From 8a4521399c032fb933ba4616c482b27aefa3f5e1 Mon Sep 17 00:00:00 2001
From: Sudarshan Acharya
Date: Fri, 17 Apr 2015 16:11:46 +0000
Subject: [PATCH] Applying copy_update to all policy.json files

Adding support for dynamically updating the policy files for nova, glance, neutron, cinder and heat. Uses the copy_update plugin to detect any updates and applies the changes to the default policy.json

Implements: blueprint dynamically-manage-policy.json
Change-Id: I573229d6f18a5fe32460b2373ab8b2c36ac722b4
---
 defaults/main.yml | 7 +++++++
 tasks/cinder_post_install.yml | 16 +++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 3920f81d..9904c6bb 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -156,6 +156,13 @@ cinder_client_socket_timeout: 900
 # - ip: "127.0.0.1"
 # share: "/vol/cinder"
 
+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#cinder_policy_overrides:
+# "volume:create": ""
+# "volume:delete": ""
+
 # Common apt packages
 cinder_apt_packages:
 - dmeventd
diff --git a/tasks/cinder_post_install.yml b/tasks/cinder_post_install.yml
index 1c5dfe07..65a63084 100644
--- a/tasks/cinder_post_install.yml
+++ b/tasks/cinder_post_install.yml
@@ -34,7 +34,6 @@
 owner: "{{ cinder_system_user_name }}"
 group: "{{ cinder_system_group_name }}"
 with_items:
- - { src: "policy.json", dest: "/etc/cinder/policy.json" }
 - { src: "volume.filters", dest: "/etc/cinder/rootwrap.d/volume.filters" }
 - { src: "rootwrap.conf", dest: "/etc/cinder/rootwrap.conf" }
 notify:
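Review bot: The commented example for `cinder_policy_overrides` in defaults/main.yml sets both rules to `""`, and in the policy.json rule language an empty rule is the check that always passes, so an operator who uncomments the example as written leaves `volume:create` and `volume:delete` unrestricted by policy. I would say so in the comment, e.g. `# An empty string means "always allowed"; give a rule expression to restrict the action.`, and show a restrictive value in the example, such as a named rule from the shipped policy.json. It would also help to state whether an override replaces the matching key outright, if that is what the copy_updates merge does; the plugin is not visible in this patch.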
@@ -42,6 +41,21 @@
 tags:
 - cinder-config
 
+- name: Apply updates to Policy file
+ copy_updates:
+ content="{{ item.content }}"
+ updates="{{ item.policy_data }}"
+ dest="{{ item.dest }}"
+ owner="{{ cinder_system_user_name }}"
+ group="{{ cinder_system_group_name }}"
+ mode="{{ item.mode|default('0644') }}"
+ with_items:
+ - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ cinder_policy_overrides|default('') }}", dest: "/etc/cinder/policy.json" }
+ notify:
+ - Restart cinder services
+ tags:
+ - cinder-config
+
 - name: Ensure cinder tgt include
 lineinfile:
 dest: /etc/tgt/targets.conf
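Review bot: In the added `Apply updates to Policy file` task, /etc/cinder/policy.json is written with `owner="{{ cinder_system_user_name }}"`, so the account the cinder services presumably run as can rewrite the file that defines their own authorization rules. The copy task that handled this file before used the same ownership, but since this task now manages the file on its own I would tighten it to `owner="root"` with `mode="{{ item.mode|default('0640') }}"` and keep the cinder group for read access. Separately, `cinder_policy_overrides|default('')` hands the module an empty string where the documented value is a mapping; `default({})` keeps the type consistent, assuming copy_updates accepts an empty dict (the plugin is not part of this patch).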