Add property protection configuration

Allows to configure property protection according to https://docs.openstack.org/glance/latest/admin/property-protections.html Change-Id: I9b4c0985969a4945ce8a1058206376b0347fbb27
2024-02-22 09:14:15 +02:00 · 2024-02-22 09:14:15 +02:00 · e8de2a5f0b
parent f375f499c0
commit e8de2a5f0b
4 changed files with 43 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -392,3 +392,20 @@ glance_pki_install_certificates:
 # Define user-provided SSL certificates
 # glance_user_ssl_cert: <path to cert on ansible deployment host>
 # glance_user_ssl_key: <path to cert on ansible deployment host>
+
+# Glance property protection
+glance_property_protection_file: "property-protection.conf"
+glance_property_protection_rule_format: roles
+# Expected dict structure example:
+# glance_property_protection_file_overrides:
+#   protected_property1:
+#     create: admin,member
+#     read: admin,member,reader
+#     update: admin
+#     delete: admin
+#   .*:
+#     create: admin,member
+#     read: admin,member,reader
+#     update: admin,member
+#     delete: admin,member
+glance_property_protection_file_overrides: {}
--- a/releasenotes/notes/glance_property_protection-458102a81be747f5.yaml
+++ b/releasenotes/notes/glance_property_protection-458102a81be747f5.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added property protection configuration, managed with new variables:
+    ``glance_property_protection_file_overrides`` (should be configured
+    for a configuration to run, look in Default variables for an example),
+    ``glance_property_protection_rule_format``, ``glance_property_protection_file``.
--- a/tasks/glance_post_install.yml
+++ b/tasks/glance_post_install.yml
@ -77,6 +77,21 @@
  tags:
    - glance-policy-override

+- name: Implement property protection
+  openstack.config_template.config_template:
+    dest: "{{ glance_etc_dir }}/{{ glance_property_protection_file }}"
+    config_type: "ini"
+    owner: "root"
+    group: "{{ glance_system_group_name }}"
+    mode: "0640"
+    config_overrides: "{{ glance_property_protection_file_overrides }}"
+  when: glance_property_protection_file_overrides | length > 0
+  tags:
+    - glance-property-protection
+  notify:
+    - Restart glance services
+    - Restart uwsgi services
+
 - name: Deploy Glance image import configuration file
  template:
    src: "{{ glance_glance_image_import_conf_location }}"
--- a/templates/glance-api.conf.j2
+++ b/templates/glance-api.conf.j2
@ -29,6 +29,10 @@ show_multiple_locations = {{ glance_show_multiple_locations }}

 enabled_backends = {% for backend in glance_available_stores %}{{ backend['name'] }}:{{ backend['type'] }}{% if not loop.last %},{% endif %}{% endfor %}

+{% if glance_property_protection_file_overrides | length > 0 %}
+property_protection_file = {{ glance_property_protection_file }}
+property_protection_rule_format = {{ glance_property_protection_rule_format }}
+{% endif %}

 [task]
 task_executor = {{ glance_task_executor }}