[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to replace policy.json to policy.yaml and remove deprecated policy.json. config_template has been choosen instead of the copy, since it can properly handle content that has been lookuped. We make a separate task not to restart service when it's not needed. [1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/787199 Change-Id: Idd28e5df99bfcf51bad2b785be41221eb0fe5142
2021-03-22 18:17:49 +02:00 · 2021-03-22 18:17:49 +02:00 · e7b394dd58
commit e7b394dd58
parent 50b83c7927
5 changed files with 33 additions and 20 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -21,6 +21,14 @@
  listen:
    - "venv changed"

+# NOTE (noonedeadpunk): Remove this task after Xena release
+- name: Remove obsoleted policy.json
+  file:
+    path: "/etc/octavia/policy.json"
+    state: absent
+  listen:
+    - Restart octavia services
+
 - name: Start octavia services
  service:
    name: "{{ item.service_name }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -209,6 +209,7 @@
  tags:
    - octavia-install
    - octavia-config
+    - octavia-policy-override

 - import_tasks: octavia_amp_image.yml
  when:
--- a/tasks/octavia_policy.yml
+++ b/tasks/octavia_policy.yml
@ -13,16 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Set legacy role policies
+- name: Implement policy.yaml if there are overrides configured
  config_template:
-    src: policy.json.j2
-    dest: /etc/octavia/policy.json
+    dest: /etc/octavia/policy.yaml
    owner: "{{ octavia_system_user_name }}"
    group: "{{ octavia_system_group_name }}"
    mode: "0640"
-    config_overrides: "{{ octavia_policy_overrides }}"
-    config_type: "json"
-  notify:
-    - Restart octavia services
-    - Restart uwsgi services
-  when: octavia_legacy_policy
+    content: "{{ (octavia_legacy_policy | bool) | ternary(_octavia_legacy_policies, {}) | combine(octavia_policy_overrides) }}"
+    config_type: "yaml"
+  when:
+    - (octavia_policy_overrides | length > 0) or (octavia_legacy_policy | bool)
+
+- name: Remove legacy policy.yaml file
+  file:
+    path: "/etc/octavia/policy.yaml"
+    state: absent
+  when:
+    - octavia_policy_overrides | length == 0
+    - not octavia_legacy_policy | bool
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@ -1,11 +0,0 @@
-{
-    "context_is_admin": "role:admin or role:load-balancer_admin",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-
-    "load-balancer:read": "rule:admin_or_owner",
-    "load-balancer:read-global": "is_admin:True",
-    "load-balancer:write": "rule:admin_or_owner",
-    "load-balancer:read-quota": "rule:admin_or_owner",
-    "load-balancer:read-quota-global": "is_admin:True",
-    "load-balancer:write-quota": "is_admin:True"
-}
--- a/vars/main.yml
+++ b/vars/main.yml
@ -62,3 +62,13 @@ uwsgi_octavia_services: |-
  {%   endif %}
  {% endfor %}
  {{ services }}
+
+_octavia_legacy_policies:
+    "context_is_admin": "role:admin or role:load-balancer_admin"
+    "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
+    "load-balancer:read": "rule:admin_or_owner"
+    "load-balancer:read-global": "is_admin:True"
+    "load-balancer:write": "rule:admin_or_owner"
+    "load-balancer:read-quota": "rule:admin_or_owner"
+    "load-balancer:read-quota-global": "is_admin:True"
+    "load-balancer:write-quota": "is_admin:True"