Update nova policy management
Related: PROD-34318
Change-Id: Ifb4ba79dc2fc9cb53910898c39ccbc762f7ade4d
diff --git a/README.rst b/README.rst
index e5151f0..ce885a6 100644
--- a/README.rst
+++ b/README.rst
@@ -281,6 +281,20 @@
.. note:: Barbican, Cinder, and placement url endpoints are discovering
using service catalog.
+Change default service policy configuration:
+--------------------------------------------
+
+.. code-block:: yaml
+
+ nova:
+ controller:
+ policy:
+ 'context_is_admin': 'role:admin or role:administrator'
+ 'compute:create': 'rule:admin_or_owner'
+ # Add key without value to remove line from policy.json
+ 'compute:create:attach_network':
+
+
Compute nodes
-------------
diff --git a/nova/controller.sls b/nova/controller.sls
index 94ad162..7654536 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -296,13 +296,11 @@
{% endif %}
{%- if controller.version not in ['liberty', 'mitaka', 'newton'] %}
-{# nova no longer ships with a default policy.json #}
-{#- Since Queens release `policy.json` is changed to `policy.yaml`. But default option in `oslo_policy` is `policy.json` #}
/etc/nova/{{ controller.get('oslo_policy', {}).get('policy_file', 'policy.json') }}:
file.managed:
- - contents: '{}'
+ - mode: 0640
- replace: False
- - user: nova
+ - user: root
- group: nova
- require:
- pkg: nova_controller_packages
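Review bot: With `contents: '{}'` removed, `file.managed` creates a zero-byte file on a controller where the policy file does not yet exist (the deleted comment notes nova no longer ships one), so a fresh deployment now starts from an empty file instead of an empty JSON object. Nothing in this hunk shows that the rule states in the following hunks, which `require` this file, or oslo.policy itself tolerate empty input, so please confirm that or keep `- contents: '{}'` next to `replace: False`, which only seeds the file when it is absent. The ownership change to `user: root` with `group: nova` and `0640` is a sound hardening: the service account can still read its authorization policy but can no longer rewrite it. As a style point, quote the mode as `- mode: '0640'` so it does not rely on Salt's YAML loader special-casing leading-zero integers (a plain YAML 1.1 parser reads `0640` as decimal 416).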
@@ -318,7 +316,7 @@
- rule: {{ rule }}
- require:
- pkg: nova_controller_packages
- {% if controller.version not in ['liberty', 'mitaka', 'newton'] %}
+ {%- if controller.version not in ['liberty', 'mitaka', 'newton'] %}
- file: /etc/nova/{{ controller.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
{% endif%}
@@ -330,7 +328,7 @@
- name: {{ name }}
- require:
- pkg: nova_controller_packages
- {% if controller.version not in ['liberty', 'mitaka', 'newton'] %}
+ {%- if controller.version not in ['liberty', 'mitaka', 'newton'] %}
- file: /etc/nova/{{ controller.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
{% endif%}