Add ability to get policies from pillar
Related: PROD-34318
Change-Id: If3595d6a8f16c1d873a685381786aced5f2901e3
diff --git a/horizon/files/policy/pike b/horizon/files/policy/pike
index d5e8ce2..9130dbe 120000
--- a/horizon/files/policy/pike
+++ b/horizon/files/policy/pike
@@ -1 +1 @@
-ocata
\ No newline at end of file
+queens
\ No newline at end of file
diff --git a/horizon/files/policy/queens/designate_policy.json b/horizon/files/policy/queens/designate_policy.json
new file mode 100644
index 0000000..d27f435
--- /dev/null
+++ b/horizon/files/policy/queens/designate_policy.json
@@ -0,0 +1,113 @@
+{
+ "admin": "role:admin or is_admin:True",
+ "primary_zone": "target.zone_type:SECONDARY",
+ "owner": "tenant:%(tenant_id)s",
+ "admin_or_owner": "rule:admin or rule:owner",
+ "default": "rule:admin_or_owner",
+ "target": "tenant:%(target_tenant_id)s",
+ "owner_or_target": "rule:target or rule:owner",
+ "admin_or_owner_or_target": "rule:owner_or_target or rule:admin",
+ "admin_or_target": "rule:admin or rule:target",
+ "zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)",
+
+ "create_blacklist": "rule:admin",
+ "find_blacklist": "rule:admin",
+ "find_blacklists": "rule:admin",
+ "get_blacklist": "rule:admin",
+ "update_blacklist": "rule:admin",
+ "delete_blacklist": "rule:admin",
+ "use_blacklisted_zone": "rule:admin",
+
+ "all_tenants": "rule:admin",
+
+ "edit_managed_records": "rule:admin",
+
+ "use_low_ttl": "rule:admin",
+
+ "use_sudo": "rule:admin",
+
+ "diagnostics_ping": "rule:admin",
+ "diagnostics_sync_zones": "rule:admin",
+ "diagnostics_sync_zone": "rule:admin",
+ "diagnostics_sync_record": "rule:admin",
+
+ "create_pool": "rule:admin",
+ "find_pools": "rule:admin",
+ "find_pool": "rule:admin",
+ "get_pool": "rule:admin",
+ "update_pool": "rule:admin",
+ "delete_pool": "rule:admin",
+ "zone_create_forced_pool": "rule:admin",
+
+ "get_quotas": "rule:admin_or_owner",
+ "get_quota": "rule:admin_or_owner",
+ "set_quota": "rule:admin",
+ "reset_quotas": "rule:admin",
+
+ "find_records": "rule:admin_or_owner",
+ "count_records": "rule:admin_or_owner",
+ "create_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)",
+ "get_recordsets": "rule:admin_or_owner",
+ "get_recordset": "rule:admin_or_owner",
+ "update_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)",
+ "delete_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)",
+ "count_recordset": "rule:admin_or_owner",
+
+ "find_service_status": "rule:admin",
+ "find_service_statuses": "rule:admin",
+ "update_service_status": "rule:admin",
+
+ "find_tenants": "rule:admin",
+ "get_tenant": "rule:admin",
+ "count_tenants": "rule:admin",
+
+ "create_tld": "rule:admin",
+ "find_tlds": "rule:admin",
+ "get_tld": "rule:admin",
+ "update_tld": "rule:admin",
+ "delete_tld": "rule:admin",
+
+ "create_tsigkey": "rule:admin",
+ "find_tsigkeys": "rule:admin",
+ "get_tsigkey": "rule:admin",
+ "update_tsigkey": "rule:admin",
+ "delete_tsigkey": "rule:admin",
+
+ "create_zone": "rule:admin_or_owner",
+ "get_zones": "rule:admin_or_owner",
+ "get_zone": "rule:admin_or_owner",
+ "get_zone_servers": "rule:admin_or_owner",
+ "find_zones": "rule:admin_or_owner",
+ "update_zone": "rule:admin_or_owner",
+ "delete_zone": "rule:admin_or_owner",
+ "xfr_zone": "rule:admin_or_owner",
+ "abandon_zone": "rule:admin",
+ "count_zones": "rule:admin_or_owner",
+ "count_zones_pending_notify": "rule:admin_or_owner",
+ "purge_zones": "rule:admin",
+ "touch_zone": "rule:admin_or_owner",
+
+ "zone_export": "rule:admin_or_owner",
+ "create_zone_export": "rule:admin_or_owner",
+ "find_zone_exports": "rule:admin_or_owner",
+ "get_zone_export": "rule:admin_or_owner",
+ "update_zone_export": "rule:admin_or_owner",
+ "create_zone_import": "rule:admin_or_owner",
+ "find_zone_imports": "rule:admin_or_owner",
+ "get_zone_import": "rule:admin_or_owner",
+ "update_zone_import": "rule:admin_or_owner",
+
+ "create_zone_transfer_accept": "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s",
+ "get_zone_transfer_accept": "rule:admin_or_owner",
+ "find_zone_transfer_accepts": "rule:admin",
+ "find_zone_transfer_accept": "rule:admin",
+ "update_zone_transfer_accept": "rule:admin",
+ "delete_zone_transfer_accept": "rule:admin",
+ "create_zone_transfer_request": "rule:admin_or_owner",
+ "get_zone_transfer_request": "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s",
+ "get_zone_transfer_request_detailed": "rule:admin_or_owner",
+ "find_zone_transfer_requests": "@",
+ "find_zone_transfer_request": "@",
+ "update_zone_transfer_request": "rule:admin_or_owner",
+ "delete_zone_transfer_request": "rule:admin_or_owner"
+}
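Review bot: `find_zone_transfer_requests` and `find_zone_transfer_request` are set to `"@"`, which is an unconditional allow, and `create_zone_transfer_accept` / `get_zone_transfer_request` also pass for any caller once `target_tenant_id` is unset (`None:%(target_tenant_id)s`); these are the most permissive entries in the file and deserve a deliberate second look. Horizon presumably uses this copy only to decide which actions to render, with real enforcement in designate-api, so it has to be kept in sync with the policy deployed there — a looser UI copy offers buttons the API will reject, a stricter one hides legitimate actions. Separately, `zone_primary_or_admin` is defined but never referenced: `create_recordset`, `update_recordset` and `delete_recordset` repeat its expression verbatim and could simply read `"create_recordset": "rule:zone_primary_or_admin"`. Also note `primary_zone` is named for PRIMARY yet matches `target.zone_type:SECONDARY`; nothing references it so it is harmless, but the name is misleading and worth a fix or a comment in the commit message, since JSON cannot carry one.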
diff --git a/horizon/server/service.sls b/horizon/server/service.sls
index 8fd3298..988320b 100644
--- a/horizon/server/service.sls
+++ b/horizon/server/service.sls
@@ -53,6 +53,18 @@
{%- endif %}
+ {%- elif policy.get('source', 'file') == 'pillar' %}
+
+horizon_policy_{{ policy_name }}_pillar:
+ file.serialize:
+ - name: {{ policy.get('path', server.get('policy_files_path')) }}/{{ policy.get('name') }}
+ - dataset: {{ policy.get('pillar', {}) }}
+ - formatter: JSON
+ - mode: 640
+ - group: horizon
+ - require:
+ - file: horizon_config
+
{%- elif policy.get('source', 'file') == 'file' %}
horizon_policy_{{ policy_name }}_file:
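Review bot: `- dataset: {{ policy.get('pillar', {}) }}` silently writes an empty `{}` policy file when an operator sets `source: pillar` but omits or misspells the `pillar` key; because oslo.policy-style files fail closed for rules they do not define, the likely symptom is every panel for that service disappearing with no error from the state run. Using `{{ policy['pillar'] }}` (or guarding the branch with `{%- if 'pillar' in policy %}`) would make the render fail loudly instead of replacing the policy. The dict is also emitted as a Python repr inside YAML; for the string-only dicts policy files normally contain that parses, but values like `None` would not round-trip, so `{{ policy['pillar']|json }}` is the safer serialization if the `json` filter is available in this Salt version. The `mode: 640` / `group: horizon` here are right for a file the horizon service reads; the sibling pillar branch in `upgrade/render_config.sls` does not set them, so the two paths will produce files with different permissions.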
diff --git a/horizon/upgrade/render_config.sls b/horizon/upgrade/render_config.sls
index 0f626d9..b16ebff 100644
--- a/horizon/upgrade/render_config.sls
+++ b/horizon/upgrade/render_config.sls
@@ -36,6 +36,16 @@
{%- endif %}
+{%- elif policy.get('source', 'file') == 'pillar' %}
+
+horizon_policy_{{ policy_name }}_pillar:
+ file.serialize:
+ - name: {{ policy.get('path', server.get('policy_files_path')) }}/{{ policy.get('name') }}
+ - dataset: {{ policy.get('pillar', {}) }}
+ - formatter: JSON
+ - require:
+ - file: horizon_config
+
{%- elif policy.get('source', 'file') == 'file' %}
horizon_policy_{{ policy_name }}_file:
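Review bot: This pillar branch writes the policy file without `mode` or `group`, unlike the `server/service.sls` counterpart in this same change which sets `- mode: 640` and `- group: horizon`, so a file rendered during upgrade gets whatever `file.serialize` defaults to (presumably root-owned and world-readable). Policy files are not secrets, but two render paths producing different owner/mode means the next highstate flips the permissions and reports a change on every run where the paths diverge. Add `- mode: 640` and `- group: horizon` here, or factor the state into a shared macro so the two copies cannot drift. The same `policy.get('pillar', {})` fallback applies here and silently writes `{}` if the `pillar` key is absent. The enclosing `{%- if/elif %}` chain starts before this hunk.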
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index 2320576..ffad810 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -10,7 +10,10 @@
horizon_identity_encryption: none
horizon_identity_endpoint_type: internalURL
neutron_enable_bgp_vpn: false
+ designate_enabled: false
+ manila_enabled: false
octavia_enabled: false
+ telemetry_enabled: true
horizon:
server:
enabled: true
@@ -82,7 +85,7 @@
telemetry:
source: file
name: ceilometer_policy.json
- enabled: true
+ enabled: ${_param:telemetry_enabled}
orchestration:
source: file
name: heat_policy.json
@@ -95,4 +98,11 @@
source: file
name: octavia_policy.json
enabled: ${_param:octavia_enabled}
-
+ designate:
+ source: file
+ name: designate_policy.json
+ enabled: ${_param:designate_enabled}
+ manila:
+ source: file
+ name: manila_policy.json
+ enabled: ${_param:manila_enabled}
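Review bot: `manila_policy.json` is referenced by the new `manila` entry but no such file is added anywhere in this diff — only `queens/designate_policy.json` is — so the `file` source branch (not visible here) presumably has nothing to copy once an operator sets `manila_enabled: true`. Either ship the file for every release directory the version symlinks resolve to, or leave the entry out until it exists; likewise `designate_policy.json` is added only under `queens`, so releases whose symlink still resolves to an older directory will miss it even with `designate_enabled: true`. Defaulting both new flags to `false` keeps the change safe out of the box, which is the right call.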
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index 1a21465..e51fb6b 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -10,7 +10,10 @@
horizon_identity_encryption: none
horizon_identity_endpoint_type: internalURL
neutron_enable_bgp_vpn: false
+ designate_enabled: false
+ manila_enabled: false
octavia_enabled: false
+ telemetry_enabled: true
horizon:
server:
enabled: true
@@ -78,7 +81,7 @@
telemetry:
source: file
name: ceilometer_policy.json
- enabled: true
+ enabled: ${_param:telemetry_enabled}
orchestration:
source: file
name: heat_policy.json
@@ -91,3 +94,11 @@
source: file
name: octavia_policy.json
enabled: ${_param:octavia_enabled}
+ designate:
+ source: file
+ name: designate_policy.json
+ enabled: ${_param:designate_enabled}
+ manila:
+ source: file
+ name: manila_policy.json
+ enabled: ${_param:manila_enabled}