Allow to configure policy.json for OpenStack projects

For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
5 years ago · 91053af09d
24 changed files with 160 additions and 4 deletions
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@ -247,9 +247,9 @@ for config_volume in configs:
    volumes = service[4] if len(service) > 4 else []

    if puppet_tags:
-        puppet_tags = "file,file_line,concat,%s" % puppet_tags
+        puppet_tags = "file,file_line,concat,augeas,%s" % puppet_tags
    else:
-        puppet_tags = "file,file_line,concat"
+        puppet_tags = "file,file_line,concat,augeas"

    process_map.append([config_volume, puppet_tags, manifest, config_image, volumes])

--- a/docker/services/README.rst
+++ b/docker/services/README.rst
@ -74,7 +74,7 @@ are re-asserted when applying latter ones.
     * puppet_tags: Puppet resource tag names that are used to generate config
       files with puppet. Only the named config resources are used to generate
       a config file. Any service that specifies tags will have the default
-       tags of 'file,concat,file_line' appended to the setting.
+       tags of 'file,concat,file_line,augeas' appended to the setting.
       Example: keystone_config

     * config_volume: The name of the volume (directory) where config files
--- a/environments/nova-api-policy.yaml
+++ b/environments/nova-api-policy.yaml
@ -0,0 +1,10 @@
+# A Heat environment file which can be used to configure access policies for
+# Nova API resources. It is here for example and doesn't cover all services
+# but just Nova here.
+# While recipes for editing policy.json files is supported, modifying the
+# policy can have unexpected side effects and is not encouraged.
+
+parameter_defaults:
+  # The target is "compute:get_all", the "list all instances" API of the Compute service.
+  # The rule is an empty string meaning "always". This policy allows anybody to list instances.
+  NovaApiPolicies: { nova-context_is_admin: { key: 'compute:get_all', value: '' } }
--- a/puppet/config.role.j2.yaml
+++ b/puppet/config.role.j2.yaml
@ -38,7 +38,7 @@ resources:
          - ''
          - list_join:
            - ','
-            - ['file,concat,file_line', {get_param: PuppetTags}]
+            - ['file,concat,file_line,augeas', {get_param: PuppetTags}]
      outputs:
      - name: result
      inputs:
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@ -24,6 +24,12 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  AodhApiPolicies:
+    description: |
+      A hash of policies to configure for Aodh API.
+      e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 resources:
  AodhBase:
@ -61,6 +67,7 @@ outputs:
            aodh::wsgi::apache::wsgi_process_display_name: 'aodh_wsgi'
            aodh::api::service_name: 'httpd'
            aodh::api::enable_proxy_headers_parsing: true
+            aodh::policy::policies: {get_param: AodhApiPolicies}
            tripleo.aodh_api.firewall_rules:
              '128 aodh-api':
                dport:
--- a/puppet/services/barbican-api.yaml
+++ b/puppet/services/barbican-api.yaml
@ -55,6 +55,12 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  BarbicanPolicies:
+    description: |
+      A hash of policies to configure for Barbican.
+      e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 resources:

@ -77,6 +83,7 @@ outputs:
            barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::project_name: 'service'
+            barbican::policy::policies: {get_param: BarbicanPolicies}
            barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
            barbican::api::db_auto_create: false
            barbican::api::enabled_certificate_plugins: ['simple_certificate']
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@ -29,6 +29,12 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  CeilometerApiPolicies:
+    description: |
+      A hash of policies to configure for Ceilometer API.
+      e.g. { ceilometer-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 resources:
  CeilometerServiceBase:
@ -78,6 +84,7 @@ outputs:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
+            ceilometer::policy::policies: {get_param: CeilometerApiPolicies}
            ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
            ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            ceilometer::wsgi::apache::servername:
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@ -46,6 +46,12 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  CinderApiPolicies:
+    description: |
+      A hash of policies to configure for Cinder API.
+      e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 conditions:
  cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
@ -86,6 +92,7 @@ outputs:
            cinder::keystone::authtoken::project_name: 'service'
            cinder::keystone::authtoken::user_domain_name: 'Default'
            cinder::keystone::authtoken::project_domain_name: 'Default'
+            cinder::policy::policies: {get_param: CinderApiPolicies}
            cinder::api::enable_proxy_headers_parsing: true

            cinder::api::nova_catalog_info: 'compute:nova:internalURL'
--- a/puppet/services/congress.yaml
+++ b/puppet/services/congress.yaml
@ -47,6 +47,12 @@ parameters:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
+  CongressPolicies:
+    description: |
+      A hash of policies to configure for Congress.
+      e.g. { congress-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 outputs:
  role_data:
@ -86,6 +92,7 @@ outputs:
        congress::db::mysql::allowed_hosts:
          - '%'
          - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+        congress::policy::policies: {get_param: CongressPolicies}

