diff --git a/playbooks/roles/os_cinder/defaults/main.yml b/playbooks/roles/os_cinder/defaults/main.yml
index 3920f81d6e..9904c6bbb7 100644
--- a/playbooks/roles/os_cinder/defaults/main.yml
+++ b/playbooks/roles/os_cinder/defaults/main.yml
@@ -156,6 +156,13 @@ cinder_client_socket_timeout: 900
 # - ip: "127.0.0.1"
 # share: "/vol/cinder"
+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#cinder_policy_overrides:
+# "volume:create": ""
+# "volume:delete": ""
+
 # Common apt packages
 cinder_apt_packages:
 - dmeventd
diff --git a/playbooks/roles/os_cinder/tasks/cinder_post_install.yml b/playbooks/roles/os_cinder/tasks/cinder_post_install.yml
index 1c5dfe077c..65a6308492 100644
--- a/playbooks/roles/os_cinder/tasks/cinder_post_install.yml
+++ b/playbooks/roles/os_cinder/tasks/cinder_post_install.yml
@@ -34,7 +34,6 @@
 owner: "{{ cinder_system_user_name }}"
 group: "{{ cinder_system_group_name }}"
 with_items:
- - { src: "policy.json", dest: "/etc/cinder/policy.json" }
 - { src: "volume.filters", dest: "/etc/cinder/rootwrap.d/volume.filters" }
 - { src: "rootwrap.conf", dest: "/etc/cinder/rootwrap.conf" }
 notify:
@@ -42,6 +41,21 @@
 tags:
 - cinder-config
+- name: Apply updates to Policy file
+ copy_updates:
+ content="{{ item.content }}"
+ updates="{{ item.policy_data }}"
+ dest="{{ item.dest }}"
+ owner="{{ cinder_system_user_name }}"
+ group="{{ cinder_system_group_name }}"
+ mode="{{ item.mode|default('0644') }}"
+ with_items:
+ - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ cinder_policy_overrides|default('') }}", dest: "/etc/cinder/policy.json" }
+ notify:
+ - Restart cinder services
+ tags:
+ - cinder-config
+
 - name: Ensure cinder tgt include
 lineinfile:
 dest: /etc/tgt/targets.conf
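Review bot: The new comment for `cinder_policy_overrides` calls the variable "a list of access controls", but the example under it is a mapping of policy rule name to rule string, and that mapping is what the `updates=` argument in cinder_post_install.yml consumes; an operator who follows the wording and writes a YAML sequence will presumably get a merge failure rather than an override. The example also uses `""` as the rule for `volume:create` and `volume:delete` without saying what that means: in oslo.policy an empty rule string matches every request, so copying the example as written makes those operations available to any caller that reaches the policy check. I would reword the comment to `# Provide a mapping of policy rule names to rule strings to update the default policy.json with. These are merged over the default rules; an empty string ("") as a rule allows the operation for every caller.` The glance, heat, neutron and nova defaults hunks carry the same comment text and should be reworded the same way.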
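Review bot: `policy_data: "{{ cinder_policy_overrides|default('') }}"` substitutes an empty string, not an empty mapping, when no overrides are defined, so on a default deployment `copy_updates` receives `''` for `updates=`; whether the module treats that as "nothing to merge" cannot be seen from this hunk (the module is not part of the diff), and `default({})` would match the type the defaults comment documents and the type the module otherwise receives. The module arguments are also written as a multi-line `key="value"` string under `copy_updates:` whereas the neighbouring tasks in this file pass arguments as block-style YAML keys, and the single-item `with_items` with a flow mapping only routes three constant values through `item.*`, including an `item.mode` that no entry sets. The rewrite below makes those three changes and is otherwise equivalent. The same task shape is repeated in the glance, heat, neutron and nova post_install hunks and the same change applies there.
```yaml
- name: Apply updates to Policy file
  copy_updates:
    content: "{{ lookup('file', 'policy.json') | b64encode }}"
    updates: "{{ cinder_policy_overrides|default({}) }}"
    dest: "/etc/cinder/policy.json"
    owner: "{{ cinder_system_user_name }}"
    group: "{{ cinder_system_group_name }}"
    mode: "0644"
  # … unchanged: notify and tags …
```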
diff --git a/playbooks/roles/os_glance/defaults/main.yml b/playbooks/roles/os_glance/defaults/main.yml
index fe46649af0..bb58d22574 100644
--- a/playbooks/roles/os_glance/defaults/main.yml
+++ b/playbooks/roles/os_glance/defaults/main.yml
@@ -119,6 +119,13 @@ glance_policy_dirs: policy.d
 # type: "nfs" ## This can be nfs or nfs4
 # options: "_netdev,auto" ## Mount options
+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#glance_policy_overrides:
+# "add_image": ""
+# "delete_image": ""
+
 # Common apt packages
 glance_apt_packages:
 - rpcbind
diff --git a/playbooks/roles/os_glance/tasks/glance_post_install.yml b/playbooks/roles/os_glance/tasks/glance_post_install.yml
index cd1582200a..98f0f3edab 100644
--- a/playbooks/roles/os_glance/tasks/glance_post_install.yml
+++ b/playbooks/roles/os_glance/tasks/glance_post_install.yml
@@ -59,7 +59,6 @@
 owner: "{{ glance_system_user_name }}"
 group: "{{ glance_system_group_name }}"
 with_items:
- - { src: "policy.json", dest: "/etc/glance/policy.json" }
 - { src: "schema.json", dest: "/etc/glance/schema.json" }
 - { src: "schema.json", dest: "/etc/glance/schema-image.json" }
 notify:
@@ -68,6 +67,22 @@
 tags:
 - glance-config
+- name: Apply updates to Policy file
+ copy_updates:
+ content="{{ item.content }}"
+ updates="{{ item.policy_data }}"
+ dest="{{ item.dest }}"
+ owner="{{ glance_system_user_name }}"
+ group="{{ glance_system_group_name }}"
+ mode="{{ item.mode|default('0644') }}"
+ with_items:
+ - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ glance_policy_overrides|default('') }}", dest: "/etc/glance/policy.json" }
+ notify:
+ - Restart glance api
+ - Restart glance registry
+ tags:
+ - glance-config
+
 - name: Create nfs shares local path
 file:
 path: "{{ item.local_path }}"
diff --git a/playbooks/roles/os_heat/defaults/main.yml b/playbooks/roles/os_heat/defaults/main.yml
index dc1abfab2d..4124b0033f 100644
--- a/playbooks/roles/os_heat/defaults/main.yml
+++ b/playbooks/roles/os_heat/defaults/main.yml
@@ -122,6 +122,13 @@ heat_plugin_dirs:
 - /usr/lib/heat
 - /usr/local/lib/heat
+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#heat_policy_overrides:
+# "cloudformation:ListStacks": "rule:deny_stack_user"
+# "cloudformation:CreateStack": "rule:deny_stack_user"
+
 heat_apt_packages:
 - rsync
 - libxslt1.1
diff --git a/playbooks/roles/os_heat/tasks/heat_post_install.yml b/playbooks/roles/os_heat/tasks/heat_post_install.yml
index 7f60b1f3f5..9e7081d854 100644
--- a/playbooks/roles/os_heat/tasks/heat_post_install.yml
+++ b/playbooks/roles/os_heat/tasks/heat_post_install.yml
@@ -35,10 +35,24 @@
 group: "{{ heat_system_group_name }}"
 with_items:
 - { src: "environment.d/default.yaml", dest: "/etc/heat/environment.d/default.yaml" }
- - { src: "policy.json", dest: "/etc/heat/policy.json" }
 - { src: "templates/AWS_CloudWatch_Alarm.yaml", dest: "/etc/heat/templates/AWS_CloudWatch_Alarm.yaml" }
 - { src: "templates/AWS_RDS_DBInstance.yaml", dest: "/etc/heat/templates/AWS_RDS_DBInstance.yaml" }
 notify:
 - Restart heat services
 tags:
 - heat-config
+
+- name: Apply updates to Policy file
+ copy_updates:
+ content="{{ item.content }}"
+ updates="{{ item.policy_data }}"
+ dest="{{ item.dest }}"
+ owner="{{ heat_system_user_name }}"
+ group="{{ heat_system_group_name }}"
+ mode="{{ item.mode|default('0644') }}"
+ with_items:
+ - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ heat_policy_overrides|default('') }}", dest: "/etc/heat/policy.json" }
+ notify:
+ - Restart heat services
+ tags:
+ - heat-config
diff --git a/playbooks/roles/os_neutron/defaults/main.yml b/playbooks/roles/os_neutron/defaults/main.yml
index 3f847b132c..d04f862bd7 100644
--- a/playbooks/roles/os_neutron/defaults/main.yml
+++ b/playbooks/roles/os_neutron/defaults/main.yml
@@ -202,6 +202,13 @@ neutron_dnsmasq_lease_max: 16777216
 ## RPC
 neutron_rpc_backend: rabbit
+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#neutron_policy_overrides:
+# "create_subnet": "rule:admin_or_network_owner"
+# "get_subnet": "rule:admin_or_owner or rule:shared"
+
 neutron_apt_packages:
 - conntrackd
 - conntrack
diff --git a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
index aefdcccf75..22210ca50b 100644
--- a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
+++ b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
@@ -67,7 +67,6 @@
 group: "{{ neutron_system_group_name }}"
 with_items:
 - { src: "api-paste.ini", dest: "/etc/neutron/api-paste.ini" }
- - { src: "policy.json", dest: "/etc/neutron/policy.json" }
 - { src: "rootwrap.conf", dest: "/etc/neutron/rootwrap.conf" }
 - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" }
 - { src: "rootwrap.d/dhcp.filters", dest: "/etc/neutron/rootwrap.d/dhcp.filters" }
@@ -85,6 +84,21 @@
 tags:
 - neutron-config
+- name: Apply updates to Policy file
+ copy_updates:
+ content="{{ item.content }}"
+ updates="{{ item.policy_data }}"
+ dest="{{ item.dest }}"
+ owner="{{ neutron_system_user_name }}"
+ group="{{ neutron_system_group_name }}"
+ mode="{{ item.mode|default('0644') }}"
+ with_items:
+ - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ neutron_policy_overrides|default('') }}", dest: "/etc/neutron/policy.json" }
+ notify:
+ - Restart neutron services
+ tags:
+ - neutron-config
+
 - name: Drop iptables checksum fix
 copy:
 src: "post-up-checksum-rules"
diff --git a/playbooks/roles/os_nova/defaults/main.yml b/playbooks/roles/os_nova/defaults/main.yml
index c56738d483..7d8fdd9f4c 100644
--- a/playbooks/roles/os_nova/defaults/main.yml
+++ b/playbooks/roles/os_nova/defaults/main.yml
@@ -210,6 +210,14 @@ nova_scheduler_program_name: nova-scheduler
 # nova_metadata_workers: 16
+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#nova_policy_overrides:
+# "compute:create": ""
+# "compute:create:attach_network": ""
+
+
 ## Service Names
 nova_service_names:
 - "{{ nova_metadata_program_name }}"
diff --git a/playbooks/roles/os_nova/tasks/nova_post_install.yml b/playbooks/roles/os_nova/tasks/nova_post_install.yml
index 72b1bfcb0e..540433bc4f 100644
--- a/playbooks/roles/os_nova/tasks/nova_post_install.yml
+++ b/playbooks/roles/os_nova/tasks/nova_post_install.yml
@@ -26,7 +26,6 @@
 - { src: "rootwrap.d/baremetal-deploy-helper.filters", dest: "/etc/nova/rootwrap.d/baremetal-deploy-helper.filters" }
 - { src: "rootwrap.d/compute.filters", dest: "/etc/nova/rootwrap.d/compute.filters" }
 - { src: "rootwrap.d/network.filters", dest: "/etc/nova/rootwrap.d/network.filters" }
- - { src: "policy.json", dest: "/etc/nova/policy.json" }
 - { src: "api-paste.ini", dest: "/etc/nova/api-paste.ini" }
 notify: Restart nova services
 tags:
@@ -45,3 +44,20 @@
 tags:
 - nova-config
 - nova-post-install
+
+- name: Apply updates to Policy file
+ copy_updates:
+ content="{{ item.content }}"
+ updates="{{ item.policy_data }}"
+ dest="{{ item.dest }}"
+ owner="{{ nova_system_user_name }}"
+ group="{{ nova_system_group_name }}"
+ mode="{{ item.mode|default('0644') }}"
+ with_items:
+ - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ nova_policy_overrides|default('') }}", dest: "/etc/nova/policy.json" }
+ notify:
+ - Restart nova services
+ tags:
+ - nova-config
+ - nova-post-install
+