Allow purging policy files

This change introduces the new purge_config parameter to the policy class so that any policy rules not managed by puppet manifests can be cleared. Co-Authored-By: Martin Schuppert <mschuppert@redhat.com> Depends-On: https://review.opendev.org/802305 Change-Id: I44145c4a07b5f21680d2e32ca4bc3436edb191ba
2021-09-04 22:12:07 +09:00 · 2021-09-04 22:12:07 +09:00 · 6b7fd1b643
parent 3c0b8b5fe2
commit 6b7fd1b643
3 changed files with 83 additions and 32 deletions
--- a/manifests/policy.pp
+++ b/manifests/policy.pp
@ -33,15 +33,21 @@
 #   Defaults to /etc/magnum/policy.yaml
 #
 # [*policy_dirs*]
-#   (Optional) Path to the keystone policy folder
+#   (Optional) Path to the magnum policy folder
 #   Defaults to $::os_service_default
 #
+# [*purge_config*]
+#   (optional) Whether to set only the specified policy rules in the policy
+#    file.
+#    Defaults to false.
+#
 class magnum::policy (
  $enforce_scope        = $::os_service_default,
  $enforce_new_defaults = $::os_service_default,
  $policies             = {},
  $policy_path          = '/etc/magnum/policy.yaml',
  $policy_dirs          = $::os_service_default,
+  $purge_config         = false,
 ) {

  include magnum::deps
@ -49,14 +55,16 @@ class magnum::policy (

  validate_legacy(Hash, 'validate_hash', $policies)

-  Openstacklib::Policy::Base {
-    file_path   => $policy_path,
-    file_user   => 'root',
-    file_group  => $::magnum::params::group,
-    file_format => 'yaml',
+  $policy_parameters = {
+    policies     => $policies,
+    policy_path  => $policy_path,
+    file_user    => 'root',
+    file_group   => $::magnum::params::group,
+    file_format  => 'yaml',
+    purge_config => $purge_config,
  }

-  create_resources('openstacklib::policy::base', $policies)
+  create_resources('openstacklib::policy', { $policy_path => $policy_parameters })

  oslo::policy { 'magnum_config':
    enforce_scope        => $enforce_scope,
--- a/releasenotes/notes/policy_purge_config-af5675fcb2b9ad76.yaml
+++ b/releasenotes/notes/policy_purge_config-af5675fcb2b9ad76.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds new purge_config parameter. When set to true, the policy file is
+    cleared during configuration process. This allows to remove any existing
+    rules before applying them or clean the file when all policies got removed.
--- a/spec/classes/magnum_policy_spec.rb
+++ b/spec/classes/magnum_policy_spec.rb
@ -2,35 +2,72 @@ require 'spec_helper'

 describe 'magnum::policy' do
  shared_examples 'magnum::policy' do
-    let :params do
-      {
-        :enforce_scope        => false,
-        :enforce_new_defaults => false,
-        :policy_path          => '/etc/magnum/policy.yaml',
-        :policy_dirs          => '/etc/magnum/policy.d',
-        :policies             => {
-          'context_is_admin' => {
-            'key'   => 'context_is_admin',
-            'value' => 'foo:bar'
+
+    context 'setup policy with parameters' do
+      let :params do
+        {
+          :enforce_scope        => false,
+          :enforce_new_defaults => false,
+          :policy_path          => '/etc/magnum/policy.yaml',
+          :policy_dirs          => '/etc/magnum/policy.d',
+          :policies             => {
+            'context_is_admin' => {
+              'key'   => 'context_is_admin',
+              'value' => 'foo:bar'
+            }
          }
        }
-      }
+      end
+
+      it 'set up the policies' do
+        is_expected.to contain_openstacklib__policy('/etc/magnum/policy.yaml').with(
+          :policies     => {
+            'context_is_admin' => {
+              'key'   => 'context_is_admin',
+              'value' => 'foo:bar'
+            }
+          },
+          :policy_path  => '/etc/magnum/policy.yaml',
+          :file_user    => 'root',
+          :file_group   => 'magnum',
+          :file_format  => 'yaml',
+          :purge_config => false,
+        )
+        is_expected.to contain_oslo__policy('magnum_config').with(
+          :enforce_scope        => false,
+          :enforce_new_defaults => false,
+          :policy_file          => '/etc/magnum/policy.yaml',
+          :policy_dirs          => '/etc/magnum/policy.d',
+        )
+      end
    end

-    it 'set up the policies' do
-      is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
-        :key         => 'context_is_admin',
-        :value       => 'foo:bar',
-        :file_user   => 'root',
-        :file_group  => 'magnum',
-        :file_format => 'yaml',
-      })
-      is_expected.to contain_oslo__policy('magnum_config').with(
-        :enforce_scope        => false,
-        :enforce_new_defaults => false,
-        :policy_file          => '/etc/magnum/policy.yaml',
-        :policy_dirs          => '/etc/magnum/policy.d',
-      )
+    context 'with empty policies and purge_config enabled' do
+      let :params do
+        {
+          :enforce_scope        => false,
+          :enforce_new_defaults => false,
+          :policy_path          => '/etc/magnum/policy.yaml',
+          :policies             => {},
+          :purge_config         => true,
+        }
+      end
+
+      it 'set up the policies' do
+        is_expected.to contain_openstacklib__policy('/etc/magnum/policy.yaml').with(
+          :policies     => {},
+          :policy_path  => '/etc/magnum/policy.yaml',
+          :file_user    => 'root',
+          :file_group   => 'magnum',
+          :file_format  => 'yaml',
+          :purge_config => true,
+        )
+        is_expected.to contain_oslo__policy('magnum_config').with(
+          :enforce_scope        => false,
+          :enforce_new_defaults => false,
+          :policy_file          => '/etc/magnum/policy.yaml',
+        )
+      end
    end
  end