Update heat policy management
Related: PROD-34318
Change-Id: I7415238dbbd46b8d6a6639a86a2dafed99e623b7
diff --git a/.kitchen.yml b/.kitchen.yml
index 496733f..9e2c611 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -32,6 +32,7 @@
base:
"*":
- heat
+ - release
verifier:
name: inspec
diff --git a/README.rst b/README.rst
index 19a6229..21bba9c 100644
--- a/README.rst
+++ b/README.rst
@@ -313,7 +313,19 @@
pool_max_overflow: 30
pool_recycle: 600
-.. code-block::
+
+Change default service policy configuration:
+--------------------------------------------
+
+.. code-block:: yaml
+
+ heat:
+ server:
+ policy:
+ deny_stack_user: not role:heat_stack_user
+ deny_everybody: '!'
+ # Add key without value to remove line from policy.json
+ cloudformation:ListStacks:
Upgrades
========
diff --git a/heat/server.sls b/heat/server.sls
index 402e0f6..6d66abf 100644
--- a/heat/server.sls
+++ b/heat/server.sls
@@ -113,8 +113,7 @@
{% endif %}
-{%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata", "pike"] %}
-{#- Since Queens release `policy.json` is changed to `policy.yaml`. But default option in `oslo_policy` is `policy.json` #}
+{%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
/etc/heat/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}:
file.managed:
- mode: 0640
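Review bot: The release list `["juno", "kilo", "liberty", "mitaka", "newton", "ocata"]` on the new `{%- if server.version not in ... %}` line is repeated verbatim in the two later hunks that add the `- file:` requisite (the lines after `- pkg: heat_server_packages` in both the `rule_present` and `rule_absent` branches), so the next time the cut-off moves it has to be edited in three places, and a missed site leaves the rule states requiring a `file` state that is never rendered. Defining it once, e.g. `{%- set policy_file_unmanaged_releases = ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}` ahead of the first use and testing `{%- if server.version not in policy_file_unmanaged_releases %}` at all three sites, keeps the gates in step. The deleted `{#- Since Queens release ... #}` comment was also the only explanation of where the cut-off sits and why; a one-line replacement such as `{#- The policy file is managed from Pike on; its name comes from oslo_policy.policy_file (policy.json by default) #}` would keep that context next to the gate. The `file.managed` state continues past the end of this hunk.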
@@ -126,7 +125,7 @@
{%- for name, rule in server.get('policy', {}).iteritems() %}
-{%- if rule != None %}
+ {%- if rule != None %}
heat_keystone_rule_{{ name }}_present:
keystone_policy.rule_present:
- path: /etc/heat/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
@@ -134,8 +133,11 @@
- rule: {{ rule }}
- require:
- pkg: heat_server_packages
+ {%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+ - file: /etc/heat/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
+ {%- endif %}
-{%- else %}
+ {%- else %}
heat_keystone_rule_{{ name }}_absent:
keystone_policy.rule_absent:
@@ -143,9 +145,11 @@
- name: {{ name }}
- require:
- pkg: heat_server_packages
+ {%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+ - file: /etc/heat/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
+ {%- endif %}
-{%- endif %}
-
+ {%- endif %}
{%- endfor %}
{%- if grains.get('virtual_subtype', None) == "Docker" %}