      service_config_settings:
        keystone:
--- a/puppet/services/ec2-api.yaml
+++ b/puppet/services/ec2-api.yaml
@ -42,6 +42,12 @@ parameters:
    default: 'false'
    description: Set to true to enable package installation via Puppet
    type: boolean
+  Ec2ApiPolicies:
+    description: |
+      A hash of policies to configure for EC2-API.
+      e.g. { ec2api-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json


 conditions:
@ -67,6 +73,7 @@ outputs:
          ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword}
          ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
          ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+          ec2api::policy::policies: {get_param: Ec2ApiPolicies}
          ec2api::api::enabled: true
          ec2api::package_manage: {get_param: EnablePackageInstall}
          ec2api::api::ec2api_listen:
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@ -110,6 +110,12 @@ parameters:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
+  GlanceApiPolicies:
+    description: |
+      A hash of policies to configure for Glance API.
+      e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 conditions:
  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
@ -155,6 +161,7 @@ outputs:
            glance::api::enable_proxy_headers_parsing: true
            glance::api::debug: {get_param: Debug}
            glance::api::workers: {get_param: GlanceWorkers}
+            glance::policy::policies: {get_param: GlanceApiPolicies}
            tripleo.glance_api.firewall_rules:
              '112 glance_api':
                dport:
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@ -44,6 +44,12 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  GnocchiApiPolicies:
+    description: |
+      A hash of policies to configure for Gnocchi API.
+      e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 resources:

@ -83,6 +89,7 @@ outputs:
            gnocchi::api::enabled: true
            gnocchi::api::enable_proxy_headers_parsing: true
            gnocchi::api::service_name: 'httpd'
+            gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
            gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}
--- a/puppet/services/heat-api.yaml
+++ b/puppet/services/heat-api.yaml
@ -41,6 +41,12 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  HeatApiPolicies:
+    description: |
+      A hash of policies to configure for Heat API.
+      e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 conditions:
  heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]}
@ -82,6 +88,7 @@ outputs:
                  - 13004
            heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]}
            heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
+            heat::policy::policies: {get_param: HeatApiPolicies}
            heat::api::service_name: 'httpd'
            # NOTE: bind IP is found in Heat replacing the network name with the local node IP
            # for the given network; replacement examples (eg. for internal_api):
--- a/puppet/services/ironic-api.yaml
+++ b/puppet/services/ironic-api.yaml
@ -29,6 +29,12 @@ parameters:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
+  IronicApiPolicies:
+    description: |
+      A hash of policies to configure for Ironic API.
+      e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 resources:
  IronicBase:
@ -64,6 +70,7 @@ outputs:
            ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
            # This is used to build links in responses
            ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
+            ironic::policy::policies: {get_param: IronicApiPolicies}
            tripleo.ironic_api.firewall_rules:
              '133 ironic api':
                dport:
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@ -158,6 +158,12 @@ parameters:
    description: >
        Cron to purge expired tokens - User
    default: 'keystone'
+  KeystonePolicies:
+    description: |
+      A hash of policies to configure for Keystone.
+      e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 resources:

@ -197,6 +203,7 @@ outputs:
            keystone::admin_token: {get_param: AdminToken}
            keystone::admin_password: {get_param: AdminPassword}
            keystone::roles::admin::password: {get_param: AdminPassword}
+            keystone::policy::policies: {get_param: KeystonePolicies}
            keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
            keystone::token_provider: {get_param: KeystoneTokenProvider}
--- a/puppet/services/mistral-api.yaml
+++ b/puppet/services/mistral-api.yaml
@ -22,6 +22,12 @@ parameters:
    default: 1
    description: The number of workers for the mistral-api.
    type: number
+  MistralApiPolicies:
+    description: |
+      A hash of policies to configure for Mistral API.
+      e.g. { mistral-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 resources:
  MistralBase:
@ -41,6 +47,7 @@ outputs:
          - get_attr: [MistralBase, role_data, config_settings]
          - mistral::api::api_workers: {get_param: MistralWorkers}
            mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]}
+            mistral::policy::policies: {get_param: MistralApiPolicies}
            tripleo.mistral_api.firewall_rules:
              '133 mistral':
                dport:
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@ -60,6 +60,12 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  NeutronApiPolicies:
+    description: |
+      A hash of policies to configure for Neutron API.
+      e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

