From d77930373e0ac6634211633f499b7c3663e60de2 Mon Sep 17 00:00:00 2001
From: Dai Dang Van <daidv@vn.fujitsu.com>
Date: Mon, 8 Jan 2018 11:21:12 +0700
Subject: [PATCH] Support policy.yaml file [part 2]

- Keystone
- Glance
- Nova
- Cinder

This will copy only the yaml or json policy file, if it exists.

Change-Id: I4a9415d82322aed68c9b7650bdf346f58fa49e2a
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
---
 ansible/roles/cinder/handlers/main.yml        | 16 ++++----
 ansible/roles/cinder/tasks/config.yml         | 32 ++++++++++-----
 .../roles/cinder/templates/cinder-api.json.j2 | 11 +++--
 .../cinder/templates/cinder-backup.json.j2    | 11 +++--
 .../cinder/templates/cinder-scheduler.json.j2 | 11 +++--
 .../cinder/templates/cinder-volume.json.j2    | 11 +++--
 ansible/roles/cinder/templates/cinder.conf.j2 |  5 +++
 ansible/roles/glance/handlers/main.yml        |  8 ++--
 ansible/roles/glance/tasks/config.yml         | 32 ++++++++++-----
 .../roles/glance/templates/glance-api.conf.j2 |  5 +++
 .../roles/glance/templates/glance-api.json.j2 | 11 +++--
 .../glance/templates/glance-registry.conf.j2  |  5 +++
 .../glance/templates/glance-registry.json.j2  | 11 +++--
 ansible/roles/keystone/handlers/main.yml      |  8 ++--
 ansible/roles/keystone/tasks/config.yml       | 24 ++++++++---
 .../templates/keystone-fernet.json.j2         | 11 +++--
 .../roles/keystone/templates/keystone.conf.j2 |  5 +++
 .../roles/keystone/templates/keystone.json.j2 | 11 +++--
 ansible/roles/nova/handlers/main.yml          | 40 +++++++++----------
 ansible/roles/nova/tasks/config.yml           | 32 ++++++++++-----
 ansible/roles/nova/templates/nova-api.json.j2 | 11 +++--
 .../templates/nova-compute-ironic.json.j2     | 11 +++--
 .../roles/nova/templates/nova-compute.json.j2 | 11 +++--
 .../nova/templates/nova-conductor.json.j2     | 11 +++--
 .../nova/templates/nova-consoleauth.json.j2   | 11 +++--
 .../nova/templates/nova-novncproxy.json.j2    | 11 +++--
 .../nova/templates/nova-scheduler.json.j2     | 11 +++--
 .../templates/nova-spicehtml5proxy.json.j2    | 11 +++--
 ansible/roles/nova/templates/nova.conf.j2     |  5 +++
 .../nova/templates/placement-api.json.j2      | 11 +++--
 30 files changed, 230 insertions(+), 174 deletions(-)

diff --git a/ansible/roles/cinder/handlers/main.yml b/ansible/roles/cinder/handlers/main.yml
index 485669848e..0eccd28e2d 100644
--- a/ansible/roles/cinder/handlers/main.yml
+++ b/ansible/roles/cinder/handlers/main.yml
@@ -5,7 +5,7 @@
     service: "{{ cinder_services[service_name] }}"
     config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     cinder_api_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -20,7 +20,7 @@
     - config_json.changed | bool
       or cinder_conf.changed | bool
       or wsgi_cinder_api.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or cinder_api_container.changed | bool
 
 - name: Restart cinder-scheduler container
@@ -29,7 +29,7 @@
     service: "{{ cinder_services[service_name] }}"
     config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     cinder_scheduler_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -43,7 +43,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or cinder_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or cinder_scheduler_container.changed | bool
 
 - name: Restart cinder-volume container
@@ -52,7 +52,7 @@
     service: "{{ cinder_services[service_name] }}"
     config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     cinder_volume_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -68,7 +68,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or cinder_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or cinder_volume_container.changed | bool
 
 - name: Restart cinder-backup container
@@ -77,7 +77,7 @@
     service: "{{ cinder_services[service_name] }}"
     config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     cinder_backup_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -92,5 +92,5 @@
     - service.enabled | bool
     - config_json.changed | bool
       or cinder_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or cinder_backup_container.changed | bool
diff --git a/ansible/roles/cinder/tasks/config.yml b/ansible/roles/cinder/tasks/config.yml
index 7c38fd80c6..13fa9e2133 100644
--- a/ansible/roles/cinder/tasks/config.yml
+++ b/ansible/roles/cinder/tasks/config.yml
@@ -9,6 +9,23 @@
     - item.value.enabled | bool
   with_dict: "{{ cinder_services }}"
 
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ item }}"
+  run_once: True
+  register: cinder_policy
+  with_first_found:
+    - files: "{{ supported_policy_format_list }}"
+      paths:
+        - "{{ node_custom_config }}/cinder/"
+      skip: true
+
+- name: Set cinder policy file
+  set_fact:
+    cinder_policy_file: "{{ cinder_policy.results.0.stat.path | basename }}"
+    cinder_policy_file_path: "{{ cinder_policy.results.0.stat.path }}"
+  when:
+    - cinder_policy.results
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
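Review bot: When both a YAML and a JSON policy file sit in `{{ node_custom_config }}/cinder/`, `with_first_found` in the added "Check if policies shall be overwritten" task deploys only the first match and ignores the other without any message, so which set of authorization rules takes effect depends on the order of `supported_policy_format_list`, which is defined outside this patch. A comment above the task would make that explicit, for example `# Only the first file matched in supported_policy_format_list is deployed; other policy files in this directory are ignored.` The same applies to the identical tasks added for glance and keystone. `run_once: True` next to `skip: true` also mixes boolean spellings; lowercase `true` in both places would be consistent.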
@@ -63,18 +80,13 @@
     - Restart cinder-volume container
     - Restart cinder-backup container
 
-- name: Check if policies shall be overwritten
-  local_action: stat path="{{ node_custom_config }}/cinder/policy.json"
-  run_once: True
-  register: cinder_policy
-
-- name: Copying over existing policy.json
+- name: Copying over existing policy file
   template:
-    src: "{{ node_custom_config }}/cinder/policy.json"
-    dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
-  register: cinder_policy_jsons
+    src: "{{ cinder_policy_file_path }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ cinder_policy_file }}"
+  register: cinder_policy_overwriting
   when:
-    - cinder_policy.stat.exists
+    - cinder_policy_file is defined
     - inventory_hostname in groups[item.value.group]
   with_dict: "{{ cinder_services }}"
   notify:
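Review bot: The rewritten cinder copy task still sets no `mode:`, while the glance and keystone copies touched by this same patch use `mode: "0660"` with `become: true`, so the permissions of the cinder policy file on the target host are left to the umask. Since this file carries the service's authorization rules, I would add `mode: "0660"` under `template:` here to match the other roles. Whether `become: true` is also needed depends on how the rest of this role writes to `node_config_directory`, which is not visible in the hunk. The task's `notify:` list continues past the end of the hunk.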
diff --git a/ansible/roles/cinder/templates/cinder-api.json.j2 b/ansible/roles/cinder/templates/cinder-api.json.j2
index 4b5243fffc..54b557902c 100644
--- a/ansible/roles/cinder/templates/cinder-api.json.j2
+++ b/ansible/roles/cinder/templates/cinder-api.json.j2
@@ -14,14 +14,13 @@
             "dest": "/etc/{{ cinder_dir }}/cinder-wsgi.conf",
             "owner": "cinder",
             "perm": "0600"
-        },
+        }{% if cinder_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/cinder/policy.json",
+            "source": "{{ container_config_directory }}/{{ cinder_policy_file }}",
+            "dest": "/etc/cinder/{{ cinder_policy_file }}",
             "owner": "cinder",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
diff --git a/ansible/roles/cinder/templates/cinder-backup.json.j2 b/ansible/roles/cinder/templates/cinder-backup.json.j2
index a24b2f062b..897e185a2f 100644
--- a/ansible/roles/cinder/templates/cinder-backup.json.j2
+++ b/ansible/roles/cinder/templates/cinder-backup.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/cinder/cinder.conf",
             "owner": "cinder",
             "perm": "0600"
-        },
+        }{% if cinder_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/cinder/policy.json",
+            "source": "{{ container_config_directory }}/{{ cinder_policy_file }}",
+            "dest": "/etc/cinder/{{ cinder_policy_file }}",
             "owner": "cinder",
-            "perm": "0600",
-            "optional": true
-        }{% if cinder_backend_ceph | bool %},
+            "perm": "0600"
+        }{% endif %}{% if cinder_backend_ceph | bool %},
         {
             "source": "{{ container_config_directory }}/ceph.*",
             "dest": "/etc/ceph/",
diff --git a/ansible/roles/cinder/templates/cinder-scheduler.json.j2 b/ansible/roles/cinder/templates/cinder-scheduler.json.j2
index 84fdfe3d46..cd4a5124a6 100644
--- a/ansible/roles/cinder/templates/cinder-scheduler.json.j2
+++ b/ansible/roles/cinder/templates/cinder-scheduler.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/cinder/cinder.conf",
             "owner": "cinder",
             "perm": "0600"
-        },
+        }{% if cinder_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/cinder/policy.json",
+            "source": "{{ container_config_directory }}/{{ cinder_policy_file }}",
+            "dest": "/etc/cinder/{{ cinder_policy_file }}",
             "owner": "cinder",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
diff --git a/ansible/roles/cinder/templates/cinder-volume.json.j2 b/ansible/roles/cinder/templates/cinder-volume.json.j2
index c00ea1a016..a787ae0045 100644
--- a/ansible/roles/cinder/templates/cinder-volume.json.j2
+++ b/ansible/roles/cinder/templates/cinder-volume.json.j2
@@ -27,14 +27,13 @@
             "owner": "cinder",
             "perm": "0600",
             "optional": {{ (not enable_cinder_backend_nfs | bool) | string | lower }}
-        },
+        }{% if cinder_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/cinder/policy.json",
+            "source": "{{ container_config_directory }}/{{ cinder_policy_file }}",
+            "dest": "/etc/cinder/{{ cinder_policy_file }}",
             "owner": "cinder",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index af4c849b73..bedafc7276 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -68,6 +68,11 @@ topics = notifications
 driver = noop
 {% endif %}
 
+{% if cinder_policy_file is defined %}
+[oslo_policy]
+policy_file = {{ cinder_policy_file }}
+{% endif %}
+
 [nova]
 region_name = {{ openstack_region_name }}
 interface = internal
diff --git a/ansible/roles/glance/handlers/main.yml b/ansible/roles/glance/handlers/main.yml
index 33909725d2..39ea35a921 100644
--- a/ansible/roles/glance/handlers/main.yml
+++ b/ansible/roles/glance/handlers/main.yml
@@ -5,7 +5,7 @@
     service: "{{ glance_services[service_name] }}"
     config_json: "{{ glance_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     glance_conf: "{{ glance_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ glance_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ glance_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     glance_api_container: "{{ check_glance_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -20,7 +20,7 @@
     - config_json.changed | bool
       or glance_conf.changed | bool
       or glance_swift_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or glance_api_container.changed | bool
 
 - name: Restart glance-registry container
@@ -29,7 +29,7 @@
     service: "{{ glance_services[service_name] }}"
     config_json: "{{ glance_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     glance_conf: "{{ glance_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ glance_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ glance_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     glance_registry_container: "{{ check_glance_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -43,6 +43,6 @@
     - service.enabled | bool
     - config_json.changed | bool
       or glance_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or glance_registry_container.changed | bool
 
diff --git a/ansible/roles/glance/tasks/config.yml b/ansible/roles/glance/tasks/config.yml
index 54a5394139..4d76a2eba3 100644
--- a/ansible/roles/glance/tasks/config.yml
+++ b/ansible/roles/glance/tasks/config.yml
@@ -22,6 +22,23 @@
     - item.value.enabled | bool
   with_dict: "{{ glance_services }}"
 
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ item }}"
+  run_once: True
+  register: glance_policy
+  with_first_found:
+    - files: "{{ supported_policy_format_list }}"
+      paths:
+        - "{{ node_custom_config }}/glance/"
+      skip: true
+
+- name: Set glance policy file
+  set_fact:
+    glance_policy_file: "{{ glance_policy.results.0.stat.path | basename }}"
+    glance_policy_file_path: "{{ glance_policy.results.0.stat.path }}"
+  when:
+    - glance_policy.results
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
@@ -59,11 +76,6 @@
     - Restart glance-api container
     - Restart glance-registry container
 
-- name: Check if policies shall be overwritten
-  local_action: stat path="{{ node_custom_config }}/glance/policy.json"
-  run_once: True
-  register: glance_policy
-
 - name: Copying over glance-swift.conf for glance_api
   vars:
     glance_api: "{{ glance_services['glance-api'] }}"
@@ -82,15 +94,15 @@
   notify:
     - Restart glance-api container
 
-- name: Copying over existing policy.json
+- name: Copying over existing policy file
   template:
-    src: "{{ node_custom_config }}/glance/policy.json"
-    dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
+    src: "{{ glance_policy_file_path }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ glance_policy_file_path }}"
     mode: "0660"
   become: true
-  register: glance_policy_jsons
+  register: glance_policy_overwriting
   when:
-    - glance_policy.stat.exists
+    - glance_policy_file is defined
     - inventory_hostname in groups[item.value.group]
   with_dict: "{{ glance_services }}"
   notify:
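Review bot: `dest` in the glance copy task ends with `{{ glance_policy_file_path }}`, which is the full source path taken from `stat`, not the file name; the cinder and keystone tasks use the basename fact in this position. As written the file would land under a nested path below `{{ node_config_directory }}/{{ item.key }}/` instead of next to the other config files, and because the glance config.json templates now list `{{ container_config_directory }}/{{ glance_policy_file }}` without `"optional": true`, the container's config copy would presumably not find it. The line should read `dest: "{{ node_config_directory }}/{{ item.key }}/{{ glance_policy_file }}"`. The task's `notify:` list continues past the end of the hunk.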
diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2
index ca251fb3fb..1258b800ca 100644
--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@@ -89,6 +89,11 @@ driver = messagingv2
 driver = noop
 {% endif %}
 
+{% if glance_policy_file is defined %}
+[oslo_policy]
+policy_file = {{ glance_policy_file }}
+{% endif %}
+
 {% if enable_osprofiler | bool %}
 [profiler]
 enabled = true
diff --git a/ansible/roles/glance/templates/glance-api.json.j2 b/ansible/roles/glance/templates/glance-api.json.j2
index a491931395..89f330ae23 100644
--- a/ansible/roles/glance/templates/glance-api.json.j2
+++ b/ansible/roles/glance/templates/glance-api.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/glance/glance-api.conf",
             "owner": "glance",
             "perm": "0600"
-        },
+        }{% if glance_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/glance/policy.json",
+            "source": "{{ container_config_directory }}/{{ glance_policy_file }}",
+            "dest": "/etc/glance/{{ glance_policy_file }}",
             "owner": "glance",
-            "perm": "0600",
-            "optional": true
-        }{% if glance_backend_ceph | bool %},
+            "perm": "0600"
+        }{% endif %}{% if glance_backend_ceph | bool %},
         {
             "source": "{{ container_config_directory }}/ceph.*",
             "dest": "/etc/ceph/",
diff --git a/ansible/roles/glance/templates/glance-registry.conf.j2 b/ansible/roles/glance/templates/glance-registry.conf.j2
index c08e207409..9a714b3a12 100644
--- a/ansible/roles/glance/templates/glance-registry.conf.j2
+++ b/ansible/roles/glance/templates/glance-registry.conf.j2
@@ -39,6 +39,11 @@ driver = messagingv2
 driver = noop
 {% endif %}
 
+{% if glance_policy_file is defined %}
+[oslo_policy]
+policy_file = {{ glance_policy_file }}
+{% endif %}
+
 {% if enable_osprofiler | bool %}
 [profiler]
 enabled = true
diff --git a/ansible/roles/glance/templates/glance-registry.json.j2 b/ansible/roles/glance/templates/glance-registry.json.j2
index 46dd517364..9a1411bfbd 100644
--- a/ansible/roles/glance/templates/glance-registry.json.j2
+++ b/ansible/roles/glance/templates/glance-registry.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/glance/glance-registry.conf",
             "owner": "glance",
             "perm": "0600"
-        },
+        }{% if glance_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/glance/policy.json",
+            "source": "{{ container_config_directory }}/{{ glance_policy_file }}",
+            "dest": "/etc/glance/{{ glance_policy_file }}",
             "owner": "glance",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
diff --git a/ansible/roles/keystone/handlers/main.yml b/ansible/roles/keystone/handlers/main.yml
index 964bd7873e..3923ebe0a9 100644
--- a/ansible/roles/keystone/handlers/main.yml
+++ b/ansible/roles/keystone/handlers/main.yml
@@ -31,7 +31,7 @@
     service: "{{ keystone_services[service_name] }}"
     config_json: "{{ keystone_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     keystone_conf: "{{ keystone_confs.results|selectattr('item.key', 'equalto', service_name)|first  }}"
-    policy_json: "{{ keystone_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ keystone_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     keystone_container: "{{ check_keystone_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -46,7 +46,7 @@
     - config_json.changed | bool
       or keystone_conf.changed | bool
       or keystone_domains.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or keystone_wsgi.changed | bool
       or keystone_paste_ini.changed | bool
       or keystone_container.changed | bool
@@ -57,7 +57,7 @@
     service: "{{ keystone_services[service_name] }}"
     config_json: "{{ keystone_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     keystone_conf: "{{ keystone_confs.results|selectattr('item.key', 'equalto', service_name)|first  }}"
-    policy_json: "{{ keystone_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ keystone_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     keystone_fernet_container: "{{ check_keystone_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -71,7 +71,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or keystone_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or keystone_fernet_confs.changed | bool
       or keystone_fernet_container.changed | bool
 
diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml
index f32001c9a3..31617bc998 100644
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@@ -1,8 +1,20 @@
 ---
 - name: Check if policies shall be overwritten
-  local_action: stat path="{{ node_custom_config }}/keystone/policy.json"
+  local_action: stat path="{{ item }}"
   run_once: True
   register: keystone_policy
+  with_first_found:
+    - files: "{{ supported_policy_format_list }}"
+      paths:
+        - "{{ node_custom_config }}/keystone/"
+      skip: true
+
+- name: Set keystone policy file
+  set_fact:
+    keystone_policy_file: "{{ keystone_policy.results.0.stat.path | basename }}"
+    keystone_policy_file_path: "{{ keystone_policy.results.0.stat.path }}"
+  when:
+    - keystone_policy.results
 
 - name: Check if Keystone Domain specific settings enabled
   local_action: stat path="{{ node_custom_config }}/keystone/domains"
@@ -107,18 +119,18 @@
   notify:
     - Restart keystone container
 
-- name: Copying over existing policy.json
+- name: Copying over existing policy file
   template:
-    src: "{{ node_custom_config }}/keystone/policy.json"
-    dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
+    src: "{{ keystone_policy_file_path }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ keystone_policy_file }}"
     mode: "0660"
   become: true
-  register: keystone_policy_jsons
+  register: keystone_policy_overwriting
   when:
     - inventory_hostname in groups[item.value.group]
     - item.key in [ "keystone", "keystone-fernet" ]
     - item.value.enabled | bool
-    - keystone_policy.stat.exists
+    - keystone_policy_file is defined
   with_dict: "{{ keystone_services }}"
   notify:
     - Restart keystone container
diff --git a/ansible/roles/keystone/templates/keystone-fernet.json.j2 b/ansible/roles/keystone/templates/keystone-fernet.json.j2
index c7aa50e18d..666e785c4f 100644
--- a/ansible/roles/keystone/templates/keystone-fernet.json.j2
+++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2
@@ -36,13 +36,12 @@
             "dest": "/var/lib/keystone/.ssh/id_rsa",
             "owner": "keystone",
             "perm": "0600"
-        },
+        }{% if keystone_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/keystone/policy.json",
+            "source": "{{ container_config_directory }}/{{ keystone_policy_file }}",
+            "dest": "/etc/keystone/{{ keystone_policy_file }}",
             "owner": "keystone",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ]
 }
diff --git a/ansible/roles/keystone/templates/keystone.conf.j2 b/ansible/roles/keystone/templates/keystone.conf.j2
index fa6cf2a2d4..6615f764c9 100644
--- a/ansible/roles/keystone/templates/keystone.conf.j2
+++ b/ansible/roles/keystone/templates/keystone.conf.j2
@@ -13,6 +13,11 @@ use_stderr = True
 [oslo_middleware]
 enable_proxy_headers_parsing = True
 
+{% if keystone_policy_file is defined %}
+[oslo_policy]
+policy_file = {{ keystone_policy_file }}
+{% endif %}
+
 [database]
 connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}
 max_retries = -1
diff --git a/ansible/roles/keystone/templates/keystone.json.j2 b/ansible/roles/keystone/templates/keystone.json.j2
index 0f871d16b6..5d0486ede0 100644
--- a/ansible/roles/keystone/templates/keystone.json.j2
+++ b/ansible/roles/keystone/templates/keystone.json.j2
@@ -22,14 +22,13 @@
             "owner": "keystone",
             "perm": "0700",
             "optional": true
-        },
+        }{% if keystone_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/keystone/policy.json",
+            "source": "{{ container_config_directory }}/{{ keystone_policy_file }}",
+            "dest": "/etc/keystone/{{ keystone_policy_file }}",
             "owner": "keystone",
-            "perm": "0600",
-            "optional": true
-        },
+            "perm": "0600"
+        }{% endif %},
         {
             "source": "{{ container_config_directory }}/wsgi-keystone.conf",
             "dest": "/etc/{{ keystone_dir }}/wsgi-keystone.conf",
diff --git a/ansible/roles/nova/handlers/main.yml b/ansible/roles/nova/handlers/main.yml
index aab84b7fba..21b2d412fb 100644
--- a/ansible/roles/nova/handlers/main.yml
+++ b/ansible/roles/nova/handlers/main.yml
@@ -54,7 +54,7 @@
     service: "{{ nova_services[service_name] }}"
     config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     placement_api_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -68,7 +68,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or nova_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or placement_api_wsgi_conf | changed
       or placement_api_container.changed | bool
 
@@ -78,7 +78,7 @@
     service: "{{ nova_services[service_name] }}"
     config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_api_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -93,7 +93,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or nova_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or nova_api_container.changed | bool
 
 - name: Restart nova-scheduler container
@@ -102,7 +102,7 @@
     service: "{{ nova_services[service_name] }}"
     config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_scheduler_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -117,7 +117,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or nova_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or nova_scheduler_container.changed | bool
 
 - name: Restart nova-conductor container
@@ -126,7 +126,7 @@
     service: "{{ nova_services[service_name] }}"
     config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conductor_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -141,7 +141,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or nova_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or nova_conductor_container.changed | bool
 
 
@@ -151,7 +151,7 @@
     service: "{{ nova_services[service_name] }}"
     config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_consoleauth_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -166,7 +166,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or nova_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or nova_consoleauth_container.changed | bool
 
 - name: Restart nova-novncproxy container
@@ -175,7 +175,7 @@
     service: "{{ nova_services[service_name] }}"
     config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_novncproxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -190,7 +190,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or nova_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or nova_novncproxy_container.changed | bool
 
 - name: Restart nova-spicehtml5proxy container
@@ -199,7 +199,7 @@
     service: "{{ nova_services[service_name] }}"
     config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_spicehtml5proxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -214,7 +214,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or nova_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or nova_spicehtml5proxy_container.changed | bool
 
 - name: Restart nova-serialproxy container
@@ -223,7 +223,7 @@
     service: "{{ nova_services[service_name] }}"
     config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_serialproxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -238,7 +238,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or nova_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or nova_serialproxy_container.changed | bool
 
 - name: Restart nova-compute container
@@ -247,7 +247,7 @@
     service: "{{ nova_services[service_name] }}"
     config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_compute_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -263,7 +263,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or nova_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or vcenter_ca_file | bool
       or nova_compute_container.changed | bool
 
@@ -273,7 +273,7 @@
     service: "{{ nova_services[service_name] }}"
     config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
     nova_compute_ironic_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -288,7 +288,7 @@
     - service.enabled | bool
     - config_json.changed | bool
       or nova_conf.changed | bool
-      or policy_json.changed | bool
+      or policy_overwriting.changed | bool
       or nova_compute_ironic_container.changed | bool
 
 # nova-compute-fake is special. It will start multi numbers of container
diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml
index 834646c956..26af6278bd 100644
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@@ -24,6 +24,23 @@
     - item.value.enabled | bool
   with_dict: "{{ nova_services }}"
 
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ item }}"
+  run_once: True
+  register: nova_policy
+  with_first_found:
+    - files: "{{ supported_policy_format_list }}"
+      paths:
+        - "{{ node_custom_config }}/nova/"
+      skip: true
+
+- name: Set nova policy file
+  set_fact:
+    nova_policy_file: "{{ nova_policy.results.0.stat.path | basename }}"
+    nova_policy_file_path: "{{ nova_policy.results.0.stat.path }}"
+  when:
+    - nova_policy.results
+
 - name: Copying over config.json files for services
   become: true
   template:
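Review bot: When `{{ node_custom_config }}/nova/` holds more than one of the names in `supported_policy_format_list`, `with_first_found` silently takes the first match and ignores the rest, so an operator editing the ignored file would see no change in the enforced policy. The precedence comes from the order of `supported_policy_format_list`, which is defined outside this diff. A comment above the task, such as `# first match in supported_policy_format_list wins; any other policy file in this directory is ignored`, would make that explicit. As a smaller style point, `run_once: True` could be written `true` to match `skip: true` a few lines below.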
@@ -138,12 +155,7 @@
   notify:
     - Restart nova-compute container
 
-- name: Check if policies shall be overwritten
-  local_action: stat path="{{ node_custom_config }}/nova/policy.json"
-  run_once: True
-  register: nova_policy
-
-- name: Copying over existing policy.json
+- name: Copying over existing policy file
   become: true
   vars:
     services_require_policy_json:
@@ -158,13 +170,13 @@
       - nova-scheduler
       - nova-spicehtml5proxy
   template:
-    src: "{{ node_custom_config }}/nova/policy.json"
-    dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
-  register: policy_jsons
+    src: "{{ nova_policy_file_path }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ nova_policy_file }}"
+  register: nova_policy_overwriting
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
-    - nova_policy.stat.exists
+    - nova_policy_file is defined
     - item.key in services_require_policy_json
   with_dict: "{{ nova_services }}"
   notify:
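Review bot: The `template` task that now writes `{{ nova_policy_file }}` sets no `mode:`, so the copy under `node_config_directory` gets whatever the become user's umask yields, while the config.json entries in this commit request `0600` inside the container. With a typical 022 umask the host-side copy of the access-control rules would be world-readable; an explicit line under `dest:`, for example `mode: "0660"`, removes that dependence. `services_require_policy_json` is also a stale name now that the file may be YAML, though renaming it is optional. The task starts in the previous hunk and its `notify:` list continues past this one.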
diff --git a/ansible/roles/nova/templates/nova-api.json.j2 b/ansible/roles/nova/templates/nova-api.json.j2
index d669bfdaf8..f52b27ecc0 100644
--- a/ansible/roles/nova/templates/nova-api.json.j2
+++ b/ansible/roles/nova/templates/nova-api.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/nova/nova.conf",
             "owner": "nova",
             "perm": "0600"
-        },
+        }{% if nova_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/nova/policy.json",
+            "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+            "dest": "/etc/nova/{{ nova_policy_file }}",
             "owner": "nova",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
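Review bot: Dropping `"optional": true` makes the policy entry mandatory whenever `nova_policy_file` is defined, but that fact is global while the copy task in `tasks/config.yml` writes the file only for services listed in `services_require_policy_json`. That list is only partly visible in this diff, so it should be checked against every template that gains this block: this file, nova-compute-ironic, nova-compute, nova-conductor, nova-consoleauth, nova-novncproxy, nova-scheduler, nova-spicehtml5proxy and placement-api. A service missing from the list would presumably fail its config copy at container start because the source file was never written. If the two cannot be guaranteed to match, keeping `"optional": true` inside the new `{% if nova_policy_file is defined %}` block is the safer form.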
diff --git a/ansible/roles/nova/templates/nova-compute-ironic.json.j2 b/ansible/roles/nova/templates/nova-compute-ironic.json.j2
index 92c0ee71b7..d41811fc70 100644
--- a/ansible/roles/nova/templates/nova-compute-ironic.json.j2
+++ b/ansible/roles/nova/templates/nova-compute-ironic.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/nova/nova.conf",
             "owner": "nova",
             "perm": "0600"
-        },
+        }{% if nova_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/nova/policy.json",
+            "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+            "dest": "/etc/nova/{{ nova_policy_file }}",
             "owner": "nova",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
diff --git a/ansible/roles/nova/templates/nova-compute.json.j2 b/ansible/roles/nova/templates/nova-compute.json.j2
index 98a4f5ca99..c0f125e01c 100644
--- a/ansible/roles/nova/templates/nova-compute.json.j2
+++ b/ansible/roles/nova/templates/nova-compute.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/nova/nova.conf",
             "owner": "nova",
             "perm": "0600"
-        },
+        }{% if nova_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/nova/policy.json",
+            "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+            "dest": "/etc/nova/{{ nova_policy_file }}",
             "owner": "nova",
-            "perm": "0600",
-            "optional": true
-        }{% if nova_backend == "rbd" %},
+            "perm": "0600"
+        }{% endif %}{% if nova_backend == "rbd" %},
         {
             "source": "{{ container_config_directory }}/ceph.*",
             "dest": "/etc/ceph/",
diff --git a/ansible/roles/nova/templates/nova-conductor.json.j2 b/ansible/roles/nova/templates/nova-conductor.json.j2
index 50bcd53693..68e4c7294f 100644
--- a/ansible/roles/nova/templates/nova-conductor.json.j2
+++ b/ansible/roles/nova/templates/nova-conductor.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/nova/nova.conf",
             "owner": "nova",
             "perm": "0600"
-        },
+        }{% if nova_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/nova/policy.json",
+            "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+            "dest": "/etc/nova/{{ nova_policy_file }}",
             "owner": "nova",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
diff --git a/ansible/roles/nova/templates/nova-consoleauth.json.j2 b/ansible/roles/nova/templates/nova-consoleauth.json.j2
index af6a6c992c..09e663402f 100644
--- a/ansible/roles/nova/templates/nova-consoleauth.json.j2
+++ b/ansible/roles/nova/templates/nova-consoleauth.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/nova/nova.conf",
             "owner": "nova",
             "perm": "0600"
-        },
+        }{% if nova_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/nova/policy.json",
+            "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+            "dest": "/etc/nova/{{ nova_policy_file }}",
             "owner": "nova",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
diff --git a/ansible/roles/nova/templates/nova-novncproxy.json.j2 b/ansible/roles/nova/templates/nova-novncproxy.json.j2
index 11e2bbf06b..e85cdbb48a 100644
--- a/ansible/roles/nova/templates/nova-novncproxy.json.j2
+++ b/ansible/roles/nova/templates/nova-novncproxy.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/nova/nova.conf",
             "owner": "nova",
             "perm": "0600"
-        },
+        }{% if nova_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/nova/policy.json",
+            "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+            "dest": "/etc/nova/{{ nova_policy_file }}",
             "owner": "nova",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
diff --git a/ansible/roles/nova/templates/nova-scheduler.json.j2 b/ansible/roles/nova/templates/nova-scheduler.json.j2
index b59f2f0e47..ae13758df7 100644
--- a/ansible/roles/nova/templates/nova-scheduler.json.j2
+++ b/ansible/roles/nova/templates/nova-scheduler.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/nova/nova.conf",
             "owner": "nova",
             "perm": "0600"
-        },
+        }{% if nova_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/nova/policy.json",
+            "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+            "dest": "/etc/nova/{{ nova_policy_file }}",
             "owner": "nova",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
diff --git a/ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2 b/ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2
index b1a218bb82..727b1121e5 100644
--- a/ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2
+++ b/ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2
@@ -6,14 +6,13 @@
             "dest": "/etc/nova/nova.conf",
             "owner": "nova",
             "perm": "0600"
-        },
+        }{% if nova_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/nova/policy.json",
+            "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+            "dest": "/etc/nova/{{ nova_policy_file }}",
             "owner": "nova",
-            "perm": "0600",
-            "optional": true
-        }
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index a09e4800e1..73f7510c6e 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -215,6 +215,11 @@ topics = {{ nova_enabled_notification_topics | map(attribute='name') | join(',')
 driver = noop
 {% endif %}
 
+{% if nova_policy_file is defined %}
+[oslo_policy]
+policy_file = {{ nova_policy_file }}
+{% endif %}
+
 [privsep_entrypoint]
 helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf
 
diff --git a/ansible/roles/nova/templates/placement-api.json.j2 b/ansible/roles/nova/templates/placement-api.json.j2
index fba578a84f..395f7d06fa 100644
--- a/ansible/roles/nova/templates/placement-api.json.j2
+++ b/ansible/roles/nova/templates/placement-api.json.j2
@@ -8,14 +8,13 @@
             "dest": "/etc/nova/nova.conf",
             "owner": "nova",
             "perm": "0600"
-        },
+        }{% if nova_policy_file is defined %},
         {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/nova/policy.json",
+            "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+            "dest": "/etc/nova/{{ nova_policy_file }}",
             "owner": "nova",
-            "perm": "0600",
-            "optional": true
-        },
+            "perm": "0600"
+        }{% endif %},
         {
             "source": "{{ container_config_directory }}/placement-api-wsgi.conf",
             "dest": "/etc/{{ apache_conf_dir }}/placement-api-wsgi.conf",