Applying copy_update to all policy.json files

Adding support for dynamically updating the policy files for
nova, glance, neutron, cinder and heat. Uses the copy_update
plugin to detect any updates and applies the changes to the default
policy.json

Implements: blueprint dynamically-manage-policy.json
Change-Id: I573229d6f18a5fe32460b2373ab8b2c36ac722b4

defaults/main.yml

@@ -202,6 +202,13 @@ neutron_dnsmasq_lease_max: 16777216
 ## RPC
 neutron_rpc_backend: rabbit
 
+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#neutron_policy_overrides:
+#  "create_subnet": "rule:admin_or_network_owner"
+#  "get_subnet": "rule:admin_or_owner or rule:shared"
+
 neutron_apt_packages:
   - conntrackd
   - conntrack

tasks/neutron_post_install.yml

@@ -67,7 +67,6 @@
     group: "{{ neutron_system_group_name }}"
   with_items:
     - { src: "api-paste.ini", dest: "/etc/neutron/api-paste.ini" }
-    - { src: "policy.json", dest: "/etc/neutron/policy.json" }
     - { src: "rootwrap.conf", dest: "/etc/neutron/rootwrap.conf" }
     - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" }
     - { src: "rootwrap.d/dhcp.filters", dest: "/etc/neutron/rootwrap.d/dhcp.filters" }
@@ -85,6 +84,21 @@
   tags:
     - neutron-config
 
+- name: Apply updates to Policy file
+  copy_updates:
+    content="{{ item.content }}"
+    updates="{{ item.policy_data }}"
+    dest="{{ item.dest }}"
+    owner="{{ neutron_system_user_name }}"
+    group="{{ neutron_system_group_name }}"
+    mode="{{ item.mode|default('0644') }}"
+  with_items:
+    - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ neutron_policy_overrides|default('') }}", dest: "/etc/neutron/policy.json" }
+  notify:
+    - Restart neutron services
+  tags:
+    - neutron-config
+
 - name: Drop iptables checksum fix
   copy:
     src: "post-up-checksum-rules"