Remove sample policy and config files

Now we have docs, lets point people there rather than attempting to
maintain a copy in tree.

Also update the devstack plugin to know nothing about policy.json, as it
never allowed for customizing the location or the contents anyhow, and
to build ironic.conf from scratch rather than from the sample.

Change-Id: I10a4987204eb335f1fed29d4b1d7f3e075aa1792

devstack/lib/ironic

@@ -67,7 +67,6 @@ IRONIC_AUTH_CACHE_DIR=${IRONIC_AUTH_CACHE_DIR:-/var/cache/ironic}
 IRONIC_CONF_DIR=${IRONIC_CONF_DIR:-/etc/ironic}
 IRONIC_CONF_FILE=$IRONIC_CONF_DIR/ironic.conf
 IRONIC_ROOTWRAP_CONF=$IRONIC_CONF_DIR/rootwrap.conf
-IRONIC_POLICY_JSON=$IRONIC_CONF_DIR/policy.json
 if is_suse; then
     IRONIC_WSGI_DIR=${IRONIC_WSGI_DIR:-/srv/www/htdocs/ironic}
 else
@@ -1050,8 +1049,9 @@ function cleanup_ironic_provision_network {
 function configure_ironic {
     configure_ironic_dirs
 
-    # Copy over ironic configuration file and configure common parameters.
-    cp $IRONIC_DIR/etc/ironic/ironic.conf.sample $IRONIC_CONF_FILE
+    # (re)create ironic configuration file and configure common parameters.
+    rm -f $IRONIC_CONF_FILE
+
     iniset $IRONIC_CONF_FILE DEFAULT debug True
     inicomment $IRONIC_CONF_FILE DEFAULT log_file
     iniset $IRONIC_CONF_FILE database connection `database_connection_url ironic`
@@ -1121,7 +1121,6 @@ EOF
 function configure_ironic_api {
     iniset $IRONIC_CONF_FILE DEFAULT auth_strategy $IRONIC_AUTH_STRATEGY
     configure_auth_token_middleware $IRONIC_CONF_FILE ironic $IRONIC_AUTH_CACHE_DIR/api
-    iniset $IRONIC_CONF_FILE oslo_policy policy_file $IRONIC_POLICY_JSON
 
     iniset_rpc_backend ironic $IRONIC_CONF_FILE
 
@@ -1135,8 +1134,6 @@ function configure_ironic_api {
     else
         iniset $IRONIC_CONF_FILE api port $IRONIC_SERVICE_PORT
     fi
-
-    cp -p $IRONIC_DIR/etc/ironic/policy.json $IRONIC_POLICY_JSON
 }
 
 # configure_client_for() - is used by configure_ironic_conductor.

etc/ironic/README-ironic.conf.txt

@@ -0,0 +1,8 @@
+To generate the sample ironic.conf file, run the following command from the top
+level of the repo:
+
+    tox -egenconfig
+
+For a pre-generated example of the latest ironic.conf, see:
+
+    https://docs.openstack.org/ironic/latest/configuration/sample-config.html

etc/ironic/README-policy.yaml.txt

@@ -0,0 +1,8 @@
+To generate the sample policy.yaml file, run the following command from the top
+level of the repo:
+
+    tox -egenpolicy
+
+For a pre-generated example of the latest policy.yaml, see:
+
+    https://docs.openstack.org/ironic/latest/configuration/sample-policy.html

etc/ironic/policy.json

@@ -1,5 +0,0 @@
-# Beginning with the Newton release, you may leave this file empty
-# to use default policy defined in code.
-{
-
-}

