From d77930373e0ac6634211633f499b7c3663e60de2 Mon Sep 17 00:00:00 2001 
From: Dai Dang Van Date: Mon, 8 Jan 2018 11:21:12 +0700 Subject: [PATCH] Support policy.yaml file [part 2] - Keystone - Glance - Nova - Cinder This will copy only yaml or json policy file if they exist. Change-Id: I4a9415d82322aed68c9b7650bdf346f58fa49e2a Implements: blueprint support-custom-policy-yaml Co-authored-By: Duong Ha-Quang --- ansible/roles/cinder/handlers/main.yml | 16 ++++---- ansible/roles/cinder/tasks/config.yml | 32 ++++++++++----- .../roles/cinder/templates/cinder-api.json.j2 | 11 +++-- .../cinder/templates/cinder-backup.json.j2 | 11 +++-- .../cinder/templates/cinder-scheduler.json.j2 | 11 +++-- .../cinder/templates/cinder-volume.json.j2 | 11 +++-- ansible/roles/cinder/templates/cinder.conf.j2 | 5 +++ ansible/roles/glance/handlers/main.yml | 8 ++-- ansible/roles/glance/tasks/config.yml | 32 ++++++++++----- .../roles/glance/templates/glance-api.conf.j2 | 5 +++ .../roles/glance/templates/glance-api.json.j2 | 11 +++-- .../glance/templates/glance-registry.conf.j2 | 5 +++ .../glance/templates/glance-registry.json.j2 | 11 +++-- ansible/roles/keystone/handlers/main.yml | 8 ++-- ansible/roles/keystone/tasks/config.yml | 24 ++++++++--- .../templates/keystone-fernet.json.j2 | 11 +++-- .../roles/keystone/templates/keystone.conf.j2 | 5 +++ .../roles/keystone/templates/keystone.json.j2 | 11 +++-- ansible/roles/nova/handlers/main.yml | 40 +++++++++---------- ansible/roles/nova/tasks/config.yml | 32 ++++++++++----- ansible/roles/nova/templates/nova-api.json.j2 | 11 +++-- .../templates/nova-compute-ironic.json.j2 | 11 +++-- .../roles/nova/templates/nova-compute.json.j2 | 11 +++-- .../nova/templates/nova-conductor.json.j2 | 11 +++-- .../nova/templates/nova-consoleauth.json.j2 | 11 +++-- .../nova/templates/nova-novncproxy.json.j2 | 11 +++-- .../nova/templates/nova-scheduler.json.j2 | 11 +++-- .../templates/nova-spicehtml5proxy.json.j2 | 11 +++-- ansible/roles/nova/templates/nova.conf.j2 | 5 +++ .../nova/templates/placement-api.json.j2 | 11 +++-- 30 files changed, 
230 insertions(+), 174 deletions(-) diff --git a/ansible/roles/cinder/handlers/main.yml b/ansible/roles/cinder/handlers/main.yml index 485669848e..0eccd28e2d 100644 --- a/ansible/roles/cinder/handlers/main.yml +++ b/ansible/roles/cinder/handlers/main.yml @@ -5,7 +5,7 @@ service: "{{ cinder_services[service_name] }}" config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_api_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -20,7 +20,7 @@ - config_json.changed | bool or cinder_conf.changed | bool or wsgi_cinder_api.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or cinder_api_container.changed | bool - name: Restart cinder-scheduler container @@ -29,7 +29,7 @@ service: "{{ cinder_services[service_name] }}" config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_scheduler_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" 
@@ -43,7 +43,7 @@ - service.enabled | bool - config_json.changed | bool or cinder_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or cinder_scheduler_container.changed | bool - name: Restart cinder-volume container @@ -52,7 +52,7 @@ service: "{{ cinder_services[service_name] }}" config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_volume_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -68,7 +68,7 @@ - service.enabled | bool - config_json.changed | bool or cinder_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or cinder_volume_container.changed | bool - name: Restart cinder-backup container @@ -77,7 +77,7 @@ service: "{{ cinder_services[service_name] }}" config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_backup_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" 
@@ -92,5 +92,5 @@ - service.enabled | bool - config_json.changed | bool or cinder_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or cinder_backup_container.changed | bool diff --git a/ansible/roles/cinder/tasks/config.yml b/ansible/roles/cinder/tasks/config.yml index 7c38fd80c6..13fa9e2133 100644 --- a/ansible/roles/cinder/tasks/config.yml +++ b/ansible/roles/cinder/tasks/config.yml @@ -9,6 +9,23 @@ - item.value.enabled | bool with_dict: "{{ cinder_services }}" +- name: Check if policies shall be overwritten + local_action: stat path="{{ item }}" + run_once: True + register: cinder_policy + with_first_found: + - files: "{{ supported_policy_format_list }}" + paths: + - "{{ node_custom_config }}/cinder/" + skip: true + +- name: Set cinder policy file + set_fact: + cinder_policy_file: "{{ cinder_policy.results.0.stat.path | basename }}" + cinder_policy_file_path: "{{ cinder_policy.results.0.stat.path }}" + when: + - cinder_policy.results + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" @@ -63,18 +80,13 @@ - Restart cinder-volume container - Restart cinder-backup container -- name: Check if policies shall be overwritten - local_action: stat path="{{ node_custom_config }}/cinder/policy.json" - run_once: True - register: cinder_policy - -- name: Copying over existing policy.json +- name: Copying over existing policy file template: - src: "{{ node_custom_config }}/cinder/policy.json" - dest: "{{ node_config_directory }}/{{ item.key }}/policy.json" - register: cinder_policy_jsons + src: "{{ cinder_policy_file_path }}" + dest: "{{ node_config_directory }}/{{ item.key }}/{{ cinder_policy_file }}" + register: cinder_policy_overwriting when: - - cinder_policy.stat.exists + - cinder_policy_file is defined - inventory_hostname in groups[item.value.group] with_dict: "{{ cinder_services }}" notify: 
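Review bot: The `Set cinder policy file` task guards its `set_fact` with `when: - cinder_policy.results`, which only holds because a `with_first_found` loop that matches nothing (with `skip: true`) leaves the registered `results` list empty — nothing in the task tells the reader that. A comment above the task would make it explicit, e.g. `# first_found yields no items (empty results) when no policy file exists, so the facts stay undefined and the copy task is skipped`. `supported_policy_format_list` is referenced by the stat task but not defined anywhere in this patch; presumably it comes from part 1, which is worth confirming since an undefined variable would fail the task on every deploy. The same pattern is repeated in the glance, keystone and nova config.yml hunks.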
diff --git a/ansible/roles/cinder/templates/cinder-api.json.j2 b/ansible/roles/cinder/templates/cinder-api.json.j2 index 4b5243fffc..54b557902c 100644 --- a/ansible/roles/cinder/templates/cinder-api.json.j2 +++ b/ansible/roles/cinder/templates/cinder-api.json.j2 @@ -14,14 +14,13 @@ "dest": "/etc/{{ cinder_dir }}/cinder-wsgi.conf", "owner": "cinder", "perm": "0600" - }, + }{% if cinder_policy_file is defined %}, { - "source": "{{ container_config_directory }}/policy.json", - "dest": "/etc/cinder/policy.json", + "source": "{{ container_config_directory }}/{{ cinder_policy_file }}", + "dest": "/etc/cinder/{{ cinder_policy_file }}", "owner": "cinder", - "perm": "0600", - "optional": true - } + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/cinder/templates/cinder-backup.json.j2 b/ansible/roles/cinder/templates/cinder-backup.json.j2 index a24b2f062b..897e185a2f 100644 --- a/ansible/roles/cinder/templates/cinder-backup.json.j2 +++ b/ansible/roles/cinder/templates/cinder-backup.json.j2 @@ -6,14 +6,13 @@ "dest": "/etc/cinder/cinder.conf", "owner": "cinder", "perm": "0600" - }, + }{% if cinder_policy_file is defined %}, { - "source": "{{ container_config_directory }}/policy.json", - "dest": "/etc/cinder/policy.json", + "source": "{{ container_config_directory }}/{{ cinder_policy_file }}", + "dest": "/etc/cinder/{{ cinder_policy_file }}", "owner": "cinder", - "perm": "0600", - "optional": true - }{% if cinder_backend_ceph | bool %}, + "perm": "0600" + }{% endif %}{% if cinder_backend_ceph | bool %}, { "source": "{{ container_config_directory }}/ceph.*", "dest": "/etc/ceph/", diff --git a/ansible/roles/cinder/templates/cinder-scheduler.json.j2 b/ansible/roles/cinder/templates/cinder-scheduler.json.j2 index 84fdfe3d46..cd4a5124a6 100644 --- a/ansible/roles/cinder/templates/cinder-scheduler.json.j2 +++ b/ansible/roles/cinder/templates/cinder-scheduler.json.j2 
@@ -6,14 +6,13 @@ "dest": "/etc/cinder/cinder.conf", "owner": "cinder", "perm": "0600" - }, + }{% if cinder_policy_file is defined %}, { - "source": "{{ container_config_directory }}/policy.json", - "dest": "/etc/cinder/policy.json", + "source": "{{ container_config_directory }}/{{ cinder_policy_file }}", + "dest": "/etc/cinder/{{ cinder_policy_file }}", "owner": "cinder", - "perm": "0600", - "optional": true - } + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/cinder/templates/cinder-volume.json.j2 b/ansible/roles/cinder/templates/cinder-volume.json.j2 index c00ea1a016..a787ae0045 100644 --- a/ansible/roles/cinder/templates/cinder-volume.json.j2 +++ b/ansible/roles/cinder/templates/cinder-volume.json.j2 @@ -27,14 +27,13 @@ "owner": "cinder", "perm": "0600", "optional": {{ (not enable_cinder_backend_nfs | bool) | string | lower }} - }, + }{% if cinder_policy_file is defined %}, { - "source": "{{ container_config_directory }}/policy.json", - "dest": "/etc/cinder/policy.json", + "source": "{{ container_config_directory }}/{{ cinder_policy_file }}", + "dest": "/etc/cinder/{{ cinder_policy_file }}", "owner": "cinder", - "perm": "0600", - "optional": true - } + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2 index af4c849b73..bedafc7276 100644 --- a/ansible/roles/cinder/templates/cinder.conf.j2 +++ b/ansible/roles/cinder/templates/cinder.conf.j2 @@ -68,6 +68,11 @@ topics = notifications driver = noop {% endif %} +{% if cinder_policy_file is defined %} +[oslo_policy] +policy_file = {{ cinder_policy_file }} +{% endif %} + [nova] region_name = {{ openstack_region_name }} interface = internal diff --git a/ansible/roles/glance/handlers/main.yml b/ansible/roles/glance/handlers/main.yml index 33909725d2..39ea35a921 100644 --- a/ansible/roles/glance/handlers/main.yml +++ b/ansible/roles/glance/handlers/main.yml 
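Review bot: `policy_file = {{ cinder_policy_file }}` writes only a basename into the new `[oslo_policy]` section, so the service locates the file only because `cinder-*.json.j2` installs it next to `cinder.conf` under `/etc/cinder/`, where oslo.policy presumably resolves relative policy paths; that coupling between the two templates is invisible from either one. A Jinja comment such as `{# basename only: config.json places the file in /etc/cinder next to cinder.conf #}` above the block would document it. The same applies to the `[oslo_policy]` blocks added to `glance-api.conf.j2`, `glance-registry.conf.j2` and `keystone.conf.j2`.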
@@ -5,7 +5,7 @@ service: "{{ glance_services[service_name] }}" config_json: "{{ glance_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" glance_conf: "{{ glance_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ glance_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ glance_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" glance_api_container: "{{ check_glance_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -20,7 +20,7 @@ - config_json.changed | bool or glance_conf.changed | bool or glance_swift_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or glance_api_container.changed | bool - name: Restart glance-registry container @@ -29,7 +29,7 @@ service: "{{ glance_services[service_name] }}" config_json: "{{ glance_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" glance_conf: "{{ glance_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ glance_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ glance_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" glance_registry_container: "{{ check_glance_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -43,6 +43,6 @@ - service.enabled | bool - config_json.changed | bool or glance_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or glance_registry_container.changed | bool diff --git a/ansible/roles/glance/tasks/config.yml b/ansible/roles/glance/tasks/config.yml index 54a5394139..4d76a2eba3 100644 --- a/ansible/roles/glance/tasks/config.yml 
+++ b/ansible/roles/glance/tasks/config.yml @@ -22,6 +22,23 @@ - item.value.enabled | bool with_dict: "{{ glance_services }}" +- name: Check if policies shall be overwritten + local_action: stat path="{{ item }}" + run_once: True + register: glance_policy + with_first_found: + - files: "{{ supported_policy_format_list }}" + paths: + - "{{ node_custom_config }}/glance/" + skip: true + +- name: Set glance policy file + set_fact: + glance_policy_file: "{{ glance_policy.results.0.stat.path | basename }}" + glance_policy_file_path: "{{ glance_policy.results.0.stat.path }}" + when: + - glance_policy.results + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" @@ -59,11 +76,6 @@ - Restart glance-api container - Restart glance-registry container -- name: Check if policies shall be overwritten - local_action: stat path="{{ node_custom_config }}/glance/policy.json" - run_once: True - register: glance_policy - - name: Copying over glance-swift.conf for glance_api vars: glance_api: "{{ glance_services['glance-api'] }}" @@ -82,15 +94,15 @@ notify: - Restart glance-api container -- name: Copying over existing policy.json +- name: Copying over existing policy file template: - src: "{{ node_custom_config }}/glance/policy.json" - dest: "{{ node_config_directory }}/{{ item.key }}/policy.json" + src: "{{ glance_policy_file_path }}" + dest: "{{ node_config_directory }}/{{ item.key }}/{{ glance_policy_file_path }}" mode: "0660" become: true - register: glance_policy_jsons + register: glance_policy_overwriting when: - - glance_policy.stat.exists + - glance_policy_file is defined - inventory_hostname in groups[item.value.group] with_dict: "{{ glance_services }}" notify: diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2 index ca251fb3fb..1258b800ca 100644 --- a/ansible/roles/glance/templates/glance-api.conf.j2 +++ b/ansible/roles/glance/templates/glance-api.conf.j2 
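Review bot: In the `Copying over existing policy file` task the `dest` uses `glance_policy_file_path` — the absolute path of the file on the deployment host — where the cinder, keystone and nova tasks use the basename fact; the rendered destination becomes `{{ node_config_directory }}/glance-api/<deploy-host path>` rather than the file that `glance-api.json.j2` expects at `{{ container_config_directory }}/{{ glance_policy_file }}`, so the custom policy would never reach the container (and, with `"optional": true` removed, the container's config step would presumably fail on the missing source). It should read `dest: "{{ node_config_directory }}/{{ item.key }}/{{ glance_policy_file }}"`.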
@@ -89,6 +89,11 @@ driver = messagingv2 driver = noop {% endif %} +{% if glance_policy_file is defined %} +[oslo_policy] +policy_file = {{ glance_policy_file }} +{% endif %} + {% if enable_osprofiler | bool %} [profiler] enabled = true diff --git a/ansible/roles/glance/templates/glance-api.json.j2 b/ansible/roles/glance/templates/glance-api.json.j2 index a491931395..89f330ae23 100644 --- a/ansible/roles/glance/templates/glance-api.json.j2 +++ b/ansible/roles/glance/templates/glance-api.json.j2 @@ -6,14 +6,13 @@ "dest": "/etc/glance/glance-api.conf", "owner": "glance", "perm": "0600" - }, + }{% if glance_policy_file is defined %}, { - "source": "{{ container_config_directory }}/policy.json", - "dest": "/etc/glance/policy.json", + "source": "{{ container_config_directory }}/{{ glance_policy_file }}", + "dest": "/etc/glance/{{ glance_policy_file }}", "owner": "glance", - "perm": "0600", - "optional": true - }{% if glance_backend_ceph | bool %}, + "perm": "0600" + }{% endif %}{% if glance_backend_ceph | bool %}, { "source": "{{ container_config_directory }}/ceph.*", "dest": "/etc/ceph/", diff --git a/ansible/roles/glance/templates/glance-registry.conf.j2 b/ansible/roles/glance/templates/glance-registry.conf.j2 index c08e207409..9a714b3a12 100644 --- a/ansible/roles/glance/templates/glance-registry.conf.j2 +++ b/ansible/roles/glance/templates/glance-registry.conf.j2 @@ -39,6 +39,11 @@ driver = messagingv2 driver = noop {% endif %} +{% if glance_policy_file is defined %} +[oslo_policy] +policy_file = {{ glance_policy_file }} +{% endif %} + {% if enable_osprofiler | bool %} [profiler] enabled = true diff --git a/ansible/roles/glance/templates/glance-registry.json.j2 b/ansible/roles/glance/templates/glance-registry.json.j2 index 46dd517364..9a1411bfbd 100644 --- a/ansible/roles/glance/templates/glance-registry.json.j2 +++ b/ansible/roles/glance/templates/glance-registry.json.j2 
@@ -6,14 +6,13 @@ "dest": "/etc/glance/glance-registry.conf", "owner": "glance", "perm": "0600" - }, + }{% if glance_policy_file is defined %}, { - "source": "{{ container_config_directory }}/policy.json", - "dest": "/etc/glance/policy.json", + "source": "{{ container_config_directory }}/{{ glance_policy_file }}", + "dest": "/etc/glance/{{ glance_policy_file }}", "owner": "glance", - "perm": "0600", - "optional": true - } + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/keystone/handlers/main.yml b/ansible/roles/keystone/handlers/main.yml index 964bd7873e..3923ebe0a9 100644 --- a/ansible/roles/keystone/handlers/main.yml +++ b/ansible/roles/keystone/handlers/main.yml @@ -31,7 +31,7 @@ service: "{{ keystone_services[service_name] }}" config_json: "{{ keystone_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" keystone_conf: "{{ keystone_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ keystone_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ keystone_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" keystone_container: "{{ check_keystone_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -46,7 +46,7 @@ - config_json.changed | bool or keystone_conf.changed | bool or keystone_domains.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or keystone_wsgi.changed | bool or keystone_paste_ini.changed | bool or keystone_container.changed | bool 
@@ -57,7 +57,7 @@ service: "{{ keystone_services[service_name] }}" config_json: "{{ keystone_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" keystone_conf: "{{ keystone_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ keystone_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ keystone_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" keystone_fernet_container: "{{ check_keystone_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -71,7 +71,7 @@ - service.enabled | bool - config_json.changed | bool or keystone_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or keystone_fernet_confs.changed | bool or keystone_fernet_container.changed | bool diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml index f32001c9a3..31617bc998 100644 --- a/ansible/roles/keystone/tasks/config.yml +++ b/ansible/roles/keystone/tasks/config.yml @@ -1,8 +1,20 @@ --- - name: Check if policies shall be overwritten - local_action: stat path="{{ node_custom_config }}/keystone/policy.json" + local_action: stat path="{{ item }}" run_once: True register: keystone_policy + with_first_found: + - files: "{{ supported_policy_format_list }}" + paths: + - "{{ node_custom_config }}/keystone/" + skip: true + +- name: Set keystone policy file + set_fact: + keystone_policy_file: "{{ keystone_policy.results.0.stat.path | basename }}" + keystone_policy_file_path: "{{ keystone_policy.results.0.stat.path }}" + when: + - keystone_policy.results - name: Check if Keystone Domain specific settings enabled local_action: stat path="{{ node_custom_config }}/keystone/domains" 
@@ -107,18 +119,18 @@ notify: - Restart keystone container -- name: Copying over existing policy.json +- name: Copying over existing policy file template: - src: "{{ node_custom_config }}/keystone/policy.json" - dest: "{{ node_config_directory }}/{{ item.key }}/policy.json" + src: "{{ keystone_policy_file_path }}" + dest: "{{ node_config_directory }}/{{ item.key }}/{{ keystone_policy_file }}" mode: "0660" become: true - register: keystone_policy_jsons + register: keystone_policy_overwriting when: - inventory_hostname in groups[item.value.group] - item.key in [ "keystone", "keystone-fernet" ] - item.value.enabled | bool - - keystone_policy.stat.exists + - keystone_policy_file is defined with_dict: "{{ keystone_services }}" notify: - Restart keystone container diff --git a/ansible/roles/keystone/templates/keystone-fernet.json.j2 b/ansible/roles/keystone/templates/keystone-fernet.json.j2 index c7aa50e18d..666e785c4f 100644 --- a/ansible/roles/keystone/templates/keystone-fernet.json.j2 +++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2 @@ -36,13 +36,12 @@ "dest": "/var/lib/keystone/.ssh/id_rsa", "owner": "keystone", "perm": "0600" - }, + }{% if keystone_policy_file is defined %}, { - "source": "{{ container_config_directory }}/policy.json", - "dest": "/etc/keystone/policy.json", + "source": "{{ container_config_directory }}/{{ keystone_policy_file }}", + "dest": "/etc/keystone/{{ keystone_policy_file }}", "owner": "keystone", - "perm": "0600", - "optional": true - } + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/keystone/templates/keystone.conf.j2 b/ansible/roles/keystone/templates/keystone.conf.j2 index fa6cf2a2d4..6615f764c9 100644 --- a/ansible/roles/keystone/templates/keystone.conf.j2 +++ b/ansible/roles/keystone/templates/keystone.conf.j2 
@@ -13,6 +13,11 @@ use_stderr = True [oslo_middleware] enable_proxy_headers_parsing = True +{% if keystone_policy_file is defined %} +[oslo_policy] +policy_file = {{ keystone_policy_file }} +{% endif %} + [database] connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }} max_retries = -1 diff --git a/ansible/roles/keystone/templates/keystone.json.j2 b/ansible/roles/keystone/templates/keystone.json.j2 index 0f871d16b6..5d0486ede0 100644 --- a/ansible/roles/keystone/templates/keystone.json.j2 +++ b/ansible/roles/keystone/templates/keystone.json.j2 @@ -22,14 +22,13 @@ "owner": "keystone", "perm": "0700", "optional": true - }, + }{% if keystone_policy_file is defined %}, { - "source": "{{ container_config_directory }}/policy.json", - "dest": "/etc/keystone/policy.json", + "source": "{{ container_config_directory }}/{{ keystone_policy_file }}", + "dest": "/etc/keystone/{{ keystone_policy_file }}", "owner": "keystone", - "perm": "0600", - "optional": true - }, + "perm": "0600" + }{% endif %}, { "source": "{{ container_config_directory }}/wsgi-keystone.conf", "dest": "/etc/{{ keystone_dir }}/wsgi-keystone.conf", diff --git a/ansible/roles/nova/handlers/main.yml b/ansible/roles/nova/handlers/main.yml index aab84b7fba..21b2d412fb 100644 --- a/ansible/roles/nova/handlers/main.yml +++ b/ansible/roles/nova/handlers/main.yml 
@@ -54,7 +54,7 @@ service: "{{ nova_services[service_name] }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" placement_api_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -68,7 +68,7 @@ - service.enabled | bool - config_json.changed | bool or nova_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or placement_api_wsgi_conf | changed or placement_api_container.changed | bool @@ -78,7 +78,7 @@ service: "{{ nova_services[service_name] }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_api_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -93,7 +93,7 @@ - service.enabled | bool - config_json.changed | bool or nova_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or nova_api_container.changed | bool - name: Restart nova-scheduler container 
@@ -102,7 +102,7 @@ service: "{{ nova_services[service_name] }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_scheduler_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -117,7 +117,7 @@ - service.enabled | bool - config_json.changed | bool or nova_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or nova_scheduler_container.changed | bool - name: Restart nova-conductor container @@ -126,7 +126,7 @@ service: "{{ nova_services[service_name] }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conductor_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -141,7 +141,7 @@ - service.enabled | bool - config_json.changed | bool or nova_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or nova_conductor_container.changed | bool 
@@ -151,7 +151,7 @@ service: "{{ nova_services[service_name] }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_consoleauth_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -166,7 +166,7 @@ - service.enabled | bool - config_json.changed | bool or nova_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or nova_consoleauth_container.changed | bool - name: Restart nova-novncproxy container @@ -175,7 +175,7 @@ service: "{{ nova_services[service_name] }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_novncproxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -190,7 +190,7 @@ - service.enabled | bool - config_json.changed | bool or nova_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or nova_novncproxy_container.changed | bool - name: Restart nova-spicehtml5proxy container 
@@ -199,7 +199,7 @@ service: "{{ nova_services[service_name] }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_spicehtml5proxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -214,7 +214,7 @@ - service.enabled | bool - config_json.changed | bool or nova_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or nova_spicehtml5proxy_container.changed | bool - name: Restart nova-serialproxy container @@ -223,7 +223,7 @@ service: "{{ nova_services[service_name] }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" - policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" + policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_serialproxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" kolla_docker: action: "recreate_or_restart_container" @@ -238,7 +238,7 @@ - service.enabled | bool - config_json.changed | bool or nova_conf.changed | bool - or policy_json.changed | bool + or policy_overwriting.changed | bool or nova_serialproxy_container.changed | bool - name: Restart nova-compute container 
@@ -247,7 +247,7 @@
 service: "{{ nova_services[service_name] }}"
 config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
 nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
- policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+ policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
 nova_compute_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
 kolla_docker:
 action: "recreate_or_restart_container"
@@ -263,7 +263,7 @@
 - service.enabled | bool
 - config_json.changed | bool
 or nova_conf.changed | bool
- or policy_json.changed | bool
+ or policy_overwriting.changed | bool
 or vcenter_ca_file | bool
 or nova_compute_container.changed | bool
@@ -273,7 +273,7 @@
 service: "{{ nova_services[service_name] }}"
 config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
 nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
- policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+ policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
 nova_compute_ironic_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
 kolla_docker:
 action: "recreate_or_restart_container"
@@ -288,7 +288,7 @@
 - service.enabled | bool
 - config_json.changed | bool
 or nova_conf.changed | bool
- or policy_json.changed | bool
+ or policy_overwriting.changed | bool
 or nova_compute_ironic_container.changed | bool
 # nova-compute-fake is special. It will start multi numbers of container
diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml
index 834646c956..26af6278bd 100644
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@@ -24,6 +24,23 @@
 - item.value.enabled | bool
 with_dict: "{{ nova_services }}"
+- name: Check if policies shall be overwritten
+ local_action: stat path="{{ item }}"
+ run_once: True
+ register: nova_policy
+ with_first_found:
+ - files: "{{ supported_policy_format_list }}"
+ paths:
+ - "{{ node_custom_config }}/nova/"
+ skip: true
+
+- name: Set nova policy file
+ set_fact:
+ nova_policy_file: "{{ nova_policy.results.0.stat.path | basename }}"
+ nova_policy_file_path: "{{ nova_policy.results.0.stat.path }}"
+ when:
+ - nova_policy.results
+
 - name: Copying over config.json files for services
 become: true
 template:
@@ -138,12 +155,7 @@
 notify:
 - Restart nova-compute container
-- name: Check if policies shall be overwritten
- local_action: stat path="{{ node_custom_config }}/nova/policy.json"
- run_once: True
- register: nova_policy
-
-- name: Copying over existing policy.json
+- name: Copying over existing policy file
 become: true
 vars:
 services_require_policy_json:
@@ -158,13 +170,13 @@
 - nova-scheduler
 - nova-spicehtml5proxy
 template:
- src: "{{ node_custom_config }}/nova/policy.json"
- dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
- register: policy_jsons
+ src: "{{ nova_policy_file_path }}"
+ dest: "{{ node_config_directory }}/{{ item.key }}/{{ nova_policy_file }}"
+ register: nova_policy_overwriting
 when:
 - inventory_hostname in groups[item.value.group]
 - item.value.enabled | bool
- - nova_policy.stat.exists
+ - nova_policy_file is defined
 - item.key in services_require_policy_json
 with_dict: "{{ nova_services }}"
 notify:
diff --git a/ansible/roles/nova/templates/nova-api.json.j2 b/ansible/roles/nova/templates/nova-api.json.j2
index d669bfdaf8..f52b27ecc0 100644
--- a/ansible/roles/nova/templates/nova-api.json.j2
+++ b/ansible/roles/nova/templates/nova-api.json.j2
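Review bot: The "Check if policies shall be overwritten" task picks the first entry of `supported_policy_format_list` that exists under `{{ node_custom_config }}/nova/` and says nothing about the rest, so an operator who leaves both a YAML and a JSON policy file in that directory has one of them silently ignored, possibly the one carrying the stricter rules. A comment above the task such as `# with_first_found honours list order: only the first matching policy file is used, any other format present is ignored` would make that visible, and a debug/fail when more than one candidate is present would make it loud. In the same task `run_once: True` and the key=value form `stat path="{{ item }}"` sit next to `become: true` and block-style module args elsewhere in the hunk; `run_once: true` with `stat:` / `path:` as a mapping would match the file's conventions. Whether `nova_policy.results` is always present when the loop is skipped depends on the Ansible version in use and is worth confirming, since the "Set nova policy file" guard relies on it.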
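Review bot: The vars list is still called `services_require_policy_json` although the task it gates now copies whichever format was found, so the name misleads the next reader; `services_require_policy_file` would match the new task name "Copying over existing policy file". The copy also only targets `{{ nova_policy_file }}`, so a `policy.json` left in `{{ node_config_directory }}/{{ item.key }}/` by an earlier run is not removed when the operator switches to a YAML policy; it appears not to be wired into the container any more by the templates in this commit, but a short comment noting that stale host-side copies are not cleaned up would save someone auditing the node from wondering which file is live. The task's `notify:` list continues outside the hunk.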
@@ -6,14 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- },
+ }{% if nova_policy_file is defined %},
 {
- "source": "{{ container_config_directory }}/policy.json",
- "dest": "/etc/nova/policy.json",
+ "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+ "dest": "/etc/nova/{{ nova_policy_file }}",
 "owner": "nova",
- "perm": "0600",
- "optional": true
- }
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova/templates/nova-compute-ironic.json.j2 b/ansible/roles/nova/templates/nova-compute-ironic.json.j2
index 92c0ee71b7..d41811fc70 100644
--- a/ansible/roles/nova/templates/nova-compute-ironic.json.j2
+++ b/ansible/roles/nova/templates/nova-compute-ironic.json.j2
@@ -6,14 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- },
+ }{% if nova_policy_file is defined %},
 {
- "source": "{{ container_config_directory }}/policy.json",
- "dest": "/etc/nova/policy.json",
+ "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+ "dest": "/etc/nova/{{ nova_policy_file }}",
 "owner": "nova",
- "perm": "0600",
- "optional": true
- }
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova/templates/nova-compute.json.j2 b/ansible/roles/nova/templates/nova-compute.json.j2
index 98a4f5ca99..c0f125e01c 100644
--- a/ansible/roles/nova/templates/nova-compute.json.j2
+++ b/ansible/roles/nova/templates/nova-compute.json.j2
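Review bot: The trailing comma is now produced by Jinja (`}{% if nova_policy_file is defined %},` ... `}{% endif %}`), so the validity of the rendered JSON depends on where the next list entry lands relative to `{% endif %}`; anyone inserting an entry between the policy stanza and the closing `]` without seeing the undefined case will ship a config.json that only parses when a custom policy exists. A template comment such as `{# the comma is inside the if-block: keep additional entries after {% endif %} #}` next to the first conditional would guard against that. The identical seven-line stanza is repeated in nova-compute-ironic, nova-compute, nova-conductor, nova-consoleauth, nova-novncproxy, nova-scheduler, nova-spicehtml5proxy and placement-api; a shared Jinja macro or include would keep owner, mode and the comma handling in one place. Dropping `"optional": true` is correct given the guard, since a referenced-but-missing policy file is now a deployment error rather than a silently skipped copy.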
@@ -6,14 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- },
+ }{% if nova_policy_file is defined %},
 {
- "source": "{{ container_config_directory }}/policy.json",
- "dest": "/etc/nova/policy.json",
+ "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+ "dest": "/etc/nova/{{ nova_policy_file }}",
 "owner": "nova",
- "perm": "0600",
- "optional": true
- }{% if nova_backend == "rbd" %},
+ "perm": "0600"
+ }{% endif %}{% if nova_backend == "rbd" %},
 {
 "source": "{{ container_config_directory }}/ceph.*",
 "dest": "/etc/ceph/",
diff --git a/ansible/roles/nova/templates/nova-conductor.json.j2 b/ansible/roles/nova/templates/nova-conductor.json.j2
index 50bcd53693..68e4c7294f 100644
--- a/ansible/roles/nova/templates/nova-conductor.json.j2
+++ b/ansible/roles/nova/templates/nova-conductor.json.j2
@@ -6,14 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- },
+ }{% if nova_policy_file is defined %},
 {
- "source": "{{ container_config_directory }}/policy.json",
- "dest": "/etc/nova/policy.json",
+ "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+ "dest": "/etc/nova/{{ nova_policy_file }}",
 "owner": "nova",
- "perm": "0600",
- "optional": true
- }
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova/templates/nova-consoleauth.json.j2 b/ansible/roles/nova/templates/nova-consoleauth.json.j2
index af6a6c992c..09e663402f 100644
--- a/ansible/roles/nova/templates/nova-consoleauth.json.j2
+++ b/ansible/roles/nova/templates/nova-consoleauth.json.j2
@@ -6,14 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- },
+ }{% if nova_policy_file is defined %},
 {
- "source": "{{ container_config_directory }}/policy.json",
- "dest": "/etc/nova/policy.json",
+ "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+ "dest": "/etc/nova/{{ nova_policy_file }}",
 "owner": "nova",
- "perm": "0600",
- "optional": true
- }
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova/templates/nova-novncproxy.json.j2 b/ansible/roles/nova/templates/nova-novncproxy.json.j2
index 11e2bbf06b..e85cdbb48a 100644
--- a/ansible/roles/nova/templates/nova-novncproxy.json.j2
+++ b/ansible/roles/nova/templates/nova-novncproxy.json.j2
@@ -6,14 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- },
+ }{% if nova_policy_file is defined %},
 {
- "source": "{{ container_config_directory }}/policy.json",
- "dest": "/etc/nova/policy.json",
+ "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+ "dest": "/etc/nova/{{ nova_policy_file }}",
 "owner": "nova",
- "perm": "0600",
- "optional": true
- }
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova/templates/nova-scheduler.json.j2 b/ansible/roles/nova/templates/nova-scheduler.json.j2
index b59f2f0e47..ae13758df7 100644
--- a/ansible/roles/nova/templates/nova-scheduler.json.j2
+++ b/ansible/roles/nova/templates/nova-scheduler.json.j2
@@ -6,14 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- },
+ }{% if nova_policy_file is defined %},
 {
- "source": "{{ container_config_directory }}/policy.json",
- "dest": "/etc/nova/policy.json",
+ "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+ "dest": "/etc/nova/{{ nova_policy_file }}",
 "owner": "nova",
- "perm": "0600",
- "optional": true
- }
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2 b/ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2
index b1a218bb82..727b1121e5 100644
--- a/ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2
+++ b/ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2
@@ -6,14 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- },
+ }{% if nova_policy_file is defined %},
 {
- "source": "{{ container_config_directory }}/policy.json",
- "dest": "/etc/nova/policy.json",
+ "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+ "dest": "/etc/nova/{{ nova_policy_file }}",
 "owner": "nova",
- "perm": "0600",
- "optional": true
- }
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index a09e4800e1..73f7510c6e 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -215,6 +215,11 @@ topics = {{ nova_enabled_notification_topics | map(attribute='name') | join(',')
 driver = noop
 {% endif %}
+{% if nova_policy_file is defined %}
+[oslo_policy]
+policy_file = {{ nova_policy_file }}
+{% endif %}
+
 [privsep_entrypoint]
 helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf
diff --git a/ansible/roles/nova/templates/placement-api.json.j2 b/ansible/roles/nova/templates/placement-api.json.j2
index fba578a84f..395f7d06fa 100644
--- a/ansible/roles/nova/templates/placement-api.json.j2
+++ b/ansible/roles/nova/templates/placement-api.json.j2
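Review bot: `policy_file = {{ nova_policy_file }}` in the new `[oslo_policy]` section is a bare file name, so which file actually governs authorisation depends on oslo.policy's search order for relative paths rather than on the `dest` the config.json templates in this commit write to; the two can drift apart without any error. Writing the same absolute location, `policy_file = /etc/nova/{{ nova_policy_file }}`, ties the config to the file that was copied in and makes an audit of the running container unambiguous. A one-line comment above the block, `{# only rendered when an operator supplied policy file was found; otherwise oslo.policy's default applies #}`, would also spare the reader a trip back to tasks/config.yml.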
@@ -8,14 +8,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- },
+ }{% if nova_policy_file is defined %},
 {
- "source": "{{ container_config_directory }}/policy.json",
- "dest": "/etc/nova/policy.json",
+ "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+ "dest": "/etc/nova/{{ nova_policy_file }}",
 "owner": "nova",
- "perm": "0600",
- "optional": true
- },
+ "perm": "0600"
+ }{% endif %},
 {
 "source": "{{ container_config_directory }}/placement-api-wsgi.conf",
 "dest": "/etc/{{ apache_conf_dir }}/placement-api-wsgi.conf",