Allow purging policy files

This change introduces the new purge_config parameter to the policy
class so that any policy rules not managed by puppet manifests can be
cleared.

Co-Authored-By: Martin Schuppert <mschuppert@redhat.com>
Depends-On: https://review.opendev.org/802305
Change-Id: I7e453f3abf08e13d2366ea68af1ce859a88e8448
Takashi Kajinami 2021-09-04 22:22:34 +09:00
parent dfe0e42f86
commit 9c04deee7f
3 changed files with 89 additions and 30 deletions


@ -32,11 +32,22 @@
# (Optional) Path to the zaqar policy.yaml file # (Optional) Path to the zaqar policy.yaml file
# Defaults to /etc/zaqar/policy.yaml # Defaults to /etc/zaqar/policy.yaml
# #
# [*policy_dirs*]
# (Optional) Path to the zaqar policy folder
# Defaults to $::os_service_default
#
# [*purge_config*]
# (optional) Whether to set only the specified policy rules in the policy
# file.
# Defaults to false.
#
class zaqar::policy ( class zaqar::policy (
$enforce_scope = $::os_service_default, $enforce_scope = $::os_service_default,
$enforce_new_defaults = $::os_service_default, $enforce_new_defaults = $::os_service_default,
$policies = {}, $policies = {},
$policy_path = '/etc/zaqar/policy.yaml', $policy_path = '/etc/zaqar/policy.yaml',
$policy_dirs = $::os_service_default,
$purge_config = false,
) { ) {
include zaqar::deps include zaqar::deps
@ -44,19 +55,22 @@ class zaqar::policy (
validate_legacy(Hash, 'validate_hash', $policies) validate_legacy(Hash, 'validate_hash', $policies)
Openstacklib::Policy::Base { $policy_parameters = {
file_path => $policy_path, policies => $policies,
file_user => 'root', policy_path => $policy_path,
file_group => $::zaqar::params::group, file_user => 'root',
file_format => 'yaml', file_group => $::zaqar::params::group,
file_format => 'yaml',
purge_config => $purge_config,
} }
create_resources('openstacklib::policy::base', $policies) create_resources('openstacklib::policy', { $policy_path => $policy_parameters })
oslo::policy { 'zaqar_config': oslo::policy { 'zaqar_config':
enforce_scope => $enforce_scope, enforce_scope => $enforce_scope,
enforce_new_defaults => $enforce_new_defaults, enforce_new_defaults => $enforce_new_defaults,
policy_file => $policy_path policy_file => $policy_path,
policy_dirs => $policy_dirs,
} }
} }
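Review bot: `$purge_config` is placed into `$policy_parameters` in the second hunk without any type check, although `$policies` is still validated on the line just above the new hash. The flag decides whether rules in the authorization policy file that Puppet does not manage are cleared or kept, so a mis-typed Hiera value (for example the string 'false', which Puppet evaluates as truthy) should fail catalog compilation instead of being forwarded. Adding `validate_legacy(Boolean, 'validate_bool', $purge_config)` next to the existing `validate_legacy` call would cover this; whether `openstacklib::policy` already enforces a Boolean is not visible here. The `[*purge_config*]` doc in the first hunk could also spell out the default's consequence, e.g. `# With false, rules removed from $policies are left in the file and presumably stay in effect.` The class's parameter documentation begins above the first hunk.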


@ -0,0 +1,6 @@
---
features:
- |
Adds new purge_config parameter. When set to true, the policy file is
cleared during configuration process. This allows to remove any existing
rules before applying them or clean the file when all policies got removed.


@ -2,33 +2,72 @@ require 'spec_helper'
describe 'zaqar::policy' do describe 'zaqar::policy' do
shared_examples 'zaqar::policy' do shared_examples 'zaqar::policy' do
let :params do
{ context 'setup policy with parameters' do
:enforce_scope => false, let :params do
:enforce_new_defaults => false, {
:policy_path => '/etc/zaqar/policy.yaml', :enforce_scope => false,
:policies => { :enforce_new_defaults => false,
'context_is_admin' => { :policy_path => '/etc/zaqar/policy.yaml',
'key' => 'context_is_admin', :policy_dirs => '/etc/zaqar/policy.d',
'value' => 'foo:bar' :policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
} }
} }
} end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy('/etc/zaqar/policy.yaml').with(
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
},
:policy_path => '/etc/zaqar/policy.yaml',
:file_user => 'root',
:file_group => 'zaqar',
:file_format => 'yaml',
:purge_config => false,
)
is_expected.to contain_oslo__policy('zaqar_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/zaqar/policy.yaml',
:policy_dirs => '/etc/zaqar/policy.d',
)
end
end end
it 'set up the policies' do context 'with empty policies and purge_config enabled' do
is_expected.to contain_openstacklib__policy__base('context_is_admin').with({ let :params do
:key => 'context_is_admin', {
:value => 'foo:bar', :enforce_scope => false,
:file_user => 'root', :enforce_new_defaults => false,
:file_group => 'zaqar', :policy_path => '/etc/zaqar/policy.yaml',
:file_format => 'yaml', :policies => {},
}) :purge_config => true,
is_expected.to contain_oslo__policy('zaqar_config').with( }
:enforce_scope => false, end
:enforce_new_defaults => false,
:policy_file => '/etc/zaqar/policy.yaml', it 'set up the policies' do
) is_expected.to contain_openstacklib__policy('/etc/zaqar/policy.yaml').with(
:policies => {},
:policy_path => '/etc/zaqar/policy.yaml',
:file_user => 'root',
:file_group => 'zaqar',
:file_format => 'yaml',
:purge_config => true,
)
is_expected.to contain_oslo__policy('zaqar_config').with(
:enforce_scope => false,
:enforce_new_defaults => false,
:policy_file => '/etc/zaqar/policy.yaml',
)
end
end end
end end
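Review bot: The new 'with empty policies and purge_config enabled' context leaves `:policy_dirs` unset, and its `contain_oslo__policy('zaqar_config')` expectation does not check that key, so the default of the new `policy_dirs` parameter is never asserted; only the explicit '/etc/zaqar/policy.d' value is covered by the first context. Adding `:policy_dirs => '<SERVICE DEFAULT>',` to that expectation would pin the default, assuming the spec facts expose the usual os_service_default value. Both examples are also named 'set up the policies'; renaming the second to something like `it 'passes purge_config through to openstacklib::policy' do` would make a failure in the purge path identifiable from the report. The enclosing `describe` block appears to continue below the hunk.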