Override policy for undercloud novajoin

The default policy compute_service_user[1] limits novajoin calls to the nova user. This prevents novajoin being called from a mistral workflow, which is required for a nova-less undercloud. This change overrides this policy so that any user with the admin role can call novajoin. Service users including the nova user have the admin role, so this should not affect the existing nova based novajoin calls. [1] https://opendev.org/x/novajoin/src/branch/master/novajoin/policy.py#L39 Depends-On: https://review.opendev.org/#/c/684435/ Change-Id: I9034c1bce9c296ff183f0d7f2e22df187699fa04 Blueprint: nova-less-deploy
2019-09-23 22:02:36 +00:00 · 2019-09-23 22:02:36 +00:00 · 39517657e8
commit 39517657e8
parent 144bea2680
2 changed files with 12 additions and 0 deletions
--- a/deployment/nova/novajoin-container-puppet.yaml
+++ b/deployment/nova/novajoin-container-puppet.yaml
@ -78,6 +78,11 @@ parameters:
    description: The timeout for both the vendordata dynamic connect and read
                 values.
    type: number
+  NovajoinPolicies:
+    description: |
+      A hash of policies to configure for Novajoin.
+    default: {}
+    type: json

 resources:

@ -117,6 +122,7 @@ outputs:
          '119 novajoin':
            dport:
              - 9090
+        nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
      service_config_settings:
        keystone:
          nova::metadata::novajoin::auth::tenant: 'service'
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@ -91,6 +91,12 @@ parameter_defaults:
  NovaAutoDisabling: '0'
  NovaCorsAllowedOrigin: '*'
  NovaSyncPowerStateInterval: -1
+  # Overwrite compute_server_user policy to allow any user with role admin
+  # to post to novajoin (required for mistral workflow)
+  NovajoinPolicies:
+    compute_service_user:
+      key: 'compute_service_user'
+      value: 'role:admin'
  NeutronDhcpAgentsPerNetwork: 2
  HeatConvergenceEngine: true
  HeatCorsAllowedOrigin: '*'