Add custom policies in service.json

Include custom policy.json files in service-api.json.j2 files Change-Id: Ic55bfc6f61131aa72c3497ce8b2282056bcc7f92 Partially-Implements: blueprint custom-policies
2016-11-18 17:36:00 +00:00 · 2016-11-18 17:36:00 +00:00 · 775d8019b6
commit 775d8019b6
parent 58150b05ae
86 changed files with 603 additions and 1 deletions
--- a/ansible/roles/aodh/templates/aodh-api.json.j2
+++ b/ansible/roles/aodh/templates/aodh-api.json.j2
@ -14,6 +14,13 @@
            "dest": "/etc/{{ aodh_dir }}/wsgi-aodh.conf",
            "owner": "root",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/aodh/policy.json",
+            "owner": "aodh",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/aodh/templates/aodh-evaluator.json.j2
+++ b/ansible/roles/aodh/templates/aodh-evaluator.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/aodh/aodh.conf",
            "owner": "aodh",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/aodh/policy.json",
+            "owner": "aodh",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/aodh/templates/aodh-listener.json.j2
+++ b/ansible/roles/aodh/templates/aodh-listener.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/aodh/aodh.conf",
            "owner": "aodh",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/aodh/policy.json",
+            "owner": "aodh",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/aodh/templates/aodh-notifier.json.j2
+++ b/ansible/roles/aodh/templates/aodh-notifier.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/aodh/aodh.conf",
            "owner": "aodh",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/aodh/policy.json",
+            "owner": "aodh",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/barbican/templates/barbican-api.json.j2
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
@ -18,6 +18,13 @@
            "dest": "/etc/barbican/barbican-api-paste.ini",
            "owner": "barbican",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/barbican/policy.json",
+            "owner": "barbican",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2
+++ b/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/barbican/barbican.conf",
            "owner": "barbican",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/barbican/policy.json",
+            "owner": "barbican",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/barbican/templates/barbican-worker.json.j2
+++ b/ansible/roles/barbican/templates/barbican-worker.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/barbican/barbican.conf",
            "owner": "barbican",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/barbican/policy.json",
+            "owner": "barbican",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/ceilometer/templates/ceilometer-api.json.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer-api.json.j2
@ -15,6 +15,13 @@
            "dest": "/etc/{{ apache_dir }}/{{ apache_file }}",
            "owner": "ceilometer",
            "perm": "0644"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/ceilometer/policy.json",
+            "owner": "ceilometer",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/ceilometer/templates/ceilometer-central.json.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer-central.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/ceilometer/ceilometer.conf",
            "owner": "ceilometer",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/ceilometer/policy.json",
+            "owner": "ceilometer",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/ceilometer/templates/ceilometer-collector.json.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer-collector.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/ceilometer/ceilometer.conf",
            "owner": "ceilometer",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/ceilometer/policy.json",
+            "owner": "ceilometer",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/ceilometer/templates/ceilometer-compute.json.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer-compute.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/ceilometer/ceilometer.conf",
            "owner": "ceilometer",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/ceilometer/policy.json",
+            "owner": "ceilometer",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/ceilometer/templates/ceilometer-notification.json.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer-notification.json.j2
@ -24,6 +24,13 @@
            "dest": "/etc/ceilometer/pipeline.yaml",
            "owner": "ceilometer",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/ceilometer/policy.json",
+            "owner": "ceilometer",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/cinder/templates/cinder-api.json.j2
+++ b/ansible/roles/cinder/templates/cinder-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/cinder/cinder.conf",
            "owner": "cinder",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/cinder/policy.json",
+            "owner": "cinder",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/cinder/templates/cinder-backup.json.j2
+++ b/ansible/roles/cinder/templates/cinder-backup.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/cinder/cinder.conf",
            "owner": "cinder",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/cinder/policy.json",
+            "owner": "cinder",
+            "perm": "0600",
+            "optional": true
        }{% if cinder_backend_ceph | bool %},
        {
            "source": "{{ container_config_directory }}/ceph.*",
--- a/ansible/roles/cinder/templates/cinder-scheduler.json.j2
+++ b/ansible/roles/cinder/templates/cinder-scheduler.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/cinder/cinder.conf",
            "owner": "cinder",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/cinder/policy.json",
+            "owner": "cinder",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/cinder/templates/cinder-volume.json.j2
+++ b/ansible/roles/cinder/templates/cinder-volume.json.j2
@ -27,6 +27,13 @@
            "owner": "cinder",
