[goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file format from JSON to YAML[1], we need to replace policy.json with policy.yaml and remove the deprecated policy.json. config_template has been chosen instead of copy, since it can properly handle content that has been looked up. We use a separate task so that the service is not restarted when it's not needed. [1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: Ie246d803b5c4e490af76351a595aedcf2fcff62b
parent
c0f9229980
commit
af92c6ae79
|
@ -23,3 +23,12 @@
|
||||||
with_items: "{{ filtered_magnum_services }}"
|
with_items: "{{ filtered_magnum_services }}"
|
||||||
listen:
|
listen:
|
||||||
- "venv changed"
|
- "venv changed"
|
||||||
|
|
||||||
|
# NOTE (noonedeadpunk): Remove this task after Xena release
|
||||||
|
- name: Remove obsoleted policy.json
|
||||||
|
file:
|
||||||
|
path: "{{ magnum_etc_directory }}/policy.json"
|
||||||
|
state: absent
|
||||||
|
listen:
|
||||||
|
- "Restart magnum services"
|
||||||
|
- "venv changed"
|
||||||
|
|
|
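Review bot: The new `Remove obsoleted policy.json` handler runs only when `Restart magnum services` or `venv changed` is notified, so on a host where neither fires the old access-control file stays in `{{ magnum_etc_directory }}`. It is also defined after what appears to be the restart handler (that handler starts outside the hunk), and Ansible runs handlers in definition order, so the file is deleted only after the services have come back up. Whether a restarted service can still pick up rules from the leftover policy.json depends on how the policy library resolves its file, which this page does not show, so please confirm. For a file that decides authorization I would do the cleanup as an ordinary task in the post-install task file, next to the policy.yaml tasks, with the same `file:` / `state: absent` body, so that it runs on every play.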
@ -27,10 +27,6 @@
|
||||||
destination: "{{ magnum_etc_directory }}/magnum.conf"
|
destination: "{{ magnum_etc_directory }}/magnum.conf"
|
||||||
config_overrides: "{{ magnum_config_overrides }}"
|
config_overrides: "{{ magnum_config_overrides }}"
|
||||||
config_type: "ini"
|
config_type: "ini"
|
||||||
- source: "policy.json.j2"
|
|
||||||
destination: "{{ magnum_etc_directory }}/policy.json"
|
|
||||||
config_overrides: "{{ magnum_policy_overrides }}"
|
|
||||||
config_type: "json"
|
|
||||||
- source: "api-paste.ini.j2"
|
- source: "api-paste.ini.j2"
|
||||||
destination: "{{ magnum_etc_directory }}/api-paste.ini"
|
destination: "{{ magnum_etc_directory }}/api-paste.ini"
|
||||||
config_overrides: "{{ magnum_api_paste_ini_overrides }}"
|
config_overrides: "{{ magnum_api_paste_ini_overrides }}"
|
||||||
|
@ -39,7 +35,28 @@
|
||||||
destination: "{{ magnum_etc_directory }}/keystone_auth_default_policy.json"
|
destination: "{{ magnum_etc_directory }}/keystone_auth_default_policy.json"
|
||||||
config_overrides: "{{ magnum_keystone_auth_default_policy }}"
|
config_overrides: "{{ magnum_keystone_auth_default_policy }}"
|
||||||
config_type: "json"
|
config_type: "json"
|
||||||
|
|
||||||
notify:
|
notify:
|
||||||
- Restart magnum services
|
- Restart magnum services
|
||||||
- Restart uwsgi services
|
- Restart uwsgi services
|
||||||
|
|
||||||
|
- name: Implement policy.yaml
|
||||||
|
config_template:
|
||||||
|
destination: "{{ magnum_etc_directory }}/policy.yaml"
|
||||||
|
content: "{{ magnum_policy_overrides }}"
|
||||||
|
owner: "{{ magnum_system_user_name }}"
|
||||||
|
group: "{{ magnum_system_group_name }}"
|
||||||
|
mode: "0644"
|
||||||
|
config_type: "yaml"
|
||||||
|
when:
|
||||||
|
- magnum_policy_overrides | length > 0
|
||||||
|
tags:
|
||||||
|
- magnum-policy-override
|
||||||
|
|
||||||
|
- name: Remove legacy policy.yaml file
|
||||||
|
file:
|
||||||
|
path: "{{ magnum_etc_directory }}/policy.yaml"
|
||||||
|
state: absent
|
||||||
|
when:
|
||||||
|
- magnum_policy_overrides | length == 0
|
||||||
|
tags:
|
||||||
|
- magnum-policy-override
|
||||||
|
|
|
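Review bot: In `Implement policy.yaml` the file is written with `owner: "{{ magnum_system_user_name }}"` and `mode: "0644"`, so the account that enforces the policy can also rewrite it, and every local user can read it. For an authorization file a tighter default is `owner: "root"` with `mode: "0640"`, keeping `group: "{{ magnum_system_group_name }}"` so the service can still read it. How the other files in this role are owned is not visible in the hunk, so check that this stays consistent with them. Separately, the task name `Remove legacy policy.yaml file` is misleading, since it removes the current-format file when no overrides are set; something like `Remove policy.yaml when no overrides are defined` says what it does.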
@ -1,52 +0,0 @@
|
||||||
{
|
|
||||||
"context_is_admin": "role:admin",
|
|
||||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
|
||||||
"default": "rule:admin_or_owner",
|
|
||||||
"admin_api": "rule:context_is_admin",
|
|
||||||
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
|
|
||||||
"cluster_user": "user_id:%(trustee_user_id)s",
|
|
||||||
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
|
|
||||||
|
|
||||||
"bay:create": "rule:deny_cluster_user",
|
|
||||||
"bay:delete": "rule:deny_cluster_user",
|
|
||||||
"bay:detail": "rule:deny_cluster_user",
|
|
||||||
"bay:get": "rule:deny_cluster_user",
|
|
||||||
"bay:get_all": "rule:deny_cluster_user",
|
|
||||||
"bay:update": "rule:deny_cluster_user",
|
|
||||||
|
|
||||||
"baymodel:create": "rule:deny_cluster_user",
|
|
||||||
"baymodel:delete": "rule:deny_cluster_user",
|
|
||||||
"baymodel:detail": "rule:deny_cluster_user",
|
|
||||||
"baymodel:get": "rule:deny_cluster_user",
|
|
||||||
"baymodel:get_all": "rule:deny_cluster_user",
|
|
||||||
"baymodel:update": "rule:deny_cluster_user",
|
|
||||||
"baymodel:publish": "rule:admin_api",
|
|
||||||
|
|
||||||
"cluster:create": "rule:deny_cluster_user",
|
|
||||||
"cluster:delete": "rule:deny_cluster_user",
|
|
||||||
"cluster:detail": "rule:deny_cluster_user",
|
|
||||||
"cluster:get": "rule:deny_cluster_user",
|
|
||||||
"cluster:get_all": "rule:deny_cluster_user",
|
|
||||||
"cluster:update": "rule:deny_cluster_user",
|
|
||||||
|
|
||||||
"clustertemplate:create": "rule:deny_cluster_user",
|
|
||||||
"clustertemplate:delete": "rule:deny_cluster_user",
|
|
||||||
"clustertemplate:detail": "rule:deny_cluster_user",
|
|
||||||
"clustertemplate:get": "rule:deny_cluster_user",
|
|
||||||
"clustertemplate:get_all": "rule:deny_cluster_user",
|
|
||||||
"clustertemplate:update": "rule:deny_cluster_user",
|
|
||||||
"clustertemplate:publish": "rule:admin_api",
|
|
||||||
|
|
||||||
"quotas:get": "rule:default",
|
|
||||||
"quotas:get_all": "rule:admin_api",
|
|
||||||
"quotas:create": "rule:admin_api",
|
|
||||||
"quotas:update": "rule:admin_api",
|
|
||||||
"quotas:delete": "rule:admin_api",
|
|
||||||
|
|
||||||
"certificate:rotate_ca": "rule:admin_or_owner",
|
|
||||||
"certificate:create": "rule:admin_or_user or rule:cluster_user",
|
|
||||||
"certificate:get": "rule:admin_or_user or rule:cluster_user",
|
|
||||||
|
|
||||||
"magnum-service:get_all": "rule:admin_api",
|
|
||||||
"stats:get_all": "rule:admin_or_owner"
|
|
||||||
}
|
|