Policyd override implementation
This patchset implements policy overrides for swift-proxy. It uses the code in charmhelpers. Closed-Bug: #1741723 Change-Id: Ic51ee5d181558b63dfd968c5b0c7d40760a5ac59
This commit is contained in:
parent
0ce1ee67f8
commit
d21648e671
43
README.md
43
README.md
|
@ -155,6 +155,49 @@ Actions allow specific operations to be performed on a per-unit basis.
|
|||
|
||||
To display action descriptions run `juju actions swift-proxy`.
|
||||
|
||||
# Policy Overrides
|
||||
|
||||
This feature allows for policy overrides using the `policy.d` directory. This
|
||||
is an **advanced** feature and the policies that the OpenStack service supports
|
||||
should be clearly and unambiguously understood before trying to override, or
|
||||
add to, the default policies that the service uses. The charm also has some
|
||||
policy defaults. They should also be understood before being overridden.
|
||||
|
||||
> **Caution**: It is possible to break the system (for tenants and other
|
||||
services) if policies are incorrectly applied to the service.
|
||||
|
||||
Policy overrides are YAML files that contain rules that will add to, or
|
||||
override, existing policy rules in the service. The `policy.d` directory is
|
||||
a place to put the YAML override files. This charm owns the
|
||||
`/etc/swift/policy.d` directory, and as such, any manual changes to it will
|
||||
be overwritten on charm upgrades.
|
||||
|
||||
Overrides are provided to the charm using a Juju resource called
|
||||
`policyd-override`. The resource is a ZIP file. This file, say
|
||||
`overrides.zip`, is attached to the charm by:
|
||||
|
||||
|
||||
juju attach-resource swift-proxy policyd-override=overrides.zip
|
||||
|
||||
The policy override is enabled in the charm using:
|
||||
|
||||
juju config swift-proxy use-policyd-override=true
|
||||
|
||||
When `use-policyd-override` is `True` the status line of the charm will be
|
||||
prefixed with `PO:` indicating that policies have been overridden. If the
|
||||
installation of the policy override YAML files failed for any reason then the
|
||||
status line will be prefixed with `PO (broken):`. The log file for the charm
|
||||
will indicate the reason. No policy override files are installed if the `PO
|
||||
(broken):` is shown. The status line indicates that the overrides are broken,
|
||||
not that the policy for the service has failed. The policy will be the defaults
|
||||
for the charm and service.
|
||||
|
||||
Policy overrides on one service may affect the functionality of another
|
||||
service. Therefore, it may be necessary to provide policy overrides for
|
||||
multiple service charms to achieve a consistent set of policies across the
|
||||
OpenStack system. The charms for the other services that may need overrides
|
||||
should be checked to ensure that they support overrides before proceeding.
|
||||
|
||||
# Bugs
|
||||
|
||||
Please report bugs on [Launchpad][lp-bugs-charm-swift-proxy].
|
||||
|
|
|
@ -440,3 +440,11 @@ options:
|
|||
storing the object’s replicas on up to 6 disks.
|
||||
.
|
||||
NOTE: use only when 'enable-multi-region=True'
|
||||
use-policyd-override:
|
||||
type: boolean
|
||||
default: False
|
||||
description: |
|
||||
If True then use the resource file named 'policyd-override' to install
|
||||
override YAML files in the service's policy.d directory. The resource
|
||||
file should be a ZIP file containing at least one yaml file with a .yaml
|
||||
or .yml extension. If False then remove the overrides.
|
||||
|
|
|
@ -78,6 +78,7 @@ from lib.swift_utils import (
|
|||
from lib.swift_context import get_swift_hash
|
||||
|
||||
import charmhelpers.contrib.openstack.utils as openstack
|
||||
import charmhelpers.contrib.openstack.policyd as policyd
|
||||
|
||||
from charmhelpers.contrib.openstack.ha.utils import (
|
||||
generate_ha_relation_data,
|
||||
|
@ -167,6 +168,10 @@ def install():
|
|||
# configure a directory on webserver for distributing rings.
|
||||
ensure_www_dir_permissions(get_www_dir())
|
||||
|
||||
# call the policy overrides handler which will install any policy overrides
|
||||
policyd.maybe_do_policyd_overrides(
|
||||
openstack.os_release('swift-proxy'), 'swift')
|
||||
|
||||
|
||||
@hooks.hook('config-changed')
|
||||
@restart_on_change(restart_map())
|
||||
|
@ -222,6 +227,10 @@ def config_changed():
|
|||
|
||||
try_initialize_swauth()
|
||||
|
||||
# call the policy overrides handler which will install any policy overrides
|
||||
policyd.maybe_do_policyd_overrides(
|
||||
openstack.os_release('swift-proxy'), 'swift')
|
||||
|
||||
|
||||
@hooks.hook('identity-service-relation-joined')
|
||||
def keystone_joined(relid=None):
|
||||
|
@ -730,6 +739,9 @@ def upgrade_charm():
|
|||
if new_packages:
|
||||
apt_install(new_packages)
|
||||
update_rsync_acls()
|
||||
# call the policy overrides handler which will install any policy overrides
|
||||
policyd.maybe_do_policyd_overrides(
|
||||
openstack.os_release('swift-proxy'), 'swift')
|
||||
|
||||
|
||||
@hooks.hook('update-status')
|
||||
|
|
|
@ -52,3 +52,8 @@ requires:
|
|||
peers:
|
||||
cluster:
|
||||
interface: swift-ha
|
||||
resources:
|
||||
policyd-override:
|
||||
type: file
|
||||
filename: policyd-override.zip
|
||||
description: The policy.d overrides file
|
||||
|
|
|
@ -31,3 +31,5 @@ tests:
|
|||
tests_options:
|
||||
force_deploy:
|
||||
- focal-ussuri
|
||||
policyd:
|
||||
- service: swift
|
||||
|
|
Loading…
Reference in New Issue