Update neutron policy management

Related: PROD-34318

Change-Id: Ic2ee62da1a52076a635b79e8131803723412db4c
diff --git a/README.rst b/README.rst
index aeb895e..6b71fc8 100644
--- a/README.rst
+++ b/README.rst
@@ -1708,6 +1708,26 @@
             agent:
               report_interval: 60
 
+
+Change default service policy configuration:
+--------------------------------------------
+
+.. code-block:: yaml
+
+    neutron:
+      server:
+        policy:
+          create_subnet: 'rule:admin_or_network_owner'
+          create_subnet:segment_id: 'rule:admin_only'
+          # Add key without value to remove line from policy.json
+          get_subnet:
+        bgpvpn_policy:
+          create_bgpvpn: 'rule:admin_only'
+          get_bgpvpn: 'rule:admin_or_owner'
+          # Add key without value to remove line from policy.json
+          get_bgpvpn:tenant_id:
+
+
 Upgrades
 ========
 
diff --git a/neutron/map.jinja b/neutron/map.jinja
index 68a0ba3..ad50f57 100644
--- a/neutron/map.jinja
+++ b/neutron/map.jinja
@@ -147,7 +147,8 @@
         'dpdk': false,
         'cors': {},
         'oslo_policy': {
-          'policy_file': 'policy.json'
+          'policy_file': 'policy.json',
+          'bgpvpn_policy_file': 'policy.d/bgpvpn.json'
         },
         'audit': {
           'enabled': false
@@ -175,7 +176,8 @@
         'dpdk': false,
         'cors': {},
         'oslo_policy': {
-          'policy_file': 'policy.json'
+          'policy_file': 'policy.json',
+          'bgpvpn_policy_file': 'policy.d/bgpvpn.json'
         },
         'audit': {
           'enabled': false
diff --git a/neutron/server.sls b/neutron/server.sls
index d77a3a5..2d76248 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -238,8 +238,7 @@
 
 {%- endif %}
 
-{%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata", "pike"] %}
-{#- Since Queens release `policy.json` is changed to `policy.yaml`. But default option in `oslo_policy` is `policy.json` #}
+{%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
 /etc/neutron/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}:
   file.managed:
     - mode: 0640
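Review bot: The rationale comment that explained why this `file.managed` state exists was dropped along with the version-list edit, so the remaining gate on `server.version` is now undocumented; I would keep a short replacement such as `{#- Manage the oslo.policy file explicitly so its root:neutron 0640 ownership is enforced before rules are written into it #}` above the `{%- if %}`. The same `not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"]` list is now repeated verbatim on the new side at L71, L79, L89, L99, L119 and L131, which is easy to let drift on the next release bump; setting it once near the top of the file, e.g. `{%- set manage_policy_file = server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}`, and testing `{%- if manage_policy_file %}` at each site would keep the six gates in step. The `file.managed` state body continues past the end of this hunk.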
@@ -259,6 +258,9 @@
   - rule: {{ rule }}
   - require:
     - pkg: neutron_server_packages
+    {%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+    - file: /etc/neutron/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
+    {%- endif %}
 
 {%- else %}
 
@@ -268,6 +270,9 @@
   - name: {{ name }}
   - require:
     - pkg: neutron_server_packages
+    {%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+    - file: /etc/neutron/{{ server.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
+    {%- endif %}
 
 {%- endif %}
 
@@ -421,6 +426,46 @@
 
 {% endif %}
 
+{%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+/etc/neutron/{{ server.get('oslo_policy', {}).get('bgpvpn_policy_file', 'policy.json') }}:
+  file.managed:
+    - mode: 0640
+    - user: root
+    - group: neutron
+    - require:
+      - pkg: bgpvpn_packages
+{%- endif %}
+
+{%- for name, rule in server.get('bgpvpn_policy', {}).iteritems() %}
+
+  {%- if rule != None %}
+neutron_keystone_rule_{{ name }}_present:
+  keystone_policy.rule_present:
+  - path: /etc/neutron/{{ server.get('oslo_policy', {}).get('bgpvpn_policy_file', 'policy.json') }}
+  - name: {{ name }}
+  - rule: {{ rule }}
+  - require:
+    - pkg: bgpvpn_packages
+    {%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+    - file: /etc/neutron/{{ server.get('oslo_policy', {}).get('bgpvpn_policy_file', 'policy.json') }}
+    {%- endif %}
+
+  {%- else %}
+
+neutron_keystone_rule_{{ name }}_absent:
+  keystone_policy.rule_absent:
+  - path: /etc/neutron/{{ server.get('oslo_policy', {}).get('bgpvpn_policy_file', 'policy.json') }}
+  - name: {{ name }}
+  - require:
+    - pkg: bgpvpn_packages
+    {%- if server.version not in ["juno", "kilo", "liberty", "mitaka", "newton", "ocata"] %}
+    - file: /etc/neutron/{{ server.get('oslo_policy', {}).get('bgpvpn_policy_file', 'policy.json') }}
+    {%- endif %}
+
+  {%- endif %}
+
+{%- endfor %}
+
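Review bot: The fallback in `server.get('oslo_policy', {}).get('bgpvpn_policy_file', 'policy.json')` at L100, L114, L120, L127 and L132 disagrees with the default `'policy.d/bgpvpn.json'` added in map.jinja; if the fallback ever applies, the bgpvpn `file.managed` state gets the same state ID as the `policy.json` state above (a conflicting-ID render error) and the bgpvpn rules are written into the main policy file. Computing the path once, `{%- set bgpvpn_policy_path = '/etc/neutron/' ~ server.get('oslo_policy', {}).get('bgpvpn_policy_file', 'policy.d/bgpvpn.json') %}`, and reusing it in the state ID, the two `path:` lines and the `require` entries removes the inconsistency. `.iteritems()` at L109 is Python 2 only and fails under a Python 3 minion; `.items()` behaves the same on both. Since the managed path has a `policy.d/` parent, `file.managed` will fail if that directory is not present on the host — adding `- makedirs: True` is the usual guard, though whether the package creates it cannot be seen from here.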
 {% endif %}
 
 {%- if server.wsgi is defined %}
diff --git a/tests/pillar/control_bgpvpn.sls b/tests/pillar/control_bgpvpn.sls
index b8926fd..09d78f3 100644
--- a/tests/pillar/control_bgpvpn.sls
+++ b/tests/pillar/control_bgpvpn.sls
@@ -7,3 +7,11 @@
     bgp_vpn:
       enabled: true
       driver: bagpipe
+    policy:
+      create_subnet: 'rule:admin_or_network_owner'
+      create_subnet:segment_id: 'rule:admin_only'
+      get_subnet:
+    bgpvpn_policy:
+      create_bgpvpn: 'rule:admin_only'
+      get_bgpvpn: 'rule:admin_or_owner'
+      get_bgpvpn:tenant_id:
\ No newline at end of file
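Review bot: The file ends without a trailing newline, as the `\ No newline at end of file` marker shows; adding one keeps the pillar yamllint-clean and avoids a spurious diff line on the next edit. The bare `get_subnet:` and `get_bgpvpn:tenant_id:` keys rely on YAML reading a missing value as null, which is what the `rule != None` test in server.sls expects; writing `get_subnet: null` makes the removal intent explicit to readers while rendering identically.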