            "perm": "0600",
            "optional": {{ (not enable_cinder_backend_nfs | bool) | string | lower }}
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/cinder/policy.json",
+            "owner": "cinder",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2
+++ b/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/cloudkitty/cloudkitty.conf",
            "owner": "cloudkitty",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/cloudkitty/policy.json",
+            "owner": "cloudkitty",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/cloudkitty/templates/cloudkitty-processor.json.j2
+++ b/ansible/roles/cloudkitty/templates/cloudkitty-processor.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/cloudkitty/cloudkitty.conf",
            "owner": "cloudkitty",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/cloudkitty/policy.json",
+            "owner": "cloudkitty",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/congress/templates/congress-api.json.j2
+++ b/ansible/roles/congress/templates/congress-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/congress/congress.conf",
            "owner": "congress",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/congress/policy.json",
+            "owner": "congress",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/congress/templates/congress-datasource.json.j2
+++ b/ansible/roles/congress/templates/congress-datasource.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/congress/congress.conf",
            "owner": "congress",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/congress/policy.json",
+            "owner": "congress",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/congress/templates/congress-policy-engine.json.j2
+++ b/ansible/roles/congress/templates/congress-policy-engine.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/congress/congress.conf",
            "owner": "congress",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/congress/policy.json",
+            "owner": "congress",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/glance/templates/glance-api.json.j2
+++ b/ansible/roles/glance/templates/glance-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/glance/glance-api.conf",
            "owner": "glance",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/glance/policy.json",
+            "owner": "glance",
+            "perm": "0600",
+            "optional": true
        }{% if glance_backend_ceph | bool %},
        {
            "source": "{{ container_config_directory }}/ceph.*",
--- a/ansible/roles/glance/templates/glance-registry.json.j2
+++ b/ansible/roles/glance/templates/glance-registry.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/glance/glance-registry.conf",
            "owner": "glance",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/glance/policy.json",
+            "owner": "glance",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/gnocchi/templates/gnocchi-api.json.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi-api.json.j2
@ -20,6 +20,13 @@
            "dest": "/etc/{{ gnocchi_dir }}/wsgi-gnocchi.conf",
            "owner": "gnocchi",
            "perm": "0644"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/gnocchi/policy.json",
+            "owner": "gnocchi",
+            "perm": "0600",
+            "optional": true
        }{% if gnocchi_backend_storage == 'ceph' %},
        {
            "source": "{{ container_config_directory }}/ceph.conf",
--- a/ansible/roles/gnocchi/templates/gnocchi-metricd.json.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi-metricd.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/gnocchi/gnocchi.conf",
            "owner": "gnocchi",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/gnocchi/policy.json",
+            "owner": "gnocchi",
+            "perm": "0600",
+            "optional": true
        }{% if gnocchi_backend_storage == 'ceph' %},
        {
            "source": "{{ container_config_directory }}/ceph.conf",
--- a/ansible/roles/gnocchi/templates/gnocchi-statsd.json.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi-statsd.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/gnocchi/gnocchi.conf",
            "owner": "gnocchi",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/gnocchi/policy.json",
+            "owner": "gnocchi",
+            "perm": "0600",
+            "optional": true
        }{% if gnocchi_backend_storage == 'ceph' %},
        {
            "source": "{{ container_config_directory }}/ceph.conf",
--- a/ansible/roles/heat/templates/heat-api-cfn.json.j2
+++ b/ansible/roles/heat/templates/heat-api-cfn.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/heat/heat.conf",
            "owner": "heat",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/heat/policy.json",
+            "owner": "heat",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/heat/templates/heat-api.json.j2
+++ b/ansible/roles/heat/templates/heat-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/heat/heat.conf",
            "owner": "heat",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/heat/policy.json",
+            "owner": "heat",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/heat/templates/heat-engine.json.j2
+++ b/ansible/roles/heat/templates/heat-engine.json.j2
@ -12,6 +12,13 @@
            "dest": "/etc/heat/environment.d/_deprecated.yaml",
            "owner": "heat",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/heat/policy.json",
+            "owner": "heat",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/ironic/templates/ironic-api.json.j2
+++ b/ansible/roles/ironic/templates/ironic-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/ironic/ironic.conf",
            "owner": "ironic",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/ironic/policy.json",
+            "owner": "ironic",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/ironic/templates/ironic-conductor.json.j2
+++ b/ansible/roles/ironic/templates/ironic-conductor.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/ironic/ironic.conf",
