Migration logic for neutron policy-in-code
Neutron is in the process of migrating to policy-in-code. DevStack needs to be able to handle both cases, with and without policy.json in the neutron repo. Note that nova assumes neutron API access with admin, so user_name:neutron needs to be included in context_is_admin to make DevStack work properly. Hopefully this can be cleaned up, but that is a separate topic from policy-in-code. Needed-By: https://review.openstack.org/#/c/585037/ Change-Id: Id1b0600d92e839ade1790a15c372e82e8e16ee9f
parent
0c6208c6a0
commit
80769c5714
@ -183,9 +183,14 @@ function configure_neutron_new {
|
|||||||
# Neutron API server & Neutron plugin
|
# Neutron API server & Neutron plugin
|
||||||
if is_service_enabled neutron-api; then
|
if is_service_enabled neutron-api; then
|
||||||
local policy_file=$NEUTRON_CONF_DIR/policy.json
|
local policy_file=$NEUTRON_CONF_DIR/policy.json
|
||||||
cp $NEUTRON_DIR/etc/policy.json $policy_file
|
|
||||||
# Allow neutron user to administer neutron to match neutron account
|
# Allow neutron user to administer neutron to match neutron account
|
||||||
|
# NOTE(amotoki): This is required for nova works correctly with neutron.
|
||||||
|
if [ -f $NEUTRON_DIR/etc/policy.json ]; then
|
||||||
|
cp $NEUTRON_DIR/etc/policy.json $policy_file
|
||||||
sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $policy_file
|
sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $policy_file
|
||||||
|
else
|
||||||
|
echo '{"context_is_admin": "role:admin or user_name:neutron"}' > $policy_file
|
||||||
|
fi
|
||||||
|
|
||||||
cp $NEUTRON_DIR/etc/api-paste.ini $NEUTRON_CONF_DIR/api-paste.ini
|
cp $NEUTRON_DIR/etc/api-paste.ini $NEUTRON_CONF_DIR/api-paste.ini
|
||||||
|
|
||||||
|
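Review bot: The `user_name:neutron` term written by both the `sed` branch and the new `echo` branch grants admin context on user name alone, and the added NOTE does not record that limitation. User names are unique only within a Keystone domain, so a same-named account in another domain would presumably satisfy the rule as well; that is tolerable in a DevStack sandbox but risky if this policy is copied elsewhere. I would extend the comment above the `if`, e.g. `# NOTE: matches on user name only (not domain- or role-scoped); DevStack convenience, do not reuse in a production policy.` The same rule is written in the `_configure_neutron_common` hunk, and `configure_neutron_new` continues outside this hunk.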
@ -699,10 +699,15 @@ function _configure_neutron_common {
|
|||||||
cp $NEUTRON_DIR/etc/neutron.conf.sample $NEUTRON_CONF
|
cp $NEUTRON_DIR/etc/neutron.conf.sample $NEUTRON_CONF
|
||||||
|
|
||||||
Q_POLICY_FILE=$NEUTRON_CONF_DIR/policy.json
|
Q_POLICY_FILE=$NEUTRON_CONF_DIR/policy.json
|
||||||
cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE
|
|
||||||
|
|
||||||
# allow neutron user to administer neutron to match neutron account
|
# allow neutron user to administer neutron to match neutron account
|
||||||
|
# NOTE(amotoki): This is required for nova works correctly with neutron.
|
||||||
|
if [ -f $NEUTRON_DIR/etc/policy.json ]; then
|
||||||
|
cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE
|
||||||
sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE
|
sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE
|
||||||
|
else
|
||||||
|
echo '{"context_is_admin": "role:admin or user_name:neutron"}' > $Q_POLICY_FILE
|
||||||
|
fi
|
||||||
|
|
||||||
# Set plugin-specific variables ``Q_DB_NAME``, ``Q_PLUGIN_CLASS``.
|
# Set plugin-specific variables ``Q_DB_NAME``, ``Q_PLUGIN_CLASS``.
|
||||||
# For main plugin config file, set ``Q_PLUGIN_CONF_PATH``, ``Q_PLUGIN_CONF_FILENAME``.
|
# For main plugin config file, set ``Q_PLUGIN_CONF_PATH``, ``Q_PLUGIN_CONF_FILENAME``.
|
||||||
|
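Review bot: Nothing after the new `fi` confirms that the admin override actually landed in `$Q_POLICY_FILE`. In the `if` branch the `sed` expression only matches the exact text `"context_is_admin": "role:admin"`, so if the repo's policy.json ever words that rule differently the substitution is a silent no-op and nova's calls to neutron fail later with no pointer back to this step. A single check after the `fi` would make that visible at stack time: `grep -q 'user_name:neutron' $Q_POLICY_FILE || die $LINENO "context_is_admin override not applied to $Q_POLICY_FILE"`. The same applies to `$policy_file` in the `configure_neutron_new` hunk, and `_configure_neutron_common` continues outside this hunk.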