Merge pull request #5 from dukov/master
Policy.json should be defined by user
diff --git a/.kitchen.yml b/.kitchen.yml
index 14b02ce..6e38245 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -14,6 +14,10 @@
formula: heat
grains:
noservices: True
+ dependencies:
+ - name: keystone
+ repo: git
+ source: https://github.com/salt-formulas/salt-formula-keystone
state_top:
base:
"*":
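Review bot: The new keystone dependency's `source:` points at the repository tip rather than a tag or commit, so each test run pulls whatever that branch currently holds; the same unpinned `source:` is added to metadata.yml's new `dependencies:` entry. Because the `keystone_policy.rule_present`/`rule_absent` states in this PR come from that formula, an upstream change there can break or alter this formula's policy handling without any change here. If the harness and metadata format support it, pin the dependency to a release tag or commit so test results are reproducible, and record the chosen version in a comment next to `source:`.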
diff --git a/README.rst b/README.rst
index 2930b2a..7f7668b 100644
--- a/README.rst
+++ b/README.rst
@@ -131,6 +131,19 @@
version: icehouse
notification: true
+Configuration of policy.json file
+
+.. code-block:: yaml
+
+ heat:
+ server:
+ ....
+ policy:
+ deny_stack_user: 'not role:heat_stack_user'
+ 'cloudformation:ValidateTemplate': 'rule:deny_stack_user'
+ # Add key without value to remove line from policy.json
+ 'cloudformation:DescribeStackResource':
+
Client-side RabbitMQ HA setup
diff --git a/heat/server.sls b/heat/server.sls
index 4c36d65..ef42efe 100644
--- a/heat/server.sls
+++ b/heat/server.sls
@@ -19,6 +19,30 @@
- require:
- pkg: heat_server_packages
+{%- for name, rule in server.get('policy', {}).iteritems() %}
+
+{%- if rule != None %}
+rule_{{ name }}_present:
+ keystone_policy.rule_present:
+ - path: /etc/heat/policy.json
+ - name: {{ name }}
+ - rule: {{ rule }}
+ - require:
+ - pkg: heat_server_packages
+
+{%- else %}
+
+rule_{{ name }}_absent:
+ keystone_policy.rule_absent:
+ - path: /etc/heat/policy.json
+ - name: {{ name }}
+ - require:
+ - pkg: heat_server_packages
+
+{%- endif %}
+
+{%- endfor %}
+
{%- if grains.get('virtual_subtype', None) == "Docker" %}
heat_entrypoint:
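Review bot: `server.get('policy', {}).iteritems()` on the first added line is Python 2 only; on a Python 3 minion the dict has no `iteritems`, the whole state file fails to render and `/etc/heat/policy.json` is left unmanaged, so use `{%- for name, rule in server.get('policy', {}).items() %}`. The templated values in both branches are also emitted unquoted: with `- name: {{ name }}` and `- rule: {{ rule }}` a policy value that starts with a YAML indicator (oslo.policy uses bare `@` for allow-all and `!` for deny-all) is read as a tag or rejected rather than kept as a string, and a rule containing `: ` does not parse at all, which for an authorization file can mean a rule arriving as something other than what the operator wrote. Write `- name: "{{ name }}"` and `- rule: "{{ rule }}"` in the `_present` state and quote `name` the same way in the `_absent` state. `{%- if rule != None %}` works but `{%- if rule is not none %}` is the Jinja idiom. The two context lines at the top of the hunk belong to a state whose definition lies outside the hunk.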
diff --git a/metadata.yml b/metadata.yml
index 720f1de..c67081b 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -1,3 +1,6 @@
name: "heat"
version: "2016.4.1"
source: "https://github.com/openstack/salt-formula-heat"
+dependencies:
+ - name: keystone
+ source: "https://github.com/salt-formulas/salt-formula-keystone"
diff --git a/tests/pillar/server_cluster.sls b/tests/pillar/server_cluster.sls
index 7e40d87..8a7e6df 100644
--- a/tests/pillar/server_cluster.sls
+++ b/tests/pillar/server_cluster.sls
@@ -54,3 +54,7 @@
user: openstack
password: password
virtual_host: '/openstack'
+ policy:
+ deny_stack_user: 'not role:heat_stack_user'
+ 'cloudformation:ValidateTemplate': 'rule:deny_stack_user'
+ 'cloudformation:DescribeStackResource':
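Review bot: The three new test pillars (this file, server_plugin_dirs.sls and server_single.sls) only use rule strings that survive unquoted Jinja substitution, so they never exercise the rendering path for oslo.policy's bare `@` and `!` values or for a rule containing `: `, which is where the unquoted `{{ rule }}` in heat/server.sls is most likely to misbehave. Adding one entry whose value is `'!'` to one of these pillars would put that case into the test run. The `'cloudformation:DescribeStackResource':` entry relies on a bare key parsing as null; writing the value as `null` explicitly still takes the `_absent` branch and reads as intent rather than an omission.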
diff --git a/tests/pillar/server_plugin_dirs.sls b/tests/pillar/server_plugin_dirs.sls
index a8db864..b9ef199 100644
--- a/tests/pillar/server_plugin_dirs.sls
+++ b/tests/pillar/server_plugin_dirs.sls
@@ -55,3 +55,7 @@
plugins:
- /test/dir1
- /test/dir2
+ policy:
+ deny_stack_user: 'not role:heat_stack_user'
+ 'cloudformation:ValidateTemplate': 'rule:deny_stack_user'
+ 'cloudformation:DescribeStackResource':
diff --git a/tests/pillar/server_single.sls b/tests/pillar/server_single.sls
index 2e38c5a..4f0b7a0 100644
--- a/tests/pillar/server_single.sls
+++ b/tests/pillar/server_single.sls
@@ -52,3 +52,7 @@
user: openstack
password: password
virtual_host: '/openstack'
+ policy:
+ deny_stack_user: 'not role:heat_stack_user'
+ 'cloudformation:ValidateTemplate': 'rule:deny_stack_user'
+ 'cloudformation:DescribeStackResource':