Applying copy_update to all policy.json files

Adding support for dynamically updating the policy files for nova, glance, neutron, cinder and heat. Uses the copy_update plugin to detect any updates and applies the changes to the default policy.json Implements: blueprint dynamically-manage-policy.json Change-Id: I573229d6f18a5fe32460b2373ab8b2c36ac722b4
2015-04-17 16:11:46 +00:00 · 2015-04-17 16:11:46 +00:00 · e7931323aa
commit e7931323aa
parent fcc4144692
10 changed files with 114 additions and 5 deletions
--- a/playbooks/roles/os_cinder/defaults/main.yml
+++ b/playbooks/roles/os_cinder/defaults/main.yml
@ -156,6 +156,13 @@ cinder_client_socket_timeout: 900
 #     - ip: "127.0.0.1"
 #       share: "/vol/cinder"

+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#cinder_policy_overrides:
+#  "volume:create": ""
+#  "volume:delete": ""
+
 # Common apt packages
 cinder_apt_packages:
  - dmeventd
--- a/playbooks/roles/os_cinder/tasks/cinder_post_install.yml
+++ b/playbooks/roles/os_cinder/tasks/cinder_post_install.yml
@ -34,7 +34,6 @@
    owner: "{{ cinder_system_user_name }}"
    group: "{{ cinder_system_group_name }}"
  with_items:
-    - { src: "policy.json", dest: "/etc/cinder/policy.json" }
    - { src: "volume.filters", dest: "/etc/cinder/rootwrap.d/volume.filters" }
    - { src: "rootwrap.conf", dest: "/etc/cinder/rootwrap.conf" }
  notify:
@ -42,6 +41,21 @@
  tags:
    - cinder-config

+- name: Apply updates to Policy file
+  copy_updates:
+    content="{{ item.content }}"
+    updates="{{ item.policy_data }}"
+    dest="{{ item.dest }}"
+    owner="{{ cinder_system_user_name }}"
+    group="{{ cinder_system_group_name }}"
+    mode="{{ item.mode|default('0644') }}"
+  with_items:
+    - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ cinder_policy_overrides|default('') }}", dest: "/etc/cinder/policy.json" }
+  notify:
+    - Restart cinder services
+  tags:
+    - cinder-config
+
 - name: Ensure cinder tgt include
  lineinfile:
    dest: /etc/tgt/targets.conf
--- a/playbooks/roles/os_glance/defaults/main.yml
+++ b/playbooks/roles/os_glance/defaults/main.yml
@ -119,6 +119,13 @@ glance_policy_dirs: policy.d
 #     type: "nfs"                           ## This can be nfs or nfs4
 #     options: "_netdev,auto"               ## Mount options

+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#glance_policy_overrides:
+#  "add_image": ""
+#  "delete_image": ""
+
 # Common apt packages
 glance_apt_packages:
  - rpcbind
--- a/playbooks/roles/os_glance/tasks/glance_post_install.yml
+++ b/playbooks/roles/os_glance/tasks/glance_post_install.yml
@ -59,7 +59,6 @@
    owner: "{{ glance_system_user_name }}"
    group: "{{ glance_system_group_name }}"
  with_items:
-    - { src: "policy.json", dest: "/etc/glance/policy.json" }
    - { src: "schema.json", dest: "/etc/glance/schema.json" }
    - { src: "schema.json", dest: "/etc/glance/schema-image.json" }
  notify:
@ -68,6 +67,22 @@
  tags:
    - glance-config

+- name: Apply updates to Policy file
+  copy_updates:
+    content="{{ item.content }}"
+    updates="{{ item.policy_data }}"
+    dest="{{ item.dest }}"
+    owner="{{ glance_system_user_name }}"
+    group="{{ glance_system_group_name }}"
+    mode="{{ item.mode|default('0644') }}"
+  with_items:
+    - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ glance_policy_overrides|default('') }}", dest: "/etc/glance/policy.json" }
+  notify:
+    - Restart glance api
+    - Restart glance registry
+  tags:
+    - glance-config
+
 - name: Create nfs shares local path
  file:
    path: "{{ item.local_path }}"
--- a/playbooks/roles/os_heat/defaults/main.yml
+++ b/playbooks/roles/os_heat/defaults/main.yml
@ -122,6 +122,13 @@ heat_plugin_dirs:
  - /usr/lib/heat
  - /usr/local/lib/heat

