From 2e500d38c2f4c6779dd06f5a841e1b268055e7ab Mon Sep 17 00:00:00 2001
From: Arif Ali
Date: Fri, 3 Jul 2020 15:41:55 +0100
Subject: [PATCH] Policyd override implementation
This patchset implements policy overrides for aodh. Updates xenial-ocata and trusty-mitaka functional tests
Change-Id: Ic2477ed4ccc05c5bef384c4d9dc9a1776de9f6f6
Closed-Bug: #1741723
---
src/README.md | 28 ++++++++++++++
src/config.yaml | 9 +++++
src/lib/charm/openstack/aodh.py | 7 +++-
src/metadata.yaml | 5 +++
src/tests/bundles/trusty-mitaka.yaml | 2 +-
src/tests/bundles/xenial-ocata.yaml | 56 +++++++++++++++++++++++++++-
6 files changed, 104 insertions(+), 3 deletions(-)
create mode 100644 src/config.yaml
diff --git a/src/README.md b/src/README.md
index 1be732b..8a877f0 100644
--- a/src/README.md
+++ b/src/README.md
@@ -14,8 +14,36 @@ Aodh relies on services from the mongodb, rabbitmq-server and keystone charms:
 juju add-relation aodh mysql
 juju add-relation aodh keystone
+## Policy Overrides
+
+Policy overrides is an **advanced** feature that allows an operator to override
+the default policy of an OpenStack service. The policies that the service
+supports, the defaults it implements in its code, and the defaults that a charm
+may include should all be clearly understood before proceeding.
+
+> **Caution**: It is possible to break the system (for tenants and other
+ services) if policies are incorrectly applied to the service.
+
+Policy statements are placed in a YAML file. This file (or files) is then (ZIP)
+compressed into a single file and used as an application resource. The override
+is then enabled via a Boolean charm option.
+
+Here are the essential commands (filenames are arbitrary):
+
+ zip overrides.zip override-file.yaml
+ juju attach-resource aodh policyd-override=overrides.zip
+ juju config aodh use-policyd-override=true
+
+See appendix [Policy Overrides][cdg-appendix-n] in the [OpenStack Charms
+Deployment Guide][cdg] for a thorough treatment of this feature.
+
 # Bugs
 Please report bugs on [Launchpad](https://bugs.launchpad.net/charm-aodh/+filebug).
 For general questions please refer to the OpenStack [Charm Guide](https://docs.openstack.org/charm-guide/latest/).
+
+
+
+[cdg]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide
+[cdg-appendix-n]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-policy-overrides.html
\ No newline at end of file
diff --git a/src/config.yaml b/src/config.yaml
new file mode 100644
index 0000000..9661b16
--- /dev/null
+++ b/src/config.yaml
@@ -0,0 +1,9 @@
+options:
+ use-policyd-override:
+ type: boolean
+ default: False
+ description: |
+ If True then use the resource file named 'policyd-override' to install
+ override YAML files in the service's policy.d directory. The resource
+ file should be a ZIP file containing at least one yaml file with a .yaml
+ or .yml extension. If False then remove the overrides.
diff --git a/src/lib/charm/openstack/aodh.py b/src/lib/charm/openstack/aodh.py
index 5336710..f543e71 100644
--- a/src/lib/charm/openstack/aodh.py
+++ b/src/lib/charm/openstack/aodh.py
@@ -21,6 +21,7 @@ import charmhelpers.core.host as ch_host
 import charms_openstack.charm
 import charms_openstack.adapters
 import charms_openstack.ip as os_ip
+import charms_openstack.plugins
 AODH_DIR = '/etc/aodh'
 AODH_CONF = os.path.join(AODH_DIR, 'aodh.conf')
@@ -49,7 +50,8 @@ class AodhAdapters(charms_openstack.adapters.OpenStackAPIRelationAdapters):
 charm_instance=charm_instance)
-class AodhCharm(charms_openstack.charm.HAOpenStackCharm):
+class AodhCharm(charms_openstack.plugins.PolicydOverridePlugin,
+ charms_openstack.charm.HAOpenStackCharm):
 # Internal name of charm + keystone endpoint
 service_name = name = 'aodh'
@@ -119,6 +121,9 @@ class AodhCharm(charms_openstack.charm.HAOpenStackCharm):
 group = 'aodh'
+ # policyd override constants
+ policyd_service_name = 'aodh'
+
 @staticmethod
 def reload_and_restart():
 if ch_host.init_is_systemd():
diff --git a/src/metadata.yaml b/src/metadata.yaml
index a970b05..37fef89 100644
--- a/src/metadata.yaml
+++ b/src/metadata.yaml
@@ -22,3 +22,8 @@ subordinate: false
 requires:
 mongodb:
 interface: mongodb
+resources:
+ policyd-override:
+ type: file
+ filename: policyd-override.zip
+ description: The policy.d overrides file
\ No newline at end of file
diff --git a/src/tests/bundles/trusty-mitaka.yaml b/src/tests/bundles/trusty-mitaka.yaml
index 2d114b7..8f4a481 100644
--- a/src/tests/bundles/trusty-mitaka.yaml
+++ b/src/tests/bundles/trusty-mitaka.yaml
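Review bot: The `use-policyd-override` description in src/config.yaml does not say what happens when the option is true but no `policyd-override` resource is attached or the ZIP holds a malformed file, and it does not mention that an override can loosen API access as well as tighten it. I would extend the description with a sentence such as `Overrides replace the service's default rules and can grant access as well as restrict it; check the unit's workload status after enabling to confirm the files were accepted.` The failure handling lives in the plugin, outside this patch, so the exact wording should be confirmed against it.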
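Review bot: No test accompanies the `PolicydOverridePlugin` mix-in added to `AodhCharm` in src/lib/charm/openstack/aodh.py. The diffstat lists only the two bundle files under src/tests, and neither attaches a `policyd-override` resource or sets `use-policyd-override`. A functional case that attaches a ZIP, enables the option, checks that an overridden rule changes the API's answer and then checks that disabling the option restores the default would cover the behaviour this commit introduces. The class body continues outside the hunk.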
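Review bot: The comment `# policyd override constants` in the third aodh.py hunk does not say what the value controls. Since `AODH_DIR = '/etc/aodh'` is defined at the top of the module, a comment such as `# Service name PolicydOverridePlugin uses to locate the policy.d directory (expected under AODH_DIR; confirm against the plugin)` would tell a maintainer that this string and the directory constant have to stay in step. The class body starts and ends outside the hunk.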
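Review bot: src/metadata.yaml now ends without a trailing newline, as the `\ No newline at end of file` marker after the added `description:` line shows, and the README.md hunk carries the same marker after its last added line; both files should end with a newline. The resource text `description: The policy.d overrides file` could also name the expected content, for example `description: ZIP archive of policy.d override YAML files`, so it matches the wording of the `use-policyd-override` option.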
@@ -52,7 +52,7 @@ applications:
 to:
 - '4'
 mongodb:
- charm: cs:trusty/mongodb
+ charm: cs:trusty/mongodb-53
 num_units: 1
 to:
 - '5'
diff --git a/src/tests/bundles/xenial-ocata.yaml b/src/tests/bundles/xenial-ocata.yaml
index 1528964..c4c20bc 100644
--- a/src/tests/bundles/xenial-ocata.yaml
+++ b/src/tests/bundles/xenial-ocata.yaml
@@ -11,6 +11,14 @@ machines:
 3: {}
 4: {}
 5: {}
+ 6: {}
+ 7: {}
+ 8: {}
+ 9: {}
+ 10: {}
+ 11: {}
+ 12: {}
+ 13: {}
 # We specify machine placements for these to improve iteration
 # time, given that machine "0" comes up way before machine "7"
@@ -51,14 +59,50 @@ applications:
 openstack-origin: *openstack-origin
 to:
 - '4'
+ ceph-osd:
+ charm: cs:~openstack-charmers-next/ceph-osd
+ num_units: 3
+ storage:
+ osd-devices: 'cinder,10G'
+ options:
+ source: *openstack-origin
+ to:
+ - '5'
+ - '6'
+ - '7'
+ ceph-mon:
+ charm: cs:~openstack-charmers-next/ceph-mon
+ num_units: 3
+ options:
+ expected-osd-count: 3
+ monitor-count: '3'
+ source: *openstack-origin
+ to:
+ - '8'
+ - '9'
+ - '10'
+ gnocchi:
+ charm: cs:~openstack-charmers-next/gnocchi
+ num_units: 1
+ options:
+ openstack-origin: *openstack-origin
+ to:
+ - '11'
+ memcached:
+ charm: cs:~memcached-team/memcached
+ num_units: 1
+ to:
+ - '12'
 mongodb:
 charm: cs:xenial/mongodb
 num_units: 1
 to:
- - '5'
+ - '13'
 relations:
 - - 'keystone:shared-db'
 - 'percona-cluster:shared-db'
+ - - 'ceph-osd:mon'
+ - 'ceph-mon:osd'
 - - 'aodh:shared-db'
 - 'percona-cluster:shared-db'
 - - 'aodh:amqp'
@@ -75,3 +119,13 @@ relations:
 - 'mongodb:database'
 - - 'ceilometer:identity-service'
 - 'keystone:identity-service'
+ - - 'ceilometer:metric-service'
+ - 'gnocchi:metric-service'
+ - - 'gnocchi:identity-service'
+ - 'keystone:identity-service'
+ - - 'gnocchi:shared-db'
+ - 'percona-cluster:shared-db'
+ - - 'gnocchi:storage-ceph'
+ - 'ceph-mon:client'
+ - - 'gnocchi:coordinator-memcached'
+ - 'memcached:cache'
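Review bot: The applications hunk of src/tests/bundles/xenial-ocata.yaml adds ceph-osd, ceph-mon, gnocchi and memcached without saying why, and the commit message only states that the functional tests were updated. Judging by the relations hunk, they appear to be there so that `ceilometer:metric-service` can relate to gnocchi; a comment above `gnocchi:` such as `# gnocchi (backed by ceph and memcached) provides ceilometer's metric-service` would record that. `cs:~memcached-team/memcached` is added unpinned and `cs:xenial/mongodb` stays unpinned, while the trusty-mitaka hunk pins `cs:trusty/mongodb-53`, so the two bundles can resolve to different charm revisions from one run to the next. Pinning the revisions, or a comment explaining why only one bundle is pinned, would keep test results reproducible.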