Merge "Heat: Present policy rules for all services"

deployment/heat/heat-api-container-puppet.yaml

@@ -193,7 +193,6 @@ outputs:
             heat::wsgi::apache_api::access_log_format: 'forwarded'
             heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
             heat::wsgi::apache_api::vhost_custom_fragment: 'Timeout 600'
-            heat::policy::policies: {get_param: HeatApiPolicies}
             heat::api::service_name: 'httpd'
             # NOTE: bind IP is found in hiera replacing the network name with the local node IP
             # for the given network; replacement examples (eg. for internal_api):

deployment/heat/heat-base-puppet.yaml

@@ -144,6 +144,12 @@ parameters:
     description: |
       Use the advanced (eventlet safe) memcached client pool.
     default: true
+  HeatApiPolicies:
+    description: |
+      A hash of policies to configure for Heat API.
+      e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json
   EnforceSecureRbac:
     type: boolean
     default: false
@@ -184,6 +190,7 @@ outputs:
               - {get_param: HeatDebug}
               - true
               - {get_param: Debug}
+            heat::policy::policies: {get_param: HeatApiPolicies}
             heat::enable_proxy_headers_parsing: true
             heat::rpc_response_timeout: {get_param: HeatRpcResponseTimeout}
             heat::rabbit_heartbeat_timeout_threshold: 60