Policy.json should be defined by user
Users can override and add values to policy.json by creating a flat
key-value structure under nova:controller:policy.
Change-Id: Ide69691fe5dc4dd684159ad3f29bfeb1638c9bf3
diff --git a/.kitchen.yml b/.kitchen.yml
index 5ef8ebf..a2b4313 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -18,6 +18,9 @@
- name: linux
repo: git
source: https://github.com/salt-formulas/salt-formula-linux
+ - name: keystone
+ repo: git
+ source: https://github.com/salt-formulas/salt-formula-keystone
state_top:
base:
"*":
diff --git a/README.rst b/README.rst
index 252f845..cc6f92b 100644
--- a/README.rst
+++ b/README.rst
@@ -132,6 +132,18 @@
allow_credentials: True
max_age: 86400
+Configuration of policy.json file
+
+.. code-block:: yaml
+
+ nova:
+ controller:
+ ....
+ policy:
+ context_is_admin: 'role:admin or role:administrator'
+ 'compute:create': 'rule:admin_or_owner'
+ # Add key without value to remove line from policy.json
+ 'compute:create:attach_network':
Compute nodes
-------------
diff --git a/metadata.yml b/metadata.yml
index 7445fbd..0ee34f0 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -1,3 +1,6 @@
name: "nova"
version: "2017.2"
source: "https://github.com/openstack/salt-formula-nova"
+dependencies:
+ - name: keystone
+ source: "https://github.com/salt-formulas/salt-formula-keystone"
diff --git a/nova/controller.sls b/nova/controller.sls
index 4bd7a9a..c6a4a03 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -69,6 +69,30 @@
- require:
- pkg: nova_controller_packages
+{%- for name, rule in controller.get('policy', {}).iteritems() %}
+
+{%- if rule != None %}
+rule_{{ name }}_present:
+ keystone_policy.rule_present:
+ - path: /etc/nova/policy.json
+ - name: {{ name }}
+ - rule: {{ rule }}
+ - require:
+ - pkg: nova_controller_packages
+
+{%- else %}
+
+rule_{{ name }}_absent:
+ keystone_policy.rule_absent:
+ - path: /etc/nova/policy.json
+ - name: {{ name }}
+ - require:
+ - pkg: nova_controller_packages
+
+{%- endif %}
+
+{%- endfor %}
+
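Review bot: `controller.get('policy', {}).iteritems()` on the first line of the new loop is a Python 2-only dict method; on a Python 3 minion the Jinja render fails with an undefined attribute, whereas `.items()` behaves the same on both, so the line should read `{%- for name, rule in controller.get('policy', {}).items() %}`. The interpolated `- name: {{ name }}` and `- rule: {{ rule }}` (and the state IDs `rule_{{ name }}_present` / `rule_{{ name }}_absent`) are plain YAML scalars built from pillar input; a rule that contains `: ` or ` #`, or starts with a YAML indicator, changes how the rendered state parses, so quoting them as `- name: '{{ name }}'` and `- rule: '{{ rule }}'` is safer unless a rule itself contains a single quote. `rule != None` also lets an empty string through and renders `- rule:` (null) into the state; whether that should count as a removal or be rejected is worth deciding explicitly. The surrounding states (the one ending at `- pkg: nova_controller_packages` above and `nova_controller_syncdb` below) continue outside the hunk.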
{%- if not grains.get('noservices', False) %}
nova_controller_syncdb:
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index 163b4e3..84da744 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -58,4 +58,8 @@
audit:
filter_factory: 'keystonemiddleware.audit:filter_factory'
map_file: '/etc/pycadf/nova_api_audit_map.conf'
+ policy:
+ context_is_admin: 'role:admin or role:administrator'
+ 'compute:create': 'rule:admin_or_owner'
+ 'compute:create:attach_network':
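Review bot: The bare empty value on `'compute:create:attach_network':` relies on YAML reading an empty scalar as null to mean "remove this rule"; writing `'compute:create:attach_network': null` makes that intent explicit and is the form yamllint's empty-values rule expects. The same applies to the last line of the tests/pillar/control_single.sls hunk. Removing a rule from policy.json does not by itself deny the action — as far as I recall oslo.policy then falls back to that rule's in-code default — so any test built on this pillar should check the rendered policy.json rather than assume the action is restricted.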
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index 8234bf3..ce33f8c 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -56,3 +56,7 @@
members:
- host: 127.0.0.1
port: 11211
+ policy:
+ context_is_admin: 'role:admin or role:administrator'
+ 'compute:create': 'rule:admin_or_owner'
+ 'compute:create:attach_network':