openstack/ironic
Code Issues Proposed changes

Merge "Remove sample policy and config files"

Browse Source
This commit is contained in:
Zuul 2018-02-03 16:35:38 +00:00 committed by Gerrit Code Review
commit e8cf57fa6a
7 changed files with 34 additions and 4611 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
devstack/lib/ironic
View File

@ -67,7 +67,6 @@ IRONIC_AUTH_CACHE_DIR=${IRONIC_AUTH_CACHE_DIR:-/var/cache/ironic}
IRONIC_CONF_DIR=${IRONIC_CONF_DIR:-/etc/ironic} IRONIC_CONF_DIR=${IRONIC_CONF_DIR:-/etc/ironic}
IRONIC_CONF_FILE=$IRONIC_CONF_DIR/ironic.conf IRONIC_CONF_FILE=$IRONIC_CONF_DIR/ironic.conf
IRONIC_ROOTWRAP_CONF=$IRONIC_CONF_DIR/rootwrap.conf IRONIC_ROOTWRAP_CONF=$IRONIC_CONF_DIR/rootwrap.conf
IRONIC_POLICY_JSON=$IRONIC_CONF_DIR/policy.json
if is_suse; then if is_suse; then
IRONIC_WSGI_DIR=${IRONIC_WSGI_DIR:-/srv/www/htdocs/ironic} IRONIC_WSGI_DIR=${IRONIC_WSGI_DIR:-/srv/www/htdocs/ironic}
else else
@ -1056,8 +1055,9 @@ function cleanup_ironic_provision_network {
function configure_ironic { function configure_ironic {
configure_ironic_dirs configure_ironic_dirs
# Copy over ironic configuration file and configure common parameters. # (re)create ironic configuration file and configure common parameters.
cp $IRONIC_DIR/etc/ironic/ironic.conf.sample $IRONIC_CONF_FILE rm -f $IRONIC_CONF_FILE
iniset $IRONIC_CONF_FILE DEFAULT debug True iniset $IRONIC_CONF_FILE DEFAULT debug True
inicomment $IRONIC_CONF_FILE DEFAULT log_file inicomment $IRONIC_CONF_FILE DEFAULT log_file
iniset $IRONIC_CONF_FILE database connection `database_connection_url ironic` iniset $IRONIC_CONF_FILE database connection `database_connection_url ironic`
@ -1127,7 +1127,6 @@ EOF
function configure_ironic_api { function configure_ironic_api {
iniset $IRONIC_CONF_FILE DEFAULT auth_strategy $IRONIC_AUTH_STRATEGY iniset $IRONIC_CONF_FILE DEFAULT auth_strategy $IRONIC_AUTH_STRATEGY
configure_auth_token_middleware $IRONIC_CONF_FILE ironic $IRONIC_AUTH_CACHE_DIR/api configure_auth_token_middleware $IRONIC_CONF_FILE ironic $IRONIC_AUTH_CACHE_DIR/api
iniset $IRONIC_CONF_FILE oslo_policy policy_file $IRONIC_POLICY_JSON
iniset_rpc_backend ironic $IRONIC_CONF_FILE iniset_rpc_backend ironic $IRONIC_CONF_FILE
@ -1141,8 +1140,6 @@ function configure_ironic_api {
else else
iniset $IRONIC_CONF_FILE api port $IRONIC_SERVICE_PORT iniset $IRONIC_CONF_FILE api port $IRONIC_SERVICE_PORT
fi fi
cp -p $IRONIC_DIR/etc/ironic/policy.json $IRONIC_POLICY_JSON
} }
# configure_client_for() - is used by configure_ironic_conductor. # configure_client_for() - is used by configure_ironic_conductor.

8
etc/ironic/README-ironic.conf.txt Normal file
View File

@ -0,0 +1,8 @@
To generate the sample ironic.conf file, run the following command from the top
level of the repo:
tox -egenconfig
For a pre-generated example of the latest ironic.conf, see:
https://docs.openstack.org/ironic/latest/configuration/sample-config.html

8
etc/ironic/README-policy.yaml.txt Normal file
View File

@ -0,0 +1,8 @@
To generate the sample policy.yaml file, run the following command from the top
level of the repo:
tox -egenpolicy
For a pre-generated example of the latest policy.yaml, see:
https://docs.openstack.org/ironic/latest/configuration/sample-policy.html

4361
etc/ironic/ironic.conf.sample
View File

File diff suppressed because it is too large Load Diff

5
etc/ironic/policy.json
View File

@ -1,5 +0,0 @@
# Beginning with the Newton release, you may leave this file empty
# to use default policy defined in code.
{
}

