From 39a839c54a5008dc08823b9c8dd84dd8871f3277 Mon Sep 17 00:00:00 2001 From: Sudarshan Acharya Date: Fri, 17 Apr 2015 16:11:46 +0000 Subject: [PATCH] Applying copy_update to all policy.json files Adding support for dynamically updating the policy files for nova, glance, neutron, cinder and heat. Uses the copy_update plugin to detect any updates and applies the changes to the default policy.json Implements: blueprint dynamically-manage-policy.json Change-Id: I573229d6f18a5fe32460b2373ab8b2c36ac722b4 --- defaults/main.yml | 7 +++++++ tasks/glance_post_install.yml | 17 ++++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index fe46649a..bb58d225 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -119,6 +119,13 @@ glance_policy_dirs: policy.d # type: "nfs" ## This can be nfs or nfs4 # options: "_netdev,auto" ## Mount options +## Policy vars +# Provide a list of access controls to update the default policy.json with. These changes will be merged +# with the access controls in the default policy.json. E.g. +#glance_policy_overrides: +# "add_image": "" +# "delete_image": "" + # Common apt packages glance_apt_packages: - rpcbind diff --git a/tasks/glance_post_install.yml b/tasks/glance_post_install.yml index cd158220..98f0f3ed 100644 --- a/tasks/glance_post_install.yml +++ b/tasks/glance_post_install.yml @@ -59,7 +59,6 @@ owner: "{{ glance_system_user_name }}" group: "{{ glance_system_group_name }}" with_items: - - { src: "policy.json", dest: "/etc/glance/policy.json" } - { src: "schema.json", dest: "/etc/glance/schema.json" } - { src: "schema.json", dest: "/etc/glance/schema-image.json" } notify: 
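Review bot: The commented example for `glance_policy_overrides` in the defaults/main.yml hunk uses empty rule strings (`"add_image": ""`, `"delete_image": ""`), and in an OpenStack policy file an empty rule always passes, so the action is open to every caller the API accepts. An operator who copies the example to learn the format ends up stating an unrestricted rule for image deletion, not a tightened one. I would show a restrictive value in the example, for instance `#  "delete_image": "role:admin"`, and add one comment line such as `# An empty rule ("") permits every caller; list only the rules you intend to change.` The hunk only describes the result as "merged", so the comment should also say whether an override replaces the shipped rule for that key.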
@@ -68,6 +67,22 @@ tags: - glance-config +- name: Apply updates to Policy file + copy_updates: + content="{{ item.content }}" + updates="{{ item.policy_data }}" + dest="{{ item.dest }}" + owner="{{ glance_system_user_name }}" + group="{{ glance_system_group_name }}" + mode="{{ item.mode|default('0644') }}" + with_items: + - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ glance_policy_overrides|default('') }}", dest: "/etc/glance/policy.json" } + notify: + - Restart glance api + - Restart glance registry + tags: + - glance-config + - name: Create nfs shares local path file: path: "{{ item.local_path }}"
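Review bot: In the new `Apply updates to Policy file` task, `policy_data` falls back to an empty string through `glance_policy_overrides|default('')`, although defaults/main.yml documents the variable as a mapping of rule names to rules. An empty mapping is the safer fallback for the unset case, `policy_data: "{{ glance_policy_overrides | default({}) }}"`, so the plugin always receives the same type. The arguments are also passed as `key=value` strings, so it is worth confirming that `updates="{{ item.policy_data }}"` reaches `copy_updates` as structured data and not as a stringified dict; writing the arguments as a YAML mapping under `copy_updates:` would avoid the question. Since the destination is the service's authorization policy and the plugin is not part of this patch, I cannot tell whether an override key absent from the shipped policy.json is reported; if it is merged silently, a mistyped rule name leaves the default rule in force with no error, which a warning in the plugin or a check in this task would catch.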