Update glance policy management
Related: PROD-34318
Change-Id: I9be49b2af345baa713e44b58a5e37aa1601226f6
diff --git a/README.rst b/README.rst
index 456fc74..f15bff7 100644
--- a/README.rst
+++ b/README.rst
@@ -493,8 +493,8 @@
...
show_multiple_locations: True
-Change default resource quotas using configmap template settings
-========
+Change default resource quotas using configmap template settings:
+-----------------------------------------------------------------
.. code-block:: yaml
@@ -516,6 +516,20 @@
image_location_quota: 10
user_storage_quota: 0
+Change default service policy configuration:
+--------------------------------------------
+
+.. code-block:: yaml
+
+ glance:
+ server:
+ policy:
+ manage_image_cache: 'role:admin'
+ get_task: 'role:admin'
+ # Add key without value to remove line from policy.json
+ modify_member:
+
+
Usage
=====
diff --git a/glance/server.sls b/glance/server.sls
index 2b84c9e..ef48371 100644
--- a/glance/server.sls
+++ b/glance/server.sls
@@ -408,8 +408,7 @@
- service: glance_services
{%- endif %}
-{%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata", "pike"] %}
-{#- Since Queens release `policy.json` is changed to `policy.yaml`. But default option in `oslo_policy` is `policy.json` #}
+{%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
/etc/glance/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}:
file.managed:
- mode: 0640
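Review bot: The release exclusion list on the new `{%- if server.version not in [...] %}` line is repeated verbatim in the two `require` guards added further down (the rule_present and rule_absent hunks), so the three copies can drift apart. If one copy is missed on a later release change, the policy file could be managed while the rule states no longer require it, or the rule states could require a `file` state that is never rendered. Compute it once near the top of the state, e.g. `{%- set manage_policy_file = server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}`, and test `manage_policy_file` in all three places. The removed comment about `policy.json` remaining the `oslo_policy` default is still what explains the `'policy.json'` fallback on the next line, so a one-line comment to that effect is worth keeping. The `file.managed` body continues outside this hunk.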
@@ -419,9 +418,9 @@
- pkg: glance_packages
{%- endif %}
-{%- for name, rule in server.get('policy', {}).items() %}
+{%- for name, rule in server.get('policy', {}).iteritems() %}
-{%- if rule != None %}
+ {%- if rule != None %}
glance_keystone_rule_{{ name }}_present:
keystone_policy.rule_present:
- path: /etc/glance/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
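Review bot: `.iteritems()` on the new `for` line exists only on Python 2 dicts, so this template fails to render when Salt runs under Python 3, whereas the `.items()` it replaces works on both. Keep `{%- for name, rule in server.get('policy', {}).items() %}`. A render failure here prevents the whole Glance server state from applying, including the policy file management above it. The loop body continues beyond this hunk.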
@@ -429,8 +428,11 @@
- rule: {{ rule }}
- require:
- pkg: glance_packages
+ {%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+ - file: /etc/glance/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
+ {%- endif %}
-{%- else %}
+ {%- else %}
glance_keystone_rule_{{ name }}_absent:
keystone_policy.rule_absent:
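Review bot: The context line `- rule: {{ rule }}` renders the pillar value into YAML unquoted, and this commit now documents arbitrary policy overrides in the README. Rule strings that oslo.policy accepts, such as `!` and `@`, or any rule containing `: ` or ` #`, would either break YAML parsing or be loaded as something other than the intended string. An empty-string rule passes `rule != None` and renders as a null value. Because these rules are Glance's API access control, render the value as an explicit string, e.g. `- rule: {{ rule|yaml_dquote }}`, and do the same for `- name: {{ name }}` in this state and in the rule_absent state in the next hunk. It would also help to state in the README whether an empty-string rule is supported or only the null form.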
@@ -438,9 +440,11 @@
- name: {{ name }}
- require:
- pkg: glance_packages
+ {%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+ - file: /etc/glance/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
+ {%- endif %}
-{%- endif %}
-
+ {%- endif %}
{%- endfor %}
{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}