[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to replace policy.json to policy.yaml and remove deprecated policy.json. config_template has been choosen instead of the copy, since it can properly handle content that has been lookuped. We make a separate task not to restart service when it's not needed. [1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: Ib434e98cd4df42ea77bcb985eafe2e56b1ac6fe9
2021-03-22 18:04:36 +02:00 · 2021-03-22 18:04:36 +02:00 · a396d45942
parent 21f767d08b
commit a396d45942
3 changed files with 27 additions and 27 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -31,22 +31,11 @@
    - "Restart panko services"
    - "venv changed"

-# Note (odyssey4me):
-# The policy.json file is currently read continually by the services
-# and is not only read on service start. We therefore cannot template
-# directly to the file read by the service because the new policies
-# may not be valid until the service restarts. This is particularly
-# important during a major upgrade. We therefore only put the policy
-# file in place after the service has been stopped.
-#
- name: Copy new policy file into place
-  copy:
-    src: "/etc/panko/policy.json-{{ panko_venv_tag }}"
-    dest: "/etc/panko/policy.json"
-    owner: "root"
-    group: "{{ panko_system_group_name }}"
-    mode: "0640"
-    remote_src: yes
+# NOTE (noonedeadpunk): Remove this task after Xena release
+- name: Remove obsoleted policy.json
+  file:
+    path: "/etc/panko/policy.json"
+    state: absent
  listen:
    - "Restart panko services"
    - "venv changed"
--- a/tasks/panko_post_install.yml
+++ b/tasks/panko_post_install.yml
@ -31,14 +31,32 @@
      dest: "/etc/panko/api_paste.ini"
      config_overrides: "{{ panko_api_paste_ini_overrides }}"
      config_type: "ini"
-    - src: "policy.json.j2"
-      dest: "/etc/panko/policy.json-{{ panko_venv_tag }}"
-      config_overrides: "{{ panko_policy_overrides }}"
-      config_type: "json"
  notify:
    - Restart panko services
    - Restart uwsgi services

+- name: Implement policy.yaml if there are overrides configured
+  config_template:
+    content: "{{ panko_policy_overrides }}"
+    dest: "/etc/panko/policy.yaml"
+    owner: "{{ panko_system_user_name }}"
+    group: "{{ panko_system_group_name }}"
+    mode: "0644"
+    config_type: "yaml"
+  when:
+    - panko_policy_overrides | length > 0
+  tags:
+    - panko-policy-override
+
+- name: Remove legacy policy.yaml file
+  file:
+    path: "/etc/panko/policy.yaml"
+    state: absent
+  when:
+    - panko_policy_overrides | length == 0
+  tags:
+    - panko-policy-override
+
 - name: Create cron job for panko event expirer
  cron:
    name: "Purge old panko events"
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@ -1,7 +0,0 @@
-{
-    "context_is_admin": "role:admin",
-    "segregation": "rule:context_is_admin",
-
-    "telemetry:events:index": "",
-    "telemetry:events:show": ""
-}