
|
+ # Test tab instantiation/attachment to tab group, and get_tabs method
|
|
+ tabs = tg.get_tabs()
|
|
+ # "tab_disallowed" should NOT be in this list, it's not allowed
|
|
+ # "tab_with_policy" should also not be present as its
|
|
+ # policy check failed
|
|
+ self.assertQuerysetEqual(tabs, ['<TabOne: tab_one>',
|
|
+ '<TabDelayed: tab_delayed>',
|
|
+ '<TabDisabled: tab_disabled>'])
|
|
+
|
|
@test.update_settings(
|
|
HORIZON_CONFIG={'extra_tabs': {
|
|
'horizon.test.unit.tabs.test_tabs.GroupWithConfig': (
|
|
@@ -251,7 +275,7 @@ class TabTests(test.TestCase):
|
|
# tab group
|
|
output = tg.render()
|
|
res = http.HttpResponse(output.strip())
|
|
- self.assertContains(res, "<li", 3)
|
|
+ self.assertContains(res, "<li", 4)
|
|
|
|
# stickiness
|
|
self.assertContains(res, 'data-sticky-tabs="sticky"', 1)
|
|
diff --git a/openstack_dashboard/dashboards/identity/users/tabs.py b/openstack_dashboard/dashboards/identity/users/tabs.py
|
|
index fe8fa3b..7427519 100644
|
|
--- a/openstack_dashboard/dashboards/identity/users/tabs.py
|
|
+++ b/openstack_dashboard/dashboards/identity/users/tabs.py
|
|
@@ -89,6 +89,7 @@ class RoleAssignmentsTab(tabs.TableTab):
|
|
slug = "roleassignments"
|
|
template_name = "horizon/common/_detail_table.html"
|
|
preload = False
|
|
+ policy_rules = (("identity", "identity:list_role_assignments"),)
|
|
|
|
def allowed(self, request):
|
|
return policy.check((("identity", "identity:list_role_assignments"),),
|
|
@@ -139,6 +140,7 @@ class GroupsTab(tabs.TableTab):
|
|
slug = "groups"
|
|
template_name = "horizon/common/_detail_table.html"
|
|
preload = False
|
|
+ policy_rules = (("identity", "identity:list_groups"),)
|
|
|
|
def allowed(self, request):
|
|
return policy.check((("identity", "identity:list_groups"),),
|
|
--
|
|
2.25.1
|
|
|