Ensure policy file exists

With the move of existing policy.json files into code, the file may no
longer be shipped by packaging. The json augeas lens requires that the
file exist or it fails. This change adds a file resource to ensure the
file exists with a basic json construct prior to managing the contents
with augeas.

Change-Id: I26e8b1384f4f69712da9d06a4c565dfd1f17c9ed
Related-Bug: #1742154
Alex Schultz 2018-01-09 10:33:00 -07:00
parent c99e470cc8
commit 2040b31029
3 changed files with 51 additions and 6 deletions


@ -16,12 +16,35 @@
# The value to set
# string; optional; the value to set
#
# [*file_mode*]
# (optional) Permission mode for the policy file
# Defaults to '0640'
#
# [*file_user*]
# (optional) User for the policy file
# Defaults to undef
#
# [*file_group*]
# (optional) Group for the policy file
# Defaults to undef
#
define openstacklib::policy::base (
$file_path,
$key,
$value = '',
$file_mode = '0640',
$file_user = undef,
$file_group = undef,
) {
ensure_resource('file', $file_path, {
mode => $file_mode,
owner => $file_user,
group => $file_group,
replace => false, # augeas will manage the content, we just need to make sure it exists
content => '{}'
})
# Add entry if it doesn't exists
augeas { "${file_path}-${key}-${value}-add":
lens => 'Json.lns',
@ -40,7 +63,8 @@ define openstacklib::policy::base (
changes => "set dict/entry[*][.=\"${key}\"]/string \"${value}\"",
}
Augeas<| title == "${file_path}-${key}-${value}-add" |>
File<| title == $file_path |>
-> Augeas<| title == "${file_path}-${key}-${value}-add" |>
~> Augeas<| title == "${file_path}-${key}-${value}" |>
}
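Review bot: The `ensure_resource('file', $file_path, {...})` call in the first hunk only de-duplicates when every instance of this define passes identical `file_mode`, `file_user` and `file_group` for the same `$file_path`; two policy rules for one file with differing values will fail catalog compilation with a duplicate declaration. The parameter docs should say so, e.g. `# All openstacklib::policy::base resources sharing a file_path must pass the same file_mode, file_user and file_group.` Separately, with the defaults (`'0640'`, owner and group `undef`) a newly created file is owned by whoever runs Puppet and is not world-readable, and since `replace => false` only protects the content, the mode is presumably also enforced on a policy file that packaging already shipped. The `file_group` doc could carry `# Set this to the service's group, otherwise the service may be unable to read the policy file.` so the lock-out risk is visible at the call site and not only in the release note. The body of the define continues between the two hunks and is not fully visible here.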


@ -0,0 +1,9 @@
---
fixes:
- |
The upstream services are moving their policy files into code which means
they may not exist if a user tries to customize the policies. We've added
an file resource to openstacklib::policy::base to ensure the file exists
but this means that the user/group need to be passed into the module or
it will possibly lock out services from being able to read this file as
the defaults limit it to just root:root.


@ -3,18 +3,30 @@ require 'spec_helper'
describe 'openstacklib::policy::base' do
shared_examples_for 'openstacklib::policy' do
shared_examples_for 'openstacklib::policy::base' do
context 'with some basic parameters' do
let :title do
'nova-contest_is_admin'
end
let :params do
{:file_path => '/etc/nova/policy.json',
:key => 'context_is_admin or owner',
:value => 'foo:bar'}
{
:file_path => '/etc/nova/policy.json',
:key => 'context_is_admin or owner',
:value => 'foo:bar',
:file_mode => '0644',
:file_user => 'foo',
:file_group => 'bar'
}
end
it {
is_expected.to contain_file('/etc/nova/policy.json').with(
:mode => '0644',
:owner => 'foo',
:group => 'bar')
}
it 'configures (modifies) the proper policy' do
is_expected.to contain_augeas('/etc/nova/policy.json-context_is_admin or owner-foo:bar').with(
'lens' => 'Json.lns',
@ -45,7 +57,7 @@ describe 'openstacklib::policy::base' do
facts.merge!(OSDefaults.get_facts())
end
it_configures 'openstacklib::policy'
it_configures 'openstacklib::policy::base'
end
end
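Review bot: The new `contain_file('/etc/nova/policy.json')` expectation in the first hunk pins only mode, owner and group; it does not assert `replace => false` or `content => '{}'`, which are the attributes that keep Puppet from overwriting an operator-edited policy file. Extending the hash to `.with(:mode => '0644', :owner => 'foo', :group => 'bar', :replace => false, :content => '{}')` would catch a regression that starts clobbering existing policies. There is also no context that omits `file_user`/`file_group`, so the default path (mode `'0640'`, owner and group unset), which the release note flags as able to lock services out, is untested. The `with some basic parameters` context continues past the end of the first hunk.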