Re-implement openstacklib::policy
openstacklib::policy has never been used in any other modules because it was implemented as a class, which is not reusable per service. This change re-implements openstacklib::policy as a defined resource type so that this implementation can be used from each puppet module. The openstacklib::policy resource type provides the purge_config parameter. When this parameter is set to true, the policy file is cleared during the configuration process. This allows users to remove any existing rules before applying their own (or no) rules. Change-Id: I9bb486c9191c50c11717dcb9c6af00d17c3aa8f5
This commit is contained in:
parent
508fc7adde
commit
2a53c66ed3
|
@ -1,18 +1,67 @@
|
||||||
# == Class: openstacklib::policies
|
# == Define: openstacklib::policies
|
||||||
#
|
#
|
||||||
# This resource is an helper to call the policy definition
|
# This resource is an helper to call the policy definition
|
||||||
#
|
#
|
||||||
# == Parameters:
|
# == Parameters:
|
||||||
#
|
#
|
||||||
# [*policies*]
|
# [*policy_path*]
|
||||||
# Hash of policies one would like to set to specific values
|
# (Optional) Path to the policy file
|
||||||
# hash; optional
|
# Defaults to $name
|
||||||
#
|
#
|
||||||
class openstacklib::policy (
|
# [*policies*]
|
||||||
$policies = {},
|
# (Optional) Set of policies to configure
|
||||||
|
#
|
||||||
|
# [*file_mode*]
|
||||||
|
# (Optional) Permission mode for the policy file
|
||||||
|
# Defaults to '0640'
|
||||||
|
#
|
||||||
|
# [*file_user*]
|
||||||
|
# (Optional) User for the policy file
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
|
# [*file_group*]
|
||||||
|
# (Optional) Group for the policy file
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
|
# [*file_format*]
|
||||||
|
# (Optional) Format for file contents. Valid values
|
||||||
|
# are 'json' or 'yaml'.
|
||||||
|
# Defaults to 'json'.
|
||||||
|
#
|
||||||
|
# [*purge_config*]
|
||||||
|
# (Optional) Whether to set only the specified policy rules in the policy
|
||||||
|
# file.
|
||||||
|
# Defaults to false.
|
||||||
|
#
|
||||||
|
define openstacklib::policy (
|
||||||
|
$policy_path = $name,
|
||||||
|
$policies = {},
|
||||||
|
$file_mode = '0640',
|
||||||
|
$file_user = undef,
|
||||||
|
$file_group = undef,
|
||||||
|
$file_format = 'json',
|
||||||
|
$purge_config = false,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
validate_legacy(Hash, 'validate_hash', $policies)
|
validate_legacy(Hash, 'validate_hash', $policies)
|
||||||
|
|
||||||
create_resources('openstacklib::policy::base', $policies)
|
if empty($policies) {
|
||||||
|
create_resources('openstacklib::policy::default', { $policy_path => {
|
||||||
|
file_mode => $file_mode,
|
||||||
|
file_user => $file_user,
|
||||||
|
file_group => $file_group,
|
||||||
|
file_format => $file_format,
|
||||||
|
purge_config => $purge_config,
|
||||||
|
}})
|
||||||
|
} else {
|
||||||
|
$policy_defaults = {
|
||||||
|
file_path => $policy_path,
|
||||||
|
file_mode => $file_mode,
|
||||||
|
file_user => $file_user,
|
||||||
|
file_group => $file_group,
|
||||||
|
file_format => $file_format,
|
||||||
|
purge_config => $purge_config
|
||||||
|
}
|
||||||
|
|
||||||
|
create_resources('openstacklib::policy::base', $policies, $policy_defaults)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
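Review bot: `purge_config` and the `file_*` parameters reach `create_resources` only as the defaults hash, so an entry in `$policies` that carries its own `file_path` or `purge_config` key overrides them; the `openstacklib::policy::default` for `$policy_path` may then never be declared, or two `base` resources may request it with differing parameters and hit a duplicate declaration. Either document that per-entry keys take precedence or reject entries that set `file_path`. Only `$policies` is validated; `purge_config` should be checked too, e.g. `validate_legacy(Boolean, 'validate_bool', $purge_config)`, so the value that ends up in the file resource's `replace` is a real boolean. The header still reads `# == Define: openstacklib::policies` (the release note uses the same name) while the type is `openstacklib::policy`.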
@ -5,16 +5,14 @@
|
||||||
# == Parameters:
|
# == Parameters:
|
||||||
#
|
#
|
||||||
# [*file_path*]
|
# [*file_path*]
|
||||||
# Path to the policy.json file
|
# (required) Path to the policy.json file
|
||||||
# string; required
|
|
||||||
#
|
#
|
||||||
# [*key*]
|
# [*key*]
|
||||||
# The key to replace the value for
|
# (required) The key to replace the value for
|
||||||
# string; required; the key to replace the value for
|
|
||||||
#
|
#
|
||||||
# [*value*]
|
# [*value*]
|
||||||
# The value to set
|
# (optional) The value to set
|
||||||
# string; optional; the value to set
|
# Defaults to ''
|
||||||
#
|
#
|
||||||
# [*file_mode*]
|
# [*file_mode*]
|
||||||
# (optional) Permission mode for the policy file
|
# (optional) Permission mode for the policy file
|
||||||
|
@ -33,28 +31,35 @@
|
||||||
# are 'json' or 'yaml'.
|
# are 'json' or 'yaml'.
|
||||||
# Defaults to 'json'.
|
# Defaults to 'json'.
|
||||||
#
|
#
|
||||||
|
# [*purge_config*]
|
||||||
|
# (optional) Whether to set only the specified policy rules in the policy
|
||||||
|
# file.
|
||||||
|
# Defaults to false.
|
||||||
|
#
|
||||||
define openstacklib::policy::base (
|
define openstacklib::policy::base (
|
||||||
$file_path,
|
$file_path,
|
||||||
$key,
|
$key,
|
||||||
$value = '',
|
$value = '',
|
||||||
$file_mode = '0640',
|
$file_mode = '0640',
|
||||||
$file_user = undef,
|
$file_user = undef,
|
||||||
$file_group = undef,
|
$file_group = undef,
|
||||||
$file_format = 'json',
|
$file_format = 'json',
|
||||||
|
$purge_config = false,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
|
ensure_resource('openstacklib::policy::default', $file_path, {
|
||||||
|
file_path => $file_path,
|
||||||
|
file_mode => $file_mode,
|
||||||
|
file_user => $file_user,
|
||||||
|
file_group => $file_group,
|
||||||
|
file_format => $file_format,
|
||||||
|
purge_config => $purge_config
|
||||||
|
})
|
||||||
|
|
||||||
case $file_format {
|
case $file_format {
|
||||||
'json': {
|
'json': {
|
||||||
warning('Json format is deprecated and will be removed in a future release')
|
warning('Json format is deprecated and will be removed in a future release')
|
||||||
|
|
||||||
ensure_resource('file', $file_path, {
|
|
||||||
mode => $file_mode,
|
|
||||||
owner => $file_user,
|
|
||||||
group => $file_group,
|
|
||||||
replace => false, # augeas will manage the content, we just need to make sure it exists
|
|
||||||
content => '{}'
|
|
||||||
})
|
|
||||||
|
|
||||||
# Add entry if it doesn't exists
|
# Add entry if it doesn't exists
|
||||||
augeas { "${file_path}-${key}-${value}-add":
|
augeas { "${file_path}-${key}-${value}-add":
|
||||||
lens => 'Json.lns',
|
lens => 'Json.lns',
|
||||||
|
@ -73,30 +78,17 @@ define openstacklib::policy::base (
|
||||||
changes => "set dict/entry[*][.=\"${key}\"]/string \"${value}\"",
|
changes => "set dict/entry[*][.=\"${key}\"]/string \"${value}\"",
|
||||||
}
|
}
|
||||||
|
|
||||||
File<| title == $file_path |>
|
Openstacklib::Policy::Default<| title == $file_path |>
|
||||||
-> Augeas<| title == "${file_path}-${key}-${value}-add" |>
|
-> Augeas<| title == "${file_path}-${key}-${value}-add" |>
|
||||||
~> Augeas<| title == "${file_path}-${key}-${value}" |>
|
~> Augeas<| title == "${file_path}-${key}-${value}" |>
|
||||||
}
|
}
|
||||||
'yaml': {
|
'yaml': {
|
||||||
if stdlib::extname($file_path) == '.json' {
|
|
||||||
# NOTE(tkajinam): It is likely that user is not aware of migration from
|
|
||||||
# policy.json to policy.yaml
|
|
||||||
fail("file_path: ${file_path} should be a yaml file instead of a json file")
|
|
||||||
}
|
|
||||||
|
|
||||||
ensure_resource('file', $file_path, {
|
|
||||||
mode => $file_mode,
|
|
||||||
owner => $file_user,
|
|
||||||
group => $file_group,
|
|
||||||
replace => false, # augeas will manage the content, we just need to make sure it exists
|
|
||||||
content => ''
|
|
||||||
})
|
|
||||||
file_line { "${file_path}-${key}" :
|
file_line { "${file_path}-${key}" :
|
||||||
path => $file_path,
|
path => $file_path,
|
||||||
line => "'${key}': '${value}'",
|
line => "'${key}': '${value}'",
|
||||||
match => "^['\"]?${key}['\"]?\\s*:.+"
|
match => "^['\"]?${key}['\"]?\\s*:.+"
|
||||||
}
|
}
|
||||||
File<| title == $file_path |>
|
Openstacklib::Policy::Default<| title == $file_path |>
|
||||||
-> File_line<| title == "${file_path}-${key}" |>
|
-> File_line<| title == "${file_path}-${key}" |>
|
||||||
}
|
}
|
||||||
default: {
|
default: {
|
||||||
|
@ -105,4 +97,3 @@ define openstacklib::policy::base (
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
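Review bot: `ensure_resource('openstacklib::policy::default', $file_path, { ... })` in hunk `@ -33,28 +31,35 @@` passes the full parameter hash, so two `openstacklib::policy::base` resources for the same `file_path` that disagree on any of `file_mode`, `file_user`, `file_group`, `file_format` or `purge_config` will fail with a duplicate declaration rather than a readable error; `openstacklib::policy` passes them uniformly, but `base` is also declared directly, as its spec shows. A comment above the call would save the next reader the surprise, e.g. `# Every base resource sharing a file must pass identical file_* and purge_config values; ensure_resource otherwise raises a duplicate declaration.` The `[*file_path*]` text in the first hunk still says `Path to the policy.json file` although yaml is the supported, non-deprecated format. The body of `openstacklib::policy::base` continues outside these hunks.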
@ -0,0 +1,67 @@
|
||||||
|
# == Definition: openstacklib::policy::default
|
||||||
|
#
|
||||||
|
# Create a default (empty) policy fie for an OpenStack service
|
||||||
|
#
|
||||||
|
# == Parameters:
|
||||||
|
#
|
||||||
|
# [*file_path*]
|
||||||
|
# (Optional) Path to the policy.json file
|
||||||
|
# Defaults to $name
|
||||||
|
#
|
||||||
|
# [*file_mode*]
|
||||||
|
# (Optional) Permission mode for the policy file
|
||||||
|
# Defaults to '0640'
|
||||||
|
#
|
||||||
|
# [*file_user*]
|
||||||
|
# (Optional) User for the policy file
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
|
# [*file_group*]
|
||||||
|
# (Optional) Group for the policy file
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
|
# [*file_format*]
|
||||||
|
# (Optional) Format for file contents. Valid values
|
||||||
|
# are 'json' or 'yaml'.
|
||||||
|
# Defaults to 'json'.
|
||||||
|
#
|
||||||
|
# [*purge_config*]
|
||||||
|
# (Optional) Whether to set only the specified policy rules in the policy
|
||||||
|
# file.
|
||||||
|
# Defaults to false.
|
||||||
|
#
|
||||||
|
define openstacklib::policy::default (
|
||||||
|
$file_path = $name,
|
||||||
|
$file_mode = '0640',
|
||||||
|
$file_user = undef,
|
||||||
|
$file_group = undef,
|
||||||
|
$file_format = 'json',
|
||||||
|
$purge_config = false,
|
||||||
|
) {
|
||||||
|
|
||||||
|
case $file_format {
|
||||||
|
'json': {
|
||||||
|
warning('Json format is deprecated and will be removed in a future release')
|
||||||
|
$content = '{}'
|
||||||
|
}
|
||||||
|
'yaml': {
|
||||||
|
if stdlib::extname($file_path) == '.json' {
|
||||||
|
# NOTE(tkajinam): It is likely that user is not aware of migration from
|
||||||
|
# policy.json to policy.yaml
|
||||||
|
fail("file_path: ${file_path} should be a yaml file instead of a json file")
|
||||||
|
}
|
||||||
|
$content = ''
|
||||||
|
}
|
||||||
|
default: {
|
||||||
|
fail("${file_format} is an unsupported policy file format. Choose 'json' or 'yaml'.")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ensure_resource('file', $file_path, {
|
||||||
|
mode => $file_mode,
|
||||||
|
owner => $file_user,
|
||||||
|
group => $file_group,
|
||||||
|
replace => $purge_config,
|
||||||
|
content => $content
|
||||||
|
})
|
||||||
|
}
|
|
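Review bot: `replace => $purge_config` together with a fixed `content` (`'{}'` or `''`) makes the file resource rewrite the policy file to that empty content on every agent run when `purge_config` is true, if I read Puppet's `replace` semantics correctly, because the `augeas`/`file_line` resources in `openstacklib::policy::base` add the rules back after it. The catalog then reports changes on every run, and during each run there is a window in which the policy file holds no rules at all; a service that re-reads its policy file in that window presumably falls back to oslo.policy's in-code defaults. Purging safely needs the desired rule set rendered into the file in one step (for example by passing the rules into this define and templating the whole file) rather than empty-then-append. Separately, the header says `policy fie` and `Path to the policy.json file` although the file may be yaml.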
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Now the ``openstacklib::policies`` resource type provides the basic set
|
||||||
|
of configurations for policy settings. It provides the purge_config
|
||||||
|
parameter which ensures a policy file is purged.
|
||||||
|
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
The ``openstacklib::policies`` class has been re-implemented as a defined
|
||||||
|
resource type.
|
|
@ -19,10 +19,12 @@ describe 'openstacklib::policy::base' do
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
it { should contain_file('/etc/nova/policy.json').with(
|
it { should contain_openstacklib__policy__default('/etc/nova/policy.json').with(
|
||||||
:mode => '0644',
|
:file_mode => '0644',
|
||||||
:owner => 'foo',
|
:file_user => 'foo',
|
||||||
:group => 'bar'
|
:file_group => 'bar',
|
||||||
|
:file_format => 'json',
|
||||||
|
:purge_config => false,
|
||||||
)}
|
)}
|
||||||
|
|
||||||
it { should contain_augeas('/etc/nova/policy.json-context_is_admin or owner-foo:bar').with(
|
it { should contain_augeas('/etc/nova/policy.json-context_is_admin or owner-foo:bar').with(
|
||||||
|
@ -59,10 +61,12 @@ describe 'openstacklib::policy::base' do
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
it { should contain_file('/etc/nova/policy.yaml').with(
|
it { should contain_openstacklib__policy__default('/etc/nova/policy.yaml').with(
|
||||||
:mode => '0644',
|
:file_mode => '0644',
|
||||||
:owner => 'foo',
|
:file_user => 'foo',
|
||||||
:group => 'bar'
|
:file_group => 'bar',
|
||||||
|
:file_format => 'yaml',
|
||||||
|
:purge_config => false,
|
||||||
)}
|
)}
|
||||||
|
|
||||||
it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with(
|
it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with(
|
||||||
|
@ -70,7 +74,33 @@ describe 'openstacklib::policy::base' do
|
||||||
:line => '\'context_is_admin or owner\': \'foo:bar\'',
|
:line => '\'context_is_admin or owner\': \'foo:bar\'',
|
||||||
:match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+'
|
:match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+'
|
||||||
) }
|
) }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with purge_config enabled' do
|
||||||
|
let :title do
|
||||||
|
'nova-contest_is_admin'
|
||||||
|
end
|
||||||
|
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:file_path => '/etc/nova/policy.yaml',
|
||||||
|
:key => 'context_is_admin or owner',
|
||||||
|
:value => 'foo:bar',
|
||||||
|
:file_mode => '0644',
|
||||||
|
:file_user => 'foo',
|
||||||
|
:file_group => 'bar',
|
||||||
|
:file_format => 'yaml',
|
||||||
|
:purge_config => true,
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it { should contain_openstacklib__policy__default('/etc/nova/policy.yaml').with(
|
||||||
|
:file_mode => '0644',
|
||||||
|
:file_user => 'foo',
|
||||||
|
:file_group => 'bar',
|
||||||
|
:file_format => 'yaml',
|
||||||
|
:purge_config => true,
|
||||||
|
)}
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with json file_path and yaml file format' do
|
context 'with json file_path and yaml file format' do
|
||||||
|
|
|
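Review bot: The new context title `'nova-contest_is_admin'` in hunk `@ -70,7 +74,33 @@` looks like a typo for `'nova-context_is_admin'`, which the other contexts in this file presumably use. The purge_config context only checks the parameters forwarded to `openstacklib::policy::default`; the ordering that makes purging meaningful is not asserted, so consider `it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').that_requires('Openstacklib::Policy::Default[/etc/nova/policy.yaml]') }`.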
@ -0,0 +1,87 @@
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
describe 'openstacklib::policy::default' do
|
||||||
|
shared_examples 'openstacklib::policy::default' do
|
||||||
|
context 'with policy.json' do
|
||||||
|
let :title do
|
||||||
|
'/etc/nova/policy.json'
|
||||||
|
end
|
||||||
|
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:file_mode => '0644',
|
||||||
|
:file_user => 'foo',
|
||||||
|
:file_group => 'bar',
|
||||||
|
:file_format => 'json',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it { should contain_file('/etc/nova/policy.json').with(
|
||||||
|
:mode => '0644',
|
||||||
|
:owner => 'foo',
|
||||||
|
:group => 'bar',
|
||||||
|
:content => '{}',
|
||||||
|
:replace => false
|
||||||
|
)}
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with policy.yaml' do
|
||||||
|
let :title do
|
||||||
|
'/etc/nova/policy.yaml'
|
||||||
|
end
|
||||||
|
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:file_mode => '0644',
|
||||||
|
:file_user => 'foo',
|
||||||
|
:file_group => 'bar',
|
||||||
|
:file_format => 'yaml',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it { should contain_file('/etc/nova/policy.yaml').with(
|
||||||
|
:mode => '0644',
|
||||||
|
:owner => 'foo',
|
||||||
|
:group => 'bar',
|
||||||
|
:content => '',
|
||||||
|
:replace => false
|
||||||
|
)}
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with purge_config enabled' do
|
||||||
|
let :title do
|
||||||
|
'/etc/nova/policy.yaml'
|
||||||
|
end
|
||||||
|
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:file_mode => '0644',
|
||||||
|
:file_user => 'foo',
|
||||||
|
:file_group => 'bar',
|
||||||
|
:file_format => 'yaml',
|
||||||
|
:purge_config => true,
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it { should contain_file('/etc/nova/policy.yaml').with(
|
||||||
|
:mode => '0644',
|
||||||
|
:owner => 'foo',
|
||||||
|
:group => 'bar',
|
||||||
|
:content => '',
|
||||||
|
:replace => true
|
||||||
|
)}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
on_supported_os({
|
||||||
|
:supported_os => OSDefaults.get_supported_os
|
||||||
|
}).each do |os,facts|
|
||||||
|
context "on #{os}" do
|
||||||
|
let (:facts) do
|
||||||
|
facts.merge!(OSDefaults.get_facts())
|
||||||
|
end
|
||||||
|
|
||||||
|
it_behaves_like 'openstacklib::policy::default'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
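Review bot: The failure branches of `openstacklib::policy::default` are untested: neither the `default:` arm (`fail(... unsupported policy file format ...)`) nor the yaml-format-with-`.json`-path guard has a context here. Add one for each, e.g. `it { should raise_error(Puppet::Error, /unsupported policy file format/) }` and `it { should raise_error(Puppet::Error, /should be a yaml file instead of a json file/) }`, mirroring the existing `with json file_path and yaml file format` context in the base spec.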
@ -3,15 +3,22 @@ require 'spec_helper'
|
||||||
describe 'openstacklib::policy' do
|
describe 'openstacklib::policy' do
|
||||||
shared_examples 'openstacklib::policy' do
|
shared_examples 'openstacklib::policy' do
|
||||||
context 'with basic configuration' do
|
context 'with basic configuration' do
|
||||||
|
let :title do
|
||||||
|
'/etc/nova/policy.json'
|
||||||
|
end
|
||||||
|
|
||||||
let :params do
|
let :params do
|
||||||
{
|
{
|
||||||
:policies => {
|
:policies => {
|
||||||
'foo' => {
|
'foo' => {
|
||||||
'file_path' => '/etc/nova/policy.json',
|
|
||||||
'key' => 'context_is_admin',
|
'key' => 'context_is_admin',
|
||||||
'value' => 'foo:bar'
|
'value' => 'foo:bar'
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
:file_mode => '0644',
|
||||||
|
:file_user => 'foo',
|
||||||
|
:file_group => 'baa',
|
||||||
|
:file_format => 'json',
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -21,25 +28,57 @@ describe 'openstacklib::policy' do
|
||||||
:value => 'foo:bar'
|
:value => 'foo:bar'
|
||||||
)}
|
)}
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with yaml configuration' do
|
context 'with yaml configuration' do
|
||||||
|
let :title do
|
||||||
|
'/etc/nova/policy.yaml'
|
||||||
|
end
|
||||||
|
|
||||||
let :params do
|
let :params do
|
||||||
{
|
{
|
||||||
:policies => {
|
:policies => {
|
||||||
'foo' => {
|
'foo' => {
|
||||||
'file_path' => '/etc/octavia/policy.yaml',
|
|
||||||
'key' => 'context_is_admin',
|
'key' => 'context_is_admin',
|
||||||
'value' => 'foo:bar'
|
'value' => 'foo:bar'
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
:file_mode => '0644',
|
||||||
|
:file_user => 'foo',
|
||||||
|
:file_group => 'baa',
|
||||||
|
:file_format => 'yaml',
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
it { should contain_openstacklib__policy__base('foo').with(
|
it { should contain_openstacklib__policy__base('foo').with(
|
||||||
:file_path => '/etc/octavia/policy.yaml',
|
:file_path => '/etc/nova/policy.yaml',
|
||||||
:key => 'context_is_admin',
|
:key => 'context_is_admin',
|
||||||
:value => 'foo:bar'
|
:value => 'foo:bar'
|
||||||
)}
|
)}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with empty policies and purge_config enabled' do
|
||||||
|
let :title do
|
||||||
|
'/etc/nova/policy.yaml'
|
||||||
|
end
|
||||||
|
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:file_mode => '0644',
|
||||||
|
:file_user => 'foo',
|
||||||
|
:file_group => 'baa',
|
||||||
|
:file_format => 'yaml',
|
||||||
|
:purge_config => true,
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it { should contain_openstacklib__policy__default('/etc/nova/policy.yaml').with(
|
||||||
|
:file_mode => '0644',
|
||||||
|
:file_user => 'foo',
|
||||||
|
:file_group => 'baa',
|
||||||
|
:file_format => 'yaml',
|
||||||
|
:purge_config => true,
|
||||||
|
)}
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
on_supported_os({
|
on_supported_os({
|
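Review bot: The `with yaml configuration` expectation in hunk `@ -21,25 +28,57 @@` only checks `file_path`, `key` and `value` on `openstacklib__policy__base('foo')`, so the new `file_mode`/`file_user`/`file_group`/`file_format` defaults plumbing is never asserted for the non-empty `policies` path. Adding those four keys to the `.with(` hash (`:file_mode => '0644'`, `:file_user => 'foo'`, `:file_group => 'baa'`, `:file_format => 'yaml'`) would pin it, and a `contain_openstacklib__policy__default('/etc/nova/policy.yaml')` check in the same context would show the default resource is reached through `base`. There is also no case where a `policies` entry supplies its own `file_path`, which is the behaviour that changes most for existing callers.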