
Allow configuring policy.json for OpenStack projects

For both container and classic deployments, allow configuring
policy.json for all OpenStack APIs with new parameters (hash,
empty by default).

Example of new parameter: NovaApiPolicies.
See environments/nova-api-policy.yaml for how the feature can be used.

Note: use it with extreme caution.

Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
changes/00/445700/10
Emilien Macchi, 5 years ago. Parent commit: 91053af09d
1. docker/docker-puppet.py (4)
2. docker/services/README.rst (2)
3. environments/nova-api-policy.yaml (10)
4. puppet/config.role.j2.yaml (2)
5. puppet/services/aodh-api.yaml (7)
6. puppet/services/barbican-api.yaml (7)
7. puppet/services/ceilometer-api.yaml (7)
8. puppet/services/cinder-api.yaml (7)
9. puppet/services/congress.yaml (7)
10. puppet/services/ec2-api.yaml (7)
11. puppet/services/glance-api.yaml (7)
12. puppet/services/gnocchi-api.yaml (7)
13. puppet/services/heat-api.yaml (7)
14. puppet/services/ironic-api.yaml (7)
15. puppet/services/keystone.yaml (7)
16. puppet/services/mistral-api.yaml (7)
17. puppet/services/neutron-api.yaml (7)
18. puppet/services/nova-api.yaml (7)
19. puppet/services/octavia-api.yaml (7)
20. puppet/services/panko-api.yaml (7)
21. puppet/services/sahara-api.yaml (7)
22. puppet/services/tacker.yaml (7)
23. puppet/services/zaqar.yaml (7)
24. releasenotes/notes/api-policy-4ca739519537f6f4.yaml (13)

4
docker/docker-puppet.py

@ -247,9 +247,9 @@ for config_volume in configs:
volumes = service[4] if len(service) > 4 else []
if puppet_tags:
puppet_tags = "file,file_line,concat,%s" % puppet_tags
puppet_tags = "file,file_line,concat,augeas,%s" % puppet_tags
else:
puppet_tags = "file,file_line,concat"
puppet_tags = "file,file_line,concat,augeas"
process_map.append([config_volume, puppet_tags, manifest, config_image, volumes])
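Review bot: the base tag list "file,file_line,concat,augeas" is now spelled out twice in this hunk (both branches of the if/else); factor it into one module-level constant such as a hypothetical BASE_PUPPET_TAGS and build both strings from it, so the next addition cannot land in only one branch. Also worth stating in a comment why augeas is added: with this tag in the list, every augeas resource in the service manifest, not only the policy.json edits, will be applied during config generation in the container, so the manifests of the puppet modules in use should be checked for augeas resources that are not meant to run there.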

2
docker/services/README.rst

@ -74,7 +74,7 @@ are re-asserted when applying latter ones.
* puppet_tags: Puppet resource tag names that are used to generate config
files with puppet. Only the named config resources are used to generate
a config file. Any service that specifies tags will have the default
tags of 'file,concat,file_line' appended to the setting.
tags of 'file,concat,file_line,augeas' appended to the setting.
Example: keystone_config
* config_volume: The name of the volume (directory) where config files
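Review bot: the wording here still disagrees with the code in two ways that this change could have fixed: docker-puppet.py prepends the default tags ("file,file_line,concat,augeas,%s" % puppet_tags) rather than appending them, and it lists them in a different order than 'file,concat,file_line,augeas'. Suggest aligning the README text with the actual string and direction so operators grepping for the tag list find one form.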

10
environments/nova-api-policy.yaml

@ -0,0 +1,10 @@
# A Heat environment file which can be used to configure access policies for
# Nova API resources. It is here for example and doesn't cover all services
# but just Nova here.
# While recipes for editing policy.json files is supported, modifying the
# policy can have unexpected side effects and is not encouraged.
parameter_defaults:
# The target is "compute:get_all", the "list all instances" API of the Compute service.
# The rule is an empty string meaning "always". This policy allows anybody to list instances.
NovaApiPolicies: { nova-context_is_admin: { key: 'compute:get_all', value: '' } }
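Review bot: the shipped example grants compute:get_all unconditionally (value ''), and this is the file the commit message points operators to; someone who includes the environment verbatim weakens access control without touching any other setting, while the file's own comment says such changes are not encouraged. Suggest the example use the restrictive form already given in every parameter description, `{ nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }`, or at least a rule that tightens rather than opens access. Two smaller points: the resource title nova-context_is_admin wraps a key of compute:get_all, which is misleading (the title should reflect the key), and since nothing validates the key, a policy name the deployed Nova release does not check is written to policy.json and silently never enforced, so the comment should tell operators to confirm the key against the target release.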

2
puppet/config.role.j2.yaml

@ -38,7 +38,7 @@ resources:
- ''
- list_join:
- ','
- ['file,concat,file_line', {get_param: PuppetTags}]
- ['file,concat,file_line,augeas', {get_param: PuppetTags}]
outputs:
- name: result
inputs:
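Review bot: the default tag list now lives in three places (docker-puppet.py, the README and this template) and has to be changed in lockstep; a short comment on the list_join line pointing at docker-puppet.py as the canonical definition would help keep them from drifting.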

7
puppet/services/aodh-api.yaml

@ -24,6 +24,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
AodhApiPolicies:
description: |
A hash of policies to configure for Aodh API.
e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
resources:
AodhBase:
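Review bot: the description should state what `key` and `value` actually are, since this exact text is copied into every service template: `key` is a policy target name that is not validated against the service, and `value` is an oslo.policy rule expression, where an empty string means unconditional allow. Suggest one extra line in the description ("value is an oslo.policy rule string; '' allows everyone") so the commit message's "use it with extreme caution" is visible where the parameter is consumed.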
@ -61,6 +67,7 @@ outputs:
aodh::wsgi::apache::wsgi_process_display_name: 'aodh_wsgi'
aodh::api::service_name: 'httpd'
aodh::api::enable_proxy_headers_parsing: true
aodh::policy::policies: {get_param: AodhApiPolicies}
tripleo.aodh_api.firewall_rules:
'128 aodh-api':
dport:

7
puppet/services/barbican-api.yaml

@ -55,6 +55,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
BarbicanPolicies:
description: |
A hash of policies to configure for Barbican.
e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
resources:
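Review bot: the parameter is named BarbicanPolicies while most services in this change use the *ApiPolicies form (AodhApiPolicies, NovaApiPolicies, and so on); Congress, Keystone, Tacker and Zaqar follow the shorter form too. Parameter names are the operator-facing interface and renaming later needs a deprecation cycle, so pick one convention before merge, or document the reason for the split if it is intentional (e.g. services without a separate API template).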
@ -77,6 +83,7 @@ outputs:
barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
barbican::policy::policies: {get_param: BarbicanPolicies}
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::api::db_auto_create: false
barbican::api::enabled_certificate_plugins: ['simple_certificate']

7
puppet/services/ceilometer-api.yaml

@ -29,6 +29,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CeilometerApiPolicies:
description: |
A hash of policies to configure for Ceilometer API.
e.g. { ceilometer-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
resources:
CeilometerServiceBase:
@ -78,6 +84,7 @@ outputs:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
ceilometer::policy::policies: {get_param: CeilometerApiPolicies}
ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS}
ceilometer::wsgi::apache::servername:

7
puppet/services/cinder-api.yaml

@ -46,6 +46,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CinderApiPolicies:
description: |
A hash of policies to configure for Cinder API.
e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
conditions:
cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
@ -86,6 +92,7 @@ outputs:
cinder::keystone::authtoken::project_name: 'service'
cinder::keystone::authtoken::user_domain_name: 'Default'
cinder::keystone::authtoken::project_domain_name: 'Default'
cinder::policy::policies: {get_param: CinderApiPolicies}
cinder::api::enable_proxy_headers_parsing: true
cinder::api::nova_catalog_info: 'compute:nova:internalURL'

7
puppet/services/congress.yaml

@ -47,6 +47,12 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
CongressPolicies:
description: |
A hash of policies to configure for Congress.
e.g. { congress-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
outputs:
role_data:
@ -86,6 +92,7 @@ outputs:
congress::db::mysql::allowed_hosts:
- '%'
- {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
congress::policy::policies: {get_param: CongressPolicies}
service_config_settings:
keystone:

7
puppet/services/ec2-api.yaml

@ -42,6 +42,12 @@ parameters:
default: 'false'
description: Set to true to enable package installation via Puppet
type: boolean
Ec2ApiPolicies:
description: |
A hash of policies to configure for EC2-API.
e.g. { ec2api-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
conditions:
@ -67,6 +73,7 @@ outputs:
ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword}
ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ec2api::policy::policies: {get_param: Ec2ApiPolicies}
ec2api::api::enabled: true
ec2api::package_manage: {get_param: EnablePackageInstall}
ec2api::api::ec2api_listen:

7
puppet/services/glance-api.yaml

@ -110,6 +110,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
GlanceApiPolicies:
description: |
A hash of policies to configure for Glance API.
e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
@ -155,6 +161,7 @@ outputs:
glance::api::enable_proxy_headers_parsing: true
glance::api::debug: {get_param: Debug}
glance::api::workers: {get_param: GlanceWorkers}
glance::policy::policies: {get_param: GlanceApiPolicies}
tripleo.glance_api.firewall_rules:
'112 glance_api':
dport:

7
puppet/services/gnocchi-api.yaml

@ -44,6 +44,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
GnocchiApiPolicies:
description: |
A hash of policies to configure for Gnocchi API.
e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
resources:
@ -83,6 +89,7 @@ outputs:
gnocchi::api::enabled: true
gnocchi::api::enable_proxy_headers_parsing: true
gnocchi::api::service_name: 'httpd'
gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}

7
puppet/services/heat-api.yaml

@ -41,6 +41,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
HeatApiPolicies:
description: |
A hash of policies to configure for Heat API.
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
conditions:
heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]}
@ -82,6 +88,7 @@ outputs:
- 13004
heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]}
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
heat::policy::policies: {get_param: HeatApiPolicies}
heat::api::service_name: 'httpd'
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):

7
puppet/services/ironic-api.yaml

@ -29,6 +29,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
IronicApiPolicies:
description: |
A hash of policies to configure for Ironic API.
e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
resources:
IronicBase:
@ -64,6 +70,7 @@ outputs:
ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
# This is used to build links in responses
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
ironic::policy::policies: {get_param: IronicApiPolicies}
tripleo.ironic_api.firewall_rules:
'133 ironic api':
dport:

7
puppet/services/keystone.yaml

@ -158,6 +158,12 @@ parameters:
description: >
Cron to purge expired tokens - User
default: 'keystone'
KeystonePolicies:
description: |
A hash of policies to configure for Keystone.
e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
resources:
@ -197,6 +203,7 @@ outputs:
keystone::admin_token: {get_param: AdminToken}
keystone::admin_password: {get_param: AdminPassword}
keystone::roles::admin::password: {get_param: AdminPassword}
keystone::policy::policies: {get_param: KeystonePolicies}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
keystone::token_provider: {get_param: KeystoneTokenProvider}
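Review bot: keystone::policy::policies sits in the same config_settings as the admin token and admin password bootstrap, and a wrong rule for an identity call can lock out the very admin account the deployment relies on, which is not recoverable through the API. Suggest the KeystonePolicies description call this out explicitly, and that the release note mention Keystone as the parameter where a mistake has the widest effect.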

7
puppet/services/mistral-api.yaml

@ -22,6 +22,12 @@ parameters:
default: 1
description: The number of workers for the mistral-api.
type: number
MistralApiPolicies:
description: |
A hash of policies to configure for Mistral API.
e.g. { mistral-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
resources:
MistralBase:
@ -41,6 +47,7 @@ outputs:
- get_attr: [MistralBase, role_data, config_settings]
- mistral::api::api_workers: {get_param: MistralWorkers}
mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]}
mistral::policy::policies: {get_param: MistralApiPolicies}
tripleo.mistral_api.firewall_rules:
'133 mistral':
dport:

7
puppet/services/neutron-api.yaml

@ -60,6 +60,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
NeutronApiPolicies:
description: |
A hash of policies to configure for Neutron API.
e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
@ -127,6 +133,7 @@ outputs:
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/ovs_neutron'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
neutron::policy::policies: {get_param: NeutronApiPolicies}
neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
neutron::server::api_workers: {get_param: NeutronWorkers}

7
puppet/services/nova-api.yaml

@ -62,6 +62,12 @@ parameters:
default: 300
description: Timeout for Nova db sync
type: number
NovaApiPolicies:
description: |
A hash of policies to configure for Nova API.
e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
conditions:
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
@ -145,6 +151,7 @@ outputs:
nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
nova::policy::policies: {get_param: NovaApiPolicies}
-
if:
- nova_workers_zero

7
puppet/services/octavia-api.yaml

@ -34,6 +34,12 @@ parameters:
default:
tag: openstack.octavia.api
path: /var/log/octavia/api.log
OctaviaApiPolicies:
description: |
A hash of policies to configure for Octavia API.
e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
resources:
@ -57,6 +63,7 @@ outputs:
map_merge:
- get_attr: [OctaviaBase, role_data, config_settings]
- octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
octavia::policy::policies: {get_param: OctaviaApiPolicies}
octavia::db::database_connection:
list_join:
- ''

7
puppet/services/panko-api.yaml

@ -24,6 +24,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
PankoApiPolicies:
description: |
A hash of policies to configure for Panko API.
e.g. { panko-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
resources:
PankoBase:
@ -58,6 +64,7 @@ outputs:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]}
panko::policy::policies: {get_param: PankoApiPolicies}
panko::api::service_name: 'httpd'
panko::api::enable_proxy_headers_parsing: true
tripleo.panko_api.firewall_rules:

7
puppet/services/sahara-api.yaml

@ -38,6 +38,12 @@ parameters:
default:
tag: openstack.sahara.api
path: /var/log/sahara/sahara-api.log
SaharaApiPolicies:
description: |
A hash of policies to configure for Sahara API.
e.g. { sahara-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
resources:
SaharaBase:
@ -60,6 +66,7 @@ outputs:
map_merge:
- get_attr: [SaharaBase, role_data, config_settings]
- sahara::port: {get_param: [EndpointMap, SaharaInternal, port]}
sahara::policy::policies: {get_param: SaharaApiPolicies}
sahara::service::api::api_workers: {get_param: SaharaWorkers}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):

7
puppet/services/tacker.yaml

@ -47,6 +47,12 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
TackerPolicies:
description: |
A hash of policies to configure for Tacker.
e.g. { tacker-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
outputs:
role_data:
@ -87,6 +93,7 @@ outputs:
tacker::db::mysql::allowed_hosts:
- '%'
- {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
tacker::policy::policies: {get_param: TackerPolicies}
service_config_settings:
keystone:

7
puppet/services/zaqar.yaml

@ -30,6 +30,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
ZaqarPolicies:
description: |
A hash of policies to configure for Zaqar.
e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
outputs:
@ -38,6 +44,7 @@ outputs:
value:
service_name: zaqar
config_settings:
zaqar::policy::policies: {get_param: ZaqarPolicies}
zaqar::keystone::authtoken::password: {get_param: ZaqarPassword}
zaqar::keystone::authtoken::project_name: 'service'
zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}

13
releasenotes/notes/api-policy-4ca739519537f6f4.yaml

@ -0,0 +1,13 @@
---
features:
- |
TripleO is now able to configure role-based access API policies with new
parameters for each API service.
For example, Nova API service has now NovaApiPolicies and the value
could be { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
It will configure /etc/nova/policy.json file and configure context_is_admin
to true. Puppet will take care of this configuration and API services are
restarted when the file is touched.
We're also adding augeas resource to the list of Puppet providers that
container deployments grab in the catalog to generate configurations, so
this feature can be used when deploying TripleO in containers.
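Review bot: "configure context_is_admin to true" does not match the example value 'role:admin', which is a rule expression, not a boolean; suggest "sets the context_is_admin rule to role:admin". The note also describes the parameters as "role-based access API policies", but the value can be any oslo.policy rule (including '' for unconditional allow, as environments/nova-api-policy.yaml shows), and the caution from the commit message is absent here, where operators will actually read it; add one sentence saying the parameters override the service's policy.json and should be used with care.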