Merge "Enable policy rule management in nova-compute"

2022-01-14 09:45:59 +00:00 · 2022-01-14 09:45:59 +00:00 · de62d2df65
parent 3fe597a5f2 2a27e8bdbb
commit de62d2df65
2 changed files with 89 additions and 89 deletions
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@ -59,17 +59,6 @@ parameters:
    default: 0
    description: Number of workers for Nova services.
    type: number
-  EnforceSecureRbac:
-    type: boolean
-    default: false
-    description: >-
-      Setting this option to True will configure each OpenStack service to
-      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
-      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
-      of RBAC personas across OpenStack services that include support for
-      system and project scope, as well as keystone's default roles, admin,
-      member, and reader. Do not enable this functionality until all services in
-      your deployment actually support secure RBAC.
  KeystoneRegion:
    type: string
    default: 'regionOne'
@ -95,12 +84,6 @@ parameters:
    default: 'public'
    description: Default pool for floating IP addresses
    type: string
-  NovaApiPolicies:
-    description: |
-      A hash of policies to configure for Nova API.
-      e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
-    default: {}
-    type: json
  NovaAllowResizeToSameHost:
    default: false
    description: Allow destination machine to match source for resize.
@ -247,46 +230,6 @@ parameters:
    description: |
      Use the advanced (eventlet safe) memcached client pool.
    default: true
-  NovaRestrictLiveMigration:
-    type: boolean
-    description: |
-      Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
-      api policy to the NovaLiveMigrationRole role. This can be used to
-      disallow the default admin role use live migration.
-      Additional policies specified using NovaApiPolicies get merged with this
-      policy.
-    default: false
-  NovaRestrictLiveMigrationRole:
-    description: |
-      Name of the user role which gets set to limit live migration when
-      NovaRestrictLiveMigration is enabled.
-    default: 'live-migration'
-    type: string
-  NovaShowHostStatus:
-    type: string
-    description: |
-      Allow overriding API policies to access the compute host status in the
-      requested Nova server details. The default value 'hidden' allows only admins to
-      access it. Setting it to 'all' ('unknown-only') without additional fine-grained
-      tuning of NovaApiHostStatusPolicy shows the full (limited) host_status
-      to the system/project readers.
-    default: 'hidden'
-    constraints:
-      - allowed_values: ['all', 'unknown-only', 'hidden']
-  NovaApiHostStatusPolicy:
-    description: |
-      A custom API policy for os_compute_api:servers:show:host_status and
-      os_compute_api:servers:show:host_status:unknown-only.
-      These rules, or roles, replace the admins-only policies based on the given
-      NovaShowHostStatus: 'unknown-only' shows the limited host status UNKNOWN
-      whenever a heartbeat was not received within the configured threshold, and
-      'all' also reveals UP, DOWN, or MAINTENANCE statuses in the Nova server
-      details. NovaShowHostStatus 'hidden' puts it back being visible only for admins.
-      Additional policies specified using NovaApiPolicies get merged with this
-      policy.
-    # TODO(bogdando): use rule:system_or_project_reader once tripleo enforces scopes
-    default: 'role:reader'
-    type: string

 parameter_groups:
 - label: deprecated
@ -425,36 +368,6 @@ outputs:
                params:
                  $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
            nova::api::instance_name_template: {get_param: InstanceNameTemplate}
-            nova::policy::purge_config: true
-            nova::policy::policies:
-              map_merge:
-              - {get_param: NovaApiPolicies}
-              - if:
-                - {get_param: NovaRestrictLiveMigration}
-                - limit_live_migration:
-                    key: 'os_compute_api:os-migrate-server:migrate_live'
-                    value:
-                      str_replace:
-                        template: 'role:LMROLENAME'
-                        params:
-                           LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
-                - {}
-              - if:
-                - equals:
-                  - {get_param: NovaShowHostStatus}
-                  - 'all'
-                - nova-host_status:
-                    key: 'os_compute_api:servers:show:host_status'
-                    value: {get_param: NovaApiHostStatusPolicy}
-                - {}
-              - if:
-                - equals:
-                  - {get_param: NovaShowHostStatus}
-                  - 'unknown-only'
-                - nova-host_status_unknown_only:
-                    key: 'os_compute_api:servers:show:host_status:unknown-only'
-                    value: {get_param: NovaApiHostStatusPolicy}
-                - {}
            nova::api::allow_resize_to_same_host: {get_param: NovaAllowResizeToSameHost}
            nova_enable_db_purge: {get_param: NovaEnableDBPurge}
            nova::cron::purge_shadow_tables::minute: {get_param: NovaCronPurgeShadowTablesMinute}
@ -483,8 +396,6 @@ outputs:
            nova::cron::archive_deleted_rows::all_cells: {get_param: NovaCronArchiveDeleteAllCells}
            nova::cron::archive_deleted_rows::age: {get_param: NovaCronArchiveDeleteRowsAge}
            nova::cron::archive_deleted_rows::task_log: {get_param: NovaCronArchiveDeleteRowsTaskLog}
-            nova::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
-            nova::policy::enforce_scope: {get_param: EnforceSecureRbac}
          - if:
            - nova_workers_set
            - nova::api::osapi_compute_workers: {get_param: NovaWorkers}
--- a/deployment/nova/nova-base-puppet.yaml
+++ b/deployment/nova/nova-base-puppet.yaml
@ -78,6 +78,63 @@ parameters:
    type: string
    description: Nova Compute upgrade level
    default: ''
+  NovaApiPolicies:
+    description: |
+      A hash of policies to configure for Nova API.
