Delete policy file if policies hash is empty

If all policies are removed from the hash, the previously created policy
files are not removed and the API keeps enforcing the stale policy file.
Make sure the policy file gets purged when the policies hash is empty.

Depends-On: https://review.opendev.org/802305
Change-Id: Ic9b5ccd8fc23f6cebc06f62d972b64efd2400396
Martin Schuppert 2021-07-26 11:47:33 +02:00 committed by Takashi Kajinami
parent 212ac22431
commit d7c27f5051
5 changed files with 108 additions and 45 deletions


@ -19,21 +19,27 @@
# (Optional) Path to the novajoin policy.yaml file
# Defaults to /etc/novajoin/policy.yaml
#
# [*purge_config*]
# (optional) Whether to set only the specified policy rules in the policy
# file.
# Defaults to false.
#
class nova::metadata::novajoin::policy (
$policies = {},
$policy_path = '/etc/novajoin/policy.yaml',
$policies = {},
$policy_path = '/etc/novajoin/policy.yaml',
$purge_config = false,
) {
validate_legacy(Hash, 'validate_hash', $policies)
$policy_defaults = {
file_path => $policy_path,
file_user => 'root',
file_format => 'yaml',
openstacklib::policy { $policy_path:
policies => $policies,
policy_path => $policy_path,
file_user => 'root',
file_format => 'yaml',
purge_config => $purge_config,
}
create_resources('openstacklib::policy::base', $policies, $policy_defaults)
oslo::policy { 'novajoin_config': policy_file => $policy_path }
}
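Review bot: The `purge_config` parameter comment ("Whether to set only the specified policy rules in the policy file") does not tell the operator the consequence this commit exists for: with `purge_config => true` and an empty `policies` hash the policy file is removed, per the commit message (the removal itself lives in openstacklib::policy, Depends-On 802305, and is not visible here), and at the default `false` rules that were once written but are no longer in `$policies` stay in the file and keep being enforced. I would extend the header to `# When true, rules not present in $policies are dropped and, if $policies is empty, the file is removed so the service falls back to its in-code defaults; when false (default), previously written rules that are no longer in $policies remain in effect.` The class header comment begins before this hunk; the class body itself is fully visible and ends at the closing brace.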


@ -36,12 +36,18 @@
# (Optional) Path to the nova policy folder
# Defaults to $::os_service_default
#
# [*purge_config*]
# (optional) Whether to set only the specified policy rules in the policy
# file.
# Defaults to false.
#
class nova::policy (
$enforce_scope = $::os_service_default,
$enforce_new_defaults = $::os_service_default,
$policies = {},
$policy_path = '/etc/nova/policy.yaml',
$policy_dirs = $::os_service_default,
$purge_config = false,
) {
include nova::deps
@ -49,14 +55,16 @@ class nova::policy (
validate_legacy(Hash, 'validate_hash', $policies)
Openstacklib::Policy::Base {
file_path => $policy_path,
file_user => 'root',
file_group => $::nova::params::group,
file_format => 'yaml',
$policy_parameters = {
policies => $policies,
policy_path => $policy_path,
file_user => 'root',
file_group => $::nova::params::group,
file_format => 'yaml',
purge_config => $purge_config,
}
create_resources('openstacklib::policy::base', $policies)
create_resources('openstacklib::policy', { $policy_path => $policy_parameters })
oslo::policy { 'nova_config':
enforce_scope => $enforce_scope,
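Review bot: The new `$policy_parameters` hash followed by `create_resources('openstacklib::policy', { $policy_path => $policy_parameters })` declares a single resource through `create_resources`, while the sibling change in nova::metadata::novajoin::policy in this same commit writes the same thing as a direct `openstacklib::policy { $policy_path: ... }` declaration; the two manifests should agree. I would drop the intermediate hash and declare `openstacklib::policy { $policy_path:` directly with the same six attributes (`policies`, `policy_path`, `file_user`, `file_group`, `file_format`, `purge_config`), which is shorter and keeps the resource title visible at the declaration. The `purge_config` header comment here has the same gap as in the novajoin manifest: it should state that an empty `$policies` with `purge_config => true` removes the file, and that the default `false` leaves rules that were dropped from the hash in place. The class body continues past this hunk; the `oslo::policy { 'nova_config':` resource is cut off after its first attribute.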


@ -0,0 +1,6 @@
---
features:
- |
Adds new purge_config parameter. When set to true, the policy file is
cleared during configuration process. This allows to remove any existing
rules before applying them or clean the file when all policies got removed.


@ -16,12 +16,18 @@ describe 'nova::metadata::novajoin::policy' do
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
:key => 'context_is_admin',
:value => 'foo:bar',
:file_user => 'root',
:file_format => 'yaml',
})
is_expected.to contain_openstacklib__policy('/etc/novajoin/policy.yaml').with(
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
},
:policy_path => '/etc/novajoin/policy.yaml',
:file_user => 'root',
:file_format => 'yaml',
:purge_config => false,
)
is_expected.to contain_oslo__policy('novajoin_config').with(
:policy_file => '/etc/novajoin/policy.yaml',
)
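Review bot: The updated novajoin spec only checks the `purge_config => false` path with a non-empty `policies` hash, so the behaviour this commit adds for novajoin — an empty hash with `purge_config => true` — has no coverage here, unlike the nova spec in the same commit which gains a dedicated context for it. Mirroring that spec, I would wrap the existing `let :params` / `it` in a `context 'setup policy with parameters'` and add a second context like the one below; where the existing `let` sits relative to a `shared_examples` block is not visible in this hunk, so the exact nesting needs to be confirmed. The `it 'set up the policies'` block is closed outside the hunk.

```ruby
  context 'with empty policies and purge_config enabled' do
    let :params do
      {
        :policies     => {},
        :purge_config => true,
      }
    end

    it 'purges the policy file' do
      is_expected.to contain_openstacklib__policy('/etc/novajoin/policy.yaml').with(
        :policies     => {},
        :policy_path  => '/etc/novajoin/policy.yaml',
        :purge_config => true,
      )
    end
  end
```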


@ -2,35 +2,72 @@ require 'spec_helper'
describe 'nova::policy' do
shared_examples 'nova::policy' do
let :params do
{
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_path => '/etc/nova/policy.yaml',
:policy_dirs => '/etc/nova/policy.d',
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
context 'setup policy with parameters' do
let :params do
{
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_path => '/etc/nova/policy.yaml',
:policy_dirs => '/etc/nova/policy.d',
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
}
}
}
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy('/etc/nova/policy.yaml').with(
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
},
:policy_path => '/etc/nova/policy.yaml',
:file_user => 'root',
:file_group => 'nova',
:file_format => 'yaml',
:purge_config => false,
)
is_expected.to contain_oslo__policy('nova_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/nova/policy.yaml',
:policy_dirs => '/etc/nova/policy.d',
)
end
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
:key => 'context_is_admin',
:value => 'foo:bar',
:file_user => 'root',
:file_group => 'nova',
:file_format => 'yaml',
})
is_expected.to contain_oslo__policy('nova_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/nova/policy.yaml',
:policy_dirs => '/etc/nova/policy.d',
)
context 'with empty policies and purge_config enabled' do
let :params do
{
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_path => '/etc/nova/policy.yaml',
:policies => {},
:purge_config => true,
}
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy('/etc/nova/policy.yaml').with(
:policies => {},
:policy_path => '/etc/nova/policy.yaml',
:file_user => 'root',
:file_group => 'nova',
:file_format => 'yaml',
:purge_config => true,
)
is_expected.to contain_oslo__policy('nova_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/nova/policy.yaml',
)
end
end
end
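Review bot: Both contexts use the same example description `it 'set up the policies' do`, so a failure in the new empty-policies context is reported under a name that says nothing about purging; the second one should read `it 'purges the policy file' do` (or similar) so the RSpec output distinguishes the two cases. Note also that the new context asserts only the parameters handed to `openstacklib::policy` (`:policies => {}`, `:purge_config => true`); whether the file is actually removed is presumably covered in openstacklib's own tests, which are not visible here. The `shared_examples 'nova::policy'` block opened at the top of the hunk appears to close at the final `end`, but the `on_supported_os` wrapper that consumes it lies outside this hunk.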