Policyd override implementation

This patchset implements policy overrides for gnocchi

Change-Id: Ie7a02c536d5085cd2548b84d94b7a6bf8ac6a315
Closed-Bug: #1741723

src/README.md

@@ -36,4 +36,32 @@ Gnocchi is configured to be deployed by default with Ceph, however,
 it can also connect to an S3 storage backend. To configure Gnocchi with S3,
 configuration options (`storage-backend`, `s3-region-name`, `s3-endpoint-url`,
 `s3-access-key-id` and `s3-secret-access-key`) must be provided.
-Please take a look at `config.yaml` for more details.
+Please take a look at `config.yaml` for more details.
+
+## Policy Overrides
+
+Policy overrides is an **advanced** feature that allows an operator to override
+the default policy of an OpenStack service. The policies that the service
+supports, the defaults it implements in its code, and the defaults that a charm
+may include should all be clearly understood before proceeding.
+
+> **Caution**: It is possible to break the system (for tenants and other
+  services) if policies are incorrectly applied to the service.
+
+Policy statements are placed in a YAML file. This file (or files) is then (ZIP)
+compressed into a single file and used as an application resource. The override
+is then enabled via a Boolean charm option.
+
+Here are the essential commands (filenames are arbitrary):
+
+    zip overrides.zip override-file.yaml
+    juju attach-resource gnocchi policyd-override=overrides.zip
+    juju config gnocchi use-policyd-override=true
+
+See appendix [Policy Overrides][cdg-appendix-n] in the [OpenStack Charms
+Deployment Guide][cdg] for a thorough treatment of this feature.
+
+<!-- LINKS -->
+
+[cdg]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide
+[cdg-appendix-n]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-policy-overrides.html

src/config.yaml

@@ -40,4 +40,12 @@ options:
     default: 50
     description: |
       The maximum number of connections to keep in a connection pool. (integer value).
-      Minimum value: 1
+      Minimum value: 1
+  use-policyd-override:
+    type: boolean
+    default: False
+    description: |
+      If True then use the resource file named 'policyd-override' to install
+      override YAML files in the service's policy.d directory.  The resource
+      file should be a ZIP file containing at least one yaml file with a .yaml
+      or .yml extension.  If False then remove the overrides.

src/lib/charm/openstack/gnocchi.py

@@ -109,7 +109,8 @@ class GnocchiCharmRelationAdapters(adapters.OpenStackAPIRelationAdapters):
     }
 
 
-class GnocchiCharmBase(charms_openstack.charm.HAOpenStackCharm,
+class GnocchiCharmBase(charms_openstack.plugins.PolicydOverridePlugin,
+                       charms_openstack.charm.HAOpenStackCharm,
                        charms_openstack.plugins.BaseOpenStackCephCharm):
 
     """
@@ -136,6 +137,9 @@ class GnocchiCharmBase(charms_openstack.charm.HAOpenStackCharm,
 
     adapters_class = GnocchiCharmRelationAdapters
 
+    # policyd override constants
+    policyd_service_name = 'gnocchi'
+
     def enable_webserver_site(self):
         """Enable Gnocchi Webserver sites if rendered or installed"""
         pass

src/metadata.yaml

@@ -24,3 +24,8 @@ requires:
   storage-ceph:
     interface: ceph-client
     optional: True
+resources:
+  policyd-override:
+    type: file
+    filename: policyd-override.zip
+    description: The policy.d overrides file