From e8de2a5f0b2faeb0774e60d5c5c8ff15b1139c02 Mon Sep 17 00:00:00 2001
From: Aleksandr Chudinov
Date: Thu, 22 Feb 2024 09:14:15 +0200
Subject: [PATCH] Add property protection configuration
Allows to configure property protection according to https://docs.openstack.org/glance/latest/admin/property-protections.html
Change-Id: I9b4c0985969a4945ce8a1058206376b0347fbb27
---
defaults/main.yml | 17 +++++++++++++++++
...ce_property_protection-458102a81be747f5.yaml | 7 +++++++
tasks/glance_post_install.yml | 15 +++++++++++++++
templates/glance-api.conf.j2 | 4 ++++
4 files changed, 43 insertions(+)
create mode 100644 releasenotes/notes/glance_property_protection-458102a81be747f5.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 9413edbc..852cdc88 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -392,3 +392,20 @@ glance_pki_install_certificates:
 # Define user-provided SSL certificates
 # glance_user_ssl_cert:
 # glance_user_ssl_key:
+
+# Glance property protection
+glance_property_protection_file: "property-protection.conf"
+glance_property_protection_rule_format: roles
+# Expected dict structure example:
+# glance_property_protection_file_overrides:
+# protected_property1:
+# create: admin,member
+# read: admin,member,reader
+# update: admin
+# delete: admin
+# .*:
+# create: admin,member
+# read: admin,member,reader
+# update: admin,member
+# delete: admin,member
+glance_property_protection_file_overrides: {}
diff --git a/releasenotes/notes/glance_property_protection-458102a81be747f5.yaml b/releasenotes/notes/glance_property_protection-458102a81be747f5.yaml
new file mode 100644
index 00000000..8dac37c1
--- /dev/null
+++ b/releasenotes/notes/glance_property_protection-458102a81be747f5.yaml
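Review bot: The commented example for `glance_property_protection_file_overrides` in defaults/main.yml does not say that section order is significant: Glance applies property protection sections in file order and uses the first pattern that matches, so the `.*` entry only works as a fallback because it is listed last. I would add above the example `# Sections are matched in order and the first match wins; keep catch-all patterns such as '.*' last.` and, next to `glance_property_protection_rule_format`, `# Either 'roles' or 'policies'.` It is also worth confirming that the `config_overrides` rendering used by the `Implement property protection` task in tasks/glance_post_install.yml writes sections in the same order as the dict, since a reordered file would change which rule applies. As far as I recall, a property that matches no section is denied for every operation once protections are enabled, so an operator who lists only one protected property should be told to add a fallback section too.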
@@ -0,0 +1,7 @@ +--- +features: + - | + Added property protection configuration, managed with new variables: + ``glance_property_protection_file_overrides`` (should be configured + for a configuration to run, look in Default variables for an example), + ``glance_property_protection_rule_format``, ``glance_property_protection_file``. diff --git a/tasks/glance_post_install.yml b/tasks/glance_post_install.yml index 4c1eb804..7681e3f2 100644 --- a/tasks/glance_post_install.yml +++ b/tasks/glance_post_install.yml @@ -77,6 +77,21 @@ tags: - glance-policy-override +- name: Implement property protection + openstack.config_template.config_template: + dest: "{{ glance_etc_dir }}/{{ glance_property_protection_file }}" + config_type: "ini" + owner: "root" + group: "{{ glance_system_group_name }}" + mode: "0640" + config_overrides: "{{ glance_property_protection_file_overrides }}" + when: glance_property_protection_file_overrides | length > 0 + tags: + - glance-property-protection + notify: + - Restart glance services + - Restart uwsgi services + - name: Deploy Glance image import configuration file template: src: "{{ glance_glance_image_import_conf_location }}" diff --git a/templates/glance-api.conf.j2 b/templates/glance-api.conf.j2 index 13fd8a16..eb823175 100644 --- a/templates/glance-api.conf.j2 +++ b/templates/glance-api.conf.j2 @@ -29,6 +29,10 @@ show_multiple_locations = {{ glance_show_multiple_locations }} enabled_backends = {% for backend in glance_available_stores %}{{ backend['name'] }}:{{ backend['type'] }}{% if not loop.last %},{% endif %}{% endfor %} +{% if glance_property_protection_file_overrides | length > 0 %} +property_protection_file = {{ glance_property_protection_file }} +property_protection_rule_format = {{ glance_property_protection_rule_format }} +{% endif %} [task] task_executor = {{ glance_task_executor }}
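Review bot: Emptying `glance_property_protection_file_overrides` on a later run leaves the previously rendered file in place, because the `Implement property protection` task in tasks/glance_post_install.yml is skipped by its `when:` and nothing removes `{{ glance_etc_dir }}/{{ glance_property_protection_file }}`. The template change in the same patch drops `property_protection_file` in that case, so protections are switched off while a rule file on disk suggests otherwise; a companion task that removes the file keeps disk and configuration in step. Separately, the task passes no `src` or `content` to `config_template`, and I cannot tell from the hunk whether the module renders from `config_overrides` alone, so that should be confirmed on a fresh host.

```yaml
# … unchanged: "Implement property protection" task …

- name: Remove property protection file when no rules are defined
  ansible.builtin.file:
    path: "{{ glance_etc_dir }}/{{ glance_property_protection_file }}"
    state: absent
  when: glance_property_protection_file_overrides | length == 0
  tags:
    - glance-property-protection
```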
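Review bot: In templates/glance-api.conf.j2 the new `property_protection_file` line writes the bare `glance_property_protection_file` value, while the task in tasks/glance_post_install.yml writes the file to `{{ glance_etc_dir }}/{{ glance_property_protection_file }}`, so the two agree only as long as glance-api resolves a relative name to that same directory. Using the same expression in both places, `property_protection_file = {{ glance_etc_dir }}/{{ glance_property_protection_file }}`, removes that dependency. As I understand the Glance option, a configured but missing protection file stops glance-api from starting, so a mismatch would surface as a failed restart from the notified handlers. The hunk does not show the section header above `enabled_backends`, so confirm both options land in the section where Glance reads them.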