
Only implement policy.json if an override is configured

With the policy-in-code changes merged inside Designate, there
is no longer a default policy.json file in the venv, so we
need to change how we implement the file, and should only do
so if a config override is configured for it.

If there is no policy override configured, but a policy.json
file is present, then it's likely left over from a previous
build. To ensure that we do not carry legacy configuration
files which override the policy-in-code we remove the legacy
file. This is done on restart to ensure that the policy still
applies until the code is updated.

Change-Id: Iea4d2029723529444b93d7deca58824e592d0e0f
Mohammed Naser 2 months ago
parent
commit
3c9e9beaf2
3 changed files with 19 additions and 133 deletions
  1. 12
    0
      handlers/main.yml
  2. 7
    4
      tasks/designate_post_install.yml
  3. 0
    129
      templates/policy.json.j2

+ 12
- 0
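--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -43,6 +43,18 @@
     group: "{{ designate_system_group_name }}"
     mode: "0640"
     remote_src: yes
+  when:
+    - designate_policy_overrides != {}
+  listen:
+    - "Restart designate services"
+    - "venv changed"
+
+- name: Remove legacy policy.json file
+  file:
+    path: "/etc/designate/policy.json"
+    state: absent
+  when:
+    - designate_policy_overrides == {}
   listen:
     - "Restart designate services"
     - "venv changed"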
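Review bot: The new `Remove legacy policy.json file` handler is only reached through the `Restart designate services` / `venv changed` listeners, so a stale `/etc/designate/policy.json` keeps overriding policy-in-code until something triggers a restart; that is the intent stated in the commit message, but nothing in the file says so. Suggest a comment above the handler: `# Runs on restart only so an existing policy.json stays effective until the updated code is running; once no overrides are configured the file must go, otherwise it silently overrides policy-in-code`. The two `when` conditions (`!= {}` and `== {}`) are complementary only while `designate_policy_overrides` is always a mapping, which the role defaults presumably guarantee; worth stating in the same comment. The copy handler the first `when` is attached to starts outside the hunk.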

+ 7
- 4
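--- a/tasks/designate_post_install.yml
+++ b/tasks/designate_post_install.yml
@@ -50,10 +50,6 @@
       dest: "/etc/designate/api-paste.ini"
       config_overrides: "{{ designate_api_paste_ini_overrides }}"
       config_type: "ini"
-    - src: "policy.json.j2"
-      dest: "/etc/designate/policy.json-{{ designate_venv_tag }}"
-      config_overrides: "{{ designate_policy_overrides }}"
-      config_type: "json"
     - src: "rootwrap.conf.j2"
       dest: "/etc/designate/rootwrap.conf"
       owner: "root"
@@ -62,6 +58,13 @@
       config_type: "ini"
   notify: Restart designate services
 
+- name: Implement policy.json if there are overrides configured
+  copy:
+    content: "{{ designate_policy_overrides | to_nice_json }}"
+    dest: "/etc/designate/policy.json-{{ designate_venv_tag }}"
+  when:
+    - designate_policy_overrides != {}
+
 - name: Create Designate pools.yaml file
   copy:
     content: "{{ designate_pools_yaml | to_nice_yaml }}"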
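Review bot: The new `Implement policy.json if there are overrides configured` task has no `notify`, while the config_template task above it does, so a change to `designate_policy_overrides` alone rewrites `policy.json-{{ designate_venv_tag }}` but never fires the handler that installs it as `/etc/designate/policy.json`; add `notify: Restart designate services` to the task. Whether oslo.policy would pick up the installed file without a restart is not visible here, so notifying is the safe path. The task also sets no `owner`, `group` or `mode`, so the staged file is created with the module defaults, whereas the installing handler in handlers/main.yml uses `mode: "0640"`; setting `mode: "0640"` here keeps the staged copy consistent with what ends up in place. The surrounding config_template task starts outside the first hunk.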

+ 0
- 129
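--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@@ -1,129 +0,0 @@
-{
-    "admin": "role:admin or is_admin:True",
-    "primary_zone": "target.zone_type:SECONDARY",
-
-    "owner": "tenant:%(tenant_id)s",
-    "admin_or_owner": "rule:admin or rule:owner",
-    "target": "tenant:%(target_tenant_id)s",
-    "owner_or_target":"rule:target or rule:owner",
-    "admin_or_owner_or_target":"rule:owner_or_target or rule:admin",
-    "admin_or_target":"rule:admin or rule:target",
-
-    "zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)",
-
-    "default": "rule:admin_or_owner",
-
-    "all_tenants": "rule:admin",
-
-    "edit_managed_records" : "rule:admin",
-
-    "use_low_ttl": "rule:admin",
-
-    "get_quotas": "rule:admin_or_owner",
-    "get_quota": "rule:admin_or_owner",
-    "set_quota": "rule:admin",
-    "reset_quotas": "rule:admin",
-
-    "create_tld": "rule:admin",
-    "find_tlds": "rule:admin",
-    "get_tld": "rule:admin",
-    "update_tld": "rule:admin",
-    "delete_tld": "rule:admin",
-
-    "create_tsigkey": "rule:admin",
-    "find_tsigkeys": "rule:admin",
-    "get_tsigkey": "rule:admin",
-    "update_tsigkey": "rule:admin",
-    "delete_tsigkey": "rule:admin",
-
-    "find_tenants": "rule:admin",
-    "get_tenant": "rule:admin",
-    "count_tenants": "rule:admin",
-
-    "create_zone": "rule:admin_or_owner",
-    "get_zones": "rule:admin_or_owner",
-    "get_zone": "rule:admin_or_owner",
-    "get_zone_servers": "rule:admin_or_owner",
-    "find_zones": "rule:admin_or_owner",
-    "find_zone": "rule:admin_or_owner",
-    "update_zone": "rule:admin_or_owner",
-    "delete_zone": "rule:admin_or_owner",
-    "xfr_zone": "rule:admin_or_owner",
-    "abandon_zone": "rule:admin",
-    "count_zones": "rule:admin_or_owner",
-    "count_zones_pending_notify": "rule:admin_or_owner",
-    "purge_zones": "rule:admin",
-    "touch_zone": "rule:admin_or_owner",
-
-    "create_recordset": "rule:zone_primary_or_admin",
-    "get_recordsets": "rule:admin_or_owner",
-    "get_recordset": "rule:admin_or_owner",
-    "find_recordsets": "rule:admin_or_owner",
-    "find_recordset": "rule:admin_or_owner",
-    "update_recordset": "rule:zone_primary_or_admin",
-    "delete_recordset": "rule:zone_primary_or_admin",
-    "count_recordset": "rule:admin_or_owner",
-
-    "create_record": "rule:admin_or_owner",
-    "get_records": "rule:admin_or_owner",
-    "get_record": "rule:admin_or_owner",
-    "find_records": "rule:admin_or_owner",
-    "find_record": "rule:admin_or_owner",
-    "update_record": "rule:admin_or_owner",
-    "delete_record": "rule:admin_or_owner",
-    "count_records": "rule:admin_or_owner",
-
-    "use_sudo": "rule:admin",
-
-    "create_blacklist": "rule:admin",
-    "find_blacklist": "rule:admin",
-    "find_blacklists": "rule:admin",
-    "get_blacklist": "rule:admin",
-    "update_blacklist": "rule:admin",
-    "delete_blacklist": "rule:admin",
-    "use_blacklisted_zone": "rule:admin",
-
-    "create_pool": "rule:admin",
-    "find_pools": "rule:admin",
-    "find_pool": "rule:admin",
-    "get_pool": "rule:admin",
-    "update_pool": "rule:admin",
-    "delete_pool": "rule:admin",
-    "zone_create_forced_pool": "rule:admin",
-
-    "diagnostics_ping": "rule:admin",
-    "diagnostics_sync_zones": "rule:admin",
-    "diagnostics_sync_zone": "rule:admin",
-    "diagnostics_sync_record": "rule:admin",
-
-    "create_zone_transfer_request": "rule:admin_or_owner",
-    "get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
-    "get_zone_transfer_request_detailed": "rule:admin_or_owner",
-    "find_zone_transfer_requests": "@",
-    "find_zone_transfer_request": "@",
-    "update_zone_transfer_request": "rule:admin_or_owner",
-    "delete_zone_transfer_request": "rule:admin_or_owner",
-
-    "create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
-    "get_zone_transfer_accept": "rule:admin_or_owner",
-    "find_zone_transfer_accepts": "rule:admin",
-    "find_zone_transfer_accept": "rule:admin",
-    "update_zone_transfer_accept": "rule:admin",
-    "delete_zone_transfer_accept": "rule:admin",
-
-    "create_zone_import": "rule:admin_or_owner",
-    "find_zone_imports": "rule:admin_or_owner",
-    "get_zone_import": "rule:admin_or_owner",
-    "update_zone_import": "rule:admin_or_owner",
-    "delete_zone_import": "rule:admin_or_owner",
-
-    "zone_export": "rule:admin_or_owner",
-    "create_zone_export": "rule:admin_or_owner",
-    "find_zone_exports": "rule:admin_or_owner",
-    "get_zone_export": "rule:admin_or_owner",
-    "update_zone_export": "rule:admin_or_owner",
-
-    "find_service_status": "rule:admin",
-    "find_service_statuses": "rule:admin",
-    "update_service_service_status": "rule:admin"
-}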
