openstack/charm-swift-proxy
Code Issues Proposed changes

Policyd override implementation

Browse Source 
This patchset implements policy overrides for swift-proxy.  It uses
the code in charmhelpers.

Closed-Bug: #1741723
Change-Id: Ic51ee5d181558b63dfd968c5b0c7d40760a5ac59
This commit is contained in:
Arif Ali
2020-06-30 19:04:37 +00:00
parent 0ce1ee67f8
commit d21648e671
5 changed files with 70 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
README.md
View File

@@ -155,6 +155,49 @@ Actions allow specific operations to be performed on a per-unit basis.
To display action descriptions run `juju actions swift-proxy`. To display action descriptions run `juju actions swift-proxy`.
# Policy Overrides
This feature allows for policy overrides using the `policy.d` directory. This
is an **advanced** feature and the policies that the OpenStack service supports
should be clearly and unambiguously understood before trying to override, or
add to, the default policies that the service uses. The charm also has some
policy defaults. They should also be understood before being overridden.
> **Caution**: It is possible to break the system (for tenants and other
services) if policies are incorrectly applied to the service.
Policy overrides are YAML files that contain rules that will add to, or
override, existing policy rules in the service. The `policy.d` directory is
a place to put the YAML override files. This charm owns the
`/etc/swift/policy.d` directory, and as such, any manual changes to it will
be overwritten on charm upgrades.
Overrides are provided to the charm using a Juju resource called
`policyd-override`. The resource is a ZIP file. This file, say
`overrides.zip`, is attached to the charm by:
juju attach-resource swift-proxy policyd-override=overrides.zip
The policy override is enabled in the charm using:
juju config swift-proxy use-policyd-override=true
When `use-policyd-override` is `True` the status line of the charm will be
prefixed with `PO:` indicating that policies have been overridden. If the
installation of the policy override YAML files failed for any reason then the
status line will be prefixed with `PO (broken):`. The log file for the charm
will indicate the reason. No policy override files are installed if the `PO
(broken):` is shown. The status line indicates that the overrides are broken,
not that the policy for the service has failed. The policy will be the defaults
for the charm and service.
Policy overrides on one service may affect the functionality of another
service. Therefore, it may be necessary to provide policy overrides for
multiple service charms to achieve a consistent set of policies across the
OpenStack system. The charms for the other services that may need overrides
should be checked to ensure that they support overrides before proceeding.
# Bugs # Bugs
Please report bugs on [Launchpad][lp-bugs-charm-swift-proxy]. Please report bugs on [Launchpad][lp-bugs-charm-swift-proxy].

8
config.yaml
View File

@@ -440,3 +440,11 @@ options:
storing the objects replicas on up to 6 disks. storing the objects replicas on up to 6 disks.
. .
NOTE: use only when 'enable-multi-region=True' NOTE: use only when 'enable-multi-region=True'
use-policyd-override:
type: boolean
default: False
description: |
If True then use the resource file named 'policyd-override' to install
override YAML files in the service's policy.d directory. The resource
file should be a ZIP file containing at least one yaml file with a .yaml
or .yml extension. If False then remove the overrides.

12
hooks/swift_hooks.py
View File

@@ -78,6 +78,7 @@ from lib.swift_utils import (
from lib.swift_context import get_swift_hash from lib.swift_context import get_swift_hash
import charmhelpers.contrib.openstack.utils as openstack import charmhelpers.contrib.openstack.utils as openstack
import charmhelpers.contrib.openstack.policyd as policyd
from charmhelpers.contrib.openstack.ha.utils import ( from charmhelpers.contrib.openstack.ha.utils import (
generate_ha_relation_data, generate_ha_relation_data,
@@ -167,6 +168,10 @@ def install():
# configure a directory on webserver for distributing rings. # configure a directory on webserver for distributing rings.
ensure_www_dir_permissions(get_www_dir()) ensure_www_dir_permissions(get_www_dir())
# call the policy overrides handler which will install any policy overrides
policyd.maybe_do_policyd_overrides(
openstack.os_release('swift-proxy'), 'swift')
@hooks.hook('config-changed') @hooks.hook('config-changed')
@restart_on_change(restart_map()) @restart_on_change(restart_map())
@@ -222,6 +227,10 @@ def config_changed():
try_initialize_swauth() try_initialize_swauth()
# call the policy overrides handler which will install any policy overrides
policyd.maybe_do_policyd_overrides(
openstack.os_release('swift-proxy'), 'swift')
@hooks.hook('identity-service-relation-joined') @hooks.hook('identity-service-relation-joined')
def keystone_joined(relid=None): def keystone_joined(relid=None):
@@ -730,6 +739,9 @@ def upgrade_charm():
if new_packages: if new_packages:
apt_install(new_packages) apt_install(new_packages)
update_rsync_acls() update_rsync_acls()
# call the policy overrides handler which will install any policy overrides
policyd.maybe_do_policyd_overrides(
openstack.os_release('swift-proxy'), 'swift')
@hooks.hook('update-status') @hooks.hook('update-status')

5
metadata.yaml
View File

@@ -52,3 +52,8 @@ requires:
peers: peers:
cluster: cluster:
interface: swift-ha interface: swift-ha
resources:
policyd-override:
type: file
filename: policyd-override.zip
description: The policy.d overrides file

2
tests/tests.yaml
View File

@@ -31,3 +31,5 @@ tests:
tests_options: tests_options:
force_deploy: force_deploy:
- focal-ussuri - focal-ussuri
policyd:
- service: swift