Ensure policy file exists
With the move of existing policy.json files into code, the file may no longer be shipped by packaging. The json augeas lens requires that the file exist or it fails. This change adds a file resource to ensure the file exists with a basic json construct prior to managing the contents with augeas. Change-Id: I26e8b1384f4f69712da9d06a4c565dfd1f17c9ed Related-Bug: #1742154
parent
c99e470cc8
commit
2040b31029
|
@ -16,12 +16,35 @@
|
|||
# The value to set
|
||||
# string; optional; the value to set
|
||||
#
|
||||
# [*file_mode*]
|
||||
# (optional) Permission mode for the policy file
|
||||
# Defaults to '0640'
|
||||
#
|
||||
# [*file_user*]
|
||||
# (optional) User for the policy file
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*file_group*]
|
||||
# (optional) Group for the policy file
|
||||
# Defaults to undef
|
||||
#
|
||||
define openstacklib::policy::base (
|
||||
$file_path,
|
||||
$key,
|
||||
$value = '',
|
||||
$file_mode = '0640',
|
||||
$file_user = undef,
|
||||
$file_group = undef,
|
||||
) {
|
||||
|
||||
ensure_resource('file', $file_path, {
|
||||
mode => $file_mode,
|
||||
owner => $file_user,
|
||||
group => $file_group,
|
||||
replace => false, # augeas will manage the content, we just need to make sure it exists
|
||||
content => '{}'
|
||||
})
|
||||
|
||||
# Add entry if it doesn't exists
|
||||
augeas { "${file_path}-${key}-${value}-add":
|
||||
lens => 'Json.lns',
|
||||
|
@ -40,7 +63,8 @@ define openstacklib::policy::base (
|
|||
changes => "set dict/entry[*][.=\"${key}\"]/string \"${value}\"",
|
||||
}
|
||||
|
||||
Augeas<| title == "${file_path}-${key}-${value}-add" |>
|
||||
File<| title == $file_path |>
|
||||
-> Augeas<| title == "${file_path}-${key}-${value}-add" |>
|
||||
~> Augeas<| title == "${file_path}-${key}-${value}" |>
|
||||
|
||||
}
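Review bot: With `$file_user` and `$file_group` left at `undef`, a policy file that this `ensure_resource` call has to create gets the agent's own ownership (normally root:root) at mode '0640', so the service account may be unable to read the overrides that augeas then writes into it. The release note mentions this, but the parameter docs in the first hunk do not; under `[*file_user*]` and `[*file_group*]` I would add a line such as `#   If the file does not exist yet and this is undef, it is created owned by root and the service may not be able to read it.` Separately, `ensure_resource` only de-duplicates identical declarations, so every `openstacklib::policy::base` for the same `$file_path` has to pass the same mode, user and group or catalog compilation fails with a duplicate declaration; a short comment above the call would save the next caller from finding that out the hard way. Part of the define between the two hunks is not shown.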
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
The upstream services are moving their policy files into code which means
|
||||
they may not exist if a user tries to customize the policies. We've added
|
||||
an file resource to openstacklib::policy::base to ensure the file exists
|
||||
but this means that the user/group need to be passed into the module or
|
||||
it will possibly lock out services from being able to read this file as
|
||||
the defaults limit it to just root:root.
|
|
@ -3,18 +3,30 @@ require 'spec_helper'
|
|||
describe 'openstacklib::policy::base' do
|
||||
|
||||
|
||||
shared_examples_for 'openstacklib::policy' do
|
||||
shared_examples_for 'openstacklib::policy::base' do
|
||||
context 'with some basic parameters' do
|
||||
let :title do
|
||||
'nova-contest_is_admin'
|
||||
end
|
||||
|
||||
let :params do
|
||||
{:file_path => '/etc/nova/policy.json',
|
||||
:key => 'context_is_admin or owner',
|
||||
:value => 'foo:bar'}
|
||||
{
|
||||
:file_path => '/etc/nova/policy.json',
|
||||
:key => 'context_is_admin or owner',
|
||||
:value => 'foo:bar',
|
||||
:file_mode => '0644',
|
||||
:file_user => 'foo',
|
||||
:file_group => 'bar'
|
||||
}
|
||||
end
|
||||
|
||||
it {
|
||||
is_expected.to contain_file('/etc/nova/policy.json').with(
|
||||
:mode => '0644',
|
||||
:owner => 'foo',
|
||||
:group => 'bar')
|
||||
}
|
||||
|
||||
it 'configures (modifies) the proper policy' do
|
||||
is_expected.to contain_augeas('/etc/nova/policy.json-context_is_admin or owner-foo:bar').with(
|
||||
'lens' => 'Json.lns',
|
||||
|
@ -45,7 +57,7 @@ describe 'openstacklib::policy::base' do
|
|||
facts.merge!(OSDefaults.get_facts())
|
||||
end
|
||||
|
||||
it_configures 'openstacklib::policy'
|
||||
it_configures 'openstacklib::policy::base'
|
||||
end
|
||||
end
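Review bot: The new `contain_file` expectation pins only mode, owner and group, so nothing in the spec covers the two attributes that stop this resource from overwriting an existing policy file. I would extend it to `.with(:mode => '0644', :owner => 'foo', :group => 'bar', :replace => false, :content => '{}')`. A second context that omits `file_mode`, `file_user` and `file_group` would also pin the '0640' default and confirm that owner and group stay unmanaged, which is the case the release note warns about. The `describe` block starts above the first hunk, and the lines between the two hunks are not shown.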
|
||||
|