            "owner": "ironic",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/ironic/policy.json",
+            "owner": "ironic",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/ironic/templates/ironic-inspector.json.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/ironic-inspector/ironic.conf",
            "owner": "ironic",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/ironic/policy.json",
+            "owner": "ironic",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/keystone/templates/keystone-fernet.json.j2
+++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2
@ -36,6 +36,13 @@
            "dest": "/var/lib/keystone/.ssh/id_rsa",
            "owner": "keystone",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/keystone/policy.json",
+            "owner": "keystone",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/kuryr/templates/kuryr.json.j2
+++ b/ansible/roles/kuryr/templates/kuryr.json.j2
@ -12,6 +12,13 @@
            "dest": "/usr/lib/docker/plugins/kuryr/kuryr.spec",
            "owner": "root",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/kuryr/policy.json",
+            "owner": "kuryr",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/magnum/templates/magnum-api.json.j2
+++ b/ansible/roles/magnum/templates/magnum-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/magnum/magnum.conf",
            "owner": "magnum",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/magnum/policy.json",
+            "owner": "magnum",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/magnum/templates/magnum-conductor.json.j2
+++ b/ansible/roles/magnum/templates/magnum-conductor.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/magnum/magnum.conf",
            "owner": "magnum",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/magnum/policy.json",
+            "owner": "magnum",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/manila/templates/manila-api.json.j2
+++ b/ansible/roles/manila/templates/manila-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/manila/manila.conf",
            "owner": "manila",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/manila/policy.json",
+            "owner": "manila",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/manila/templates/manila-data.json.j2
+++ b/ansible/roles/manila/templates/manila-data.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/manila/manila.conf",
            "owner": "manila",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/manila/policy.json",
+            "owner": "manila",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/manila/templates/manila-scheduler.json.j2
+++ b/ansible/roles/manila/templates/manila-scheduler.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/manila/manila.conf",
            "owner": "manila",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/manila/policy.json",
+            "owner": "manila",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/manila/templates/manila-share.json.j2
+++ b/ansible/roles/manila/templates/manila-share.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/manila/manila.conf",
            "owner": "manila",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/manila/policy.json",
+            "owner": "manila",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/mistral/templates/mistral-api.json.j2
+++ b/ansible/roles/mistral/templates/mistral-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/mistral/mistral.conf",
            "owner": "mistral",
            "perm": "0644"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/mistral/policy.json",
+            "owner": "mistral",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/mistral/templates/mistral-engine.json.j2
+++ b/ansible/roles/mistral/templates/mistral-engine.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/mistral/mistral.conf",
            "owner": "mistral",
            "perm": "0644"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/mistral/policy.json",
+            "owner": "mistral",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/mistral/templates/mistral-executor.json.j2
+++ b/ansible/roles/mistral/templates/mistral-executor.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/mistral/mistral.conf",
            "owner": "mistral",
            "perm": "0644"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/mistral/policy.json",
+            "owner": "mistral",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/murano/templates/murano-api.json.j2
+++ b/ansible/roles/murano/templates/murano-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/murano/murano.conf",
            "owner": "murano",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/murano/policy.json",
+            "owner": "murano",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/murano/templates/murano-engine.json.j2
+++ b/ansible/roles/murano/templates/murano-engine.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/murano/murano.conf",
            "owner": "murano",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/murano/policy.json",
+            "owner": "murano",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/neutron/templates/neutron-dhcp-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-dhcp-agent.json.j2
@ -24,6 +24,13 @@
            "dest": "/etc/neutron/dnsmasq.conf",
            "owner": "neutron",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/neutron/policy.json",
+            "owner": "neutron",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/neutron/templates/neutron-l3-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-l3-agent.json.j2
@ -24,6 +24,13 @@
            "dest": "/etc/neutron/l3_agent.ini",
            "owner": "neutron",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/neutron/policy.json",
+            "owner": "neutron",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/neutron/templates/neutron-lbaas-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-lbaas-agent.json.j2
@ -18,6 +18,13 @@
            "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