etc/ironic/policy.json.sample

@@ -1,239 +0,0 @@
-# Legacy rule for cloud admin access
-#"admin_api": "role:admin or role:administrator"
-
-# Internal flag for public API routes
-#"public_api": "is_public_api:True"
-
-# Show or mask secrets within node driver information in API responses
-#"show_password": "!"
-
-# Show or mask secrets within instance information in API responses
-#"show_instance_secrets": "!"
-
-# May be used to restrict access to specific projects
-#"is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
-
-# Read-only API access
-#"is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
-
-# Full read/write API access
-#"is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
-
-# Create Node records
-# POST  /nodes
-#"baremetal:node:create": "rule:is_admin"
-
-# Retrieve Node records
-# GET  /nodes
-# GET  /nodes/detail
-# GET  /nodes/{node_ident}
-#"baremetal:node:get": "rule:is_admin or rule:is_observer"
-
-# Update Node records
-# PATCH  /nodes/{node_ident}
-#"baremetal:node:update": "rule:is_admin"
-
-# Delete Node records
-# DELETE  /nodes/{node_ident}
-#"baremetal:node:delete": "rule:is_admin"
-
-# Request active validation of Nodes
-# GET  /nodes/{node_ident}/validate
-#"baremetal:node:validate": "rule:is_admin"
-
-# Set maintenance flag, taking a Node out of service
-# PUT  /nodes/{node_ident}/maintenance
-#"baremetal:node:set_maintenance": "rule:is_admin"
-
-# Clear maintenance flag, placing the Node into service again
-# DELETE  /nodes/{node_ident}/maintenance
-#"baremetal:node:clear_maintenance": "rule:is_admin"
-
-# Retrieve Node boot device metadata
-# GET  /nodes/{node_ident}/management/boot_device
-# GET  /nodes/{node_ident}/management/boot_device/supported
-#"baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
-
-# Change Node boot device
-# PUT  /nodes/{node_ident}/management/boot_device
-#"baremetal:node:set_boot_device": "rule:is_admin"
-
-# Inject NMI for a node
-# PUT  /nodes/{node_ident}/management/inject_nmi
-#"baremetal:node:inject_nmi": "rule:is_admin"
-
-# View Node power and provision state
-# GET  /nodes/{node_ident}/states
-#"baremetal:node:get_states": "rule:is_admin or rule:is_observer"
-
-# Change Node power status
-# PUT  /nodes/{node_ident}/states/power
-#"baremetal:node:set_power_state": "rule:is_admin"
-
-# Change Node provision status
-# PUT  /nodes/{node_ident}/states/provision
-#"baremetal:node:set_provision_state": "rule:is_admin"
-
-# Change Node RAID status
-# PUT  /nodes/{node_ident}/states/raid
-#"baremetal:node:set_raid_state": "rule:is_admin"
-
-# Get Node console connection information
-# GET  /nodes/{node_ident}/states/console
-#"baremetal:node:get_console": "rule:is_admin"
-
-# Change Node console status
-# PUT  /nodes/{node_ident}/states/console
-#"baremetal:node:set_console_state": "rule:is_admin"
-
-# List VIFs attached to node
-# GET  /nodes/{node_ident}/vifs
-#"baremetal:node:vif:list": "rule:is_admin"
-
-# Attach a VIF to a node
-# POST  /nodes/{node_ident}/vifs
-#"baremetal:node:vif:attach": "rule:is_admin"
-
-# Detach a VIF from a node
-# DELETE  /nodes/{node_ident}/vifs/{node_vif_ident}
-#"baremetal:node:vif:detach": "rule:is_admin"
-
-# List node traits
-# GET  /nodes/{node_ident}/traits
-#"baremetal:node:traits:list": "rule:is_admin or rule:is_observer"
-
-# Add a trait to, or replace all traits of, a node
-# PUT  /nodes/{node_ident}/traits
-# PUT  /nodes/{node_ident}/traits/{trait}
-#"baremetal:node:traits:set": "rule:is_admin"
-
-# Remove one or all traits from a node
-# DELETE  /nodes/{node_ident}/traits
-# DELETE  /nodes/{node_ident}/traits/{trait}
-#"baremetal:node:traits:delete": "rule:is_admin"
-
-# Retrieve Port records
-# GET  /ports
-# GET  /ports/detail
-# GET  /ports/{port_id}
-# GET  /nodes/{node_ident}/ports
-# GET  /nodes/{node_ident}/ports/detail
-# GET  /portgroups/{portgroup_ident}/ports
-# GET  /portgroups/{portgroup_ident}/ports/detail
-#"baremetal:port:get": "rule:is_admin or rule:is_observer"
-
-# Create Port records
-# POST  /ports
-#"baremetal:port:create": "rule:is_admin"
-
-# Delete Port records
-# DELETE  /ports/{port_id}
-#"baremetal:port:delete": "rule:is_admin"
-
-# Update Port records
-# PATCH  /ports/{port_id}
-#"baremetal:port:update": "rule:is_admin"
-
-# Retrieve Portgroup records
-# GET  /portgroups
-# GET  /portgroups/detail
