Implement policyd-override resource support

Currently, the Barbican charm lacks the standard mechanism for
overriding policies via a Juju resource, which is present in other
charms like Keystone, Octavia, and Designate [0].

This change uses the code in charms.openstack [1], and implements the
policyd-override functionality in a similar manner as other reactive
charms like Octavia [2] and Designate [3].

[0] https://docs.openstack.org/charm-guide/latest/concepts/policy-overrides.html
[1] https://opendev.org/openstack/charms.openstack/src/branch/master/charms_openstack/plugins/classes.py
[2] 5e3e942cd8
[3] 08d9d1929b

Closes-Bug: #2131898
Change-Id: I5e1ede0efb914a36ce15683dafed7e3c9fd2675e
Signed-off-by: Munir Siddiqui <munir.siddiqui@canonical.com>

README.md

@@ -63,6 +63,29 @@ juju run-action generate-mkek
 Note that, depending on the HSM, it may only be possible to do this ONCE as the
 HSM may reject setting up the keys more than once.
 
+# Policy Overrides
+
+Policy overrides is an **advanced** feature that allows an operator to override the
+default policy of an OpenStack service. The policies that the service supports,
+the defaults it implements in its code, and the defaults that a charm may
+include should all be clearly understood before proceeding.
+
+> **Caution**: It is possible to break the system (for tenants and other
+  services) if policies are incorrectly applied to the service.
+
+Policy statements are placed in a YAML file. This file (or files) is then (ZIP)
+compressed into a single file and used as an application resource. The override
+is then enabled via a Boolean charm option.
+
+Here are the essential commands (filenames are arbitrary):
+
+    zip overrides.zip override-file.yaml
+    juju attach-resource barbican policyd-override=overrides.zip
+    juju config barbican use-policyd-override=true
+
+See appendix [Policy Overrides](https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-policy-overrides.html) in the [OpenStack Charms Deployment](https://docs.openstack.org/project-deploy-guide/charm-deployment-guide) Guide for a
+thorough treatment of this feature.
+
 # Developer Notes
 
 The Barbican charm has to be able to set `[crypto]` and `[xxx_plugin]` sections

src/config.yaml

@@ -49,3 +49,11 @@ options:
   use-internal-endpoints:
     default: True
     type: boolean
+  use-policyd-override:
+    type: boolean
+    default: False
+    description: |
+      If True then use the resource file named 'policyd-override' to install
+      override YAML files in the service's policy.d directory.  The resource
+      file should be a ZIP file containing at least one yaml file with a .yaml
+      or .yml extension.  If False then remove the overrides.

src/lib/charm/openstack/barbican.py

@@ -24,6 +24,7 @@ import charmhelpers.core.hookenv as hookenv
 import charms_openstack.charm
 import charms_openstack.adapters
 import charms_openstack.ip as os_ip
+import charms_openstack.plugins as ch_plugins
 
 PACKAGES = [
     'barbican-common', 'barbican-api', 'barbican-worker',
@@ -44,8 +45,10 @@ OPENSTACK_RELEASE_KEY = 'barbican-charm.openstack-release-version'
 
 
 # select the default release function
-charms_openstack.charm.use_defaults('charm.default-select-release')
-
+# config.changed is needed to get the policyd override clean-up to work when
+# setting use-policyd-override=false
+charms_openstack.charm.use_defaults('charm.default-select-release',
+                                    'config.changed')
 
 ###
 # Implementation of the Barbican Charm classes
@@ -55,6 +58,7 @@ charms_openstack.charm.use_defaults('charm.default-select-release')
 # variable 'exists' that we can test in the template to see if we should
 # render HSM parameters into the template.
 
+
 @charms_openstack.adapters.adapter_property('hsm')
 def library_path(hsm):
     """Provide a library_path property to the template if it exists"""
@@ -94,7 +98,8 @@ def plugins_string(secrets):
     return secrets.relation.plugins_string
 
 
-class BarbicanCharm(charms_openstack.charm.HAOpenStackCharm):
+class BarbicanCharm(ch_plugins.PolicydOverridePlugin,
+                    charms_openstack.charm.HAOpenStackCharm):
     """BarbicanCharm provides the specialisation of the OpenStackCharm
     functionality to manage a barbican unit.
     """
@@ -148,6 +153,10 @@ class BarbicanCharm(charms_openstack.charm.HAOpenStackCharm):
     # This is the command to sync the database
     sync_cmd = ['sudo', '-u', 'barbican', 'barbican-manage', 'db', 'upgrade']
 
+    # policyd override constants
+    policyd_service_name = 'barbican'
+    policyd_restart_on_change = True
+
     def get_amqp_credentials(self):
         """Provide the default amqp username and vhost as a tuple.
 

src/metadata.yaml

@@ -21,3 +21,8 @@ requires:
   secrets:
     interface: barbican-secrets
     optional: true
+resources:
+  policyd-override:
+    type: file
+    filename: policyd-override.zip
+    description: The policy.d overrides file