Heat: Present policy rules for all services

The policy rules are used not only by heat-api but also by heat-api-cfn
and heat-engine. This change ensures the policy rules defined by
the HeatApiPolicies parameter are rendered into hieradata in the node
where these heat services are running, even if these services run on
separate nodes.

Backport note:
This backport additionally removes the HeatApiPolicies parameter from
heat-api, because stable/wallaby and older releases do not have [1].

[1] f63176e97a

Change-Id: Ic278c69110d427118c5ff9b4bddc72493434154a
Closes-Bug: #1983342
Depends-on: https://review.opendev.org/861128
(cherry picked from commit d503ee5fc9)
(cherry picked from commit 69bdb2d6b6)
Takashi Kajinami 2022-08-02 16:43:27 +09:00
parent dae1f19d20
commit ef6bdb3128
2 changed files with 7 additions and 7 deletions

@ -68,12 +68,6 @@ parameters:
MonitoringSubscriptionHeatApi:
default: 'overcloud-heat-api'
type: string
HeatApiPolicies:
description: |
A hash of policies to configure for Heat API.
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
HeatStackDomainAdminPassword:
description: Password for heat_stack_domain_admin user.
type: string
@ -158,7 +152,6 @@ outputs:
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
heat::wsgi::apache_api::vhost_custom_fragment: 'Timeout 600'
heat::policy::policies: {get_param: HeatApiPolicies}
heat::api::service_name: 'httpd'
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
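Review bot: With `heat::policy::policies: {get_param: HeatApiPolicies}` no longer set in the outputs of this hunk (-158,7 +152,6), heat-api gets its policy rules only if it also receives the hieradata from the template that sets the same key in the -172,6 +178,7 hunk. Nothing visible in these lines shows that dependency, so a short comment at this spot saying where the key is now set would help the next person who looks for HeatApiPolicies here.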

@ -145,6 +145,12 @@ parameters:
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
HeatApiPolicies:
description: |
A hash of policies to configure for Heat API.
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
conditions:
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
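Review bot: The description of HeatApiPolicies in this hunk still reads "A hash of policies to configure for Heat API.", while the commit message states the rules are also used by heat-api-cfn and heat-engine. Suggest rewording the description to say the policies apply to all heat services, so operators do not assume the parameter only affects nodes running heat-api.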
@ -172,6 +178,7 @@ outputs:
- service_debug_unset
- {get_param: Debug }
- {get_param: HeatDebug }
heat::policy::policies: {get_param: HeatApiPolicies}
heat::enable_proxy_headers_parsing: true
heat::rpc_response_timeout: 600
heat::rabbit_heartbeat_timeout_threshold: 60
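Review bot: The `heat::policy::policies: {get_param: HeatApiPolicies}` line in this hunk changes the hieradata rendered on nodes that run only heat-engine or heat-api-cfn, yet the change lists just 2 changed files and both are templates. A release note stating that existing HeatApiPolicies values now take effect on those nodes would help operators who upgrade with custom policies already set.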