            "owner": "neutron",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/neutron/policy.json",
+            "owner": "neutron",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/neutron/templates/neutron-linuxbridge-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-linuxbridge-agent.json.j2
@ -12,6 +12,13 @@
            "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
            "owner": "neutron",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/neutron/policy.json",
+            "owner": "neutron",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/neutron/templates/neutron-metadata-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-metadata-agent.json.j2
@ -18,6 +18,13 @@
            "dest": "/etc/neutron/metadata_agent.ini",
            "owner": "neutron",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/neutron/policy.json",
+            "owner": "neutron",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/neutron/templates/neutron-openvswitch-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-openvswitch-agent.json.j2
@ -12,6 +12,13 @@
            "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
            "owner": "neutron",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/neutron/policy.json",
+            "owner": "neutron",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/neutron/templates/neutron-server.json.j2
+++ b/ansible/roles/neutron/templates/neutron-server.json.j2
@ -24,6 +24,13 @@
            "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
            "owner": "neutron",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/neutron/policy.json",
+            "owner": "neutron",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/neutron/templates/neutron-vpnaas-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-vpnaas-agent.json.j2
@ -30,6 +30,13 @@
            "dest": "/etc/neutron/vpnaas_agent.ini",
            "owner": "neutron",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/neutron/policy.json",
+            "owner": "neutron",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/nova/templates/nova-api.json.j2
+++ b/ansible/roles/nova/templates/nova-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/nova/nova.conf",
            "owner": "nova",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/nova/policy.json",
+            "owner": "nova",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/nova/templates/nova-compute-ironic.json.j2
+++ b/ansible/roles/nova/templates/nova-compute-ironic.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/nova/nova.conf",
            "owner": "nova",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/nova/policy.json",
+            "owner": "nova",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/nova/templates/nova-compute.json.j2
+++ b/ansible/roles/nova/templates/nova-compute.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/nova/nova.conf",
            "owner": "nova",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/nova/policy.json",
+            "owner": "nova",
+            "perm": "0600",
+            "optional": true
        }{% if nova_backend == "rbd" %},
        {
            "source": "{{ container_config_directory }}/ceph.*",
--- a/ansible/roles/nova/templates/nova-conductor.json.j2
+++ b/ansible/roles/nova/templates/nova-conductor.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/nova/nova.conf",
            "owner": "nova",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/nova/policy.json",
+            "owner": "nova",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/nova/templates/nova-consoleauth.json.j2
+++ b/ansible/roles/nova/templates/nova-consoleauth.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/nova/nova.conf",
            "owner": "nova",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/nova/policy.json",
+            "owner": "nova",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/nova/templates/nova-novncproxy.json.j2
+++ b/ansible/roles/nova/templates/nova-novncproxy.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/nova/nova.conf",
            "owner": "nova",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/nova/policy.json",
+            "owner": "nova",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/nova/templates/nova-scheduler.json.j2
+++ b/ansible/roles/nova/templates/nova-scheduler.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/nova/nova.conf",
            "owner": "nova",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/nova/policy.json",
+            "owner": "nova",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2
+++ b/ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/nova/nova.conf",
            "owner": "nova",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/nova/policy.json",
+            "owner": "nova",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/rally/templates/rally.json.j2
+++ b/ansible/roles/rally/templates/rally.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/rally/rally.conf",
            "owner": "rally",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/rally/policy.json",
+            "owner": "rally",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/sahara/templates/sahara-api.json.j2
+++ b/ansible/roles/sahara/templates/sahara-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/sahara/sahara.conf",
            "owner": "sahara",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/sahara/policy.json",
+            "owner": "sahara",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/sahara/templates/sahara-engine.json.j2
+++ b/ansible/roles/sahara/templates/sahara-engine.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/sahara/sahara.conf",
            "owner": "sahara",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/sahara/policy.json",
+            "owner": "sahara",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/searchlight/templates/searchlight-api.json.j2
+++ b/ansible/roles/searchlight/templates/searchlight-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/searchlight/searchlight.conf",
