From 80769c5714770c02c300ac9f3e9c06a44791dbfc Mon Sep 17 00:00:00 2001
From: Akihiro Motoki
Date: Fri, 23 Nov 2018 05:18:40 +0900
Subject: [PATCH] Migration logic for neutron policy-in-code Neutron is in a process to migrate to policy-in-code. DevStack needs to be able to handle both cases with and without policy.json in the neutron repo. Note that nova assumes neutron API access with admin so user_name:neutron needs to be included in context_is_admin to make DevStack work properly. Hopefully this can be cleanup but this is a separate topic from policy-in-code.
Needed-By: https://review.openstack.org/#/c/585037/
Change-Id: Id1b0600d92e839ade1790a15c372e82e8e16ee9f
---
 lib/neutron | 9 +++++++--
 lib/neutron-legacy | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/lib/neutron b/lib/neutron
index 4847e87f2f..62f7366e7e 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -183,9 +183,14 @@ function configure_neutron_new {
 # Neutron API server & Neutron plugin
 if is_service_enabled neutron-api; then
 local policy_file=$NEUTRON_CONF_DIR/policy.json
- cp $NEUTRON_DIR/etc/policy.json $policy_file
 # Allow neutron user to administer neutron to match neutron account
- sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $policy_file
+ # NOTE(amotoki): This is required for nova works correctly with neutron.
+ if [ -f $NEUTRON_DIR/etc/policy.json ]; then
+ cp $NEUTRON_DIR/etc/policy.json $policy_file
+ sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $policy_file
+ else
+ echo '{"context_is_admin": "role:admin or user_name:neutron"}' > $policy_file
+ fi
 cp $NEUTRON_DIR/etc/api-paste.ini $NEUTRON_CONF_DIR/api-paste.ini
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index be5b73ffa6..2fdb6db6f6 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
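Review bot: The `context_is_admin` rule written by the new `else` branch in `configure_neutron_new` (lib/neutron), and by the `sed` in the `if` branch, grants admin context on `user_name:neutron`, which as far as the rule text shows matches on user name alone with no domain or project qualifier. Keystone user names are unique only within a domain, so on a multi-domain setup a same-named user in another domain would presumably satisfy the rule as well. The commit message already calls this a workaround for nova, and the code comment should carry that caveat too, e.g. `# NOTE: DevStack-only workaround; user_name is not domain-scoped, do not copy this rule into a production policy file`. The same applies to the matching hunk in lib/neutron-legacy; the enclosing function starts and ends outside the hunk.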
@@ -699,10 +699,15 @@ function _configure_neutron_common {
 cp $NEUTRON_DIR/etc/neutron.conf.sample $NEUTRON_CONF
 Q_POLICY_FILE=$NEUTRON_CONF_DIR/policy.json
- cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE
 # allow neutron user to administer neutron to match neutron account
- sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE
+ # NOTE(amotoki): This is required for nova works correctly with neutron.
+ if [ -f $NEUTRON_DIR/etc/policy.json ]; then
+ cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE
+ sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE
+ else
+ echo '{"context_is_admin": "role:admin or user_name:neutron"}' > $Q_POLICY_FILE
+ fi
 # Set plugin-specific variables ``Q_DB_NAME``, ``Q_PLUGIN_CLASS``.
 # For main plugin config file, set ``Q_PLUGIN_CONF_PATH``, ``Q_PLUGIN_CONF_FILENAME``.
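Review bot: The `sed` kept in the `if` branch of `_configure_neutron_common` rewrites only the exact text `"context_is_admin": "role:admin"`, so if the policy.json shipped in the neutron tree ever words that rule differently the substitution is a silent no-op. The admin grant for the neutron user, which the NOTE calls required, would then be missing with no error at stack time. A check after the `fi` would surface this, for example `grep -q 'user_name:neutron' $Q_POLICY_FILE || die $LINENO "context_is_admin override missing in $Q_POLICY_FILE"`. The same holds for the `$policy_file` hunk in lib/neutron; the function body continues outside the hunk.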