Horizon: Manage policy files

This change enables management of policy files for Horizon so that
customized policy rules are injected into horizon policy files in
addition to service policy files.

Depends-on: https://review.opendev.org/823890
Change-Id: I00ca1f4da82cdc25737f462fa024e31316216c12

deployment/cinder/cinder-api-container-puppet.yaml

@@ -221,6 +221,8 @@ outputs:
           cinder::db::mysql::user: cinder
           cinder::db::mysql::host: '%'
           cinder::db::mysql::dbname: cinder
+        horizon:
+          horizon::policy::cinder_policies: {get_param: CinderApiPolicies}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: cinder

deployment/glance/glance-api-container-puppet.yaml

@@ -635,6 +635,8 @@ outputs:
         rsyslog:
           tripleo_logging_sources_glance_api:
             - {get_param: GlanceApiLoggingSource}
+        horizon:
+          horizon::policy::glance_policies: {get_param: GlanceApiPolicies}
       # BEGIN DOCKER SETTINGS #
       puppet_config:
         config_volume: glance_api

deployment/heat/heat-api-container-puppet.yaml

@@ -181,6 +181,8 @@ outputs:
         rsyslog:
           tripleo_logging_sources_heat_api:
             - {get_param: HeatApiLoggingSource}
+        horizon:
+          horizon::dashboards::heat::policies: {get_param: HeatApiPolicies}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: heat_api

deployment/keystone/keystone-container-puppet.yaml

@@ -674,10 +674,12 @@ outputs:
           keystone::endpoint::region: {get_param: KeystoneRegion}
           keystone::admin_password: {get_param: AdminPassword}
         horizon:
-          if:
-          - {get_param: KeystoneLDAPDomainEnable}
-          - horizon::keystone_multidomain_support: true
-            horizon::keystone_default_domain: 'Default'
+          map_merge:
+            - if:
+              - {get_param: KeystoneLDAPDomainEnable}
+              - horizon::keystone_multidomain_support: true
+                horizon::keystone_default_domain: 'Default'
+            - horizon::policy::keystone_policies: {get_param: KeystonePolicies}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: keystone

deployment/manila/manila-api-container-puppet.yaml

@@ -48,6 +48,12 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  ManilaApiPolicies:
+    description: |
+      A hash of policies to configure for Manila API.
+      e.g. { manila-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json
   MonitoringSubscriptionManilaApi:
     default: 'overcloud-manila-api'
     type: string
@@ -207,6 +213,7 @@ outputs:
             manila::api::service_name: 'httpd'
             manila::api::enable_proxy_headers_parsing: true
             manila::api::default_share_type: 'default'
+            manila::api::policies: {get_param: ManilaApiPolicies}
             manila_enabled_share_protocols: {get_param: ManilaEnabledShareProtocols}
             manila::cron::db_purge::minute: {get_param: ManilaCronDbPurgeMinute}
             manila::cron::db_purge::hour: {get_param: ManilaCronDbPurgeHour}
@@ -224,7 +231,11 @@ outputs:
                 params:
                   $NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
             manila::wsgi::apache::workers: {get_param: ManilaWorkers}
-      service_config_settings: {get_attr: [ManilaBase, role_data, service_config_settings]}
+      service_config_settings:
+        map_merge:
+          - {get_attr: [ManilaBase, role_data, service_config_settings]}
+          - horizon:
+              horizon::dashboard::manila::policies: {get_param: ManilaApiPolicies}
       # BEGIN DOCKER SETTINGS #
       puppet_config:
         config_volume: manila

deployment/neutron/neutron-api-container-puppet.yaml

@@ -434,7 +434,8 @@ outputs:
           neutron::db::mysql::user: neutron
           neutron::db::mysql::host: '%'
           neutron::db::mysql::dbname: ovs_neutron
-
+        horizon:
+          horizon::policy::neutron_policies: {get_param: NeutronApiPolicies}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: neutron

deployment/nova/nova-api-container-puppet.yaml

@@ -409,6 +409,7 @@ outputs:
         rsyslog:
           tripleo_logging_sources_nova_api:
             - {get_param: NovaApiLoggingSource}
+        horizon: {get_attr: [NovaBase, role_data, service_config_settings], horizon}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: nova

deployment/nova/nova-base-puppet.yaml

@@ -263,7 +263,7 @@ outputs:
           nova::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
           nova::policy::enforce_scope: {get_param: EnforceSecureRbac}
           nova::policy::purge_config: true
-          nova::policy::policies:
+          nova::policy::policies: &nova_policies
             map_merge:
             - {get_param: NovaApiPolicies}
             - if:
@@ -296,3 +296,5 @@ outputs:
       service_config_settings:
         rabbitmq:
           nova::rabbit_use_ssl: {get_param: RpcUseSSL}
+        horizon:
+          horizon::policy::nova_policies: *nova_policies

deployment/octavia/octavia-api-container-puppet.yaml

@@ -231,6 +231,8 @@ outputs:
           octavia::db::mysql::user: {get_param: OctaviaUserName}
           octavia::db::mysql::host: '%'
           octavia::db::mysql::dbname: octavia
+        horizon:
+          octavia::dashboards::heat::policies: {get_param: OctaviaApiPolicies}
       # BEGIN DOCKER SETTINGS #
       puppet_config:
         config_volume: octavia