-# GET  /portgroups/{portgroup_ident}
-# GET  /nodes/{node_ident}/portgroups
-# GET  /nodes/{node_ident}/portgroups/detail
-#"baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
-
-# Create Portgroup records
-# POST  /portgroups
-#"baremetal:portgroup:create": "rule:is_admin"
-
-# Delete Portgroup records
-# DELETE  /portgroups/{portgroup_ident}
-#"baremetal:portgroup:delete": "rule:is_admin"
-
-# Update Portgroup records
-# PATCH  /portgroups/{portgroup_ident}
-#"baremetal:portgroup:update": "rule:is_admin"
-
-# Retrieve Chassis records
-# GET  /chassis
-# GET  /chassis/detail
-# GET  /chassis/{chassis_id}
-#"baremetal:chassis:get": "rule:is_admin or rule:is_observer"
-
-# Create Chassis records
-# POST  /chassis
-#"baremetal:chassis:create": "rule:is_admin"
-
-# Delete Chassis records
-# DELETE  /chassis/{chassis_id}
-#"baremetal:chassis:delete": "rule:is_admin"
-
-# Update Chassis records
-# PATCH  /chassis/{chassis_id}
-#"baremetal:chassis:update": "rule:is_admin"
-
-# View list of available drivers
-# GET  /drivers
-# GET  /drivers/{driver_name}
-#"baremetal:driver:get": "rule:is_admin or rule:is_observer"
-
-# View driver-specific properties
-# GET  /drivers/{driver_name}/properties
-#"baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
-
-# View driver-specific RAID metadata
-# GET  /drivers/{driver_name}/raid/logical_disk_properties
-#"baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
-
-# Access vendor-specific Node functions
-# GET  nodes/{node_ident}/vendor_passthru/methods
-# GET  nodes/{node_ident}/vendor_passthru?method={method_name}
-# PUT  nodes/{node_ident}/vendor_passthru?method={method_name}
-# POST  nodes/{node_ident}/vendor_passthru?method={method_name}
-# PATCH  nodes/{node_ident}/vendor_passthru?method={method_name}
-# DELETE  nodes/{node_ident}/vendor_passthru?method={method_name}
-#"baremetal:node:vendor_passthru": "rule:is_admin"
-
-# Access vendor-specific Driver functions
-# GET  drivers/{driver_name}/vendor_passthru/methods
-# GET  drivers/{driver_name}/vendor_passthru?method={method_name}
-# PUT  drivers/{driver_name}/vendor_passthru?method={method_name}
-# POST  drivers/{driver_name}/vendor_passthru?method={method_name}
-# PATCH  drivers/{driver_name}/vendor_passthru?method={method_name}
-# DELETE  drivers/{driver_name}/vendor_passthru?method={method_name}
-#"baremetal:driver:vendor_passthru": "rule:is_admin"
-
-# Send heartbeats from IPA ramdisk
-# POST  /heartbeat/{node_ident}
-#"baremetal:node:ipa_heartbeat": "rule:public_api"
-
-# Access IPA ramdisk functions
-# GET  /lookup
-#"baremetal:driver:ipa_lookup": "rule:public_api"
-
-# Retrieve Volume connector and target records
-# GET  /volume
-# GET  /volume/connectors
-# GET  /volume/connectors/{volume_connector_id}
-# GET  /volume/targets
-# GET  /volume/targets/{volume_target_id}
-# GET  /nodes/{node_ident}/volume
-# GET  /nodes/{node_ident}/volume/connectors
-# GET  /nodes/{node_ident}/volume/targets
-#"baremetal:volume:get": "rule:is_admin or rule:is_observer"
-
-# Create Volume connector and target records
-# POST  /volume/connectors
-# POST  /volume/targets
-#"baremetal:volume:create": "rule:is_admin"
-
-# Delete Volume connector and target records
-# DELETE  /volume/connectors/{volume_connector_id}
-# DELETE  /volume/targets/{volume_target_id}
-#"baremetal:volume:delete": "rule:is_admin"
-
-# Update Volume connector and target records
-# PATCH  /volume/connectors/{volume_connector_id}
-# PATCH  /volume/targets/{volume_target_id}
-#"baremetal:volume:update": "rule:is_admin"
-

releasenotes/notes/remove-policy-json-be92ffdba7bda951.yaml

@@ -0,0 +1,15 @@
+---
+upgrade:
+  - |
+    The default policy file located at ``etc/ironic/policy.json`` was removed
+    in this release, as no policy file is required to run the ironic-api
+    service.
+other:
+  - |
+    The sample configuration file located at ``etc/ironic/ironic.conf.sample``
+    and the sample policy file located at ``etc/ironic/policy.json.sample``
+    were removed in this release, as they are now published with documentation.
+    See `the sample configuration file
+    <https://docs.openstack.org/ironic/latest/configuration/sample-config.html>`_
+    and `the sample policy file
+    <https://docs.openstack.org/ironic/latest/configuration/sample-policy.html>`_.