openstack
/
puppet-ironic
Code Issues Proposed changes

Allow purging policy files

Browse Source 
This change introduces the new purge_config parameter to the policy
class so that any policy rules not managed by puppet manifests can be
cleared.

Co-Authored-By: Martin Schuppert <mschuppert@redhat.com>
Depends-On: https://review.opendev.org/802305
Change-Id: Ia5fecab4cb81dda87766b950433cdad3ce75b9eb
changes/39/807439/2
Takashi Kajinami 1 year ago
parent 17eb103f4a
commit ff5f16600a
5 changed files with 158 additions and 62 deletions
Show Stats Download Patch File Download Diff File

20
manifests/inspector/policy.pp
Unescape View File

@ -36,12 +36,18 @@
# (Optional) Path to the ironic-inspector policy folder
# Defaults to $::os_service_default
#
# [*purge_config*]
# (optional) Whether to set only the specified policy rules in the policy
# file.
# Defaults to false.
#
class ironic::inspector::policy (
$enforce_scope = $::os_service_default,
$enforce_new_defaults = $::os_service_default,
$policies = {},
$policy_path = '/etc/ironic-inspector/policy.yaml',
$policy_dirs = $::os_service_default,
$purge_config = false,
) {
include ironic::deps
@ -49,14 +55,16 @@ class ironic::inspector::policy (
validate_legacy(Hash, 'validate_hash', $policies)
Openstacklib::Policy::Base {
file_path => $policy_path,
file_user => 'root',
file_group => $::ironic::params::group,
file_format => 'yaml',
$policy_parameters = {
policies => $policies,
policy_path => $policy_path,
file_user => 'root',
file_group => $::ironic::params::group,
file_format => 'yaml',
purge_config => $purge_config,
}
create_resources('openstacklib::policy::base', $policies)
create_resources('openstacklib::policy', { $policy_path => $policy_parameters })
oslo::policy { 'ironic_inspector_config':
enforce_scope => $enforce_scope,

20
manifests/policy.pp
Unescape View File

@ -36,12 +36,18 @@
# (Optional) Path to the ironic policy folder
# Defaults to $::os_service_default
#
# [*purge_config*]
# (optional) Whether to set only the specified policy rules in the policy
# file.
# Defaults to false.
#
class ironic::policy (
$enforce_scope = $::os_service_default,
$enforce_new_defaults = $::os_service_default,
$policies = {},
$policy_path = '/etc/ironic/policy.yaml',
$policy_dirs = $::os_service_default,
$purge_config = false,
) {
include ironic::deps
@ -49,14 +55,16 @@ class ironic::policy (
validate_legacy(Hash, 'validate_hash', $policies)
Openstacklib::Policy::Base {
file_path => $policy_path,
file_user => 'root',
file_group => $::ironic::params::group,
file_format => 'yaml',
$policy_parameters = {
policies => $policies,
policy_path => $policy_path,
file_user => 'root',
file_group => $::ironic::params::group,
file_format => 'yaml',
purge_config => $purge_config,
}
create_resources('openstacklib::policy::base', $policies)
create_resources('openstacklib::policy', { $policy_path => $policy_parameters })
oslo::policy { 'ironic_config':
enforce_scope => $enforce_scope,

6
releasenotes/notes/policy_purge_config-f61123cb72ed68c1.yaml
Unescape View File

@ -0,0 +1,6 @@
---
features:
- |
Adds new purge_config parameter. When set to true, the policy file is
cleared during configuration process. This allows to remove any existing
rules before applying them or clean the file when all policies got removed.

87
spec/classes/ironic_inspector_policy_spec.rb
Unescape View File

@ -2,35 +2,72 @@ require 'spec_helper'
describe 'ironic::inspector::policy' do
shared_examples 'ironic::inspector::policy' do
let :params do
{
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_path => '/etc/ironic-inspector/policy.yaml',
:policy_dirs => '/etc/ironic-inspector/policy.d',
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
context 'setup policy with parameters' do
let :params do
{
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_path => '/etc/ironic-inspector/policy.yaml',
:policy_dirs => '/etc/ironic-inspector/policy.d',
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
}
}
}
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy('/etc/ironic-inspector/policy.yaml').with(
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
},
:policy_path => '/etc/ironic-inspector/policy.yaml',
:file_user => 'root',
:file_group => 'ironic',
:file_format => 'yaml',
:purge_config => false,
)
is_expected.to contain_oslo__policy('ironic_inspector_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/ironic-inspector/policy.yaml',
:policy_dirs => '/etc/ironic-inspector/policy.d',
)
end
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
:key => 'context_is_admin',
:value => 'foo:bar',
:file_user => 'root',
:file_group => 'ironic',
:file_format => 'yaml',
})
is_expected.to contain_oslo__policy('ironic_inspector_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/ironic-inspector/policy.yaml',
:policy_dirs => '/etc/ironic-inspector/policy.d',
)
context 'with empty policies and purge_config enabled' do
let :params do
{
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_path => '/etc/ironic-inspector/policy.yaml',
:policies => {},
:purge_config => true,
}
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy('/etc/ironic-inspector/policy.yaml').with(
:policies => {},
:policy_path => '/etc/ironic-inspector/policy.yaml',
:file_user => 'root',
:file_group => 'ironic',
:file_format => 'yaml',
:purge_config => true,
)
is_expected.to contain_oslo__policy('ironic_inspector_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/ironic-inspector/policy.yaml',
)
end
end
end

87
spec/classes/ironic_policy_spec.rb
Unescape View File

@ -2,35 +2,72 @@ require 'spec_helper'
describe 'ironic::policy' do
shared_examples 'ironic::policy' do
let :params do
{
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_path => '/etc/ironic/policy.yaml',
:policy_dirs => '/etc/ironic/policy.d',
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
context 'setup policy with parameters' do
let :params do
{
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_path => '/etc/ironic/policy.yaml',
:policy_dirs => '/etc/ironic/policy.d',
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
}
}
}
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy('/etc/ironic/policy.yaml').with(
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
},
:policy_path => '/etc/ironic/policy.yaml',
:file_user => 'root',
:file_group => 'ironic',
:file_format => 'yaml',
:purge_config => false,
)
is_expected.to contain_oslo__policy('ironic_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/ironic/policy.yaml',
:policy_dirs => '/etc/ironic/policy.d',
)
end
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
:key => 'context_is_admin',
:value => 'foo:bar',
:file_user => 'root',
:file_group => 'ironic',
:file_format => 'yaml',
})
is_expected.to contain_oslo__policy('ironic_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/ironic/policy.yaml',
:policy_dirs => '/etc/ironic/policy.d',
)
context 'with empty policies and purge_config enabled' do
let :params do
{
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_path => '/etc/ironic/policy.yaml',
:policies => {},
:purge_config => true,
}
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy('/etc/ironic/policy.yaml').with(
:policies => {},
:policy_path => '/etc/ironic/policy.yaml',
:file_user => 'root',
:file_group => 'ironic',
:file_format => 'yaml',
:purge_config => true,
)
is_expected.to contain_oslo__policy('ironic_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/ironic/policy.yaml',
)
end
end
end

Write Preview
Loading…
Cancel
Save