Policy.json should be defined by user
Users can override and add values in policy.json by creating a flat
key-value structure under glance:server:policy.
Change-Id: I4db6b17ab1ff925aa20cd3565417a4b35ed4561e
diff --git a/.kitchen.yml b/.kitchen.yml
index 8178b6e..f10eeff 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -18,6 +18,9 @@
- name: linux
repo: git
source: https://github.com/salt-formulas/salt-formula-linux
+ - name: keystone
+ repo: git
+ source: https://github.com/salt-formulas/salt-formula-keystone
state_top:
base:
"*":
diff --git a/README.rst b/README.rst
index dac4563..c791b9a 100644
--- a/README.rst
+++ b/README.rst
@@ -64,6 +64,17 @@
* *limit_param_default* is the default *limit* parameter that
applies if the request didn't defined it explicitly.
+Configuration of policy.json file
+
+.. code-block:: yaml
+
+ glance:
+ server:
+ ....
+ policy:
+ publicize_image: "role:admin"
+ # Add key without value to remove line from policy.json
+ add_member:
Keystone and cinder region
.. code-block:: yaml
diff --git a/glance/files/mitaka/policy.json b/glance/files/mitaka/policy.json
deleted file mode 100644
index f49bc08..0000000
--- a/glance/files/mitaka/policy.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "default": "",
-
- "add_image": "",
- "delete_image": "",
- "get_image": "",
- "get_images": "",
- "modify_image": "",
- "publicize_image": "role:admin",
- "copy_from": "",
-
- "download_image": "",
- "upload_image": "",
-
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
-
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
-
- "manage_image_cache": "role:admin",
-
- "get_task": "role:admin",
- "get_tasks": "role:admin",
- "add_task": "role:admin",
- "modify_task": "role:admin",
-
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
-
-}
diff --git a/glance/files/newton/policy.json b/glance/files/newton/policy.json
deleted file mode 100644
index 0a058c1..0000000
--- a/glance/files/newton/policy.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "default": "role:admin",
-
- "add_image": "",
- "delete_image": "",
- "get_image": "",
- "get_images": "",
- "modify_image": "",
- "publicize_image": "role:admin",
- "copy_from": "",
-
- "download_image": "",
- "upload_image": "",
-
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
-
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
-
- "manage_image_cache": "role:admin",
-
- "get_task": "role:admin",
- "get_tasks": "role:admin",
- "add_task": "role:admin",
- "modify_task": "role:admin",
-
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
-
-}
diff --git a/glance/files/ocata/policy.json b/glance/files/ocata/policy.json
deleted file mode 100644
index fba54a7..0000000
--- a/glance/files/ocata/policy.json
+++ /dev/null
@@ -1,62 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "default": "role:admin",
-
- "add_image": "",
- "delete_image": "",
- "get_image": "",
- "get_images": "",
- "modify_image": "",
- "publicize_image": "role:admin",
- "communitize_image": "",
- "copy_from": "",
-
- "download_image": "",
- "upload_image": "",
-
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
-
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
-
- "manage_image_cache": "role:admin",
-
- "get_task": "role:admin",
- "get_tasks": "role:admin",
- "add_task": "role:admin",
- "modify_task": "role:admin",
-
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
-
-}
diff --git a/glance/meta/config.yml b/glance/meta/config.yml
index e3d054a..984d6de 100644
--- a/glance/meta/config.yml
+++ b/glance/meta/config.yml
@@ -19,7 +19,4 @@
glance-registry-paste.ini:
source: "salt://glance/files/{{ server.version }}/glance-registry-paste.ini"
template: jinja
- policy.json:
- source: "salt://glance/files/{{ server.version }}/policy.json"
- template: jinja
- {%- endif %}
\ No newline at end of file
+ {%- endif %}
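Review bot: With the `policy.json:` entry dropped here and all three `glance/files/*/policy.json` templates deleted in this commit, nothing visible renders a baseline policy any more, so the effective rules are whatever is already at /etc/glance/policy.json. That includes `default`, which the deleted newton and ocata files set to `role:admin` and the mitaka file left empty. The `keystone_policy` states added in glance/server.sls only touch keys listed in the pillar, so drift in any other rule is not corrected. Please document in the README that the packaged file is now the baseline, and consider shipping pillar defaults for the rules the formula used to pin, such as `publicize_image` and `manage_image_cache`. The list this entry belonged to starts outside the hunk.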
diff --git a/glance/server.sls b/glance/server.sls
index b9f7bc9..46215f1 100644
--- a/glance/server.sls
+++ b/glance/server.sls
@@ -210,19 +210,28 @@
{%- endfor %}
-{%- if server.policy is defined %}
+{%- for name, rule in server.get('policy', {}).iteritems() %}
-{%- for key, policy in server.policy.iteritems() %}
+{%- if rule != None %}
+rule_{{ name }}_present:
+ keystone_policy.rule_present:
+ - path: /etc/glance/policy.json
+ - name: {{ name }}
+ - rule: {{ rule }}
+ - require:
+ - pkg: glance_packages
-policy_{{ key }}:
- file.replace:
- - name: /etc/glance/policy.json
- - pattern: "[\"']{{ key }}[\"']:.*"
- {# unfortunatately there's no jsonify filter so we have to do magic :-( #}
- - repl: '"{{ key }}": {% if policy is iterable %}[{%- for rule in policy %}"{{ rule }}"{% if not loop.last %}, {% endif %}{%- endfor %}]{%- else %}"{{ policy }}"{%- endif %},'
+{%- else %}
-{%- endfor %}
+rule_{{ name }}_absent:
+ keystone_policy.rule_absent:
+ - path: /etc/glance/policy.json
+ - name: {{ name }}
+ - require:
+ - pkg: glance_packages
{%- endif %}
+{%- endfor %}
+
{%- endif %}
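Review bot: `- name: {{ name }}` and `- rule: {{ rule }}` in `rule_{{ name }}_present` render pillar values into YAML unquoted, so the rendered state is parsed again and the rule that reaches `keystone_policy.rule_present` may not be the string the operator wrote. An empty-string rule (`add_member: ""`, the form the deleted policy.json files use for most entries) passes `rule != None` but renders as `- rule:`, which YAML loads as null, and a value starting with a YAML indicator such as `@` or `!` fails to parse or changes type. Since this file decides who may call each Glance API, I would serialise the value with Salt's `json` filter, e.g. `- rule: {{ rule|json }}` (and the same for `name`), and add a test pillar entry with an empty-string rule. The list-valued rules that the removed `file.replace` handled are no longer covered either; the README should say whether they are still supported. The outer `{%- if %}` closed by the last `{%- endif %}` starts outside the hunk.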
diff --git a/metadata.yml b/metadata.yml
index 3f3d02b..ba720bc 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -1,3 +1,6 @@
name: "glance"
version: "2016.4.1"
source: "https://github.com/openstack/salt-formula-glance"
+dependencies:
+ - name: keystone
+ source: "https://github.com/salt-formulas/salt-formula-keystone"
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index ec8f989..3b6cd0d 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -40,3 +40,6 @@
audit:
filter_factory: 'keystonemiddleware.audit:filter_factory'
map_file: '/etc/pycadf/glance_api_audit_map.conf'
+ policy:
+ publicize_image: "role:admin"
+ add_member:
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index 804c90f..6a2779c 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -34,3 +34,6 @@
virtual_host: '/openstack'
storage:
engine: file
+ policy:
+ publicize_image: "role:admin"
+ add_member:
diff --git a/tests/pillar/single_image_cache.sls b/tests/pillar/single_image_cache.sls
index 772dd12..0e1dff8 100644
--- a/tests/pillar/single_image_cache.sls
+++ b/tests/pillar/single_image_cache.sls
@@ -39,3 +39,6 @@
enable_management: true
directory: /var/lib/glance/image-cache/
max_size: 21474836480
+ policy:
+ publicize_image: "role:admin"
+ add_member:
diff --git a/tests/pillar/single_multiple_backends.sls b/tests/pillar/single_multiple_backends.sls
index 4a9d6a2..3ca1e4e 100644
--- a/tests/pillar/single_multiple_backends.sls
+++ b/tests/pillar/single_multiple_backends.sls
@@ -68,3 +68,6 @@
ssl_compression: false
use_trusts: false
user: 2ec7966596504f59acc3a76b3b9d9291:glance-project
+ policy:
+ publicize_image: "role:admin"
+ add_member:
diff --git a/tests/pillar/single_swift.sls b/tests/pillar/single_swift.sls
index 4fb6629..c4ca73b 100644
--- a/tests/pillar/single_swift.sls
+++ b/tests/pillar/single_swift.sls
@@ -59,3 +59,6 @@
ssl_compression: false
use_trusts: false
user: 2ec7966596504f59acc3a76b3b9d9291:glance-user
+ policy:
+ publicize_image: "role:admin"
+ add_member:
diff --git a/tests/pillar/single_swift_references.sls b/tests/pillar/single_swift_references.sls
index dcb4385..cdc8797 100644
--- a/tests/pillar/single_swift_references.sls
+++ b/tests/pillar/single_swift_references.sls
@@ -67,3 +67,6 @@
version: 2
user: 2ec7966596504f59acc3a76b3b9d9291:glance-user
key: someRandomPassword
+ policy:
+ publicize_image: "role:admin"
+ add_member: