From 8b8cfcea7884a8c65876833bc1eb55c46209959d Mon Sep 17 00:00:00 2001
From: Andy McCrae
Date: Sat, 10 Dec 2016 13:14:07 +0000
Subject: [PATCH] Update paste, policy and rootwrap configurations 2016-12-10
Change-Id: I2586f36e23d5decec524babf8ef8de2cb6be6468
---
 defaults/main.yml | 1 +
 tasks/trove_post_install.yml | 4 ++
 templates/policy.json.j2 | 96 ++++++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 templates/policy.json.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index 0a0af45..74ef329 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -157,3 +157,4 @@ trove_config_overrides: {}
 trove_api_paste_ini_overrides: {}
 trove_conductor_config_overrides: {}
 trove_taskmanager_config_overrides: {}
+trove_policy_overrides: {}
diff --git a/tasks/trove_post_install.yml b/tasks/trove_post_install.yml
index b38e702..f9ea4a5 100644
--- a/tasks/trove_post_install.yml
+++ b/tasks/trove_post_install.yml
@@ -33,6 +33,10 @@
 dest: "/etc/trove/trove.conf"
 config_overrides: "{{ trove_config_overrides }}"
 config_type: "ini"
+ - src: "policy.json.j2"
+ dest: "/etc/trove/policy.json"
+ config_overrides: "{{ trove_policy_overrides }}"
+ config_type: "json"
 notify:
 - Restart Apache
 - Restart trove API services
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
new file mode 100644
index 0000000..370a8f2
--- /dev/null
+++ b/templates/policy.json.j2
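Review bot: The new `trove_policy_overrides: {}` default in defaults/main.yml is added with no comment, although, unlike the neighbouring config overrides, what it merges into is an authorization file where a rule value of `""` removes the check for that action entirely. A one-line comment above it would make that visible to deployers, e.g. `# Rules merged into /etc/trove/policy.json; an empty string value disables the check for that action.`. The tasks/trove_post_install.yml hunk wires the same variable in via `config_type: "json"`, so the note applies to both.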
@@ -0,0 +1,96 @@
+{
+ "admin": "role:admin or is_admin:True",
+ "admin_or_owner": "rule:admin or tenant:%(tenant)s",
+ "default": "rule:admin_or_owner",
+
+ "instance:create": "rule:admin_or_owner",
+ "instance:delete": "rule:admin_or_owner",
+ "instance:force_delete": "rule:admin_or_owner",
+ "instance:index": "rule:admin_or_owner",
+ "instance:show": "rule:admin_or_owner",
+ "instance:update": "rule:admin_or_owner",
+ "instance:edit": "rule:admin_or_owner",
+ "instance:restart": "rule:admin_or_owner",
+ "instance:resize_volume": "rule:admin_or_owner",
+ "instance:resize_flavor": "rule:admin_or_owner",
+ "instance:reset_status": "rule:admin",
+ "instance:promote_to_replica_source": "rule:admin_or_owner",
+ "instance:eject_replica_source": "rule:admin_or_owner",
+ "instance:configuration": "rule:admin_or_owner",
+ "instance:guest_log_list": "rule:admin_or_owner",
+ "instance:backups": "rule:admin_or_owner",
+ "instance:module_list": "rule:admin_or_owner",
+ "instance:module_apply": "rule:admin_or_owner",
+ "instance:module_remove": "rule:admin_or_owner",
+
+ "instance:extension:root:create": "rule:admin_or_owner",
+ "instance:extension:root:delete": "rule:admin_or_owner",
+ "instance:extension:root:index": "rule:admin_or_owner",
+
+ "instance:extension:user:create": "rule:admin_or_owner",
+ "instance:extension:user:delete": "rule:admin_or_owner",
+ "instance:extension:user:index": "rule:admin_or_owner",
+ "instance:extension:user:show": "rule:admin_or_owner",
+ "instance:extension:user:update": "rule:admin_or_owner",
+ "instance:extension:user:update_all": "rule:admin_or_owner",
+
+ "instance:extension:user_access:update": "rule:admin_or_owner",
+ "instance:extension:user_access:delete": "rule:admin_or_owner",
+ "instance:extension:user_access:index": "rule:admin_or_owner",
+
+ "instance:extension:database:create": "rule:admin_or_owner",
+ "instance:extension:database:delete": "rule:admin_or_owner",
+ "instance:extension:database:index": "rule:admin_or_owner",
+ "instance:extension:database:show": "rule:admin_or_owner",
+
+ "cluster:create": "rule:admin_or_owner",
+ "cluster:delete": "rule:admin_or_owner",
+ "cluster:force_delete": "rule:admin_or_owner",
+ "cluster:index": "rule:admin_or_owner",
+ "cluster:show": "rule:admin_or_owner",
+ "cluster:show_instance": "rule:admin_or_owner",
+ "cluster:action": "rule:admin_or_owner",
+ "cluster:reset-status": "rule:admin",
+
+ "cluster:extension:root:create": "rule:admin_or_owner",
+ "cluster:extension:root:delete": "rule:admin_or_owner",
+ "cluster:extension:root:index": "rule:admin_or_owner",
+
+ "backup:create": "rule:admin_or_owner",
+ "backup:delete": "rule:admin_or_owner",
+ "backup:index": "rule:admin_or_owner",
+ "backup:show": "rule:admin_or_owner",
+
+ "configuration:create": "rule:admin_or_owner",
+ "configuration:delete": "rule:admin_or_owner",
+ "configuration:index": "rule:admin_or_owner",
+ "configuration:show": "rule:admin_or_owner",
+ "configuration:instances": "rule:admin_or_owner",
+ "configuration:update": "rule:admin_or_owner",
+ "configuration:edit": "rule:admin_or_owner",
+
+ "configuration-parameter:index": "rule:admin_or_owner",
+ "configuration-parameter:show": "rule:admin_or_owner",
+ "configuration-parameter:index_by_version": "rule:admin_or_owner",
+ "configuration-parameter:show_by_version": "rule:admin_or_owner",
+
+ "datastore:index": "",
+ "datastore:show": "",
+ "datastore:version_show": "",
+ "datastore:version_show_by_uuid": "",
+ "datastore:version_index": "",
+ "datastore:list_associated_flavors": "",
+ "datastore:list_associated_volume_types": "",
+
+ "flavor:index": "",
+ "flavor:show": "",
+
+ "limits:index": "rule:admin_or_owner",
+
+ "module:create": "rule:admin_or_owner",
+ "module:delete": "rule:admin_or_owner",
+ "module:index": "rule:admin_or_owner",
+ "module:show": "rule:admin_or_owner",
+ "module:instances": "rule:admin_or_owner",
+ "module:update": "rule:admin_or_owner"
+}
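Review bot: The empty-string rules on the `datastore:*` and `flavor:*` entries mean "no restriction" to the policy enforcer rather than "denied", and nothing in the file says so, so a later editor can easily read them as the restrictive case. The rendered output must stay strict JSON, but this is a Jinja template, and assuming config_template renders it before parsing the result (as the `.j2` suffix suggests), a Jinja comment is dropped at render time and is the right place for this, e.g. `{# "" = no restriction (datastore:*, flavor:*); names not listed fall back to "default" = admin_or_owner #}` as the first line. The same comment could record that `admin_or_owner` relies on the enforcement target carrying `tenant`, which I would expect to deny rather than allow when absent, worth confirming against the Trove release in use. The spelling of `cluster:reset-status` against `instance:reset_status` is inconsistent but presumably mirrors the names the Trove enforcer checks, so it should be left verbatim rather than normalized.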