+      e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.
+  NovaRestrictLiveMigration:
+    type: boolean
+    description: |
+      Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
+      api policy to the NovaLiveMigrationRole role. This can be used to
+      disallow the default admin role use live migration.
+      Additional policies specified using NovaApiPolicies get merged with this
+      policy.
+    default: false
+  NovaRestrictLiveMigrationRole:
+    description: |
+      Name of the user role which gets set to limit live migration when
+      NovaRestrictLiveMigration is enabled.
+    default: 'live-migration'
+    type: string
+  NovaShowHostStatus:
+    type: string
+    description: |
+      Allow overriding API policies to access the compute host status in the
+      requested Nova server details. The default value 'hidden' allows only admins to
+      access it. Setting it to 'all' ('unknown-only') without additional fine-grained
+      tuning of NovaApiHostStatusPolicy shows the full (limited) host_status
+      to the system/project readers.
+    default: 'hidden'
+    constraints:
+      - allowed_values: ['all', 'unknown-only', 'hidden']
+  NovaApiHostStatusPolicy:
+    description: |
+      A custom API policy for os_compute_api:servers:show:host_status and
+      os_compute_api:servers:show:host_status:unknown-only.
+      These rules, or roles, replace the admins-only policies based on the given
+      NovaShowHostStatus: 'unknown-only' shows the limited host status UNKNOWN
+      whenever a heartbeat was not received within the configured threshold, and
+      'all' also reveals UP, DOWN, or MAINTENANCE statuses in the Nova server
+      details. NovaShowHostStatus 'hidden' puts it back being visible only for admins.
+      Additional policies specified using NovaApiPolicies get merged with this
+      policy.
+    # TODO(bogdando): use rule:system_or_project_reader once tripleo enforces scopes
+    default: 'role:reader'
+    type: string
  NovaOVSDBConnection:
   type: string
   description: OVS DB connection string to used by Nova
@ -203,6 +260,38 @@ outputs:
            if:
            - compute_upgrade_level_set
            - {get_param: UpgradeLevelNovaCompute}
+          nova::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
+          nova::policy::enforce_scope: {get_param: EnforceSecureRbac}
+          nova::policy::purge_config: true
+          nova::policy::policies:
+            map_merge:
+            - {get_param: NovaApiPolicies}
+            - if:
+              - {get_param: NovaRestrictLiveMigration}
+              - limit_live_migration:
+                  key: 'os_compute_api:os-migrate-server:migrate_live'
+                  value:
+                    str_replace:
+                      template: 'role:LMROLENAME'
+                      params:
+                         LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
+              - {}
+            - if:
+              - equals:
+                - {get_param: NovaShowHostStatus}
+                - 'all'
+              - nova-host_status:
+                  key: 'os_compute_api:servers:show:host_status'
+                  value: {get_param: NovaApiHostStatusPolicy}
+              - {}
+            - if:
+              - equals:
+                - {get_param: NovaShowHostStatus}
+                - 'unknown-only'
+              - nova-host_status_unknown_only:
+                  key: 'os_compute_api:servers:show:host_status:unknown-only'
+                  value: {get_param: NovaApiHostStatusPolicy}
+              - {}
        - get_attr: [RoleParametersValue, value]
      service_config_settings:
        rabbitmq: