
Remove sample policy and config files

Now that we have docs, let's point people there rather than attempting to
maintain a copy in tree.

Also update the devstack plugin to know nothing about policy.json, as it
never allowed for customizing the location or the contents anyhow, and
to build ironic.conf from scratch rather than from the sample.

Change-Id: I10a4987204eb335f1fed29d4b1d7f3e075aa1792
changes/49/536349/6
John Garbutt 4 years ago
committed by Dmitry Tantsur
parent
commit
d336978834
  1. 9
      devstack/lib/ironic
  2. 8
      etc/ironic/README-ironic.conf.txt
  3. 8
      etc/ironic/README-policy.yaml.txt
  4. 4361
      etc/ironic/ironic.conf.sample
  5. 5
      etc/ironic/policy.json
  6. 239
      etc/ironic/policy.json.sample
  7. 15
      releasenotes/notes/remove-policy-json-be92ffdba7bda951.yaml

9
devstack/lib/ironic

@ -67,7 +67,6 @@ IRONIC_AUTH_CACHE_DIR=${IRONIC_AUTH_CACHE_DIR:-/var/cache/ironic}
IRONIC_CONF_DIR=${IRONIC_CONF_DIR:-/etc/ironic}
IRONIC_CONF_FILE=$IRONIC_CONF_DIR/ironic.conf
IRONIC_ROOTWRAP_CONF=$IRONIC_CONF_DIR/rootwrap.conf
IRONIC_POLICY_JSON=$IRONIC_CONF_DIR/policy.json
if is_suse; then
IRONIC_WSGI_DIR=${IRONIC_WSGI_DIR:-/srv/www/htdocs/ironic}
else
@ -1050,8 +1049,9 @@ function cleanup_ironic_provision_network {
function configure_ironic {
configure_ironic_dirs
# Copy over ironic configuration file and configure common parameters.
cp $IRONIC_DIR/etc/ironic/ironic.conf.sample $IRONIC_CONF_FILE
# (re)create ironic configuration file and configure common parameters.
rm -f $IRONIC_CONF_FILE
iniset $IRONIC_CONF_FILE DEFAULT debug True
inicomment $IRONIC_CONF_FILE DEFAULT log_file
iniset $IRONIC_CONF_FILE database connection `database_connection_url ironic`
@ -1121,7 +1121,6 @@ EOF
function configure_ironic_api {
iniset $IRONIC_CONF_FILE DEFAULT auth_strategy $IRONIC_AUTH_STRATEGY
configure_auth_token_middleware $IRONIC_CONF_FILE ironic $IRONIC_AUTH_CACHE_DIR/api
iniset $IRONIC_CONF_FILE oslo_policy policy_file $IRONIC_POLICY_JSON
iniset_rpc_backend ironic $IRONIC_CONF_FILE
@ -1135,8 +1134,6 @@ function configure_ironic_api {
else
iniset $IRONIC_CONF_FILE api port $IRONIC_SERVICE_PORT
fi
cp -p $IRONIC_DIR/etc/ironic/policy.json $IRONIC_POLICY_JSON
}
# configure_client_for() - is used by configure_ironic_conductor.
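Review bot: A `policy.json` left in `$IRONIC_CONF_DIR` by an earlier stack run is not cleaned up in these hunks. This rendering does not mark sides, but the lines that copied the file and set `oslo_policy policy_file` appear to be the removed ones. If oslo.policy still defaults `policy_file` to `policy.json` in this release (worth confirming), ironic-api would keep loading that leftover file, so a locally edited copy would silently override the in-code policy defaults with nothing in ironic.conf pointing at it. Since `configure_ironic` now begins with `rm -f $IRONIC_CONF_FILE`, a matching `rm -f $IRONIC_CONF_DIR/policy.json` beside it would make a re-stack deterministic. The cleanup function lies outside these hunks, so it may already handle this.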

8
etc/ironic/README-ironic.conf.txt

@ -0,0 +1,8 @@
To generate the sample ironic.conf file, run the following command from the top
level of the repo:
tox -egenconfig
For a pre-generated example of the latest ironic.conf, see:
https://docs.openstack.org/ironic/latest/configuration/sample-config.html

8
etc/ironic/README-policy.yaml.txt

@ -0,0 +1,8 @@
To generate the sample policy.yaml file, run the following command from the top
level of the repo:
tox -egenpolicy
For a pre-generated example of the latest policy.yaml, see:
https://docs.openstack.org/ironic/latest/configuration/sample-policy.html

4361
etc/ironic/ironic.conf.sample

File diff suppressed because it is too large

5
etc/ironic/policy.json

@ -1,5 +0,0 @@
# Beginning with the Newton release, you may leave this file empty
# to use default policy defined in code.
{
}

239
etc/ironic/policy.json.sample

@ -1,239 +0,0 @@
# Legacy rule for cloud admin access
#"admin_api": "role:admin or role:administrator"
# Internal flag for public API routes
#"public_api": "is_public_api:True"
# Show or mask secrets within node driver information in API responses
#"show_password": "!"
# Show or mask secrets within instance information in API responses
#"show_instance_secrets": "!"
# May be used to restrict access to specific projects
#"is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
# Read-only API access
#"is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
# Full read/write API access
#"is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
# Create Node records
# POST /nodes
#"baremetal:node:create": "rule:is_admin"
# Retrieve Node records
# GET /nodes
# GET /nodes/detail
# GET /nodes/{node_ident}
#"baremetal:node:get": "rule:is_admin or rule:is_observer"
# Update Node records
# PATCH /nodes/{node_ident}
#"baremetal:node:update": "rule:is_admin"
# Delete Node records
# DELETE /nodes/{node_ident}
#"baremetal:node:delete": "rule:is_admin"
# Request active validation of Nodes
# GET /nodes/{node_ident}/validate
#"baremetal:node:validate": "rule:is_admin"
# Set maintenance flag, taking a Node out of service
# PUT /nodes/{node_ident}/maintenance
#"baremetal:node:set_maintenance": "rule:is_admin"
# Clear maintenance flag, placing the Node into service again
# DELETE /nodes/{node_ident}/maintenance
#"baremetal:node:clear_maintenance": "rule:is_admin"
# Retrieve Node boot device metadata
# GET /nodes/{node_ident}/management/boot_device
# GET /nodes/{node_ident}/management/boot_device/supported
#"baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
# Change Node boot device
# PUT /nodes/{node_ident}/management/boot_device
#"baremetal:node:set_boot_device": "rule:is_admin"
# Inject NMI for a node
# PUT /nodes/{node_ident}/management/inject_nmi
#"baremetal:node:inject_nmi": "rule:is_admin"
# View Node power and provision state
# GET /nodes/{node_ident}/states
#"baremetal:node:get_states": "rule:is_admin or rule:is_observer"
# Change Node power status
# PUT /nodes/{node_ident}/states/power
#"baremetal:node:set_power_state": "rule:is_admin"
# Change Node provision status
# PUT /nodes/{node_ident}/states/provision
#"baremetal:node:set_provision_state": "rule:is_admin"
# Change Node RAID status
# PUT /nodes/{node_ident}/states/raid
#"baremetal:node:set_raid_state": "rule:is_admin"
# Get Node console connection information
# GET /nodes/{node_ident}/states/console
#"baremetal:node:get_console": "rule:is_admin"
# Change Node console status
# PUT /nodes/{node_ident}/states/console
#"baremetal:node:set_console_state": "rule:is_admin"
# List VIFs attached to node
# GET /nodes/{node_ident}/vifs
#"baremetal:node:vif:list": "rule:is_admin"
# Attach a VIF to a node
# POST /nodes/{node_ident}/vifs
#"baremetal:node:vif:attach": "rule:is_admin"
# Detach a VIF from a node
# DELETE /nodes/{node_ident}/vifs/{node_vif_ident}
#"baremetal:node:vif:detach": "rule:is_admin"
# List node traits
# GET /nodes/{node_ident}/traits
#"baremetal:node:traits:list": "rule:is_admin or rule:is_observer"
# Add a trait to, or replace all traits of, a node
# PUT /nodes/{node_ident}/traits
# PUT /nodes/{node_ident}/traits/{trait}
#"baremetal:node:traits:set": "rule:is_admin"
# Remove one or all traits from a node
# DELETE /nodes/{node_ident}/traits
# DELETE /nodes/{node_ident}/traits/{trait}
#"baremetal:node:traits:delete": "rule:is_admin"
# Retrieve Port records
# GET /ports
# GET /ports/detail
# GET /ports/{port_id}
# GET /nodes/{node_ident}/ports
# GET /nodes/{node_ident}/ports/detail
# GET /portgroups/{portgroup_ident}/ports
# GET /portgroups/{portgroup_ident}/ports/detail
#"baremetal:port:get": "rule:is_admin or rule:is_observer"
# Create Port records
# POST /ports
#"baremetal:port:create": "rule:is_admin"
# Delete Port records
# DELETE /ports/{port_id}
#"baremetal:port:delete": "rule:is_admin"
# Update Port records
# PATCH /ports/{port_id}
#"baremetal:port:update": "rule:is_admin"
# Retrieve Portgroup records
# GET /portgroups
# GET /portgroups/detail
# GET /portgroups/{portgroup_ident}
# GET /nodes/{node_ident}/portgroups
# GET /nodes/{node_ident}/portgroups/detail
#"baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
# Create Portgroup records
# POST /portgroups
#"baremetal:portgroup:create": "rule:is_admin"
# Delete Portgroup records
# DELETE /portgroups/{portgroup_ident}
#"baremetal:portgroup:delete": "rule:is_admin"
# Update Portgroup records
# PATCH /portgroups/{portgroup_ident}
#"baremetal:portgroup:update": "rule:is_admin"
# Retrieve Chassis records
# GET /chassis
# GET /chassis/detail
# GET /chassis/{chassis_id}
#"baremetal:chassis:get": "rule:is_admin or rule:is_observer"
# Create Chassis records
# POST /chassis
#"baremetal:chassis:create": "rule:is_admin"
# Delete Chassis records
# DELETE /chassis/{chassis_id}
#"baremetal:chassis:delete": "rule:is_admin"
# Update Chassis records
# PATCH /chassis/{chassis_id}
#"baremetal:chassis:update": "rule:is_admin"
# View list of available drivers
# GET /drivers
# GET /drivers/{driver_name}
#"baremetal:driver:get": "rule:is_admin or rule:is_observer"
# View driver-specific properties
# GET /drivers/{driver_name}/properties
#"baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
# View driver-specific RAID metadata
# GET /drivers/{driver_name}/raid/logical_disk_properties
#"baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
# Access vendor-specific Node functions
# GET nodes/{node_ident}/vendor_passthru/methods
# GET nodes/{node_ident}/vendor_passthru?method={method_name}
# PUT nodes/{node_ident}/vendor_passthru?method={method_name}
# POST nodes/{node_ident}/vendor_passthru?method={method_name}
# PATCH nodes/{node_ident}/vendor_passthru?method={method_name}
# DELETE nodes/{node_ident}/vendor_passthru?method={method_name}
#"baremetal:node:vendor_passthru": "rule:is_admin"
# Access vendor-specific Driver functions
# GET drivers/{driver_name}/vendor_passthru/methods
# GET drivers/{driver_name}/vendor_passthru?method={method_name}
# PUT drivers/{driver_name}/vendor_passthru?method={method_name}
# POST drivers/{driver_name}/vendor_passthru?method={method_name}
# PATCH drivers/{driver_name}/vendor_passthru?method={method_name}
# DELETE drivers/{driver_name}/vendor_passthru?method={method_name}
#"baremetal:driver:vendor_passthru": "rule:is_admin"
# Send heartbeats from IPA ramdisk
# POST /heartbeat/{node_ident}
#"baremetal:node:ipa_heartbeat": "rule:public_api"
# Access IPA ramdisk functions
# GET /lookup
#"baremetal:driver:ipa_lookup": "rule:public_api"
# Retrieve Volume connector and target records
# GET /volume
# GET /volume/connectors
# GET /volume/connectors/{volume_connector_id}
# GET /volume/targets
# GET /volume/targets/{volume_target_id}
# GET /nodes/{node_ident}/volume
# GET /nodes/{node_ident}/volume/connectors
# GET /nodes/{node_ident}/volume/targets
#"baremetal:volume:get": "rule:is_admin or rule:is_observer"
# Create Volume connector and target records
# POST /volume/connectors
# POST /volume/targets
#"baremetal:volume:create": "rule:is_admin"
# Delete Volume connector and target records
# DELETE /volume/connectors/{volume_connector_id}
# DELETE /volume/targets/{volume_target_id}
#"baremetal:volume:delete": "rule:is_admin"
# Update Volume connector and target records
# PATCH /volume/connectors/{volume_connector_id}
# PATCH /volume/targets/{volume_target_id}
#"baremetal:volume:update": "rule:is_admin"

15
releasenotes/notes/remove-policy-json-be92ffdba7bda951.yaml

@ -0,0 +1,15 @@
---
upgrade:
- |
The default policy file located at ``etc/ironic/policy.json`` was removed
in this release, as no policy file is required to run the ironic-api
service.
other:
- |
The sample configuration file located at ``etc/ironic/ironic.conf.sample``
and the sample policy file located at ``etc/ironic/policy.json.sample``
were removed in this release, as they are now published with documentation.
See `the sample configuration file
<https://docs.openstack.org/ironic/latest/configuration/sample-config.html>`_
and `the sample policy file
<https://docs.openstack.org/ironic/latest/configuration/sample-policy.html>`_.