Remove octavia_legacy_policy variable

We did not review or maintain policy rules controlled by this flag for a while, neither it was tested. It is proposed to remove the variable from the code and promote overrides usage by operators instead. Change-Id: I6c1f1d10c5cc7fea4bffc18c2253d6ab162b00e0 Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
2025-11-14 12:23:36 +01:00
parent 8d4a943821
commit 90f522cda5
5 changed files with 11 additions and 21 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -33,13 +33,6 @@ octavia_venv_python_executable: "{{ openstack_venv_python_executable | default('
 ## Allow TLS listener
 octavia_tls_listener_enabled: true

-# Legacy policy disables the requirement for load-balancer service users to
-# have one of the load-balancer:* roles.  It provides a similar policy to
-# legacy OpenStack policies where any user or admin has access to load-balancer
-# resources that they own.  Users with the admin role has access to all
-# load-balancer resources, whether they own them or not.
-octavia_legacy_policy: false
-
 # Set the package install state for distribution packages
 # Options are 'present' and 'latest'
 octavia_package_state: "{{ package_state | default('latest') }}"
--- a/releasenotes/notes/remove_octavia_legacy_poliicies-ae2e8370097d2cfb.yaml
+++ b/releasenotes/notes/remove_octavia_legacy_poliicies-ae2e8370097d2cfb.yaml
@@ -0,0 +1,9 @@
+---
+
+deprecations:
+  - |
+    Variable ``octavia_legacy_policy`` was removed and has no effect anymore.
+    In case you was using the variable and it was set to ``True``, you can
+    incorporate policy changes this variable was implementing to your
+    ``octavia_policy_overrides``. You may find rules controlled by this
+    variable via the `link <https://opendev.org/openstack/openstack-ansible-os_octavia/src/commit/8d4a94382127f9065ec493800f9a5ceda0154e1a/vars/main.yml#L90-L97>`_
--- a/tasks/octavia_policy.yml
+++ b/tasks/octavia_policy.yml
@@ -19,10 +19,10 @@
    owner: "{{ octavia_system_user_name }}"
    group: "{{ octavia_system_group_name }}"
    mode: "0640"
-    content: "{{ (octavia_legacy_policy | bool) | ternary(_octavia_legacy_policies, {}) | combine(octavia_policy_overrides) }}"
+    content: "{{ octavia_policy_overrides }}"
    config_type: "yaml"
  when:
-    - (octavia_policy_overrides | length > 0) or (octavia_legacy_policy | bool)
+    - (octavia_policy_overrides | length > 0)

 - name: Remove legacy policy.yaml file
  ansible.builtin.file:
@@ -30,4 +30,3 @@
    state: absent
  when:
    - octavia_policy_overrides | length == 0
-    - not octavia_legacy_policy | bool
--- a/tests/os_octavia-overrides.yml
+++ b/tests/os_octavia-overrides.yml
@@ -12,7 +12,6 @@
 # limitations under the License.

 test_octavia_amphora: True
-octavia_legacy_policy: True

 octavia_amp_active_retries: 20

--- a/vars/main.yml
+++ b/vars/main.yml
@@ -86,16 +86,6 @@ uwsgi_octavia_services: |-
  {% endfor %}
  {{ services }}

-_octavia_legacy_policies:
-  "context_is_admin": "role:admin or role:load-balancer_admin"
-  "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
-  "load-balancer:read": "rule:admin_or_owner"
-  "load-balancer:read-global": "is_admin:True"
-  "load-balancer:write": "rule:admin_or_owner"
-  "load-balancer:read-quota": "rule:admin_or_owner"
-  "load-balancer:read-quota-global": "is_admin:True"
-  "load-balancer:write-quota": "is_admin:True"
-
 _octavia_jobboard_driver_map:
  zookeeper: zookeeper_taskflow_driver
  redis: redis_taskflow_driver