From af92c6ae7993ff83dcc49044421ce4b84d817891 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Thu, 18 Mar 2021 20:30:40 +0200
Subject: [PATCH] [goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to replace policy.json to policy.yaml and remove deprecated policy.json. config_template has been choosen instead of the copy, since it can properly handle content that has been lookuped. We make a separate task not to restart service when it's not needed.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: Ie246d803b5c4e490af76351a595aedcf2fcff62b
---
 handlers/main.yml | 9 ++++++
 tasks/magnum_post_install.yml | 27 ++++++++++++++----
 templates/policy.json.j2 | 52 -----------------------------------
 3 files changed, 31 insertions(+), 57 deletions(-)
 delete mode 100644 templates/policy.json.j2

diff --git a/handlers/main.yml b/handlers/main.yml
index cb8d940..e5ab561 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -23,3 +23,12 @@
   with_items: "{{ filtered_magnum_services }}"
   listen:
     - "venv changed"
+
+# NOTE (noonedeadpunk): Remove this task after Xena release
+- name: Remove obsoleted policy.json
+  file:
+    path: "{{ magnum_etc_directory }}/policy.json"
+    state: absent
+  listen:
+    - "Restart magnum services"
+    - "venv changed"
diff --git a/tasks/magnum_post_install.yml b/tasks/magnum_post_install.yml
index e27a913..05b684a 100644
--- a/tasks/magnum_post_install.yml
+++ b/tasks/magnum_post_install.yml
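Review bot: The new `Remove obsoleted policy.json` handler only fires on `Restart magnum services` or `venv changed`, so a run that changes nothing but policy overrides (the policy.yaml task added in tasks/magnum_post_install.yml carries no `notify:`) leaves the old policy.json on disk. If oslo.policy still prefers an existing policy.json over policy.yaml — the fallback the linked Wallaby goal describes, which cannot be verified from this diff — the stale JSON rules remain the effective authorization policy and the YAML overrides are silently ignored. Deleting the file should not depend on a restart: drop the `listen:` block and move the `file: path: "{{ magnum_etc_directory }}/policy.json" state: absent` task into the post-install tasks so it runs on every play, or make the policy.yaml task notify `Restart magnum services`. The `# NOTE (noonedeadpunk)` comment would also be more useful if it stated why the file must go (stale JSON policy shadowing the YAML one) rather than only when the task can be dropped.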
@@ -27,10 +27,6 @@
       destination: "{{ magnum_etc_directory }}/magnum.conf"
       config_overrides: "{{ magnum_config_overrides }}"
       config_type: "ini"
-    - source: "policy.json.j2"
-      destination: "{{ magnum_etc_directory }}/policy.json"
-      config_overrides: "{{ magnum_policy_overrides }}"
-      config_type: "json"
     - source: "api-paste.ini.j2"
       destination: "{{ magnum_etc_directory }}/api-paste.ini"
       config_overrides: "{{ magnum_api_paste_ini_overrides }}"
@@ -39,7 +35,28 @@
       destination: "{{ magnum_etc_directory }}/keystone_auth_default_policy.json"
       config_overrides: "{{ magnum_keystone_auth_default_policy }}"
       config_type: "json"
-  notify:
     - Restart magnum services
     - Restart uwsgi services
+
+- name: Implement policy.yaml
+  config_template:
+    destination: "{{ magnum_etc_directory }}/policy.yaml"
+    content: "{{ magnum_policy_overrides }}"
+    owner: "{{ magnum_system_user_name }}"
+    group: "{{ magnum_system_group_name }}"
+    mode: "0644"
+    config_type: "yaml"
+  when:
+    - magnum_policy_overrides | length > 0
+  tags:
+    - magnum-policy-override
+
+- name: Remove legacy policy.yaml file
+  file:
+    path: "{{ magnum_etc_directory }}/policy.yaml"
+    state: absent
+  when:
+    - magnum_policy_overrides | length == 0
+  tags:
+    - magnum-policy-override
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
deleted file mode 100644
index cb19ad7..0000000
--- a/templates/policy.json.j2
+++ /dev/null
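Review bot: In the second hunk `notify:` is removed from the config-copy task while its two items `- Restart magnum services` and `- Restart uwsgi services` stay as unchanged lines, so on the new side they have no parent key; at the indentation this file uses they most likely become extra string entries of the preceding `with_items` list, which breaks the loop's `item.source`/`item.destination` lookups, and a changed magnum.conf no longer restarts anything. The hunk header counts one more line than is visible in this collapsed rendering, so this should be confirmed against the rendered file, but either way the restart handlers belong on that task: keep `  notify:` / `    - Restart magnum services` / `    - Restart uwsgi services`. The new `Implement policy.yaml` task deliberately carries no `notify:`; if that relies on oslo.policy re-reading the file when it changes, record it in a comment such as `# No restart needed: oslo.policy reloads the policy file when its mtime changes`. The task this hunk edits begins before the hunk, so its `name` and the rest of its `config_template` arguments are not visible here.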
@@ -1,52 +0,0 @@
-{
-    "context_is_admin": "role:admin",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-    "default": "rule:admin_or_owner",
-    "admin_api": "rule:context_is_admin",
-    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
-    "cluster_user": "user_id:%(trustee_user_id)s",
-    "deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
-
-    "bay:create": "rule:deny_cluster_user",
-    "bay:delete": "rule:deny_cluster_user",
-    "bay:detail": "rule:deny_cluster_user",
-    "bay:get": "rule:deny_cluster_user",
-    "bay:get_all": "rule:deny_cluster_user",
-    "bay:update": "rule:deny_cluster_user",
-
-    "baymodel:create": "rule:deny_cluster_user",
-    "baymodel:delete": "rule:deny_cluster_user",
-    "baymodel:detail": "rule:deny_cluster_user",
-    "baymodel:get": "rule:deny_cluster_user",
-    "baymodel:get_all": "rule:deny_cluster_user",
-    "baymodel:update": "rule:deny_cluster_user",
-    "baymodel:publish": "rule:admin_api",
-
-    "cluster:create": "rule:deny_cluster_user",
-    "cluster:delete": "rule:deny_cluster_user",
-    "cluster:detail": "rule:deny_cluster_user",
-    "cluster:get": "rule:deny_cluster_user",
-    "cluster:get_all": "rule:deny_cluster_user",
-    "cluster:update": "rule:deny_cluster_user",
-
-    "clustertemplate:create": "rule:deny_cluster_user",
-    "clustertemplate:delete": "rule:deny_cluster_user",
-    "clustertemplate:detail": "rule:deny_cluster_user",
-    "clustertemplate:get": "rule:deny_cluster_user",
-    "clustertemplate:get_all": "rule:deny_cluster_user",
-    "clustertemplate:update": "rule:deny_cluster_user",
-    "clustertemplate:publish": "rule:admin_api",
-
-    "quotas:get": "rule:default",
-    "quotas:get_all": "rule:admin_api",
-    "quotas:create": "rule:admin_api",
-    "quotas:update": "rule:admin_api",
-    "quotas:delete": "rule:admin_api",
-
-    "certificate:rotate_ca": "rule:admin_or_owner",
-    "certificate:create": "rule:admin_or_user or rule:cluster_user",
-    "certificate:get": "rule:admin_or_user or rule:cluster_user",
-
-    "magnum-service:get_all": "rule:admin_api",
-    "stats:get_all": "rule:admin_or_owner"
-}