Update barbican policy management
PROD-34318
Change-Id: I1efb619fd085458b55fbaeba7d1b43e76ca9e37c
diff --git a/.kitchen.yml b/.kitchen.yml
index fcb455a..b585287 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -19,6 +19,10 @@
repo: git
source: https://gerrit.mcp.mirantis.com/salt-formulas/apache
branch: <%=ENV['GERRIT_BRANCH'] || 'release/2019.2.0' %>
+ - name: keystone
+ repo: git
+ source: https://gerrit.mcp.mirantis.com/salt-formulas/keystone
+ branch: <%=ENV['GERRIT_BRANCH'] || 'release/2019.2.0' %>
- name: oslo_templates
repo: git
source: https://gerrit.mcp.mirantis.com/salt-formulas/oslo-templates
diff --git a/README.rst b/README.rst
index 29d1578..04ccd70 100644
--- a/README.rst
+++ b/README.rst
@@ -238,6 +238,19 @@
cacert_file: /etc/openstack/mysql-ca.pem
+Change default service policy configuration:
+--------------------------------------------
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ policy:
+ creator: 'role:creator'
+ audit: 'role:audit'
+ # Add key without value to remove line from policy.json
+ quotas:get:
+
Configuring plugins
-------------------
diff --git a/barbican/server.sls b/barbican/server.sls
index d79683b..c1960f8 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -57,8 +57,7 @@
- pkg: barbican_server_packages
- sls: barbican.db.offline_sync
-{%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata", "pike"] %}
-{#- Since Queens release `policy.json` is changed to `policy.yaml`. But default option in `oslo_policy` is `policy.json` #}
+{%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
/etc/barbican/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}:
file.managed:
- mode: 0640
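Review bot: The release list in the new `{%- if server.version not in [...] %}` guard now appears three times in this file: here and in the two `- file:` requisite guards added in the next hunk. The comment that explained the guard was also removed. Evaluating it once, for example `{%- set manage_policy_file = server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}`, and testing `manage_policy_file` in all three places keeps the `file.managed` state and its requisites from drifting apart. If they drift, a `require` can name a file state that was never rendered, and the policy rule states then fail to apply. A short Jinja comment such as `{#- Pike and later: manage the policy file so keystone_policy rules have a target #}` would replace the dropped explanation. The `file.managed` body continues outside the hunk.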
@@ -73,17 +72,25 @@
barbican_keystone_rule_{{ name }}_present:
keystone_policy.rule_present:
- path: /etc/barbican/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
- - name: {{ name }}
- - rule: "{{ rule }}"
+ - name: '{{ name }}'
+ - rule: '{{ rule }}'
- require:
- pkg: barbican_server_packages
+ {%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+ - file: /etc/barbican/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
+ {%- endif %}
+
{%- else %}
barbican_keystone_rule_{{ name }}_absent:
keystone_policy.rule_absent:
- path: /etc/barbican/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
- - name: {{ name }}
+ - name: '{{ name }}'
- require:
- pkg: barbican_server_packages
+ {%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+ - file: /etc/barbican/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
+ {%- endif %}
+
{%- endif %}
{%- endfor %}
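Review bot: The new `- name: '{{ name }}'` and `- rule: '{{ rule }}'` lines put pillar values inside single-quoted YAML scalars without escaping them. An oslo.policy rule that contains a literal check such as `'member':%(role)s` would end the scalar early, so the state either fails to render or applies a rule different from the one the operator wrote. Because these values become Barbican's access-control policy, the rendered rule should be guaranteed to match the pillar exactly. Salt's quoting filters do the escaping, e.g. `- rule: {{ rule|yaml_squote }}` and `- name: {{ name|yaml_squote }}`, assuming the targeted Salt release ships them. The enclosing `for` loop and its `if` start outside this hunk.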
diff --git a/metadata.yml b/metadata.yml
index 1be09cc..c8f9be8 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -4,3 +4,5 @@
dependencies:
- name: apache
source: "https://gerrit.mcp.mirantis.com/salt-formulas/apache"
+ - name: keystone
+ source: "https://gerrit.mcp.mirantis.com/salt-formulas/keystone"
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index 9b1c642..d1143d6 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -94,6 +94,9 @@
enabled: false
ossyslog:
enabled: false
+ policy:
+ creator: 'role:creator'
+ audit: 'role:audit'
configmap:
DEFAULT:
max_allowed_secret_in_bytes: 10000
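Review bot: The added test pillar only exercises rules that have a value, so the `keystone_policy.rule_absent` branch changed in `barbican/server.sls` is never rendered by the kitchen run. The README added in this commit documents removal through a key with no value, so adding an entry such as `'quotas:get':` under `policy:` would cover that path, including the quoting of a name that contains a colon. This assumes the loop's condition, which is outside the visible hunks, treats an empty value as "absent".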