Add group to policy management

The move of policy.json into code means the file may not exist. We've
added support to ensure that the file exists in the openstacklib but we
need to make sure the permissions are right for each service. This adds
the group information to the policies so it works right.

Change-Id: I2101ddb29e48733a5a5982daafe074ce1c983e9c
Co-Authored-By: Alex Schultz <aschultz@redhat.com>

manifests/params.pp

@@ -7,6 +7,7 @@ class glance::params {
 
   $cache_cleaner_command = 'glance-cache-cleaner'
   $cache_pruner_command  = 'glance-cache-pruner'
+  $group                 = 'glance'
 
   case $::osfamily {
     'RedHat': {

manifests/policy.pp

@@ -23,19 +23,22 @@
 #   (optional) Path to the glance policy.json file
 #   Defaults to /etc/glance/policy.json
 #
-class glance::policy(
+class glance::policy (
   $policies    = {},
   $policy_path = '/etc/glance/policy.json',
 ) {
 
   include ::glance::deps
+  include ::glance::params
 
   validate_hash($policies)
 
   Openstacklib::Policy::Base {
-    file_path => $policy_path,
-    require   => Anchor['glance::config::begin'],
-    notify    => Anchor['glance::config::end'],
+    file_path  => $policy_path,
+    file_user  => 'root',
+    file_group => $::glance::params::group,
+    require    => Anchor['glance::config::begin'],
+    notify     => Anchor['glance::config::end'],
   }
 
   create_resources('openstacklib::policy::base', $policies)

spec/classes/glance_policy_spec.rb

@@ -17,8 +17,10 @@ describe 'glance::policy' do
 
     it 'set up the policies' do
       is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
-        :key   => 'context_is_admin',
-        :value => 'foo:bar'
+        :key        => 'context_is_admin',
+        :value      => 'foo:bar',
+        :file_user  => 'root',
+        :file_group => 'glance',
       })
       is_expected.to contain_oslo__policy('glance_api_config').with(
         :policy_file => '/etc/glance/policy.json',