Policyd override implementation

This patchset implements policy overrides for swift-proxy.  It uses
the code in charmhelpers.

Closed-Bug: #1741723
Change-Id: Ic51ee5d181558b63dfd968c5b0c7d40760a5ac59

README.md

@@ -155,6 +155,49 @@ Actions allow specific operations to be performed on a per-unit basis.
 
 To display action descriptions run `juju actions swift-proxy`.
 
+# Policy Overrides
+
+This feature allows for policy overrides using the `policy.d` directory.  This
+is an **advanced** feature and the policies that the OpenStack service supports
+should be clearly and unambiguously understood before trying to override, or
+add to, the default policies that the service uses.  The charm also has some
+policy defaults.  They should also be understood before being overridden.
+
+> **Caution**: It is possible to break the system (for tenants and other
+  services) if policies are incorrectly applied to the service.
+
+Policy overrides are YAML files that contain rules that will add to, or
+override, existing policy rules in the service.  The `policy.d` directory is
+a place to put the YAML override files.  This charm owns the
+`/etc/swift/policy.d` directory, and as such, any manual changes to it will
+be overwritten on charm upgrades.
+
+Overrides are provided to the charm using a Juju resource called
+`policyd-override`.  The resource is a ZIP file.  This file, say
+`overrides.zip`, is attached to the charm by:
+
+
+    juju attach-resource swift-proxy policyd-override=overrides.zip
+
+The policy override is enabled in the charm using:
+
+    juju config swift-proxy use-policyd-override=true
+
+When `use-policyd-override` is `True` the status line of the charm will be
+prefixed with `PO:` indicating that policies have been overridden.  If the
+installation of the policy override YAML files failed for any reason then the
+status line will be prefixed with `PO (broken):`.  The log file for the charm
+will indicate the reason.  No policy override files are installed if the `PO
+(broken):` is shown.  The status line indicates that the overrides are broken,
+not that the policy for the service has failed. The policy will be the defaults
+for the charm and service.
+
+Policy overrides on one service may affect the functionality of another
+service. Therefore, it may be necessary to provide policy overrides for
+multiple service charms to achieve a consistent set of policies across the
+OpenStack system.  The charms for the other services that may need overrides
+should be checked to ensure that they support overrides before proceeding.
+
 # Bugs
 
 Please report bugs on [Launchpad][lp-bugs-charm-swift-proxy].

config.yaml

@@ -440,3 +440,11 @@ options:
       storing the object’s replicas on up to 6 disks.
       .
       NOTE: use only when 'enable-multi-region=True'
+  use-policyd-override:
+    type: boolean
+    default: False
+    description: |
+      If True then use the resource file named 'policyd-override' to install
+      override YAML files in the service's policy.d directory.  The resource
+      file should be a ZIP file containing at least one yaml file with a .yaml
+      or .yml extension.  If False then remove the overrides.

hooks/swift_hooks.py

@@ -78,6 +78,7 @@ from lib.swift_utils import (
 from lib.swift_context import get_swift_hash
 
 import charmhelpers.contrib.openstack.utils as openstack
+import charmhelpers.contrib.openstack.policyd as policyd
 
 from charmhelpers.contrib.openstack.ha.utils import (
     generate_ha_relation_data,
@@ -167,6 +168,10 @@ def install():
     # configure a directory on webserver for distributing rings.
     ensure_www_dir_permissions(get_www_dir())
 
+    # call the policy overrides handler which will install any policy overrides
+    policyd.maybe_do_policyd_overrides(
+        openstack.os_release('swift-proxy'), 'swift')
+
 
 @hooks.hook('config-changed')
 @restart_on_change(restart_map())
@@ -222,6 +227,10 @@ def config_changed():
 
     try_initialize_swauth()
 
+    # call the policy overrides handler which will install any policy overrides
+    policyd.maybe_do_policyd_overrides(
+        openstack.os_release('swift-proxy'), 'swift')
+
 
 @hooks.hook('identity-service-relation-joined')
 def keystone_joined(relid=None):
@@ -730,6 +739,9 @@ def upgrade_charm():
     if new_packages:
         apt_install(new_packages)
     update_rsync_acls()
+    # call the policy overrides handler which will install any policy overrides
+    policyd.maybe_do_policyd_overrides(
+        openstack.os_release('swift-proxy'), 'swift')
 
 
 @hooks.hook('update-status')

metadata.yaml

@@ -52,3 +52,8 @@ requires:
 peers:
   cluster:
     interface: swift-ha
+resources:
+  policyd-override:
+    type: file
+    filename: policyd-override.zip
+    description: The policy.d overrides file

tests/tests.yaml

@@ -31,3 +31,5 @@ tests:
 tests_options:
   force_deploy:
     - focal-ussuri
+  policyd:
+    - service: swift