From d21648e67106c48e222a3f698eeb2255593326dd Mon Sep 17 00:00:00 2001 From: Arif Ali Date: Tue, 30 Jun 2020 19:04:37 +0000 Subject: [PATCH] Policyd override implementation This patchset implements policy overrides for swift-proxy. It uses the code in charmhelpers. Closed-Bug: #1741723 Change-Id: Ic51ee5d181558b63dfd968c5b0c7d40760a5ac59 --- README.md | 43 +++++++++++++++++++++++++++++++++++++++++++ config.yaml | 8 ++++++++ hooks/swift_hooks.py | 12 ++++++++++++ metadata.yaml | 5 +++++ tests/tests.yaml | 2 ++ 5 files changed, 70 insertions(+) diff --git a/README.md b/README.md index 3def3dc..94bb772 100644 --- a/README.md +++ b/README.md 
@@ -155,6 +155,49 @@ Actions allow specific operations to be performed on a per-unit basis. To display action descriptions run `juju actions swift-proxy`. +# Policy Overrides + +This feature allows for policy overrides using the `policy.d` directory. This +is an **advanced** feature and the policies that the OpenStack service supports +should be clearly and unambiguously understood before trying to override, or +add to, the default policies that the service uses. The charm also has some +policy defaults. They should also be understood before being overridden. + +> **Caution**: It is possible to break the system (for tenants and other + services) if policies are incorrectly applied to the service. + +Policy overrides are YAML files that contain rules that will add to, or +override, existing policy rules in the service. The `policy.d` directory is +a place to put the YAML override files. This charm owns the +`/etc/swift/policy.d` directory, and as such, any manual changes to it will +be overwritten on charm upgrades. + +Overrides are provided to the charm using a Juju resource called +`policyd-override`. The resource is a ZIP file. This file, say +`overrides.zip`, is attached to the charm by: + + + juju attach-resource swift-proxy policyd-override=overrides.zip + +The policy override is enabled in the charm using: + + juju config swift-proxy use-policyd-override=true + +When `use-policyd-override` is `True` the status line of the charm will be +prefixed with `PO:` indicating that policies have been overridden. If the +installation of the policy override YAML files failed for any reason then the +status line will be prefixed with `PO (broken):`. The log file for the charm +will indicate the reason. No policy override files are installed if the `PO +(broken):` is shown. The status line indicates that the overrides are broken, +not that the policy for the service has failed. The policy will be the defaults +for the charm and service. 
+ +Policy overrides on one service may affect the functionality of another +service. Therefore, it may be necessary to provide policy overrides for +multiple service charms to achieve a consistent set of policies across the +OpenStack system. The charms for the other services that may need overrides +should be checked to ensure that they support overrides before proceeding. + # Bugs Please report bugs on [Launchpad][lp-bugs-charm-swift-proxy]. diff --git a/config.yaml b/config.yaml index c0242d7..7461822 100644 --- a/config.yaml +++ b/config.yaml @@ -440,3 +440,11 @@ options: storing the object’s replicas on up to 6 disks. . NOTE: use only when 'enable-multi-region=True' + use-policyd-override: + type: boolean + default: False + description: | + If True then use the resource file named 'policyd-override' to install + override YAML files in the service's policy.d directory. The resource + file should be a ZIP file containing at least one yaml file with a .yaml + or .yml extension. If False then remove the overrides. diff --git a/hooks/swift_hooks.py b/hooks/swift_hooks.py index fc4e5f8..6b43dcc 100755 --- a/hooks/swift_hooks.py +++ b/hooks/swift_hooks.py @@ -78,6 +78,7 @@ from lib.swift_utils import ( from lib.swift_context import get_swift_hash import charmhelpers.contrib.openstack.utils as openstack +import charmhelpers.contrib.openstack.policyd as policyd from charmhelpers.contrib.openstack.ha.utils import ( generate_ha_relation_data, @@ -167,6 +168,10 @@ def install(): # configure a directory on webserver for distributing rings. ensure_www_dir_permissions(get_www_dir()) + # call the policy overrides handler which will install any policy overrides + policyd.maybe_do_policyd_overrides( + openstack.os_release('swift-proxy'), 'swift') + @hooks.hook('config-changed') @restart_on_change(restart_map()) 
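Review bot: Nothing visible in this patch makes swift-proxy read rules from `/etc/swift/policy.d`; the call added to `install()` (and repeated in `config_changed()` and `upgrade_charm()`) only passes the release and the name `'swift'` to charmhelpers. If the proxy's authorization is actually driven by its middleware configuration rather than by policy files, the `PO:` status prefix would tell an operator that access rules were overridden when nothing is enforced. This should be confirmed before merge, and the `policyd` entry in tests/tests.yaml should check an override whose effect on the service is observable. The comment also understates the call: per the config.yaml description it removes the overrides when the option is False, so `# install or remove policy.d overrides according to use-policyd-override` would be more accurate. The body of `install()` begins outside the hunk.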
@@ -222,6 +227,10 @@ def config_changed(): try_initialize_swauth() + # call the policy overrides handler which will install any policy overrides + policyd.maybe_do_policyd_overrides( + openstack.os_release('swift-proxy'), 'swift') + @hooks.hook('identity-service-relation-joined') def keystone_joined(relid=None): @@ -730,6 +739,9 @@ def upgrade_charm(): if new_packages: apt_install(new_packages) update_rsync_acls() + # call the policy overrides handler which will install any policy overrides + policyd.maybe_do_policyd_overrides( + openstack.os_release('swift-proxy'), 'swift') @hooks.hook('update-status') diff --git a/metadata.yaml b/metadata.yaml index 314a33f..14296d4 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -52,3 +52,8 @@ requires: peers: cluster: interface: swift-ha +resources: + policyd-override: + type: file + filename: policyd-override.zip + description: The policy.d overrides file diff --git a/tests/tests.yaml b/tests/tests.yaml index 5f63723..eb24f2d 100644 --- a/tests/tests.yaml +++ b/tests/tests.yaml @@ -31,3 +31,5 @@ tests: tests_options: force_deploy: - focal-ussuri + policyd: + - service: swift
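Review bot: The call added to `config_changed()` is identical to the ones in `install()` and `upgrade_charm()`, and as far as the hunk shows it is unconditional. That means the resource is re-processed on every config-changed event, not only when `use-policyd-override` or the attached resource changes. If the vendored charmhelpers `policyd` module offers a config-changed mode (inferred, not visible here), using it would avoid rewriting the policy directory needlessly. The three copies would also be easier to keep in step as one private helper, e.g. `def _apply_policyd_overrides():` wrapping `policyd.maybe_do_policyd_overrides(openstack.os_release('swift-proxy'), 'swift')`. The body of `config_changed()` begins outside the hunk.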