From ff5f16600a3627dce52e84b9ecf2ddefa00e516d Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 4 Sep 2021 22:08:28 +0900 Subject: [PATCH] Allow purging policy files This change introduces the new purge_config parameter to the policy class so that any policy rules not managed by puppet manifests can be cleared. Co-Authored-By: Martin Schuppert Depends-On: https://review.opendev.org/802305 Change-Id: Ia5fecab4cb81dda87766b950433cdad3ce75b9eb --- manifests/inspector/policy.pp | 20 +++-- manifests/policy.pp | 20 +++-- .../policy_purge_config-f61123cb72ed68c1.yaml | 6 ++ spec/classes/ironic_inspector_policy_spec.rb | 87 +++++++++++++------ spec/classes/ironic_policy_spec.rb | 87 +++++++++++++------ 5 files changed, 158 insertions(+), 62 deletions(-) create mode 100644 releasenotes/notes/policy_purge_config-f61123cb72ed68c1.yaml diff --git a/manifests/inspector/policy.pp b/manifests/inspector/policy.pp index 64f20e5b..9cf6a652 100644 --- a/manifests/inspector/policy.pp +++ b/manifests/inspector/policy.pp @@ -36,12 +36,18 @@ # (Optional) Path to the ironic-inspector policy folder # Defaults to $::os_service_default # +# [*purge_config*] +# (optional) Whether to set only the specified policy rules in the policy +# file. +# Defaults to false. +# class ironic::inspector::policy ( $enforce_scope = $::os_service_default, $enforce_new_defaults = $::os_service_default, $policies = {}, $policy_path = '/etc/ironic-inspector/policy.yaml', $policy_dirs = $::os_service_default, + $purge_config = false, ) { include ironic::deps 
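Review bot: The new `[*purge_config*]` doc block in manifests/inspector/policy.pp only says the parameter sets "only the specified policy rules", which does not tell an operator that enabling it removes every rule in `$policy_path` that is absent from `$policies`; the release note in this patch states that consequence, the parameter doc does not. The same block is added to manifests/policy.pp. Suggest `# (Optional) Whether to remove from the policy file any rules that are not` / `#   listed in $policies, so that only manifest-managed rules remain.`, and `(Optional)` with a capital O to match the neighbouring entries. The class body continues past the hunk.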
@@ -49,14 +55,16 @@ class ironic::inspector::policy ( validate_legacy(Hash, 'validate_hash', $policies) - Openstacklib::Policy::Base { - file_path => $policy_path, - file_user => 'root', - file_group => $::ironic::params::group, - file_format => 'yaml', + $policy_parameters = { + policies => $policies, + policy_path => $policy_path, + file_user => 'root', + file_group => $::ironic::params::group, + file_format => 'yaml', + purge_config => $purge_config, } - create_resources('openstacklib::policy::base', $policies) + create_resources('openstacklib::policy', { $policy_path => $policy_parameters }) oslo::policy { 'ironic_inspector_config': enforce_scope => $enforce_scope, diff --git a/manifests/policy.pp b/manifests/policy.pp index e0257284..9adf32ac 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -36,12 +36,18 @@ # (Optional) Path to the ironic policy folder # Defaults to $::os_service_default # +# [*purge_config*] +# (optional) Whether to set only the specified policy rules in the policy +# file. +# Defaults to false. +# class ironic::policy ( $enforce_scope = $::os_service_default, $enforce_new_defaults = $::os_service_default, $policies = {}, $policy_path = '/etc/ironic/policy.yaml', $policy_dirs = $::os_service_default, + $purge_config = false, ) { include ironic::deps @@ -49,14 +55,16 @@ class ironic::policy ( validate_legacy(Hash, 'validate_hash', $policies) - Openstacklib::Policy::Base { - file_path => $policy_path, - file_user => 'root', - file_group => $::ironic::params::group, - file_format => 'yaml', + $policy_parameters = { + policies => $policies, + policy_path => $policy_path, + file_user => 'root', + file_group => $::ironic::params::group, + file_format => 'yaml', + purge_config => $purge_config, } - create_resources('openstacklib::policy::base', $policies) + create_resources('openstacklib::policy', { $policy_path => $policy_parameters }) oslo::policy { 'ironic_config': enforce_scope => $enforce_scope, 
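Review bot: `$purge_config` is placed straight into `$policy_parameters` without a type check, while the neighbouring `$policies` goes through `validate_legacy(Hash, 'validate_hash', $policies)`. Unless openstacklib::policy types the parameter as Boolean itself, a string such as 'false' would not be rejected here, and in Puppet a non-empty string is truthy, so an operator could purge a policy file they meant to keep. Add `validate_legacy(Boolean, 'validate_bool', $purge_config)` beside the existing validation; the matching hunk in manifests/policy.pp needs the same line. The enclosing class continues outside the hunk.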
diff --git a/releasenotes/notes/policy_purge_config-f61123cb72ed68c1.yaml b/releasenotes/notes/policy_purge_config-f61123cb72ed68c1.yaml
new file mode 100644
index 00000000..ecb17aed
--- /dev/null
+++ b/releasenotes/notes/policy_purge_config-f61123cb72ed68c1.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds new purge_config parameter. When set to true, the policy file is
+ cleared during configuration process. This allows to remove any existing
+ rules before applying them or clean the file when all policies got removed.
diff --git a/spec/classes/ironic_inspector_policy_spec.rb b/spec/classes/ironic_inspector_policy_spec.rb
index 1db7dd20..9a09a329 100644
--- a/spec/classes/ironic_inspector_policy_spec.rb
+++ b/spec/classes/ironic_inspector_policy_spec.rb
@@ -2,35 +2,72 @@ require 'spec_helper' describe 'ironic::inspector::policy' do shared_examples 'ironic::inspector::policy' do - let :params do - { - :enforce_scope => false, - :enforce_new_defaults => false, - :policy_path => '/etc/ironic-inspector/policy.yaml', - :policy_dirs => '/etc/ironic-inspector/policy.d', - :policies => { - 'context_is_admin' => { - 'key' => 'context_is_admin', - 'value' => 'foo:bar' + + context 'setup policy with parameters' do + let :params do + { + :enforce_scope => false, + :enforce_new_defaults => false, + :policy_path => '/etc/ironic-inspector/policy.yaml', + :policy_dirs => '/etc/ironic-inspector/policy.d', + :policies => { + 'context_is_admin' => { + 'key' => 'context_is_admin', + 'value' => 'foo:bar' + } } } - } + end + + it 'set up the policies' do + is_expected.to contain_openstacklib__policy('/etc/ironic-inspector/policy.yaml').with( + :policies => { + 'context_is_admin' => { + 'key' => 'context_is_admin', + 'value' => 'foo:bar' + } + }, + :policy_path => '/etc/ironic-inspector/policy.yaml', + :file_user => 'root', + :file_group => 'ironic', + :file_format => 'yaml', + :purge_config => false, + ) + is_expected.to contain_oslo__policy('ironic_inspector_config').with( + :enforce_scope => false, + :enforce_new_defaults => false, + :policy_file => '/etc/ironic-inspector/policy.yaml', + :policy_dirs => '/etc/ironic-inspector/policy.d', + ) + end end - it 'set up the policies' do - is_expected.to contain_openstacklib__policy__base('context_is_admin').with({ - :key => 'context_is_admin', - :value => 'foo:bar', - :file_user => 'root', - :file_group => 'ironic', - :file_format => 'yaml', - }) - is_expected.to contain_oslo__policy('ironic_inspector_config').with( - :enforce_scope => false, - :enforce_new_defaults => false, - :policy_file => '/etc/ironic-inspector/policy.yaml', - :policy_dirs => '/etc/ironic-inspector/policy.d', - ) + context 'with empty policies and purge_config enabled' do + let :params do + { + :enforce_scope => false, 
+ :enforce_new_defaults => false, + :policy_path => '/etc/ironic-inspector/policy.yaml', + :policies => {}, + :purge_config => true, + } + end + + it 'set up the policies' do + is_expected.to contain_openstacklib__policy('/etc/ironic-inspector/policy.yaml').with( + :policies => {}, + :policy_path => '/etc/ironic-inspector/policy.yaml', + :file_user => 'root', + :file_group => 'ironic', + :file_format => 'yaml', + :purge_config => true, + ) + is_expected.to contain_oslo__policy('ironic_inspector_config').with( + :enforce_scope => false, + :enforce_new_defaults => false, + :policy_file => '/etc/ironic-inspector/policy.yaml', + ) + end end end diff --git a/spec/classes/ironic_policy_spec.rb b/spec/classes/ironic_policy_spec.rb index d92a0333..1d65fb94 100644 --- a/spec/classes/ironic_policy_spec.rb +++ b/spec/classes/ironic_policy_spec.rb 
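Review bot: Both examples in the new contexts of spec/classes/ironic_inspector_policy_spec.rb carry the same description, 'set up the policies', so a failure in the purge case reads exactly like a failure in the default case in the runner output; name the second one for what it checks, e.g. `it 'purges the policy file and keeps no rules' do`. spec/classes/ironic_policy_spec.rb repeats the same pair of descriptions. Neither file exercises `purge_config => true` together with a non-empty `policies` hash, which is the combination the release note describes as "remove any existing rules before applying them"; a third context covering it would pin the pass-through of both values at once. The surrounding describe block continues outside the hunk.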
@@ -2,35 +2,72 @@ require 'spec_helper' describe 'ironic::policy' do shared_examples 'ironic::policy' do - let :params do - { - :enforce_scope => false, - :enforce_new_defaults => false, - :policy_path => '/etc/ironic/policy.yaml', - :policy_dirs => '/etc/ironic/policy.d', - :policies => { - 'context_is_admin' => { - 'key' => 'context_is_admin', - 'value' => 'foo:bar' + + context 'setup policy with parameters' do + let :params do + { + :enforce_scope => false, + :enforce_new_defaults => false, + :policy_path => '/etc/ironic/policy.yaml', + :policy_dirs => '/etc/ironic/policy.d', + :policies => { + 'context_is_admin' => { + 'key' => 'context_is_admin', + 'value' => 'foo:bar' + } } } - } + end + + it 'set up the policies' do + is_expected.to contain_openstacklib__policy('/etc/ironic/policy.yaml').with( + :policies => { + 'context_is_admin' => { + 'key' => 'context_is_admin', + 'value' => 'foo:bar' + } + }, + :policy_path => '/etc/ironic/policy.yaml', + :file_user => 'root', + :file_group => 'ironic', + :file_format => 'yaml', + :purge_config => false, + ) + is_expected.to contain_oslo__policy('ironic_config').with( + :enforce_scope => false, + :enforce_new_defaults => false, + :policy_file => '/etc/ironic/policy.yaml', + :policy_dirs => '/etc/ironic/policy.d', + ) + end end - it 'set up the policies' do - is_expected.to contain_openstacklib__policy__base('context_is_admin').with({ - :key => 'context_is_admin', - :value => 'foo:bar', - :file_user => 'root', - :file_group => 'ironic', - :file_format => 'yaml', - }) - is_expected.to contain_oslo__policy('ironic_config').with( - :enforce_scope => false, - :enforce_new_defaults => false, - :policy_file => '/etc/ironic/policy.yaml', - :policy_dirs => '/etc/ironic/policy.d', - ) + context 'with empty policies and purge_config enabled' do + let :params do + { + :enforce_scope => false, + :enforce_new_defaults => false, + :policy_path => '/etc/ironic/policy.yaml', + :policies => {}, + :purge_config => true, + } + end + + it 
'set up the policies' do + is_expected.to contain_openstacklib__policy('/etc/ironic/policy.yaml').with( + :policies => {}, + :policy_path => '/etc/ironic/policy.yaml', + :file_user => 'root', + :file_group => 'ironic', + :file_format => 'yaml', + :purge_config => true, + ) + is_expected.to contain_oslo__policy('ironic_config').with( + :enforce_scope => false, + :enforce_new_defaults => false, + :policy_file => '/etc/ironic/policy.yaml', + ) + end end end