239
etc/ironic/policy.json.sample
View File

@ -1,239 +0,0 @@
# Legacy rule for cloud admin access
#"admin_api": "role:admin or role:administrator"
# Internal flag for public API routes
#"public_api": "is_public_api:True"
# Show or mask secrets within node driver information in API responses
#"show_password": "!"
# Show or mask secrets within instance information in API responses
#"show_instance_secrets": "!"
# May be used to restrict access to specific projects
#"is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
# Read-only API access
#"is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
# Full read/write API access
#"is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
# Create Node records
# POST /nodes
#"baremetal:node:create": "rule:is_admin"
# Retrieve Node records
# GET /nodes
# GET /nodes/detail
# GET /nodes/{node_ident}
#"baremetal:node:get": "rule:is_admin or rule:is_observer"
# Update Node records
# PATCH /nodes/{node_ident}
#"baremetal:node:update": "rule:is_admin"
# Delete Node records
# DELETE /nodes/{node_ident}
#"baremetal:node:delete": "rule:is_admin"
# Request active validation of Nodes
# GET /nodes/{node_ident}/validate
#"baremetal:node:validate": "rule:is_admin"
# Set maintenance flag, taking a Node out of service
# PUT /nodes/{node_ident}/maintenance
#"baremetal:node:set_maintenance": "rule:is_admin"
# Clear maintenance flag, placing the Node into service again
# DELETE /nodes/{node_ident}/maintenance
#"baremetal:node:clear_maintenance": "rule:is_admin"
# Retrieve Node boot device metadata
# GET /nodes/{node_ident}/management/boot_device
# GET /nodes/{node_ident}/management/boot_device/supported
#"baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
# Change Node boot device
# PUT /nodes/{node_ident}/management/boot_device
#"baremetal:node:set_boot_device": "rule:is_admin"
# Inject NMI for a node
# PUT /nodes/{node_ident}/management/inject_nmi
#"baremetal:node:inject_nmi": "rule:is_admin"
# View Node power and provision state
# GET /nodes/{node_ident}/states
#"baremetal:node:get_states": "rule:is_admin or rule:is_observer"
# Change Node power status
# PUT /nodes/{node_ident}/states/power
#"baremetal:node:set_power_state": "rule:is_admin"
# Change Node provision status
# PUT /nodes/{node_ident}/states/provision
#"baremetal:node:set_provision_state": "rule:is_admin"
# Change Node RAID status
# PUT /nodes/{node_ident}/states/raid
#"baremetal:node:set_raid_state": "rule:is_admin"
# Get Node console connection information
# GET /nodes/{node_ident}/states/console
#"baremetal:node:get_console": "rule:is_admin"
# Change Node console status
# PUT /nodes/{node_ident}/states/console
#"baremetal:node:set_console_state": "rule:is_admin"
# List VIFs attached to node
# GET /nodes/{node_ident}/vifs
#"baremetal:node:vif:list": "rule:is_admin"
# Attach a VIF to a node
# POST /nodes/{node_ident}/vifs
#"baremetal:node:vif:attach": "rule:is_admin"
# Detach a VIF from a node
# DELETE /nodes/{node_ident}/vifs/{node_vif_ident}
#"baremetal:node:vif:detach": "rule:is_admin"
# List node traits
# GET /nodes/{node_ident}/traits
#"baremetal:node:traits:list": "rule:is_admin or rule:is_observer"
# Add a trait to, or replace all traits of, a node
# PUT /nodes/{node_ident}/traits
# PUT /nodes/{node_ident}/traits/{trait}
#"baremetal:node:traits:set": "rule:is_admin"
# Remove one or all traits from a node
# DELETE /nodes/{node_ident}/traits
# DELETE /nodes/{node_ident}/traits/{trait}
#"baremetal:node:traits:delete": "rule:is_admin"
# Retrieve Port records
# GET /ports
# GET /ports/detail
# GET /ports/{port_id}
# GET /nodes/{node_ident}/ports
# GET /nodes/{node_ident}/ports/detail
# GET /portgroups/{portgroup_ident}/ports
# GET /portgroups/{portgroup_ident}/ports/detail
#"baremetal:port:get": "rule:is_admin or rule:is_observer"
# Create Port records
# POST /ports
#"baremetal:port:create": "rule:is_admin"
# Delete Port records
# DELETE /ports/{port_id}
#"baremetal:port:delete": "rule:is_admin"
# Update Port records
# PATCH /ports/{port_id}
#"baremetal:port:update": "rule:is_admin"
