Delete policy file if policies hash is empty
If all policies get deleted, previously created policy files won't get removed and the api policy file is still used. Let's make sure the policy file gets purged if the policies hash is empty. Depends-On: https://review.opendev.org/802305 Change-Id: Ic9b5ccd8fc23f6cebc06f62d972b64efd2400396
parent
212ac22431
commit
d7c27f5051
@ -19,21 +19,27 @@
|
|||||||
# (Optional) Path to the novajoin policy.yaml file
|
# (Optional) Path to the novajoin policy.yaml file
|
||||||
# Defaults to /etc/novajoin/policy.yaml
|
# Defaults to /etc/novajoin/policy.yaml
|
||||||
#
|
#
|
||||||
|
# [*purge_config*]
|
||||||
|
# (optional) Whether to set only the specified policy rules in the policy
|
||||||
|
# file.
|
||||||
|
# Defaults to false.
|
||||||
|
#
|
||||||
class nova::metadata::novajoin::policy (
|
class nova::metadata::novajoin::policy (
|
||||||
$policies = {},
|
$policies = {},
|
||||||
$policy_path = '/etc/novajoin/policy.yaml',
|
$policy_path = '/etc/novajoin/policy.yaml',
|
||||||
|
$purge_config = false,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
validate_legacy(Hash, 'validate_hash', $policies)
|
validate_legacy(Hash, 'validate_hash', $policies)
|
||||||
|
|
||||||
$policy_defaults = {
|
openstacklib::policy { $policy_path:
|
||||||
file_path => $policy_path,
|
policies => $policies,
|
||||||
file_user => 'root',
|
policy_path => $policy_path,
|
||||||
file_format => 'yaml',
|
file_user => 'root',
|
||||||
|
file_format => 'yaml',
|
||||||
|
purge_config => $purge_config,
|
||||||
}
|
}
|
||||||
|
|
||||||
create_resources('openstacklib::policy::base', $policies, $policy_defaults)
|
|
||||||
|
|
||||||
oslo::policy { 'novajoin_config': policy_file => $policy_path }
|
oslo::policy { 'novajoin_config': policy_file => $policy_path }
|
||||||
|
|
||||||
}
|
}
|
||||||
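Review bot: With `$purge_config = false` as the default in the parameter list, an empty `$policies` hash presumably still leaves the rules an earlier run wrote to `/etc/novajoin/policy.yaml` in place, so the stale authorization overrides described in the commit message stay in effect unless the operator opts in; `nova::policy` uses the same default. The parameter doc should say this outright, for example `# With the default (false), rules removed from $policies stay in the file and are still enforced.` Separately, the `openstacklib::policy` declaration passes `file_user => 'root'` but no `file_group`, whereas `nova::policy` sets one. The group on the novajoin policy file is therefore whatever `openstacklib::policy` defaults to, which is not visible here, so it is worth confirming that only the novajoin service can read the file.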
|
@ -36,12 +36,18 @@
|
|||||||
# (Optional) Path to the nova policy folder
|
# (Optional) Path to the nova policy folder
|
||||||
# Defaults to $::os_service_default
|
# Defaults to $::os_service_default
|
||||||
#
|
#
|
||||||
|
# [*purge_config*]
|
||||||
|
# (optional) Whether to set only the specified policy rules in the policy
|
||||||
|
# file.
|
||||||
|
# Defaults to false.
|
||||||
|
#
|
||||||
class nova::policy (
|
class nova::policy (
|
||||||
$enforce_scope = $::os_service_default,
|
$enforce_scope = $::os_service_default,
|
||||||
$enforce_new_defaults = $::os_service_default,
|
$enforce_new_defaults = $::os_service_default,
|
||||||
$policies = {},
|
$policies = {},
|
||||||
$policy_path = '/etc/nova/policy.yaml',
|
$policy_path = '/etc/nova/policy.yaml',
|
||||||
$policy_dirs = $::os_service_default,
|
$policy_dirs = $::os_service_default,
|
||||||
|
$purge_config = false,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include nova::deps
|
include nova::deps
|
||||||
@ -49,14 +55,16 @@ class nova::policy (
|
|||||||
|
|
||||||
validate_legacy(Hash, 'validate_hash', $policies)
|
validate_legacy(Hash, 'validate_hash', $policies)
|
||||||
|
|
||||||
Openstacklib::Policy::Base {
|
$policy_parameters = {
|
||||||
file_path => $policy_path,
|
policies => $policies,
|
||||||
file_user => 'root',
|
policy_path => $policy_path,
|
||||||
file_group => $::nova::params::group,
|
file_user => 'root',
|
||||||
file_format => 'yaml',
|
file_group => $::nova::params::group,
|
||||||
|
file_format => 'yaml',
|
||||||
|
purge_config => $purge_config,
|
||||||
}
|
}
|
||||||
|
|
||||||
create_resources('openstacklib::policy::base', $policies)
|
create_resources('openstacklib::policy', { $policy_path => $policy_parameters })
|
||||||
|
|
||||||
oslo::policy { 'nova_config':
|
oslo::policy { 'nova_config':
|
||||||
enforce_scope => $enforce_scope,
|
enforce_scope => $enforce_scope,
|
||||||
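Review bot: The policy resource is declared in two different styles within this one commit: `create_resources('openstacklib::policy', { $policy_path => $policy_parameters })` here, and a plain `openstacklib::policy { $policy_path: ... }` declaration in `nova::metadata::novajoin::policy`. Nothing in the hunk needs the indirection, since there is exactly one resource and its title is known, so the direct declaration with the same six attributes would be easier to read and lets `$policy_parameters` go. Keeping both classes in the same form also makes it easier to audit that ownership (`file_user`, `file_group`) and `purge_config` are passed the same way for every policy file. The class body continues outside the hunk.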
|
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Adds new purge_config parameter. When set to true, the policy file is
|
||||||
|
cleared during configuration process. This allows to remove any existing
|
||||||
|
rules before applying them or clean the file when all policies got removed.
|
@ -16,12 +16,18 @@ describe 'nova::metadata::novajoin::policy' do
|
|||||||
end
|
end
|
||||||
|
|
||||||
it 'set up the policies' do
|
it 'set up the policies' do
|
||||||
is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
|
is_expected.to contain_openstacklib__policy('/etc/novajoin/policy.yaml').with(
|
||||||
:key => 'context_is_admin',
|
:policies => {
|
||||||
:value => 'foo:bar',
|
'context_is_admin' => {
|
||||||
:file_user => 'root',
|
'key' => 'context_is_admin',
|
||||||
:file_format => 'yaml',
|
'value' => 'foo:bar'
|
||||||
})
|
}
|
||||||
|
},
|
||||||
|
:policy_path => '/etc/novajoin/policy.yaml',
|
||||||
|
:file_user => 'root',
|
||||||
|
:file_format => 'yaml',
|
||||||
|
:purge_config => false,
|
||||||
|
)
|
||||||
is_expected.to contain_oslo__policy('novajoin_config').with(
|
is_expected.to contain_oslo__policy('novajoin_config').with(
|
||||||
:policy_file => '/etc/novajoin/policy.yaml',
|
:policy_file => '/etc/novajoin/policy.yaml',
|
||||||
)
|
)
|
||||||
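Review bot: The updated example asserts only the default `:purge_config => false`, so the case this commit exists for (empty `policies` with `purge_config` enabled) has no coverage for `nova::metadata::novajoin::policy`, although the `nova::policy` spec adds such a context. A matching context would catch a regression where the parameter stops being forwarded and stale rules silently stay in the file. The surrounding `describe`, the existing `params`, and the end of this `it` block are outside the hunk, so the placement below needs to be confirmed against the full file.

```ruby
# … unchanged: existing 'set up the policies' example …

context 'with empty policies and purge_config enabled' do
  let :params do
    {
      :policy_path  => '/etc/novajoin/policy.yaml',
      :policies     => {},
      :purge_config => true,
    }
  end

  it 'passes purge_config through to the policy resource' do
    is_expected.to contain_openstacklib__policy('/etc/novajoin/policy.yaml').with(
      :policies     => {},
      :purge_config => true,
    )
  end
end
```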
|
@ -2,35 +2,72 @@ require 'spec_helper'
|
|||||||
|
|
||||||
describe 'nova::policy' do
|
describe 'nova::policy' do
|
||||||
shared_examples 'nova::policy' do
|
shared_examples 'nova::policy' do
|
||||||
let :params do
|
|
||||||
{
|
context 'setup policy with parameters' do
|
||||||
:enforce_scope => false,
|
let :params do
|
||||||
:enforce_new_defaults => false,
|
{
|
||||||
:policy_path => '/etc/nova/policy.yaml',
|
:enforce_scope => false,
|
||||||
:policy_dirs => '/etc/nova/policy.d',
|
:enforce_new_defaults => false,
|
||||||
:policies => {
|
:policy_path => '/etc/nova/policy.yaml',
|
||||||
'context_is_admin' => {
|
:policy_dirs => '/etc/nova/policy.d',
|
||||||
'key' => 'context_is_admin',
|
:policies => {
|
||||||
'value' => 'foo:bar'
|
'context_is_admin' => {
|
||||||
|
'key' => 'context_is_admin',
|
||||||
|
'value' => 'foo:bar'
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
end
|
||||||
|
|
||||||
|
it 'set up the policies' do
|
||||||
|
is_expected.to contain_openstacklib__policy('/etc/nova/policy.yaml').with(
|
||||||
|
:policies => {
|
||||||
|
'context_is_admin' => {
|
||||||
|
'key' => 'context_is_admin',
|
||||||
|
'value' => 'foo:bar'
|
||||||
|
}
|
||||||
|
},
|
||||||
|
:policy_path => '/etc/nova/policy.yaml',
|
||||||
|
:file_user => 'root',
|
||||||
|
:file_group => 'nova',
|
||||||
|
:file_format => 'yaml',
|
||||||
|
:purge_config => false,
|
||||||
|
)
|
||||||
|
is_expected.to contain_oslo__policy('nova_config').with(
|
||||||
|
:enforce_scope => false,
|
||||||
|
:enforce_new_defaults => false,
|
||||||
|
:policy_file => '/etc/nova/policy.yaml',
|
||||||
|
:policy_dirs => '/etc/nova/policy.d',
|
||||||
|
)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'set up the policies' do
|
context 'with empty policies and purge_config enabled' do
|
||||||
is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
|
let :params do
|
||||||
:key => 'context_is_admin',
|
{
|
||||||
:value => 'foo:bar',
|
:enforce_scope => false,
|
||||||
:file_user => 'root',
|
:enforce_new_defaults => false,
|
||||||
:file_group => 'nova',
|
:policy_path => '/etc/nova/policy.yaml',
|
||||||
:file_format => 'yaml',
|
:policies => {},
|
||||||
})
|
:purge_config => true,
|
||||||
is_expected.to contain_oslo__policy('nova_config').with(
|
}
|
||||||
:enforce_scope => false,
|
end
|
||||||
:enforce_new_defaults => false,
|
|
||||||
:policy_file => '/etc/nova/policy.yaml',
|
it 'set up the policies' do
|
||||||
:policy_dirs => '/etc/nova/policy.d',
|
is_expected.to contain_openstacklib__policy('/etc/nova/policy.yaml').with(
|
||||||
)
|
:policies => {},
|
||||||
|
:policy_path => '/etc/nova/policy.yaml',
|
||||||
|
:file_user => 'root',
|
||||||
|
:file_group => 'nova',
|
||||||
|
:file_format => 'yaml',
|
||||||
|
:purge_config => true,
|
||||||
|
)
|
||||||
|
is_expected.to contain_oslo__policy('nova_config').with(
|
||||||
|
:enforce_scope => false,
|
||||||
|
:enforce_new_defaults => false,
|
||||||
|
:policy_file => '/etc/nova/policy.yaml',
|
||||||
|
)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
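Review bot: Both new contexts name their example `it 'set up the policies' do`, including the one under 'with empty policies and purge_config enabled', where no policies are set up at all. Something like `it 'passes purge_config to openstacklib::policy' do` would make a failure report say what actually broke. That example also only checks that the parameter reaches `openstacklib::policy`; the actual clearing of the file is presumably tested in the change named by Depends-On, and a one-line comment saying so would help. There is also no example for empty `policies` with the default `purge_config`, which is the configuration where previously written rules would remain.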
|