Merge "Allow purging policy files"

Zuul 2021-09-20 08:30:26 +00:00 committed by Gerrit Code Review
commit 4b790c23b0
5 changed files with 158 additions and 62 deletions


@ -36,12 +36,18 @@
# (Optional) Path to the ironic-inspector policy folder # (Optional) Path to the ironic-inspector policy folder
# Defaults to $::os_service_default # Defaults to $::os_service_default
# #
# [*purge_config*]
# (optional) Whether to set only the specified policy rules in the policy
# file.
# Defaults to false.
#
class ironic::inspector::policy ( class ironic::inspector::policy (
$enforce_scope = $::os_service_default, $enforce_scope = $::os_service_default,
$enforce_new_defaults = $::os_service_default, $enforce_new_defaults = $::os_service_default,
$policies = {}, $policies = {},
$policy_path = '/etc/ironic-inspector/policy.yaml', $policy_path = '/etc/ironic-inspector/policy.yaml',
$policy_dirs = $::os_service_default, $policy_dirs = $::os_service_default,
$purge_config = false,
) { ) {
include ironic::deps include ironic::deps
@ -49,14 +55,16 @@ class ironic::inspector::policy (
validate_legacy(Hash, 'validate_hash', $policies) validate_legacy(Hash, 'validate_hash', $policies)
Openstacklib::Policy::Base { $policy_parameters = {
file_path => $policy_path, policies => $policies,
file_user => 'root', policy_path => $policy_path,
file_group => $::ironic::params::group, file_user => 'root',
file_format => 'yaml', file_group => $::ironic::params::group,
file_format => 'yaml',
purge_config => $purge_config,
} }
create_resources('openstacklib::policy::base', $policies) create_resources('openstacklib::policy', { $policy_path => $policy_parameters })
oslo::policy { 'ironic_inspector_config': oslo::policy { 'ironic_inspector_config':
enforce_scope => $enforce_scope, enforce_scope => $enforce_scope,
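Review bot: The `purge_config` doc comment does not say what happens to rules that are already in the file but missing from `$policies`, and the new parameter is accepted without a type check. Because `$policies` defaults to `{}`, enabling purging with no rules declared leaves `$policy_path` empty, so the service would presumably fall back to its built-in policy defaults and drop any operator overrides; the comment should state this, e.g. `# When true, rules not listed in $policies are removed from $policy_path.` As far as this hunk shows, only `$policy_path` is handed to `openstacklib::policy`, so it is worth adding that files under `$policy_dirs` are not covered by the purge. A non-empty string such as `'false'` is truthy in Puppet, so consider `validate_legacy(Boolean, 'validate_bool', $purge_config)` next to the existing `validate_legacy` call, unless `openstacklib::policy` already enforces the type (not visible here). The same points apply to `ironic::policy` in the next file section, and the class body continues outside the hunk.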


@ -36,12 +36,18 @@
# (Optional) Path to the ironic policy folder # (Optional) Path to the ironic policy folder
# Defaults to $::os_service_default # Defaults to $::os_service_default
# #
# [*purge_config*]
# (optional) Whether to set only the specified policy rules in the policy
# file.
# Defaults to false.
#
class ironic::policy ( class ironic::policy (
$enforce_scope = $::os_service_default, $enforce_scope = $::os_service_default,
$enforce_new_defaults = $::os_service_default, $enforce_new_defaults = $::os_service_default,
$policies = {}, $policies = {},
$policy_path = '/etc/ironic/policy.yaml', $policy_path = '/etc/ironic/policy.yaml',
$policy_dirs = $::os_service_default, $policy_dirs = $::os_service_default,
$purge_config = false,
) { ) {
include ironic::deps include ironic::deps
@ -49,14 +55,16 @@ class ironic::policy (
validate_legacy(Hash, 'validate_hash', $policies) validate_legacy(Hash, 'validate_hash', $policies)
Openstacklib::Policy::Base { $policy_parameters = {
file_path => $policy_path, policies => $policies,
file_user => 'root', policy_path => $policy_path,
file_group => $::ironic::params::group, file_user => 'root',
file_format => 'yaml', file_group => $::ironic::params::group,
file_format => 'yaml',
purge_config => $purge_config,
} }
create_resources('openstacklib::policy::base', $policies) create_resources('openstacklib::policy', { $policy_path => $policy_parameters })
oslo::policy { 'ironic_config': oslo::policy { 'ironic_config':
enforce_scope => $enforce_scope, enforce_scope => $enforce_scope,


@ -0,0 +1,6 @@
---
features:
- |
Adds new purge_config parameter. When set to true, the policy file is
cleared during configuration process. This allows to remove any existing
rules before applying them or clean the file when all policies got removed.


@ -2,35 +2,72 @@ require 'spec_helper'
describe 'ironic::inspector::policy' do describe 'ironic::inspector::policy' do
shared_examples 'ironic::inspector::policy' do shared_examples 'ironic::inspector::policy' do
let :params do
{ context 'setup policy with parameters' do
:enforce_scope => false, let :params do
:enforce_new_defaults => false, {
:policy_path => '/etc/ironic-inspector/policy.yaml', :enforce_scope => false,
:policy_dirs => '/etc/ironic-inspector/policy.d', :enforce_new_defaults => false,
:policies => { :policy_path => '/etc/ironic-inspector/policy.yaml',
'context_is_admin' => { :policy_dirs => '/etc/ironic-inspector/policy.d',
'key' => 'context_is_admin', :policies => {
'value' => 'foo:bar' 'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
} }
} }
} end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy('/etc/ironic-inspector/policy.yaml').with(
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
},
:policy_path => '/etc/ironic-inspector/policy.yaml',
:file_user => 'root',
:file_group => 'ironic',
:file_format => 'yaml',
:purge_config => false,
)
is_expected.to contain_oslo__policy('ironic_inspector_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/ironic-inspector/policy.yaml',
:policy_dirs => '/etc/ironic-inspector/policy.d',
)
end
end end
it 'set up the policies' do context 'with empty policies and purge_config enabled' do
is_expected.to contain_openstacklib__policy__base('context_is_admin').with({ let :params do
:key => 'context_is_admin', {
:value => 'foo:bar', :enforce_scope => false,
:file_user => 'root', :enforce_new_defaults => false,
:file_group => 'ironic', :policy_path => '/etc/ironic-inspector/policy.yaml',
:file_format => 'yaml', :policies => {},
}) :purge_config => true,
is_expected.to contain_oslo__policy('ironic_inspector_config').with( }
:enforce_scope => false, end
:enforce_new_defaults => false,
:policy_file => '/etc/ironic-inspector/policy.yaml', it 'set up the policies' do
:policy_dirs => '/etc/ironic-inspector/policy.d', is_expected.to contain_openstacklib__policy('/etc/ironic-inspector/policy.yaml').with(
) :policies => {},
:policy_path => '/etc/ironic-inspector/policy.yaml',
:file_user => 'root',
:file_group => 'ironic',
:file_format => 'yaml',
:purge_config => true,
)
is_expected.to contain_oslo__policy('ironic_inspector_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/ironic-inspector/policy.yaml',
)
end
end end
end end
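Review bot: The new contexts exercise `:purge_config => true` only together with an empty `:policies` hash, so the combination of purging enabled with declared rules is never asserted. That is the case where the policy file is expected to end up holding exactly the declared rules, and a regression in how `policies` and `purge_config` are passed together would go unnoticed. Both `it` blocks are also named 'set up the policies'; a distinct description for the purge context would make failures easier to read. The `ironic::policy` spec in the next file section has the same gap.

```ruby
    # … unchanged: 'setup policy with parameters' and 'with empty policies and purge_config enabled' contexts …
    context 'with policies and purge_config enabled' do
      let :params do
        {
          :policy_path  => '/etc/ironic-inspector/policy.yaml',
          :policies     => {
            'context_is_admin' => {
              'key'   => 'context_is_admin',
              'value' => 'foo:bar'
            }
          },
          :purge_config => true,
        }
      end

      it 'passes the declared rules with purging enabled' do
        is_expected.to contain_openstacklib__policy('/etc/ironic-inspector/policy.yaml').with(
          :policies     => params[:policies],
          :purge_config => true,
        )
      end
    end
```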


@ -2,35 +2,72 @@ require 'spec_helper'
describe 'ironic::policy' do describe 'ironic::policy' do
shared_examples 'ironic::policy' do shared_examples 'ironic::policy' do
let :params do
{ context 'setup policy with parameters' do
:enforce_scope => false, let :params do
:enforce_new_defaults => false, {
:policy_path => '/etc/ironic/policy.yaml', :enforce_scope => false,
:policy_dirs => '/etc/ironic/policy.d', :enforce_new_defaults => false,
:policies => { :policy_path => '/etc/ironic/policy.yaml',
'context_is_admin' => { :policy_dirs => '/etc/ironic/policy.d',
'key' => 'context_is_admin', :policies => {
'value' => 'foo:bar' 'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
} }
} }
} end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy('/etc/ironic/policy.yaml').with(
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
},
:policy_path => '/etc/ironic/policy.yaml',
:file_user => 'root',
:file_group => 'ironic',
:file_format => 'yaml',
:purge_config => false,
)
is_expected.to contain_oslo__policy('ironic_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/ironic/policy.yaml',
:policy_dirs => '/etc/ironic/policy.d',
)
end
end end
it 'set up the policies' do context 'with empty policies and purge_config enabled' do
is_expected.to contain_openstacklib__policy__base('context_is_admin').with({ let :params do
:key => 'context_is_admin', {
:value => 'foo:bar', :enforce_scope => false,
:file_user => 'root', :enforce_new_defaults => false,
:file_group => 'ironic', :policy_path => '/etc/ironic/policy.yaml',
:file_format => 'yaml', :policies => {},
}) :purge_config => true,
is_expected.to contain_oslo__policy('ironic_config').with( }
:enforce_scope => false, end
:enforce_new_defaults => false,
:policy_file => '/etc/ironic/policy.yaml', it 'set up the policies' do
:policy_dirs => '/etc/ironic/policy.d', is_expected.to contain_openstacklib__policy('/etc/ironic/policy.yaml').with(
) :policies => {},
:policy_path => '/etc/ironic/policy.yaml',
:file_user => 'root',
:file_group => 'ironic',
:file_format => 'yaml',
:purge_config => true,
)
is_expected.to contain_oslo__policy('ironic_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/ironic/policy.yaml',
)
end
end end
end end