Only implement policy.json if an override is configured

With Ia64eac1eb4e30457b323c6ab99d26d3d40c28060 merged there is no longer a default policy.json file in the venv, so we need to change how we implement the file, and should only do so if there is a config override configured for it. Depends-On: https://review.openstack.org/628979 Change-Id: I87da4f747965e549d9c64d1dccd24613efa648da
2019-01-08 12:22:30 -06:00 · 2019-01-08 12:22:30 -06:00 · e741ee9ec4
parent 0533fa085a
commit e741ee9ec4
2 changed files with 7 additions and 94 deletions
--- a/tasks/barbican_post_install.yml
+++ b/tasks/barbican_post_install.yml
@ -27,10 +27,6 @@
      destination: "{{ barbican_etc_directory }}/barbican.conf"
      config_overrides: "{{ barbican_config_overrides }}"
      config_type: "ini"
-    - source: "policy.json.j2"
-      destination: "{{ barbican_etc_directory }}/policy.json"
-      config_overrides: "{{ barbican_policy_overrides }}"
-      config_type: "json"
    - source: "barbican-api-paste.ini.j2"
      destination: "{{ barbican_etc_directory }}/barbican-api-paste.ini"
      config_overrides: "{{ barbican_paste_overrides }}"
@ -44,3 +40,10 @@
      config_overrides: "{{ barbican_vassals_api_overrides }}"
      config_type: "ini"
  notify: Restart barbican services
+
+- name: Implement policy.json if there are overrides configured
+  copy:
+    content: "{{ barbican_policy_overrides | to_nice_json }}"
+    dest: "{{ barbican_etc_directory }}/policy.json"
+  when:
+    - barbican_policy_overrides != {}
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@ -1,90 +0,0 @@
-{
-    "admin": "role:admin",
-    "observer": "role:observer",
-    "creator": "role:creator",
-    "audit": "role:audit",
-    "service_admin": "role:key-manager:service-admin",
-    "admin_or_user_does_not_work": "project_id:%(project_id)s",
-    "admin_or_user": "rule:admin or project_id:%(project_id)s",
-    "admin_or_creator": "rule:admin or rule:creator",
-    "all_but_audit": "rule:admin or rule:observer or rule:creator",
-    "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
-    "secret_project_match": "project:%(target.secret.project_id)s",
-    "secret_acl_read": "'read':%(target.secret.read)s",
-    "secret_private_read": "'False':%(target.secret.read_project_access)s",
-    "secret_creator_user": "user:%(target.secret.creator_id)s",
-    "container_project_match": "project:%(target.container.project_id)s",
-    "container_acl_read": "'read':%(target.container.read)s",
-    "container_private_read": "'False':%(target.container.read_project_access)s",
-    "container_creator_user": "user:%(target.container.creator_id)s",
-
-    "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
-    "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
-    "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
-    "secret_project_admin": "rule:admin and rule:secret_project_match",
-    "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
-    "container_project_admin": "rule:admin and rule:container_project_match",
-    "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",
-
-    "version:get": "@",
-    "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
-    "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
-    "secret:put": "rule:admin_or_creator and rule:secret_project_match",
-    "secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
-    "secrets:post": "rule:admin_or_creator",
-    "secrets:get": "rule:all_but_audit",
-    "orders:post": "rule:admin_or_creator",
-    "orders:get": "rule:all_but_audit",
-    "order:get": "rule:all_users",
-    "order:put": "rule:admin_or_creator",
-    "order:delete": "rule:admin",
-    "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "containers:post": "rule:admin_or_creator",
-    "containers:get": "rule:all_but_audit",
-    "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "container:delete": "rule:container_project_admin or rule:container_project_creator",
-    "container_secret:post": "rule:admin",
-    "container_secret:delete": "rule:admin",
-    "transport_key:get": "rule:all_users",
-    "transport_key:delete": "rule:admin",
-    "transport_keys:get": "rule:all_users",
-    "transport_keys:post": "rule:admin",
-    "certificate_authorities:get_limited": "rule:all_users",
-    "certificate_authorities:get_all": "rule:admin",
-    "certificate_authorities:post": "rule:admin",
-    "certificate_authorities:get_preferred_ca": "rule:all_users",
-    "certificate_authorities:get_global_preferred_ca": "rule:service_admin",
-    "certificate_authorities:unset_global_preferred": "rule:service_admin",
-    "certificate_authority:delete": "rule:admin",
-    "certificate_authority:get": "rule:all_users",
-    "certificate_authority:get_cacert": "rule:all_users",
-    "certificate_authority:get_ca_cert_chain": "rule:all_users",
-    "certificate_authority:get_projects": "rule:service_admin",
-    "certificate_authority:add_to_project": "rule:admin",
-    "certificate_authority:remove_from_project": "rule:admin",
-    "certificate_authority:set_preferred": "rule:admin",
-    "certificate_authority:set_global_preferred": "rule:service_admin",
-    "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
-    "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
-    "secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
-    "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
-    "container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
-    "container_acls:get": "rule:all_but_audit and rule:container_project_match",
-    "quotas:get": "rule:all_users",
-    "project_quotas:get": "rule:service_admin",
-    "project_quotas:put": "rule:service_admin",
-    "project_quotas:delete": "rule:service_admin",
-    "secret_meta:get": "rule:all_but_audit",
-    "secret_meta:post": "rule:admin_or_creator",
-    "secret_meta:put": "rule:admin_or_creator",
-    "secret_meta:delete": "rule:admin_or_creator",
-    "secretstores:get": "rule:admin",
-    "secretstores:get_global_default": "rule:admin",
-    "secretstores:get_preferred": "rule:admin",
-    "secretstore_preferred:post": "rule:admin",
-    "secretstore_preferred:delete": "rule:admin",
-    "secretstore:get": "rule:admin"
-}