+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#heat_policy_overrides:
+#  "cloudformation:ListStacks": "rule:deny_stack_user"
+#  "cloudformation:CreateStack": "rule:deny_stack_user"
+
 heat_apt_packages:
  - rsync
  - libxslt1.1
--- a/playbooks/roles/os_heat/tasks/heat_post_install.yml
+++ b/playbooks/roles/os_heat/tasks/heat_post_install.yml
@ -35,10 +35,24 @@
    group: "{{ heat_system_group_name }}"
  with_items:
    - { src: "environment.d/default.yaml", dest: "/etc/heat/environment.d/default.yaml" }
-    - { src: "policy.json", dest: "/etc/heat/policy.json" }
    - { src: "templates/AWS_CloudWatch_Alarm.yaml", dest: "/etc/heat/templates/AWS_CloudWatch_Alarm.yaml" }
    - { src: "templates/AWS_RDS_DBInstance.yaml", dest: "/etc/heat/templates/AWS_RDS_DBInstance.yaml" }
  notify:
    - Restart heat services
  tags:
    - heat-config
+
+- name: Apply updates to Policy file
+  copy_updates:
+    content="{{ item.content }}"
+    updates="{{ item.policy_data }}"
+    dest="{{ item.dest }}"
+    owner="{{ heat_system_user_name }}"
+    group="{{ heat_system_group_name }}"
+    mode="{{ item.mode|default('0644') }}"
+  with_items:
+    - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ heat_policy_overrides|default('') }}", dest: "/etc/heat/policy.json" }
+  notify:
+    - Restart heat services
+  tags:
+    - heat-config
--- a/playbooks/roles/os_neutron/defaults/main.yml
+++ b/playbooks/roles/os_neutron/defaults/main.yml
@ -202,6 +202,13 @@ neutron_dnsmasq_lease_max: 16777216
 ## RPC
 neutron_rpc_backend: rabbit

+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#neutron_policy_overrides:
+#  "create_subnet": "rule:admin_or_network_owner"
+#  "get_subnet": "rule:admin_or_owner or rule:shared"
+
 neutron_apt_packages:
  - conntrackd
  - conntrack
--- a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
+++ b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
@ -67,7 +67,6 @@
    group: "{{ neutron_system_group_name }}"
  with_items:
    - { src: "api-paste.ini", dest: "/etc/neutron/api-paste.ini" }
-    - { src: "policy.json", dest: "/etc/neutron/policy.json" }
    - { src: "rootwrap.conf", dest: "/etc/neutron/rootwrap.conf" }
    - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" }
    - { src: "rootwrap.d/dhcp.filters", dest: "/etc/neutron/rootwrap.d/dhcp.filters" }
@ -85,6 +84,21 @@
  tags:
    - neutron-config

+- name: Apply updates to Policy file
+  copy_updates:
+    content="{{ item.content }}"
+    updates="{{ item.policy_data }}"
+    dest="{{ item.dest }}"
+    owner="{{ neutron_system_user_name }}"
+    group="{{ neutron_system_group_name }}"
+    mode="{{ item.mode|default('0644') }}"
+  with_items:
+    - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ neutron_policy_overrides|default('') }}", dest: "/etc/neutron/policy.json" }
+  notify:
+    - Restart neutron services
+  tags:
+    - neutron-config
+
 - name: Drop iptables checksum fix
  copy:
    src: "post-up-checksum-rules"
--- a/playbooks/roles/os_nova/defaults/main.yml
+++ b/playbooks/roles/os_nova/defaults/main.yml
@ -210,6 +210,14 @@ nova_scheduler_program_name: nova-scheduler
 # nova_metadata_workers: 16


+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#nova_policy_overrides:
+#  "compute:create": ""
+#  "compute:create:attach_network": ""
+
+
 ## Service Names
 nova_service_names:
  - "{{ nova_metadata_program_name }}"
--- a/playbooks/roles/os_nova/tasks/nova_post_install.yml
+++ b/playbooks/roles/os_nova/tasks/nova_post_install.yml
@ -26,7 +26,6 @@
    - { src: "rootwrap.d/baremetal-deploy-helper.filters", dest: "/etc/nova/rootwrap.d/baremetal-deploy-helper.filters" }
    - { src: "rootwrap.d/compute.filters", dest: "/etc/nova/rootwrap.d/compute.filters" }
    - { src: "rootwrap.d/network.filters", dest: "/etc/nova/rootwrap.d/network.filters" }
-    - { src: "policy.json", dest: "/etc/nova/policy.json" }
    - { src: "api-paste.ini", dest: "/etc/nova/api-paste.ini" }
  notify: Restart nova services
  tags:
@ -45,3 +44,20 @@
  tags:
    - nova-config
    - nova-post-install
+
+- name: Apply updates to Policy file
+  copy_updates:
+    content="{{ item.content }}"
+    updates="{{ item.policy_data }}"
+    dest="{{ item.dest }}"
+    owner="{{ nova_system_user_name }}"
+    group="{{ nova_system_group_name }}"
+    mode="{{ item.mode|default('0644') }}"
+  with_items:
+    - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ nova_policy_overrides|default('') }}", dest: "/etc/nova/policy.json" }
+  notify:
+    - Restart nova services
+  tags:
+    - nova-config
+    - nova-post-install
+