[goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file format from JSON to YAML[1], we need to replace policy.json with policy.yaml and remove the deprecated policy.json. config_template has been chosen instead of copy, since it can properly handle content that has been looked up. We use a separate task so that the service is not restarted when it is not needed. [1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: Ie246d803b5c4e490af76351a595aedcf2fcff62b
parent
c0f9229980
commit
af92c6ae79
|
@ -23,3 +23,12 @@
|
|||
with_items: "{{ filtered_magnum_services }}"
|
||||
listen:
|
||||
- "venv changed"
|
||||
|
||||
# NOTE (noonedeadpunk): Remove this task after Xena release
|
||||
- name: Remove obsoleted policy.json
|
||||
file:
|
||||
path: "{{ magnum_etc_directory }}/policy.json"
|
||||
state: absent
|
||||
listen:
|
||||
- "Restart magnum services"
|
||||
- "venv changed"
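Review bot: The `Remove obsoleted policy.json` handler only runs when `Restart magnum services` or `venv changed` is notified, so on a host where neither fires the old policy.json stays in `{{ magnum_etc_directory }}`. Depending on the oslo.policy version in use, a leftover policy.json may still be loaded as a fallback when no policy.yaml exists, which would keep stale authorization rules in force; this is worth confirming for the targeted release. The handler is also defined after what appears to be the restart handler (its start is outside the hunk), and Ansible runs handlers in definition order, so the services restart before the file is deleted; placing this handler ahead of the restart one would avoid that. A short comment above the task, such as `# Handler rather than task: policy.json is only removed when a restart is already pending`, would make the intent clear to whoever removes it after Xena.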
|
||||
|
|
|
@ -27,10 +27,6 @@
|
|||
destination: "{{ magnum_etc_directory }}/magnum.conf"
|
||||
config_overrides: "{{ magnum_config_overrides }}"
|
||||
config_type: "ini"
|
||||
- source: "policy.json.j2"
|
||||
destination: "{{ magnum_etc_directory }}/policy.json"
|
||||
config_overrides: "{{ magnum_policy_overrides }}"
|
||||
config_type: "json"
|
||||
- source: "api-paste.ini.j2"
|
||||
destination: "{{ magnum_etc_directory }}/api-paste.ini"
|
||||
config_overrides: "{{ magnum_api_paste_ini_overrides }}"
|
||||
|
@ -39,7 +35,28 @@
|
|||
destination: "{{ magnum_etc_directory }}/keystone_auth_default_policy.json"
|
||||
config_overrides: "{{ magnum_keystone_auth_default_policy }}"
|
||||
config_type: "json"
|
||||
|
||||
notify:
|
||||
- Restart magnum services
|
||||
- Restart uwsgi services
|
||||
|
||||
- name: Implement policy.yaml
|
||||
config_template:
|
||||
destination: "{{ magnum_etc_directory }}/policy.yaml"
|
||||
content: "{{ magnum_policy_overrides }}"
|
||||
owner: "{{ magnum_system_user_name }}"
|
||||
group: "{{ magnum_system_group_name }}"
|
||||
mode: "0644"
|
||||
config_type: "yaml"
|
||||
when:
|
||||
- magnum_policy_overrides | length > 0
|
||||
tags:
|
||||
- magnum-policy-override
|
||||
|
||||
- name: Remove legacy policy.yaml file
|
||||
file:
|
||||
path: "{{ magnum_etc_directory }}/policy.yaml"
|
||||
state: absent
|
||||
when:
|
||||
- magnum_policy_overrides | length == 0
|
||||
tags:
|
||||
- magnum-policy-override
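Review bot: The `Implement policy.yaml` task writes the authorization policy with `owner: "{{ magnum_system_user_name }}"` and `mode: "0644"`, so the account the policy is meant to constrain can rewrite it. Unless the service needs write access, which nothing in this hunk suggests, `owner: "root"` with `mode: "0640"` and the existing group keeps the file readable by magnum but not modifiable by it. The second task's name, `Remove legacy policy.yaml file`, is also misleading: it deletes the current policy.yaml whenever `magnum_policy_overrides` is empty, so a name like `Remove policy.yaml when no overrides are set` describes it better. The task list these hunks belong to starts outside the visible lines.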
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
"admin_api": "rule:context_is_admin",
|
||||
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
|
||||
"cluster_user": "user_id:%(trustee_user_id)s",
|
||||
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
|
||||
|
||||
"bay:create": "rule:deny_cluster_user",
|
||||
"bay:delete": "rule:deny_cluster_user",
|
||||
"bay:detail": "rule:deny_cluster_user",
|
||||
"bay:get": "rule:deny_cluster_user",
|
||||
"bay:get_all": "rule:deny_cluster_user",
|
||||
"bay:update": "rule:deny_cluster_user",
|
||||
|
||||
"baymodel:create": "rule:deny_cluster_user",
|
||||
"baymodel:delete": "rule:deny_cluster_user",
|
||||
"baymodel:detail": "rule:deny_cluster_user",
|
||||
"baymodel:get": "rule:deny_cluster_user",
|
||||
"baymodel:get_all": "rule:deny_cluster_user",
|
||||
"baymodel:update": "rule:deny_cluster_user",
|
||||
"baymodel:publish": "rule:admin_api",
|
||||
|
||||
"cluster:create": "rule:deny_cluster_user",
|
||||
"cluster:delete": "rule:deny_cluster_user",
|
||||
"cluster:detail": "rule:deny_cluster_user",
|
||||
"cluster:get": "rule:deny_cluster_user",
|
||||
"cluster:get_all": "rule:deny_cluster_user",
|
||||
"cluster:update": "rule:deny_cluster_user",
|
||||
|
||||
"clustertemplate:create": "rule:deny_cluster_user",
|
||||
"clustertemplate:delete": "rule:deny_cluster_user",
|
||||
"clustertemplate:detail": "rule:deny_cluster_user",
|
||||
"clustertemplate:get": "rule:deny_cluster_user",
|
||||
"clustertemplate:get_all": "rule:deny_cluster_user",
|
||||
"clustertemplate:update": "rule:deny_cluster_user",
|
||||
"clustertemplate:publish": "rule:admin_api",
|
||||
|
||||
"quotas:get": "rule:default",
|
||||
"quotas:get_all": "rule:admin_api",
|
||||
"quotas:create": "rule:admin_api",
|
||||
"quotas:update": "rule:admin_api",
|
||||
"quotas:delete": "rule:admin_api",
|
||||
|
||||
"certificate:rotate_ca": "rule:admin_or_owner",
|
||||
"certificate:create": "rule:admin_or_user or rule:cluster_user",
|
||||
"certificate:get": "rule:admin_or_user or rule:cluster_user",
|
||||
|
||||
"magnum-service:get_all": "rule:admin_api",
|
||||
"stats:get_all": "rule:admin_or_owner"
|
||||
}
|