Enhance workflow actions with policy rules

Registered by Timur Sufiev on 2014-12-26

Summary
=======
Add policy rules mechanism to workflow actions for determining which workflow steps are visible for a specific user.

Motivation
========
Policy rules are a more flexible way (than permissions) to determine what Dashboards/Panels/Table actions are visible for the given user. But workflow actions (and thus workflow steps) do not use them. As a consequence, there are situations when according to the backend service policies (e.g. Neutron) an action represented by a workflow step is denied for the user (e.g. user is not permitted to create subnets), yet he sees the corresponding steps in Horizon, provides and submits the data which leads to an error from Neutron side. More appropriate behavior here for Horizon would be to not show to the user the workflow steps he is not able to complete - and if these steps are required for successfully completing the workflow, make him unable to start the workflow itself.

Description
=========
First, add additional policies check besides permissions when determining steps for the workflow. Then, if some visible steps depend on data contributed by the steps which has been filtered out, then rendering such workflow should fail from the beginning because it won't be possible to complete it.

UX
===
N/A

Testing
======
Add one test for testing the workflow step being filtered out by policy_rules. Fix existing workflow steps to pass successfully (mock policy.check function).

Outside Dependencies
==================
N/A.

Requirements Update Required
========================
N/A.

Doc Impact
=========
N/A

Blueprint information

Status:
Complete
Approver:
David Lyle
Priority:
Medium
Drafter:
Timur Sufiev
Direction:
Approved
Assignee:
Timur Sufiev
Definition:
Approved
Series goal:
Accepted for 10.0.0-newton
Implementation:
Implemented
Milestone target:
None
Started by
David Lyle on 2016-06-08
Completed by
David Lyle on 2016-10-28

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/add-policy-rules-to-workflow-actions,n,z

Addressed by: https://review.openstack.org/144152
    Enhance policy rules to workflow actions

Gerrit topic: https://review.openstack.org/#q,topic:bp/add-policy-rules-to-workflow-actions-patch5,n,z

Addressed by: https://review.openstack.org/144153
    Prevent creation of subnet via RBAC during new network creation

Addressed by: https://review.openstack.org/342323
    Revert "Prevent creation of subnet via RBAC during new network creation"

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.