From bba32efdae5682b09e906983c8a7815fcc549ade Mon Sep 17 00:00:00 2001
From: Eduardo Gonzalez <dabarren@gmail.com>
Date: Fri, 18 Nov 2016 17:26:17 +0000
Subject: [PATCH] Horizon custom policies

Apply custom policies for different OpenStack services.

Change-Id: I26df2d0d7c52215ffbedbfa66acd352063e885ae
Partially-Implements: blueprint custom-policies
---
 ansible/roles/horizon/tasks/config.yml        | 42 +++++++++++++++++++
 .../roles/horizon/templates/horizon.json.j2   | 25 +++++++++++
 2 files changed, 67 insertions(+)

diff --git a/ansible/roles/horizon/tasks/config.yml b/ansible/roles/horizon/tasks/config.yml
index c361c83521..801bafd133 100644
--- a/ansible/roles/horizon/tasks/config.yml
+++ b/ansible/roles/horizon/tasks/config.yml
@@ -31,3 +31,45 @@
     - "{{ node_custom_config }}/horizon/{{ inventory_hostname }}/local_settings"
     - "{{ node_custom_config }}/horizon/local_settings"
     - "local_settings.j2"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/horizon/{{ item.name }}_policy.json"
+  register: custom_policy
+  when: item.enabled | bool
+  with_items:
+    - { name: "ceilometer", enabled: "{{ enable_ceilometer }}" }
+    - { name: "cinder", enabled: "{{ enable_cinder }}" }
+    - { name: "cloudkitty", enabled: "{{ enable_cloudkitty }}" }
+    - { name: "glance", enabled: "{{ enable_glance }}" }
+    - { name: "heat", enabled: "{{ enable_heat }}" }
+    - { name: "ironic", enabled: "{{ enable_ironic }}" }
+    - { name: "keystone", enabled: "{{ enable_keystone }}" }
+    - { name: "manila", enabled" "{{ enable_manila }}" }
+    - { name: "neutron", enabled: "{{ enable_neutron }}" }
+    - { name: "nova", enabled: "{{ enable_nova }}" }
+    - { name: "sahara", enabled: "{{ enable_sahara }}" }
+    - { name: "senlin", enabled: "{{ enable_senlin }}" }
+    - { name: "trove", enabled: "{{ enable_trove }}" }
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/horizon/{{ item[0]['name'] }}_policy.json"
+    dest: "{{ node_config_directory }}/horizon/{{ item[0]['name'] }}_policy.json"
+  when:
+    - item[0]['enabled'] | bool
+    - item[1]['stat']['exists']
+  with_together:
+    - [{ name: "ceilometer", enabled: "{{ enable_ceilometer }}" },
+       { name: "cinder", enabled: "{{ enable_cinder }}" },
+       { name: "cloudkitty", enabled: "{{ enable_cloudkitty }}" },
+       { name: "glance", enabled: "{{ enable_glance }}" },
+       { name: "heat", enabled: "{{ enable_heat }}" },
+       { name: "ironic", enabled: "{{ enable_ironic }}" },
+       { name: "keystone", enabled: "{{ enable_keystone }}" },
+       { name: "manila", enabled" "{{ enable_manila }}" },
+       { name: "neutron", enabled: "{{ enable_neutron }}" },
+       { name: "nova", enabled: "{{ enable_nova }}" },
+       { name: "sahara", enabled: "{{ enable_sahara }}" },
+       { name: "senlin", enabled: "{{ enable_senlin }}" },
+       { name: "trove", enabled: "{{ enable_trove }}" }]
+    - "{{ custom_policy.results }}"
diff --git a/ansible/roles/horizon/templates/horizon.json.j2 b/ansible/roles/horizon/templates/horizon.json.j2
index b52554d48a..9cdf717b6a 100644
--- a/ansible/roles/horizon/templates/horizon.json.j2
+++ b/ansible/roles/horizon/templates/horizon.json.j2
@@ -1,6 +1,22 @@
 {% set apache_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
 {% set apache_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
 {% set apache_file = '000-default.conf' if kolla_base_distro in ['ubuntu', 'debian'] else 'horizon.conf' %}
+{% set services = [
+    ( 'ceilometer', enable_ceilometer ),
+    ( 'cinder', enable_cinder ),
+    ( 'cloudkitty', enable_cloudkitty ),
+    ( 'glance', enable_glance ),
+    ( 'heat', enable_heat ),
+    ( 'ironic', enable_ironic ),
+    ( 'keystone', enable_keystone ),
+    ( 'manila', enable_manila ),
+    ( 'neutron', enable_neutron ),
+    ( 'nova', enable_nova ),
+    ( 'sahara', enable_sahara ),
+    ( 'senlin', enable_senlin ),
+    ( 'trove', enable_trove )
+] %}
+
 {
     "command": "/usr/sbin/{{ apache_cmd }} -DFOREGROUND",
     "config_files": [
@@ -10,6 +26,15 @@
             "owner": "horizon",
             "perm": "0644"
         },
+{% for service, enabled in services if enabled | bool %}
+        {
+            "source": "{{ container_config_directory }}/horizon/{{ service }}_policy.json",
+            "dest": "/etc/openstack-dashboard/{{ service }}_policy.json",
+            "owner": "horizon",
+            "perm": "0600",
+            "optional": true
+        },
+{% endfor %}
         {
             "source": "{{ container_config_directory }}/local_settings",
             "dest": "/etc/openstack-dashboard/local_settings",