Update keystone policy management

Related: PROD-34318

Change-Id: I0a4b1fc49457b2543e34b02e198dbbf3dd450c57
diff --git a/README.rst b/README.rst
index d265440..5b4e3d7 100644
--- a/README.rst
+++ b/README.rst
@@ -805,6 +805,20 @@
           ossyslog:
             enabled: true
 
+
+Change default service policy configuration:
+--------------------------------------------
+
+.. code-block:: yaml
+
+    keystone:
+      server:
+        policy:
+          admin_or_token_subject: 'rule:token_subject'
+          service_admin_or_token_subject": 'rule:service_or_admin'
+          # Add key without value to remove line from policy.json
+          identity:get_region:
+
 Usage
 =====
 
diff --git a/keystone/server.sls b/keystone/server.sls
index 3e17d79..9521465 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -179,41 +179,35 @@
 
 /etc/keystone/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}:
   file.managed:
-  - mode: 0640
-  - user: root
-  - group: keystone
-  - require:
-    - pkg: keystone_packages
-  - watch_in:
-    - service: {{ keystone_service }}
+    - mode: 0640
+    - user: root
+    - group: keystone
+    - require:
+      - pkg: keystone_packages
 
-{%- for name, rule in server.get('policy', {}).items() %}
+{%- for name, rule in server.get('policy', {}).iteritems() %}
 
-{%- if rule != None %}
-
-keystone_rule_{{ name }}_present:
+  {%- if rule != None %}
+keystone_keystone_rule_{{ name }}_present:
   keystone_policy.rule_present:
   - path: /etc/keystone/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
   - name: {{ name }}
   - rule: {{ rule }}
   - require:
     - pkg: keystone_packages
-  - watch_in:
-    - service: {{ keystone_service }}
+    - file: /etc/keystone/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
 
-{%- else %}
+  {%- else %}
 
-keystone_rule_{{ name }}_absent:
+keystone_keystone_rule_{{ name }}_absent:
   keystone_policy.rule_absent:
   - path: /etc/keystone/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
   - name: {{ name }}
   - require:
     - pkg: keystone_packages
-  - watch_in:
-    - service: {{ keystone_service }}
+    - file: /etc/keystone/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
 
-{%- endif %}
-
+  {%- endif %}
 {%- endfor %}
 
 {%- if server.get("domain", {}) %}
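Review bot: The loop on the new side replaces `.items()` with `.iteritems()`, which exists only on Python 2 dicts, so under a Python 3 Salt the template would presumably fail to render and no policy rule would be applied; keep `{%- for name, rule in server.get('policy', {}).items() %}`. Separately, `- rule: {{ rule }}` and `- name: {{ name }}` are emitted unquoted, so oslo.policy values such as `!` (always deny) or `@` (always allow) are read by YAML as a tag or a reserved indicator instead of a string; `- rule: {{ rule|yaml_dquote }}` would pass them through intact. The commit also drops every `watch_in` on `{{ keystone_service }}`, so it should be confirmed that the deployed keystone re-reads the policy file on change, otherwise tightened rules stay inactive until the next restart. Finally, `- mode: 0640` is an unquoted octal-looking integer, and writing it as `- mode: '0640'` avoids depending on how the loader types it.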
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index ba1ef77..eec5c16 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -173,7 +173,9 @@
       host: 127.0.0.1
       port: 11211
     policy:
-      policy_file: 'policy.json'
+      admin_or_token_subject: 'rule:token_subject'
+      service_admin_or_token_subject": 'rule:service_or_admin'
+      identity:get_region:
     domain:
       testing:
         description: "Test domain"
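Review bot: The added key `service_admin_or_token_subject":` carries a stray trailing double quote, which YAML keeps as part of the plain-scalar key. The formula would then manage a rule literally named `service_admin_or_token_subject"` and leave the intended rule untouched; the line should read `service_admin_or_token_subject: 'rule:service_or_admin'`. The same typo is in the README.rst example added by this commit, where it is likely to be copied into real pillars. A comment above `identity:get_region:` in this pillar, such as `# empty value on purpose: exercises the rule_absent branch`, would keep the bare key from being "fixed" later.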