aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
authorEmilien Macchi <emilien@redhat.com>2017-03-14 21:09:11 -0400
committerEmilien Macchi <emilien@redhat.com>2017-03-28 22:21:28 +0000
commit91053af09dace8dba65c9e5b72eb7de15fd69522 (patch)
treea6f588badd22243d0079b7db01bd0f629ea89881 /puppet
parent06ec138699b0658b8d005ed900d24c9d72ac8ec7 (diff)
Allow to configure policy.json for OpenStack projects
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
Diffstat (limited to 'puppet')
-rw-r--r--puppet/config.role.j2.yaml2
-rw-r--r--puppet/services/aodh-api.yaml7
-rw-r--r--puppet/services/barbican-api.yaml7
-rw-r--r--puppet/services/ceilometer-api.yaml7
-rw-r--r--puppet/services/cinder-api.yaml7
-rw-r--r--puppet/services/congress.yaml7
-rw-r--r--puppet/services/ec2-api.yaml7
-rw-r--r--puppet/services/glance-api.yaml7
-rw-r--r--puppet/services/gnocchi-api.yaml7
-rw-r--r--puppet/services/heat-api.yaml7
-rw-r--r--puppet/services/ironic-api.yaml7
-rw-r--r--puppet/services/keystone.yaml7
-rw-r--r--puppet/services/mistral-api.yaml7
-rw-r--r--puppet/services/neutron-api.yaml7
-rw-r--r--puppet/services/nova-api.yaml7
-rw-r--r--puppet/services/octavia-api.yaml7
-rw-r--r--puppet/services/panko-api.yaml7
-rw-r--r--puppet/services/sahara-api.yaml7
-rw-r--r--puppet/services/tacker.yaml7
-rw-r--r--puppet/services/zaqar.yaml7
20 files changed, 134 insertions, 1 deletions
diff --git a/puppet/config.role.j2.yaml b/puppet/config.role.j2.yaml
index 7337d062..cdbc76f0 100644
--- a/puppet/config.role.j2.yaml
+++ b/puppet/config.role.j2.yaml
@@ -38,7 +38,7 @@ resources:
- ''
- list_join:
- ','
- - ['file,concat,file_line', {get_param: PuppetTags}]
+ - ['file,concat,file_line,augeas', {get_param: PuppetTags}]
outputs:
- name: result
inputs:
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml
index d7c87b61..7cc6e4c6 100644
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@@ -24,6 +24,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ AodhApiPolicies:
+ description: |
+ A hash of policies to configure for Aodh API.
+ e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
AodhBase:
@@ -61,6 +67,7 @@ outputs:
aodh::wsgi::apache::wsgi_process_display_name: 'aodh_wsgi'
aodh::api::service_name: 'httpd'
aodh::api::enable_proxy_headers_parsing: true
+ aodh::policy::policies: {get_param: AodhApiPolicies}
tripleo.aodh_api.firewall_rules:
'128 aodh-api':
dport:
diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml
index d8787c87..91a5b01c 100644
--- a/puppet/services/barbican-api.yaml
+++ b/puppet/services/barbican-api.yaml
@@ -55,6 +55,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ BarbicanPolicies:
+ description: |
+ A hash of policies to configure for Barbican.
+ e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -77,6 +83,7 @@ outputs:
barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
+ barbican::policy::policies: {get_param: BarbicanPolicies}
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::api::db_auto_create: false
barbican::api::enabled_certificate_plugins: ['simple_certificate']
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index f5ee9d40..ba94b451 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -29,6 +29,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ CeilometerApiPolicies:
+ description: |
+ A hash of policies to configure for Ceilometer API.
+ e.g. { ceilometer-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
CeilometerServiceBase:
@@ -78,6 +84,7 @@ outputs:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
+ ceilometer::policy::policies: {get_param: CeilometerApiPolicies}
ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS}
ceilometer::wsgi::apache::servername:
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index 958b0e7d..c1e6b0b0 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -46,6 +46,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ CinderApiPolicies:
+ description: |
+ A hash of policies to configure for Cinder API.
+ e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
@@ -86,6 +92,7 @@ outputs:
cinder::keystone::authtoken::project_name: 'service'
cinder::keystone::authtoken::user_domain_name: 'Default'
cinder::keystone::authtoken::project_domain_name: 'Default'
+ cinder::policy::policies: {get_param: CinderApiPolicies}
cinder::api::enable_proxy_headers_parsing: true
cinder::api::nova_catalog_info: 'compute:nova:internalURL'
diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml
index 20f64162..1d9eecb1 100644
--- a/puppet/services/congress.yaml
+++ b/puppet/services/congress.yaml
@@ -47,6 +47,12 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ CongressPolicies:
+ description: |
+ A hash of policies to configure for Congress.
