Policyd override implementation

This patchset implements policy overrides for aodh. Updates xenial-ocata and trusty-mitaka functional tests Change-Id: Ic2477ed4ccc05c5bef384c4d9dc9a1776de9f6f6 Closed-Bug: #1741723
2020-07-03 15:41:55 +01:00 · 2020-07-03 15:41:55 +01:00 · 2e500d38c2
parent 994c58d9f6
commit 2e500d38c2
6 changed files with 104 additions and 3 deletions
--- a/src/README.md
+++ b/src/README.md
@ -14,8 +14,36 @@ Aodh relies on services from the mongodb, rabbitmq-server and keystone charms:
    juju add-relation aodh mysql
    juju add-relation aodh keystone

+## Policy Overrides
+
+Policy overrides is an **advanced** feature that allows an operator to override
+the default policy of an OpenStack service. The policies that the service
+supports, the defaults it implements in its code, and the defaults that a charm
+may include should all be clearly understood before proceeding.
+
+> **Caution**: It is possible to break the system (for tenants and other
+  services) if policies are incorrectly applied to the service.
+
+Policy statements are placed in a YAML file. This file (or files) is then (ZIP)
+compressed into a single file and used as an application resource. The override
+is then enabled via a Boolean charm option.
+
+Here are the essential commands (filenames are arbitrary):
+
+    zip overrides.zip override-file.yaml
+    juju attach-resource aodh policyd-override=overrides.zip
+    juju config aodh use-policyd-override=true
+
+See appendix [Policy Overrides][cdg-appendix-n] in the [OpenStack Charms
+Deployment Guide][cdg] for a thorough treatment of this feature.
+
 # Bugs

 Please report bugs on [Launchpad](https://bugs.launchpad.net/charm-aodh/+filebug).

 For general questions please refer to the OpenStack [Charm Guide](https://docs.openstack.org/charm-guide/latest/).
+
+<!-- LINKS -->
+
+[cdg]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide
+[cdg-appendix-n]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-policy-overrides.html
--- a/src/config.yaml
+++ b/src/config.yaml
@ -0,0 +1,9 @@
+options:
+  use-policyd-override:
+    type: boolean
+    default: False
+    description: |
+      If True then use the resource file named 'policyd-override' to install
+      override YAML files in the service's policy.d directory.  The resource
+      file should be a ZIP file containing at least one yaml file with a .yaml
+      or .yml extension.  If False then remove the overrides.
--- a/src/lib/charm/openstack/aodh.py
+++ b/src/lib/charm/openstack/aodh.py
@ -21,6 +21,7 @@ import charmhelpers.core.host as ch_host
 import charms_openstack.charm
 import charms_openstack.adapters
 import charms_openstack.ip as os_ip
+import charms_openstack.plugins

 AODH_DIR = '/etc/aodh'
 AODH_CONF = os.path.join(AODH_DIR, 'aodh.conf')
@ -49,7 +50,8 @@ class AodhAdapters(charms_openstack.adapters.OpenStackAPIRelationAdapters):
            charm_instance=charm_instance)


-class AodhCharm(charms_openstack.charm.HAOpenStackCharm):
+class AodhCharm(charms_openstack.plugins.PolicydOverridePlugin,
+                charms_openstack.charm.HAOpenStackCharm):

    # Internal name of charm + keystone endpoint
    service_name = name = 'aodh'
@ -119,6 +121,9 @@ class AodhCharm(charms_openstack.charm.HAOpenStackCharm):

    group = 'aodh'

+    # policyd override constants
+    policyd_service_name = 'aodh'
+
    @staticmethod
    def reload_and_restart():
        if ch_host.init_is_systemd():
--- a/src/metadata.yaml
+++ b/src/metadata.yaml
@ -22,3 +22,8 @@ subordinate: false
 requires:
  mongodb:
    interface: mongodb
+resources:
+  policyd-override:
+    type: file
+    filename: policyd-override.zip
+    description: The policy.d overrides file
--- a/src/tests/bundles/trusty-mitaka.yaml
+++ b/src/tests/bundles/trusty-mitaka.yaml
@ -52,7 +52,7 @@ applications:
    to:
      - '4'
  mongodb:
-    charm: cs:trusty/mongodb
+    charm: cs:trusty/mongodb-53
    num_units: 1
    to:
      - '5'
--- a/src/tests/bundles/xenial-ocata.yaml
+++ b/src/tests/bundles/xenial-ocata.yaml
@ -11,6 +11,14 @@ machines:
  3: {}
  4: {}
  5: {}
+  6: {}
+  7: {}
+  8: {}
+  9: {}
+  10: {}
+  11: {}
+  12: {}
+  13: {}

 # We specify machine placements for these to improve iteration
 # time, given that machine "0" comes up way before machine "7"
@ -51,14 +59,50 @@ applications:
      openstack-origin: *openstack-origin
    to:
      - '4'
+  ceph-osd:
+    charm: cs:~openstack-charmers-next/ceph-osd
+    num_units: 3
+    storage:
+      osd-devices: 'cinder,10G'
+    options:
+      source: *openstack-origin
+    to:
+      - '5'
+      - '6'
+      - '7'
+  ceph-mon:
+    charm: cs:~openstack-charmers-next/ceph-mon
+    num_units: 3
+    options:
+      expected-osd-count: 3
+      monitor-count: '3'
+      source: *openstack-origin
+    to:
+      - '8'
+      - '9'
+      - '10'
+  gnocchi:
+    charm: cs:~openstack-charmers-next/gnocchi
+    num_units: 1
+    options:
+      openstack-origin: *openstack-origin
+    to:
+      - '11'
+  memcached:
+    charm: cs:~memcached-team/memcached
+    num_units: 1
+    to:
+      - '12'
  mongodb:
    charm: cs:xenial/mongodb
    num_units: 1
    to:
-      - '5'
+      - '13'
 relations:
  - - 'keystone:shared-db'
    - 'percona-cluster:shared-db'
+  - - 'ceph-osd:mon'
+    - 'ceph-mon:osd'
  - - 'aodh:shared-db'
    - 'percona-cluster:shared-db'
  - - 'aodh:amqp'
@ -75,3 +119,13 @@ relations:
    - 'mongodb:database'
  - - 'ceilometer:identity-service'
    - 'keystone:identity-service'
+  - - 'ceilometer:metric-service'
+    - 'gnocchi:metric-service'
+  - - 'gnocchi:identity-service'
+    - 'keystone:identity-service'
+  - - 'gnocchi:shared-db'
+    - 'percona-cluster:shared-db'
+  - - 'gnocchi:storage-ceph'
+    - 'ceph-mon:client'
+  - - 'gnocchi:coordinator-memcached'
+    - 'memcached:cache'