Applying copy_update to all policy.json files

Adding support for dynamically updating the policy files for
nova, glance, neutron, cinder and heat. Uses the copy_update
plugin to detect any updates and applies the changes to the default
policy.json

Implements: blueprint dynamically-manage-policy.json
Change-Id: I573229d6f18a5fe32460b2373ab8b2c36ac722b4

defaults/main.yml

@@ -210,6 +210,14 @@ nova_scheduler_program_name: nova-scheduler
 # nova_metadata_workers: 16
 
 
+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#nova_policy_overrides:
+#  "compute:create": ""
+#  "compute:create:attach_network": ""
+
+
 ## Service Names
 nova_service_names:
   - "{{ nova_metadata_program_name }}"

tasks/nova_post_install.yml

@@ -26,7 +26,6 @@
     - { src: "rootwrap.d/baremetal-deploy-helper.filters", dest: "/etc/nova/rootwrap.d/baremetal-deploy-helper.filters" }
     - { src: "rootwrap.d/compute.filters", dest: "/etc/nova/rootwrap.d/compute.filters" }
     - { src: "rootwrap.d/network.filters", dest: "/etc/nova/rootwrap.d/network.filters" }
-    - { src: "policy.json", dest: "/etc/nova/policy.json" }
     - { src: "api-paste.ini", dest: "/etc/nova/api-paste.ini" }
   notify: Restart nova services
   tags:
@@ -45,3 +44,20 @@
   tags:
     - nova-config
     - nova-post-install
+
+- name: Apply updates to Policy file
+  copy_updates:
+    content="{{ item.content }}"
+    updates="{{ item.policy_data }}"
+    dest="{{ item.dest }}"
+    owner="{{ nova_system_user_name }}"
+    group="{{ nova_system_group_name }}"
+    mode="{{ item.mode|default('0644') }}"
+  with_items:
+    - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ nova_policy_overrides|default('') }}", dest: "/etc/nova/policy.json" }
+  notify:
+    - Restart nova services
+  tags:
+    - nova-config
+    - nova-post-install
+