Policy.json should be defined by user
Users can override and add values to policy.json by creating a flat
key-value structure under neutron:server:policy.
Change-Id: I62dc05832a124b361a8d608326cbc6168af754c8
diff --git a/.kitchen.yml b/.kitchen.yml
index 8b89e35..d144018 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -24,6 +24,9 @@
- name: linux
repo: git
source: https://github.com/salt-formulas/salt-formula-linux
+ - name: keystone
+ repo: git
+ source: https://github.com/salt-formulas/salt-formula-keystone
state_top:
base:
"*":
diff --git a/README.rst b/README.rst
index 23072ae..e8e633f 100644
--- a/README.rst
+++ b/README.rst
@@ -59,6 +59,20 @@
because a single request may fail (timeout). This is enabled with both
parameters *allow_pagination* and *pagination_max_limit* as shown above.
+
+Configuration of policy.json file
+
+.. code-block:: yaml
+
+ neutron:
+ server:
+ ....
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ # Add key without value to remove line from policy.json
+ 'create_network:shared':
+
Neutron lbaas provides on the controller node
.. code-block:: yaml
diff --git a/metadata.yml b/metadata.yml
index c7e6b3b..d43d586 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -1,3 +1,6 @@
name: "neutron"
version: "2016.4.1"
source: "https://github.com/openstack/salt-formula-neutron"
+dependencies:
+ - name: keystone
+ source: "https://github.com/salt-formulas/salt-formula-keystone"
diff --git a/neutron/server.sls b/neutron/server.sls
index 2f530e2..5bf73e3 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -80,6 +80,30 @@
- require:
- pkg: neutron_server_packages
+{%- for name, rule in server.get('policy', {}).iteritems() %}
+
+{%- if rule != None %}
+rule_{{ name }}_present:
+ keystone_policy.rule_present:
+ - path: /etc/neutron/policy.json
+ - name: {{ name }}
+ - rule: {{ rule }}
+ - require:
+ - pkg: neutron_server_packages
+
+{%- else %}
+
+rule_{{ name }}_absent:
+ keystone_policy.rule_absent:
+ - path: /etc/neutron/policy.json
+ - name: {{ name }}
+ - require:
+ - pkg: neutron_server_packages
+
+{%- endif %}
+
+{%- endfor %}
+
{%- if grains.os_family == "Debian" %}
/etc/default/neutron-server:
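Review bot: `server.get('policy', {}).iteritems()` on the loop line is Python 2 only; on a Python 3 salt-minion the Jinja render fails on the missing attribute, so use `{%- for name, rule in server.get('policy', {}).items() %}`, which works on both. The rendered `- rule: {{ rule }}` and `- name: {{ name }}` are emitted as plain YAML scalars, so a rule or key that begins with a YAML indicator or contains ` #` or `: ` would break the state file or be silently truncated; quoting the substitution, `- rule: "{{ rule }}"`, avoids that (the values in the test pillars happen to be safe). `{%- if rule != None %}` is more idiomatically `{%- if rule is not none %}`, and since an emptied pillar key deletes the rule from policy.json, a comment above the absent branch such as `# dropping a rule hands the decision to whatever default the policy file defines` would document that side effect, assuming that is how the consumer resolves a missing rule.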
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index 1aba7fd..763b549 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -51,4 +51,8 @@
audit:
filter_factory: 'keystonemiddleware.audit:filter_factory'
map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ 'create_network:shared':
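Review bot: `'create_network:shared':` with no value relies on YAML reading a bare key as null to reach the absent branch; writing it as `'create_network:shared': null` makes the intent explicit and keeps yamllint's empty-values rule quiet (the same applies in the control_dvr, control_nodvr and control_single hunks). Indentation is not recoverable in this rendering, so whether `policy:` sits as a sibling of `audit:` under `server` or nests inside `audit` cannot be confirmed from the diff; it must be a direct child of `server` for `server.get('policy')` in neutron/server.sls to see it.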
diff --git a/tests/pillar/control_dvr.sls b/tests/pillar/control_dvr.sls
index 014de67..a6fc8b3 100644
--- a/tests/pillar/control_dvr.sls
+++ b/tests/pillar/control_dvr.sls
@@ -45,4 +45,8 @@
user: openstack
virtual_host: /openstack
plugin: ml2
- version: mitaka
\ No newline at end of file
+ version: mitaka
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ 'create_network:shared':
diff --git a/tests/pillar/control_nodvr.sls b/tests/pillar/control_nodvr.sls
index 8840b5e..0d18f6a 100644
--- a/tests/pillar/control_nodvr.sls
+++ b/tests/pillar/control_nodvr.sls
@@ -45,4 +45,8 @@
user: openstack
virtual_host: /openstack
plugin: ml2
- version: mitaka
\ No newline at end of file
+ version: mitaka
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ 'create_network:shared':
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index 1f8a28e..2eb905e 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -46,3 +46,7 @@
user: nova
password: password
tenant: service
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ 'create_network:shared':