  # DEPRECATED: the following options are deprecated and are currently maintained
  # for backwards compatibility. They will be removed in the Ocata cycle.
@ -127,6 +133,7 @@ outputs:
                  - {get_param: [EndpointMap, MysqlInternal, host]}
                  - '/ovs_neutron'
                  - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
+            neutron::policy::policies: {get_param: NeutronApiPolicies}
            neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            neutron::server::api_workers: {get_param: NeutronWorkers}
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@ -62,6 +62,12 @@ parameters:
    default: 300
    description: Timeout for Nova db sync
    type: number
+  NovaApiPolicies:
+    description: |
+      A hash of policies to configure for Nova API.
+      e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 conditions:
  nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
@ -145,6 +151,7 @@ outputs:
          nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
          nova::api::instance_name_template: {get_param: InstanceNameTemplate}
          nova_enable_db_purge: {get_param: NovaEnableDBPurge}
+          nova::policy::policies: {get_param: NovaApiPolicies}
        -
          if:
          - nova_workers_zero
--- a/puppet/services/octavia-api.yaml
+++ b/puppet/services/octavia-api.yaml
@ -34,6 +34,12 @@ parameters:
    default:
      tag: openstack.octavia.api
      path: /var/log/octavia/api.log
+  OctaviaApiPolicies:
+    description: |
+      A hash of policies to configure for Octavia API.
+      e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 resources:

@ -57,6 +63,7 @@ outputs:
        map_merge:
          - get_attr: [OctaviaBase, role_data, config_settings]
          - octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+            octavia::policy::policies: {get_param: OctaviaApiPolicies}
            octavia::db::database_connection:
              list_join:
                - ''
--- a/puppet/services/panko-api.yaml
+++ b/puppet/services/panko-api.yaml
@ -24,6 +24,12 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  PankoApiPolicies:
+    description: |
+      A hash of policies to configure for Panko API.
+      e.g. { panko-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 resources:
  PankoBase:
@ -58,6 +64,7 @@ outputs:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]}
+            panko::policy::policies: {get_param: PankoApiPolicies}
            panko::api::service_name: 'httpd'
            panko::api::enable_proxy_headers_parsing: true
            tripleo.panko_api.firewall_rules:
--- a/puppet/services/sahara-api.yaml
+++ b/puppet/services/sahara-api.yaml
@ -38,6 +38,12 @@ parameters:
    default:
      tag: openstack.sahara.api
      path: /var/log/sahara/sahara-api.log
+  SaharaApiPolicies:
+    description: |
+      A hash of policies to configure for Sahara API.
+      e.g. { sahara-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 resources:
  SaharaBase:
@ -60,6 +66,7 @@ outputs:
        map_merge:
          - get_attr: [SaharaBase, role_data, config_settings]
          - sahara::port: {get_param: [EndpointMap, SaharaInternal, port]}
+            sahara::policy::policies: {get_param: SaharaApiPolicies}
            sahara::service::api::api_workers: {get_param: SaharaWorkers}
            # NOTE: bind IP is found in Heat replacing the network name with the local node IP
            # for the given network; replacement examples (eg. for internal_api):
--- a/puppet/services/tacker.yaml
+++ b/puppet/services/tacker.yaml
@ -47,6 +47,12 @@ parameters:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
+  TackerPolicies:
+    description: |
+      A hash of policies to configure for Tacker.
+      e.g. { tacker-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json

 outputs:
  role_data:
@ -87,6 +93,7 @@ outputs:
        tacker::db::mysql::allowed_hosts:
          - '%'
          - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+        tacker::policy::policies: {get_param: TackerPolicies}

      service_config_settings:
        keystone:
--- a/puppet/services/zaqar.yaml
+++ b/puppet/services/zaqar.yaml
@ -30,6 +30,12 @@ parameters:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
+  ZaqarPolicies:
+    description: |
+      A hash of policies to configure for Zaqar.
+      e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json


 outputs:
@ -38,6 +44,7 @@ outputs:
    value:
      service_name: zaqar
      config_settings:
+        zaqar::policy::policies: {get_param: ZaqarPolicies}
        zaqar::keystone::authtoken::password: {get_param: ZaqarPassword}
        zaqar::keystone::authtoken::project_name: 'service'
        zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
--- a/releasenotes/notes/api-policy-4ca739519537f6f4.yaml
+++ b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    TripleO is now able to configure role-based access API policies with new
+    parameters for each API service.
+    For example, Nova API service has now NovaApiPolicies and the value
+    could be { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    It will configure /etc/nova/policy.json file and configure context_is_admin
+    to true. Puppet will take care of this configuration and API services are
+    restarted when the file is touched.
+    We're also adding augeas resource to the list of Puppet providers that
+    container deployments grab in the catalog to generate configurations, so
+    this feature can be used when deploying TripleO in containers.