From e7b394dd58e4ee3e17aa88db5189a8c10480d05a Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Mon, 22 Mar 2021 18:17:49 +0200 Subject: [PATCH] [goal] Deprecate the JSON formatted policy file As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to replace policy.json to policy.yaml and remove deprecated policy.json. config_template has been choosen instead of the copy, since it can properly handle content that has been lookuped. We make a separate task not to restart service when it's not needed. [1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/787199 Change-Id: Idd28e5df99bfcf51bad2b785be41221eb0fe5142 --- handlers/main.yml | 8 ++++++++ tasks/main.yml | 1 + tasks/octavia_policy.yml | 23 ++++++++++++++--------- templates/policy.json.j2 | 11 ----------- vars/main.yml | 10 ++++++++++ 5 files changed, 33 insertions(+), 20 deletions(-) delete mode 100644 templates/policy.json.j2 diff --git a/handlers/main.yml b/handlers/main.yml index 79d96ed5..78674b74 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -21,6 +21,14 @@ listen: - "venv changed" +# NOTE (noonedeadpunk): Remove this task after Xena release +- name: Remove obsoleted policy.json + file: + path: "/etc/octavia/policy.json" + state: absent + listen: + - Restart octavia services + - name: Start octavia services service: name: "{{ item.service_name }}" diff --git a/tasks/main.yml b/tasks/main.yml index 050eea32..5c3ecae0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -209,6 +209,7 @@ tags: - octavia-install - octavia-config + - octavia-policy-override - import_tasks: octavia_amp_image.yml when: diff --git a/tasks/octavia_policy.yml b/tasks/octavia_policy.yml index 43d5b671..7aa8a0b3 100644 --- a/tasks/octavia_policy.yml +++ b/tasks/octavia_policy.yml 
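Review bot: The removal of `/etc/octavia/policy.json` is a handler that only runs when `Restart octavia services` is notified, and the rewritten policy task in tasks/octavia_policy.yml no longer notifies any handler, so on an already-deployed node with no other configuration change the old policy.json stays on disk next to the new policy.yaml. Which of the two files oslo.policy then loads depends on the `[oslo_policy] policy_file` value in octavia.conf, which this change does not touch; if it still names policy.json, whatever rules were last written there (with legacy policy, `context_is_admin` granting admin to `role:load-balancer_admin`) remain in effect. I would make the removal an ordinary, unconditional task in tasks/octavia_policy.yml, `- name: Remove obsoleted policy.json` / `file: {path: /etc/octavia/policy.json, state: absent}`, and keep the handler only if some other path needs it; if it stays a handler, the NOTE comment should say that removal depends on a restart being triggered. The `Start octavia services` handler continues past the end of the hunk.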
@@ -13,16 +13,21 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Set legacy role policies +- name: Implement policy.yaml if there are overrides configured config_template: - src: policy.json.j2 - dest: /etc/octavia/policy.json + dest: /etc/octavia/policy.yaml owner: "{{ octavia_system_user_name }}" group: "{{ octavia_system_group_name }}" mode: "0640" - config_overrides: "{{ octavia_policy_overrides }}" - config_type: "json" - notify: - - Restart octavia services - - Restart uwsgi services - when: octavia_legacy_policy + content: "{{ (octavia_legacy_policy | bool) | ternary(_octavia_legacy_policies, {}) | combine(octavia_policy_overrides) }}" + config_type: "yaml" + when: + - (octavia_policy_overrides | length > 0) or (octavia_legacy_policy | bool) + +- name: Remove legacy policy.yaml file + file: + path: "/etc/octavia/policy.yaml" + state: absent + when: + - octavia_policy_overrides | length == 0 + - not octavia_legacy_policy | bool diff --git a/templates/policy.json.j2 b/templates/policy.json.j2 deleted file mode 100644 index 7a356575..00000000 --- a/templates/policy.json.j2 +++ /dev/null @@ -1,11 +0,0 @@ -{ - "context_is_admin": "role:admin or role:load-balancer_admin", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - - "load-balancer:read": "rule:admin_or_owner", - "load-balancer:read-global": "is_admin:True", - "load-balancer:write": "rule:admin_or_owner", - "load-balancer:read-quota": "rule:admin_or_owner", - "load-balancer:read-quota-global": "is_admin:True", - "load-balancer:write-quota": "is_admin:True" -} \ No newline at end of file diff --git a/vars/main.yml b/vars/main.yml index 06a64069..10631a86 100644 --- a/vars/main.yml +++ b/vars/main.yml 
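Review bot: Neither the `Implement policy.yaml` task nor the new `Remove legacy policy.yaml file` task notifies a handler, whereas the task they replace notified both `Restart octavia services` and `Restart uwsgi services`. A rewritten policy.yaml is presumably picked up by oslo.policy's file-change reload, but I am not sure the enforcer falls back to the in-code defaults when a file it has already loaded is deleted, so the removal branch may leave the previously configured rules enforced until an unrelated restart. Adding `notify:` / `- Restart octavia services` / `- Restart uwsgi services` to the removal task only makes that fallback deterministic while keeping the write path restart-free as the commit message intends. It is also worth a one-line comment on the `content:` expression that `combine` lets `octavia_policy_overrides` win over `_octavia_legacy_policies` on a key collision, since that precedence is the security-relevant part of the merge.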
@@ -62,3 +62,13 @@ uwsgi_octavia_services: |- {% endif %} {% endfor %} {{ services }} + +_octavia_legacy_policies: + "context_is_admin": "role:admin or role:load-balancer_admin" + "admin_or_owner": "is_admin:True or project_id:%(project_id)s" + "load-balancer:read": "rule:admin_or_owner" + "load-balancer:read-global": "is_admin:True" + "load-balancer:write": "rule:admin_or_owner" + "load-balancer:read-quota": "rule:admin_or_owner" + "load-balancer:read-quota-global": "is_admin:True" + "load-balancer:write-quota": "is_admin:True"
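Review bot: `_octavia_legacy_policies` is added without a comment saying where it comes from or when it applies, so a later reader cannot tell it is the content of the deleted templates/policy.json.j2 carried over for `octavia_legacy_policy: true`. I would add above it `# Legacy Octavia policy formerly shipped as templates/policy.json.j2; written to policy.yaml only when octavia_legacy_policy is true, with octavia_policy_overrides merged on top.` The comment should also spell out that `context_is_admin` here extends admin to `role:load-balancer_admin`, since that is the rule operators enabling the legacy file most need to be aware of. The `uwsgi_octavia_services` block scalar preceding the new variable starts outside the hunk.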