templatize policy.json

This commit takes the defaults from policy.json, turns them into attributes, and the file becomes a template. Also Adds readme information

README.md

@@ -67,6 +67,10 @@ Attributes
 * `cinder["rbd_pool"]` - RADOS Block Device pool to use
 * `cinder["rbd_user"]` - User for Cephx Authentication
 * `cinder["rbd_secret_uuid"]` - Secret UUID for Cephx Authentication
+* `cinder["policy"]["context_is_admin"]` - Define administrators
+* `cinder["policy"]["default"]` - default volume operations rule
+* `cinder["policy"]["admin_or_owner"]` - Define an admin or owner
+* `cinder["policy"]["admin_api"]` - Define api admin
 
 Testing
 =====

attributes/default.rb

@@ -112,6 +112,12 @@ default["cinder"]["rbd_pool"] = "rbd"
 default["cinder"]["rbd_user"] = nil
 default["cinder"]["rbd_secret_uuid"] = nil
 
+# Cinder Policy defaults
+default["cinder"]["policy"]["context_is_admin"] = '["role:admin"]'
+default["cinder"]["policy"]["default"] = '["rule:admin_or_owner"]'
+default["cinder"]["policy"]["admin_or_owner"] = '["is_admin:True"], ["project_id:%(project_id)s"]'
+default["cinder"]["policy"]["admin_api"] = '["is_admin:True"]'
+
 case platform
 when "fedora", "redhat", "centos" # :pragma-foodcritic: ~FC024 - won't fix this
   default["cinder"]["platform"] = {

templates/default/policy.json.erb

@@ -0,0 +1,34 @@
+{
+    "context_is_admin": [<%= node["cinder"]["policy"]["context_is_admin"] %>],
+    "admin_or_owner":  [<%= node["cinder"]["policy"]["admin_or_owner"] %>],
+    "default": [<%= node["cinder"]["policy"]["default"] %>],
+
+    "admin_api": [<%= node["cinder"]["policy"]["admin_api"] %>],
+
+    "volume:create": [],
+    "volume:get_all": [],
+    "volume:get_volume_metadata": [],
+    "volume:get_snapshot": [],
+    "volume:get_all_snapshots": [],
+
+    "volume_extension:types_manage": [["rule:admin_api"]],
+    "volume_extension:types_extra_specs": [["rule:admin_api"]],
+    "volume_extension:extended_snapshot_attributes": [],
+    "volume_extension:volume_image_metadata": [],
+
+    "volume_extension:quotas:show": [],
+    "volume_extension:quotas:update_for_project": [["rule:admin_api"]],
+    "volume_extension:quotas:update_for_user": [["rule:admin_or_projectadmin"]],
+    "volume_extension:quota_classes": [],
+
+    "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
+    "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
+    "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
+    "volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
+
+    "volume_extension:volume_host_attribute": [["rule:admin_api"]],
+    "volume_extension:volume_tenant_attribute": [["rule:admin_api"]],
+    "volume_extension:hosts": [["rule:admin_api"]],
+    "volume_extension:services": [["rule:admin_api"]],
+    "volume:services": [["rule:admin_api"]]
+}