diff --git a/manifests/policy.pp b/manifests/policy.pp index 091694cd..f7b11423 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -1,18 +1,67 @@ -# == Class: openstacklib::policies +# == Define: openstacklib::policies # # This resource is an helper to call the policy definition # # == Parameters: # -# [*policies*] -# Hash of policies one would like to set to specific values -# hash; optional +# [*policy_path*] +# (Optional) Path to the policy file +# Defaults to $name # -class openstacklib::policy ( - $policies = {}, +# [*policies*] +# (Optional) Set of policies to configure +# +# [*file_mode*] +# (Optional) Permission mode for the policy file +# Defaults to '0640' +# +# [*file_user*] +# (Optional) User for the policy file +# Defaults to undef +# +# [*file_group*] +# (Optional) Group for the policy file +# Defaults to undef +# +# [*file_format*] +# (Optional) Format for file contents. Valid values +# are 'json' or 'yaml'. +# Defaults to 'json'. +# +# [*purge_config*] +# (Optional) Whether to set only the specified policy rules in the policy +# file. +# Defaults to false. +# +define openstacklib::policy ( + $policy_path = $name, + $policies = {}, + $file_mode = '0640', + $file_user = undef, + $file_group = undef, + $file_format = 'json', + $purge_config = false, ) { - validate_legacy(Hash, 'validate_hash', $policies) - create_resources('openstacklib::policy::base', $policies) + if empty($policies) { + create_resources('openstacklib::policy::default', { $policy_path => { + file_mode => $file_mode, + file_user => $file_user, + file_group => $file_group, + file_format => $file_format, + purge_config => $purge_config, + }}) + } else { + $policy_defaults = { + file_path => $policy_path, + file_mode => $file_mode, + file_user => $file_user, + file_group => $file_group, + file_format => $file_format, + purge_config => $purge_config + } + + create_resources('openstacklib::policy::base', $policies, $policy_defaults) + } } 
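Review bot: The rewritten `openstacklib::policy` removes `validate_legacy(Hash, 'validate_hash', $policies)` and puts nothing in its place, so a non-hash `$policies` reaches `empty()` and `create_resources` unchecked, and `$purge_config`, which decides whether the policy file is overwritten, accepts any value. Data types on the parameters would restore the check, for example `Hash $policies = {},` and `Boolean $purge_config = false,`. In the `else` branch `file_path` is passed only as a default in `$policy_defaults`, so an entry in `$policies` that carries its own `file_path` still overrides `$policy_path`, and with purging on that other file is reset as well; the `policies` doc should say whether this is intended. The header comment still names the type `openstacklib::policies` although the define is `openstacklib::policy`.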
diff --git a/manifests/policy/base.pp b/manifests/policy/base.pp index 736e220d..47ecffed 100644 --- a/manifests/policy/base.pp +++ b/manifests/policy/base.pp @@ -5,16 +5,14 @@ # == Parameters: # # [*file_path*] -# Path to the policy.json file -# string; required +# (required) Path to the policy.json file # # [*key*] -# The key to replace the value for -# string; required; the key to replace the value for +# (required) The key to replace the value for # # [*value*] -# The value to set -# string; optional; the value to set +# (optional) The value to set +# Defaults to '' # # [*file_mode*] # (optional) Permission mode for the policy file @@ -33,28 +31,35 @@ # are 'json' or 'yaml'. # Defaults to 'json'. # +# [*purge_config*] +# (optional) Whether to set only the specified policy rules in the policy +# file. +# Defaults to false. +# define openstacklib::policy::base ( $file_path, $key, - $value = '', - $file_mode = '0640', - $file_user = undef, - $file_group = undef, - $file_format = 'json', + $value = '', + $file_mode = '0640', + $file_user = undef, + $file_group = undef, + $file_format = 'json', + $purge_config = false, ) { + ensure_resource('openstacklib::policy::default', $file_path, { + file_path => $file_path, + file_mode => $file_mode, + file_user => $file_user, + file_group => $file_group, + file_format => $file_format, + purge_config => $purge_config + }) + case $file_format { 'json': { warning('Json format is deprecated and will be removed in a future release') - ensure_resource('file', $file_path, { - mode => $file_mode, - owner => $file_user, - group => $file_group, - replace => false, # augeas will manage the content, we just need to make sure it exists - content => '{}' - }) - # Add entry if it doesn't exists augeas { "${file_path}-${key}-${value}-add": lens => 'Json.lns', 
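Review bot: In the `@@ -33,28 +31,35 @@` hunk the `json` branch of `openstacklib::policy::base` keeps its own `warning('Json format is deprecated and will be removed in a future release')` while the newly ensured `openstacklib::policy::default` emits the same message, so each json rule now logs the deprecation twice; the copy in `base` can go. Separately, `ensure_resource` reuses an existing `openstacklib::policy::default` only when every parameter matches, so two rules for the same `file_path` that differ in `purge_config` or `file_mode` will presumably fail compilation with a duplicate declaration. A line in the `purge_config` doc such as `# Must be identical for every rule that targets the same file_path.` would save users from finding that out at compile time. The `case` statement continues past the end of this hunk.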
@@ -73,30 +78,17 @@ define openstacklib::policy::base ( changes => "set dict/entry[*][.=\"${key}\"]/string \"${value}\"", } - File<| title == $file_path |> + Openstacklib::Policy::Default<| title == $file_path |> -> Augeas<| title == "${file_path}-${key}-${value}-add" |> ~> Augeas<| title == "${file_path}-${key}-${value}" |> } 'yaml': { - if stdlib::extname($file_path) == '.json' { - # NOTE(tkajinam): It is likely that user is not aware of migration from - # policy.json to policy.yaml - fail("file_path: ${file_path} should be a yaml file instead of a json file") - } - - ensure_resource('file', $file_path, { - mode => $file_mode, - owner => $file_user, - group => $file_group, - replace => false, # augeas will manage the content, we just need to make sure it exists - content => '' - }) file_line { "${file_path}-${key}" : path => $file_path, line => "'${key}': '${value}'", match => "^['\"]?${key}['\"]?\\s*:.+" } - File<| title == $file_path |> + Openstacklib::Policy::Default<| title == $file_path |> -> File_line<| title == "${file_path}-${key}" |> } default: { @@ -105,4 +97,3 @@ define openstacklib::policy::base ( } } - diff --git a/manifests/policy/default.pp b/manifests/policy/default.pp new file mode 100644 index 00000000..fdf09174 --- /dev/null +++ b/manifests/policy/default.pp 
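Review bot: In the `yaml` branch of the `@@ -73,30 +78,17 @@` hunk, `file_line` interpolates `${key}` into the `match` regex and `${value}` into a single-quoted YAML scalar with no escaping; these are unchanged context lines, but they are the code that now rebuilds the file after a purge. A key containing regex metacharacters can match, and so replace, a different rule's line, and a value containing `'` yields a line that will not parse as the intended scalar. Escaping the key, for example `match => "^['\"]?${regexpescape($key)}['\"]?\\s*:.+"` with stdlib's `regexpescape`, and rejecting or escaping `'` in `$value` would close both. The define starts before this hunk.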
@@ -0,0 +1,67 @@ +# == Definition: openstacklib::policy::default +# +# Create a default (empty) policy fie for an OpenStack service +# +# == Parameters: +# +# [*file_path*] +# (Optional) Path to the policy.json file +# Defaults to $name +# +# [*file_mode*] +# (Optional) Permission mode for the policy file +# Defaults to '0640' +# +# [*file_user*] +# (Optional) User for the policy file +# Defaults to undef +# +# [*file_group*] +# (Optional) Group for the policy file +# Defaults to undef +# +# [*file_format*] +# (Optional) Format for file contents. Valid values +# are 'json' or 'yaml'. +# Defaults to 'json'. +# +# [*purge_config*] +# (Optional) Whether to set only the specified policy rules in the policy +# file. +# Defaults to false. +# +define openstacklib::policy::default ( + $file_path = $name, + $file_mode = '0640', + $file_user = undef, + $file_group = undef, + $file_format = 'json', + $purge_config = false, +) { + + case $file_format { + 'json': { + warning('Json format is deprecated and will be removed in a future release') + $content = '{}' + } + 'yaml': { + if stdlib::extname($file_path) == '.json' { + # NOTE(tkajinam): It is likely that user is not aware of migration from + # policy.json to policy.yaml + fail("file_path: ${file_path} should be a yaml file instead of a json file") + } + $content = '' + } + default: { + fail("${file_format} is an unsupported policy file format. Choose 'json' or 'yaml'.") + } + } + + ensure_resource('file', $file_path, { + mode => $file_mode, + owner => $file_user, + group => $file_group, + replace => $purge_config, + content => $content + }) +} diff --git a/releasenotes/notes/purge-policy-file-1ad9f366345142e7.yaml b/releasenotes/notes/purge-policy-file-1ad9f366345142e7.yaml new file mode 100644 index 00000000..4557a8d3 --- /dev/null +++ b/releasenotes/notes/purge-policy-file-1ad9f366345142e7.yaml 
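Review bot: With `purge_config => true` the `file` resource at the end of `openstacklib::policy::default` gets `replace => true` together with `content => ''` (or `'{}'`), so every run resets the file and the `file_line`/`augeas` resources in `openstacklib::policy::base` then write the rules back. Every run therefore reports changes, and between the reset and the last rule being re-added the file on disk holds none of the operator's overrides; a service reading it in that window would presumably fall back to its built-in defaults, which may be more permissive than the overrides. Rendering the full rule set into `content` of a single `file` resource when purging would avoid both problems. At minimum the `purge_config` doc should carry `# Note: when true the file is rewritten on every run before the rules are re-applied.` The header comment also has a typo, `policy fie`.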
@@ -0,0 +1,11 @@ +--- +features: + - | + Now the ``openstacklib::policies`` resource type provides the basic set + of configurations for policy settings. It provides the purge_config + parameter which ensures a policy file is purged. + +upgrade: + - | + The ``openstacklib::policies`` class has been re-implemented as a defined + resource type. diff --git a/spec/defines/openstacklib_policy_base_spec.rb b/spec/defines/openstacklib_policy_base_spec.rb index da8724b2..314830b7 100644 --- a/spec/defines/openstacklib_policy_base_spec.rb +++ b/spec/defines/openstacklib_policy_base_spec.rb @@ -19,10 +19,12 @@ describe 'openstacklib::policy::base' do } end - it { should contain_file('/etc/nova/policy.json').with( - :mode => '0644', - :owner => 'foo', - :group => 'bar' + it { should contain_openstacklib__policy__default('/etc/nova/policy.json').with( + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'bar', + :file_format => 'json', + :purge_config => false, )} it { should contain_augeas('/etc/nova/policy.json-context_is_admin or owner-foo:bar').with( @@ -59,10 +61,12 @@ describe 'openstacklib::policy::base' do } end - it { should contain_file('/etc/nova/policy.yaml').with( - :mode => '0644', - :owner => 'foo', - :group => 'bar' + it { should contain_openstacklib__policy__default('/etc/nova/policy.yaml').with( + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'bar', + :file_format => 'yaml', + :purge_config => false, )} it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with( 
@@ -70,7 +74,33 @@ describe 'openstacklib::policy::base' do :line => '\'context_is_admin or owner\': \'foo:bar\'', :match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+' ) } + end + context 'with purge_config enabled' do + let :title do + 'nova-contest_is_admin' + end + + let :params do + { + :file_path => '/etc/nova/policy.yaml', + :key => 'context_is_admin or owner', + :value => 'foo:bar', + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'bar', + :file_format => 'yaml', + :purge_config => true, + } + end + + it { should contain_openstacklib__policy__default('/etc/nova/policy.yaml').with( + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'bar', + :file_format => 'yaml', + :purge_config => true, + )} end context 'with json file_path and yaml file format' do diff --git a/spec/defines/openstacklib_policy_default_spec.rb b/spec/defines/openstacklib_policy_default_spec.rb new file mode 100644 index 00000000..1ceee2b9 --- /dev/null +++ b/spec/defines/openstacklib_policy_default_spec.rb 
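Review bot: The new `with purge_config enabled` context only asserts that the flag reaches `openstacklib::policy::default`; it does not check that the rule itself is still declared when the file is being replaced. Adding `it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner') }` would catch a regression in which purging drops the rule. The title `'nova-contest_is_admin'` looks like a typo for `nova-context_is_admin`.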
@@ -0,0 +1,87 @@ +require 'spec_helper' + +describe 'openstacklib::policy::default' do + shared_examples 'openstacklib::policy::default' do + context 'with policy.json' do + let :title do + '/etc/nova/policy.json' + end + + let :params do + { + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'bar', + :file_format => 'json', + } + end + + it { should contain_file('/etc/nova/policy.json').with( + :mode => '0644', + :owner => 'foo', + :group => 'bar', + :content => '{}', + :replace => false + )} + end + + context 'with policy.yaml' do + let :title do + '/etc/nova/policy.yaml' + end + + let :params do + { + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'bar', + :file_format => 'yaml', + } + end + + it { should contain_file('/etc/nova/policy.yaml').with( + :mode => '0644', + :owner => 'foo', + :group => 'bar', + :content => '', + :replace => false + )} + end + + context 'with purge_config enabled' do + let :title do + '/etc/nova/policy.yaml' + end + + let :params do + { + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'bar', + :file_format => 'yaml', + :purge_config => true, + } + end + + it { should contain_file('/etc/nova/policy.yaml').with( + :mode => '0644', + :owner => 'foo', + :group => 'bar', + :content => '', + :replace => true + )} + end + end + + on_supported_os({ + :supported_os => OSDefaults.get_supported_os + }).each do |os,facts| + context "on #{os}" do + let (:facts) do + facts.merge!(OSDefaults.get_facts()) + end + + it_behaves_like 'openstacklib::policy::default' + end + end +end diff --git a/spec/classes/openstacklib_policy_spec.rb b/spec/defines/openstacklib_policy_spec.rb similarity index 51% rename from spec/classes/openstacklib_policy_spec.rb rename to spec/defines/openstacklib_policy_spec.rb index e60acde5..ff1b7813 100644 --- a/spec/classes/openstacklib_policy_spec.rb +++ b/spec/defines/openstacklib_policy_spec.rb 
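Review bot: Every context in this new spec sets `:file_mode => '0644'`, so the define's own default of `'0640'` and the `undef` owner and group are never asserted, and a later change that loosens the default mode of the policy file would pass unnoticed. A context that sets only the title and checks `it { should contain_file('/etc/nova/policy.json').with(:mode => '0640', :content => '{}', :replace => false) }` would pin it. The two `fail()` paths in `openstacklib::policy::default` (a `.json` path with `file_format => 'yaml'`, and an unsupported format) also have no case here; `it { should raise_error(Puppet::Error, /should be a yaml file/) }` would cover the first.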
@@ -3,15 +3,22 @@ require 'spec_helper' describe 'openstacklib::policy' do shared_examples 'openstacklib::policy' do context 'with basic configuration' do + let :title do + '/etc/nova/policy.json' + end + let :params do { :policies => { 'foo' => { - 'file_path' => '/etc/nova/policy.json', 'key' => 'context_is_admin', 'value' => 'foo:bar' } - } + }, + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'baa', + :file_format => 'json', } end @@ -21,25 +28,57 @@ describe 'openstacklib::policy' do :value => 'foo:bar' )} end + context 'with yaml configuration' do + let :title do + '/etc/nova/policy.yaml' + end + let :params do { - :policies => { + :policies => { 'foo' => { - 'file_path' => '/etc/octavia/policy.yaml', 'key' => 'context_is_admin', 'value' => 'foo:bar' } - } + }, + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'baa', + :file_format => 'yaml', } end it { should contain_openstacklib__policy__base('foo').with( - :file_path => '/etc/octavia/policy.yaml', + :file_path => '/etc/nova/policy.yaml', :key => 'context_is_admin', :value => 'foo:bar' )} end + + context 'with empty policies and purge_config enabled' do + let :title do + '/etc/nova/policy.yaml' + end + + let :params do + { + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'baa', + :file_format => 'yaml', + :purge_config => true, + } + end + + it { should contain_openstacklib__policy__default('/etc/nova/policy.yaml').with( + :file_mode => '0644', + :file_user => 'foo', + :file_group => 'baa', + :file_format => 'yaml', + :purge_config => true, + )} + end end on_supported_os({