From 23b8e8045693473d2149a19924d3a9fe1abe03cd Mon Sep 17 00:00:00 2001 From: Emilien Macchi Date: Wed, 10 Jan 2018 14:09:29 -0800 Subject: [PATCH] Add group to policy management The move of policy.json into code means the file may not exist. We've added support to ensure that the file exists in the openstacklib but we need to make sure the permissions are right for each service. This adds the group information to the policies so it works right. Depends-On: I26e8b1384f4f69712da9d06a4c565dfd1f17c9ed Change-Id: I4dfcf05aa8418df3ee1a13925f0831dc30921186 Co-Authored-By: Alex Schultz --- manifests/params.pp | 1 + manifests/policy.pp | 7 ++++++- spec/classes/keystone_policy_spec.rb | 7 ++++--- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 0d61acfb0..04d31fc42 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -8,6 +8,7 @@ class keystone::params { $keystone_group = 'keystone' $keystone_wsgi_admin_script_path = '/usr/bin/keystone-wsgi-admin' $keystone_wsgi_public_script_path = '/usr/bin/keystone-wsgi-public' + $group = 'keystone' case $::osfamily { 'Debian': { $package_name = 'keystone' diff --git a/manifests/policy.pp b/manifests/policy.pp index a484208eb..2451d674b 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -29,13 +29,18 @@ class keystone::policy ( ) { include ::keystone::deps + include ::keystone::params validate_hash($policies) Openstacklib::Policy::Base { - file_path => $policy_path, + file_path => $policy_path, + file_user => 'root', + file_group => $::keystone::params::group, } create_resources('openstacklib::policy::base', $policies) + oslo::policy { 'keystone_config': policy_file => $policy_path } + } diff --git a/spec/classes/keystone_policy_spec.rb b/spec/classes/keystone_policy_spec.rb index f36672500..53bb8f65d 100644 --- a/spec/classes/keystone_policy_spec.rb +++ b/spec/classes/keystone_policy_spec.rb @@ -17,8 +17,10 @@ describe 'keystone::policy' do it 'set up the policies' do is_expected.to contain_openstacklib__policy__base('context_is_admin').with({ - :key => 'context_is_admin', - :value => 'foo:bar' + :key => 'context_is_admin', + :value => 'foo:bar', + :file_user => 'root', + :file_group => 'keystone', }) is_expected.to contain_oslo__policy('keystone_config').with( :policy_file => '/etc/keystone/policy.json', @@ -37,5 +39,4 @@ describe 'keystone::policy' do it_configures 'keystone policies' end end - end