            "owner": "searchlight",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/searchlight/policy.json",
+            "owner": "searchlight",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/searchlight/templates/searchlight-listener.json.j2
+++ b/ansible/roles/searchlight/templates/searchlight-listener.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/searchlight/searchlight.conf",
            "owner": "searchlight",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/searchlight/policy.json",
+            "owner": "searchlight",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/senlin/templates/senlin-api.json.j2
+++ b/ansible/roles/senlin/templates/senlin-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/senlin/senlin.conf",
            "owner": "senlin",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/senlin/policy.json",
+            "owner": "senlin",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/senlin/templates/senlin-engine.json.j2
+++ b/ansible/roles/senlin/templates/senlin-engine.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/senlin/senlin.conf",
            "owner": "senlin",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/senlin/policy.json",
+            "owner": "senlin",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/swift/templates/swift-account-auditor.json.j2
+++ b/ansible/roles/swift/templates/swift-account-auditor.json.j2
@ -18,6 +18,13 @@
            "dest": "/etc/swift/account-auditor.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-account-reaper.json.j2
+++ b/ansible/roles/swift/templates/swift-account-reaper.json.j2
@ -18,6 +18,13 @@
            "dest": "/etc/swift/account-reaper.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-account-replicator.json.j2
+++ b/ansible/roles/swift/templates/swift-account-replicator.json.j2
@ -18,6 +18,13 @@
            "dest": "/etc/swift/account-replicator.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-account-server.json.j2
+++ b/ansible/roles/swift/templates/swift-account-server.json.j2
@ -18,6 +18,13 @@
            "dest": "/etc/swift/account-server.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-container-auditor.json.j2
+++ b/ansible/roles/swift/templates/swift-container-auditor.json.j2
@ -18,6 +18,13 @@
            "dest": "/etc/swift/container-auditor.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-container-replicator.json.j2
+++ b/ansible/roles/swift/templates/swift-container-replicator.json.j2
@ -18,6 +18,13 @@
            "dest": "/etc/swift/container-replicator.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-container-server.json.j2
+++ b/ansible/roles/swift/templates/swift-container-server.json.j2
@ -18,6 +18,13 @@
            "dest": "/etc/swift/container-server.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-container-updater.json.j2
+++ b/ansible/roles/swift/templates/swift-container-updater.json.j2
@ -24,6 +24,13 @@
            "dest": "/etc/swift/container-updater.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-object-auditor.json.j2
+++ b/ansible/roles/swift/templates/swift-object-auditor.json.j2
@ -24,6 +24,13 @@
            "dest": "/etc/swift/object-auditor.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-object-expirer.json.j2
+++ b/ansible/roles/swift/templates/swift-object-expirer.json.j2
@ -30,6 +30,13 @@
            "dest": "/etc/swift/object-expirer.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-object-replicator.json.j2
+++ b/ansible/roles/swift/templates/swift-object-replicator.json.j2
@ -24,6 +24,13 @@
            "dest": "/etc/swift/object-replicator.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-object-server.json.j2
+++ b/ansible/roles/swift/templates/swift-object-server.json.j2
@ -24,6 +24,13 @@
            "dest": "/etc/swift/object-server.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-object-updater.json.j2
+++ b/ansible/roles/swift/templates/swift-object-updater.json.j2
@ -24,6 +24,13 @@
            "dest": "/etc/swift/object-updater.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/swift/templates/swift-proxy-server.json.j2
+++ b/ansible/roles/swift/templates/swift-proxy-server.json.j2
@ -30,6 +30,13 @@
            "dest": "/etc/swift/proxy-server.conf",
            "owner": "swift",
            "perm": "0640"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/swift/policy.json",
+            "owner": "swift",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/tempest/templates/tempest.json.j2
+++ b/ansible/roles/tempest/templates/tempest.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/tempest/tempest.conf",
            "owner": "root",
            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/tempest/policy.json",
+            "owner": "tempest",
+            "perm": "0600",
+            "optional": true
        }
    ]
 }
--- a/ansible/roles/watcher/templates/watcher-api.json.j2
+++ b/ansible/roles/watcher/templates/watcher-api.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/watcher/watcher.conf",
            "owner": "watcher",
            "perm": "0644"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/watcher/policy.json",
+            "owner": "watcher",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/watcher/templates/watcher-applier.json.j2
+++ b/ansible/roles/watcher/templates/watcher-applier.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/watcher/watcher.conf",
            "owner": "watcher",
            "perm": "0644"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/watcher/policy.json",
+            "owner": "watcher",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [
--- a/ansible/roles/watcher/templates/watcher-engine.json.j2
+++ b/ansible/roles/watcher/templates/watcher-engine.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/watcher/watcher.conf",
            "owner": "watcher",
            "perm": "0644"
+        },
+        {
+            "source": "{{ container_config_directory }}/policy.json",
+            "dest": "/etc/watcher/policy.json",
+            "owner": "watcher",
+            "perm": "0600",
+            "optional": true
        }
    ],
    "permissions": [