commit
cdd3998753
|
@ -67,6 +67,10 @@ Attributes
|
||||||
* `cinder["rbd_pool"]` - RADOS Block Device pool to use
|
* `cinder["rbd_pool"]` - RADOS Block Device pool to use
|
||||||
* `cinder["rbd_user"]` - User for Cephx Authentication
|
* `cinder["rbd_user"]` - User for Cephx Authentication
|
||||||
* `cinder["rbd_secret_uuid"]` - Secret UUID for Cephx Authentication
|
* `cinder["rbd_secret_uuid"]` - Secret UUID for Cephx Authentication
|
||||||
|
* `cinder["policy"]["context_is_admin"]` - Define administrators
|
||||||
|
* `cinder["policy"]["default"]` - default volume operations rule
|
||||||
|
* `cinder["policy"]["admin_or_owner"]` - Define an admin or owner
|
||||||
|
* `cinder["policy"]["admin_api"]` - Define api admin
|
||||||
|
|
||||||
Testing
|
Testing
|
||||||
=====
|
=====
|
||||||
|
|
|
@ -112,6 +112,12 @@ default["cinder"]["rbd_pool"] = "rbd"
|
||||||
default["cinder"]["rbd_user"] = nil
|
default["cinder"]["rbd_user"] = nil
|
||||||
default["cinder"]["rbd_secret_uuid"] = nil
|
default["cinder"]["rbd_secret_uuid"] = nil
|
||||||
|
|
||||||
|
# Cinder Policy defaults
|
||||||
|
default["cinder"]["policy"]["context_is_admin"] = '["role:admin"]'
|
||||||
|
default["cinder"]["policy"]["default"] = '["rule:admin_or_owner"]'
|
||||||
|
default["cinder"]["policy"]["admin_or_owner"] = '["is_admin:True"], ["project_id:%(project_id)s"]'
|
||||||
|
default["cinder"]["policy"]["admin_api"] = '["is_admin:True"]'
|
||||||
|
|
||||||
case platform
|
case platform
|
||||||
when "fedora", "redhat", "centos" # :pragma-foodcritic: ~FC024 - won't fix this
|
when "fedora", "redhat", "centos" # :pragma-foodcritic: ~FC024 - won't fix this
|
||||||
default["cinder"]["platform"] = {
|
default["cinder"]["platform"] = {
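Review bot: The four policy defaults are JSON fragments stored as Ruby strings, and the `# Cinder Policy defaults` comment does not say so. Judging by the policy.json.erb template in this commit, each value is pasted verbatim between an outer `[` and `]`, so an override must stay a comma-separated list of JSON arrays or the rendered file stops being valid JSON. I would extend the comment to something like `# Each value is inserted verbatim inside [ ] in policy.json.erb; keep it a comma-separated list of JSON arrays`. Since these rules decide who counts as an administrator, the README entries could state the same format.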
|
||||||
|
|
|
@ -102,3 +102,11 @@ template "/etc/cinder/api-paste.ini" do
|
||||||
|
|
||||||
notifies :restart, "service[cinder-api]", :immediately
|
notifies :restart, "service[cinder-api]", :immediately
|
||||||
end
|
end
|
||||||
|
|
||||||
|
template "/etc/cinder/policy.json" do
|
||||||
|
source "policy.json.erb"
|
||||||
|
owner node["cinder"]["user"]
|
||||||
|
group node["cinder"]["group"]
|
||||||
|
mode 00644
|
||||||
|
notifies :restart, "service[cinder-api]"
|
||||||
|
end
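Review bot: The new `template "/etc/cinder/policy.json"` resource gives the file to `node["cinder"]["user"]` with mode `00644`, so the account that (presumably) runs the Cinder services can rewrite its own authorization policy between Chef runs. The daemon only needs to read the file; `owner "root"` with the existing `group node["cinder"]["group"]` and `mode 00640` keeps it readable by the service but not writable. The `be_owned_by "cinder", "cinder"` and `"644"` expectations in the spec helper would have to change with it. Only `service[cinder-api]` is notified here, so if other Cinder services on the node read this file they may keep the old policy until restarted; that is worth confirming.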
|
||||||
|
|
|
@ -101,6 +101,8 @@ describe "cinder::api" do
|
||||||
expect(@chef_run).to execute_command cmd
|
expect(@chef_run).to execute_command cmd
|
||||||
end
|
end
|
||||||
|
|
||||||
|
expect_creates_policy_json "service[cinder-api]"
|
||||||
|
|
||||||
describe "api-paste.ini" do
|
describe "api-paste.ini" do
|
||||||
before do
|
before do
|
||||||
@file = @chef_run.template "/etc/cinder/api-paste.ini"
|
@file = @chef_run.template "/etc/cinder/api-paste.ini"
|
||||||
|
|
|
@ -50,3 +50,23 @@ def expect_creates_cinder_conf service, action=:restart
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def expect_creates_policy_json service, action=:restart
|
||||||
|
describe "policy.json" do
|
||||||
|
before do
|
||||||
|
@file = @chef_run.template "/etc/cinder/policy.json"
|
||||||
|
end
|
||||||
|
|
||||||
|
it "has proper owner" do
|
||||||
|
expect(@file).to be_owned_by "cinder", "cinder"
|
||||||
|
end
|
||||||
|
|
||||||
|
it "has proper modes" do
|
||||||
|
expect(sprintf("%o", @file.mode)).to eq "644"
|
||||||
|
end
|
||||||
|
|
||||||
|
it "notifies nova-api-ec2 restart" do
|
||||||
|
expect(@file).to notify service, action
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
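Review bot: The example `it "notifies nova-api-ec2 restart"` in `expect_creates_policy_json` looks copied from another cookbook; what it checks is `service` and `action`, so the description should be built from them, e.g. `it "notifies #{service} #{action}" do`. The helper also covers only ownership, mode and notification, not the rendered content. An example asserting that the rendered file parses as JSON and carries the `context_is_admin` value from the node attributes would catch a malformed policy before it reaches a node.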
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
<%= node["cinder"]["custom_template_banner"] %>
|
||||||
|
{
|
||||||
|
"context_is_admin": [<%= node["cinder"]["policy"]["context_is_admin"] %>],
|
||||||
|
"admin_or_owner": [<%= node["cinder"]["policy"]["admin_or_owner"] %>],
|
||||||
|
"default": [<%= node["cinder"]["policy"]["default"] %>],
|
||||||
|
|
||||||
|
"admin_api": [<%= node["cinder"]["policy"]["admin_api"] %>],
|
||||||
|
|
||||||
|
"volume:create": [],
|
||||||
|
"volume:get_all": [],
|
||||||
|
"volume:get_volume_metadata": [],
|
||||||
|
"volume:get_snapshot": [],
|
||||||
|
"volume:get_all_snapshots": [],
|
||||||
|
|
||||||
|
"volume_extension:types_manage": [["rule:admin_api"]],
|
||||||
|
"volume_extension:types_extra_specs": [["rule:admin_api"]],
|
||||||
|
"volume_extension:extended_snapshot_attributes": [],
|
||||||
|
"volume_extension:volume_image_metadata": [],
|
||||||
|
|
||||||
|
"volume_extension:quotas:show": [],
|
||||||
|
"volume_extension:quotas:update_for_project": [["rule:admin_api"]],
|
||||||
|
"volume_extension:quotas:update_for_user": [["rule:admin_or_projectadmin"]],
|
||||||
|
"volume_extension:quota_classes": [],
|
||||||
|
|
||||||
|
"volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
|
||||||
|
"volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
|
||||||
|
"volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
|
||||||
|
"volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
|
||||||
|
|
||||||
|
"volume_extension:volume_host_attribute": [["rule:admin_api"]],
|
||||||
|
"volume_extension:volume_tenant_attribute": [["rule:admin_api"]],
|
||||||
|
"volume_extension:hosts": [["rule:admin_api"]],
|
||||||
|
"volume_extension:services": [["rule:admin_api"]],
|
||||||
|
"volume:services": [["rule:admin_api"]]
|
||||||
|
}
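Review bot: `"volume_extension:quotas:update_for_user"` refers to `rule:admin_or_projectadmin`, but this file defines only `context_is_admin`, `admin_or_owner`, `default` and `admin_api`. How the policy engine treats a reference to a missing rule is not visible here, so either add an `admin_or_projectadmin` rule or point the action at `rule:admin_api` so the outcome is explicit. Separately, the banner on the first line is emitted before the opening `{`; if `custom_template_banner` renders as a `#` comment, the result is not strict JSON, so confirm the policy loader tolerates it or drop the banner from this template.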
|