# Retrieve Portgroup records
# GET /portgroups
# GET /portgroups/detail
# GET /portgroups/{portgroup_ident}
# GET /nodes/{node_ident}/portgroups
# GET /nodes/{node_ident}/portgroups/detail
#"baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
# Create Portgroup records
# POST /portgroups
#"baremetal:portgroup:create": "rule:is_admin"
# Delete Portgroup records
# DELETE /portgroups/{portgroup_ident}
#"baremetal:portgroup:delete": "rule:is_admin"
# Update Portgroup records
# PATCH /portgroups/{portgroup_ident}
#"baremetal:portgroup:update": "rule:is_admin"
# Retrieve Chassis records
# GET /chassis
# GET /chassis/detail
# GET /chassis/{chassis_id}
#"baremetal:chassis:get": "rule:is_admin or rule:is_observer"
# Create Chassis records
# POST /chassis
#"baremetal:chassis:create": "rule:is_admin"
# Delete Chassis records
# DELETE /chassis/{chassis_id}
#"baremetal:chassis:delete": "rule:is_admin"
# Update Chassis records
# PATCH /chassis/{chassis_id}
#"baremetal:chassis:update": "rule:is_admin"
# View list of available drivers
# GET /drivers
# GET /drivers/{driver_name}
#"baremetal:driver:get": "rule:is_admin or rule:is_observer"
# View driver-specific properties
# GET /drivers/{driver_name}/properties
#"baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
# View driver-specific RAID metadata
# GET /drivers/{driver_name}/raid/logical_disk_properties
#"baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
# Access vendor-specific Node functions
# GET nodes/{node_ident}/vendor_passthru/methods
# GET nodes/{node_ident}/vendor_passthru?method={method_name}
# PUT nodes/{node_ident}/vendor_passthru?method={method_name}
# POST nodes/{node_ident}/vendor_passthru?method={method_name}
# PATCH nodes/{node_ident}/vendor_passthru?method={method_name}
# DELETE nodes/{node_ident}/vendor_passthru?method={method_name}
#"baremetal:node:vendor_passthru": "rule:is_admin"
# Access vendor-specific Driver functions
# GET drivers/{driver_name}/vendor_passthru/methods
# GET drivers/{driver_name}/vendor_passthru?method={method_name}
# PUT drivers/{driver_name}/vendor_passthru?method={method_name}
# POST drivers/{driver_name}/vendor_passthru?method={method_name}
# PATCH drivers/{driver_name}/vendor_passthru?method={method_name}
# DELETE drivers/{driver_name}/vendor_passthru?method={method_name}
#"baremetal:driver:vendor_passthru": "rule:is_admin"
# Send heartbeats from IPA ramdisk
# POST /heartbeat/{node_ident}
#"baremetal:node:ipa_heartbeat": "rule:public_api"
# Access IPA ramdisk functions
# GET /lookup
#"baremetal:driver:ipa_lookup": "rule:public_api"
# Retrieve Volume connector and target records
# GET /volume
# GET /volume/connectors
# GET /volume/connectors/{volume_connector_id}
# GET /volume/targets
# GET /volume/targets/{volume_target_id}
# GET /nodes/{node_ident}/volume
# GET /nodes/{node_ident}/volume/connectors
# GET /nodes/{node_ident}/volume/targets
#"baremetal:volume:get": "rule:is_admin or rule:is_observer"
# Create Volume connector and target records
# POST /volume/connectors
# POST /volume/targets
#"baremetal:volume:create": "rule:is_admin"
# Delete Volume connector and target records
# DELETE /volume/connectors/{volume_connector_id}
# DELETE /volume/targets/{volume_target_id}
#"baremetal:volume:delete": "rule:is_admin"
# Update Volume connector and target records
# PATCH /volume/connectors/{volume_connector_id}
# PATCH /volume/targets/{volume_target_id}
#"baremetal:volume:update": "rule:is_admin"

15
releasenotes/notes/remove-policy-json-be92ffdba7bda951.yaml Normal file
View File

@ -0,0 +1,15 @@
---
upgrade:
- |
The default policy file located at ``etc/ironic/policy.json`` was removed
in this release, as no policy file is required to run the ironic-api
service.
other:
- |
The sample configuration file located at ``etc/ironic/ironic.conf.sample``
and the sample policy file located at ``etc/ironic/policy.json.sample``
were removed in this release, as they are now published with documentation.
See `the sample configuration file
<https://docs.openstack.org/ironic/latest/configuration/sample-config.html>`_
and `the sample policy file
<https://docs.openstack.org/ironic/latest/configuration/sample-policy.html>`_.