+ e.g. { congress-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
outputs:
role_data:
@@ -86,6 +92,7 @@ outputs:
congress::db::mysql::allowed_hosts:
- '%'
- {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ congress::policy::policies: {get_param: CongressPolicies}
service_config_settings:
keystone:
diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml
index 10f6d311..eef2a76f 100644
--- a/puppet/services/ec2-api.yaml
+++ b/puppet/services/ec2-api.yaml
@@ -42,6 +42,12 @@ parameters:
default: 'false'
description: Set to true to enable package installation via Puppet
type: boolean
+ Ec2ApiPolicies:
+ description: |
+ A hash of policies to configure for EC2-API.
+ e.g. { ec2api-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
@@ -67,6 +73,7 @@ outputs:
ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword}
ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ec2api::policy::policies: {get_param: Ec2ApiPolicies}
ec2api::api::enabled: true
ec2api::package_manage: {get_param: EnablePackageInstall}
ec2api::api::ec2api_listen:
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index b06f9993..f61e6154 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -110,6 +110,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ GlanceApiPolicies:
+ description: |
+ A hash of policies to configure for Glance API.
+ e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
@@ -155,6 +161,7 @@ outputs:
glance::api::enable_proxy_headers_parsing: true
glance::api::debug: {get_param: Debug}
glance::api::workers: {get_param: GlanceWorkers}
+ glance::policy::policies: {get_param: GlanceApiPolicies}
tripleo.glance_api.firewall_rules:
'112 glance_api':
dport:
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index f4629917..cd323703 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -44,6 +44,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ GnocchiApiPolicies:
+ description: |
+ A hash of policies to configure for Gnocchi API.
+ e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -83,6 +89,7 @@ outputs:
gnocchi::api::enabled: true
gnocchi::api::enable_proxy_headers_parsing: true
gnocchi::api::service_name: 'httpd'
+ gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}
diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml
index e21369e8..f8128bb8 100644
--- a/puppet/services/heat-api.yaml
+++ b/puppet/services/heat-api.yaml
@@ -41,6 +41,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ HeatApiPolicies:
+ description: |
+ A hash of policies to configure for Heat API.
+ e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]}
@@ -82,6 +88,7 @@ outputs:
- 13004
heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]}
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
+ heat::policy::policies: {get_param: HeatApiPolicies}
heat::api::service_name: 'httpd'
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml
index e24d0de6..1f18cb1b 100644
--- a/puppet/services/ironic-api.yaml
+++ b/puppet/services/ironic-api.yaml
@@ -29,6 +29,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ IronicApiPolicies:
+ description: |
+ A hash of policies to configure for Ironic API.
+ e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
IronicBase:
@@ -64,6 +70,7 @@ outputs:
ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
# This is used to build links in responses
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
+ ironic::policy::policies: {get_param: IronicApiPolicies}
tripleo.ironic_api.firewall_rules:
'133 ironic api':
dport:
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 17616867..0976b97c 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -158,6 +158,12 @@ parameters:
description: >
Cron to purge expired tokens - User
default: 'keystone'
+ KeystonePolicies:
+ description: |
+ A hash of policies to configure for Keystone.
+ e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -197,6 +203,7 @@ outputs:
keystone::admin_token: {get_param: AdminToken}
keystone::admin_password: {get_param: AdminPassword}
keystone::roles::admin::password: {get_param: AdminPassword}
+ keystone::policy::policies: {get_param: KeystonePolicies}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
keystone::token_provider: {get_param: KeystoneTokenProvider}
diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml
index 1c7d6bd3..02c69392 100644
--- a/puppet/services/mistral-api.yaml
+++ b/puppet/services/mistral-api.yaml
@@ -22,6 +22,12 @@ parameters:
default: 1
description: The number of workers for the mistral-api.
type: number
+ MistralApiPolicies:
+ description: |
+ A hash of policies to configure for Mistral API.
+ e.g. { mistral-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
MistralBase:
@@ -41,6 +47,7 @@ outputs:
- get_attr: [MistralBase, role_data, config_settings]
- mistral::api::api_workers: {get_param: MistralWorkers}
mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]}
+ mistral::policy::policies: {get_param: MistralApiPolicies}
tripleo.mistral_api.firewall_rules:
'133 mistral':
dport:
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index 7a24ffdd..9b9d1c72 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -60,6 +60,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ NeutronApiPolicies:
+ description: |
+ A hash of policies to configure for Neutron API.
+ e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
@@ -127,6 +133,7 @@ outputs:
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/ovs_neutron'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
+ neutron::policy::policies: {get_param: NeutronApiPolicies}
neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
neutron::server::api_workers: {get_param: NeutronWorkers}
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index 473c24b4..6f90409b 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -62,6 +62,12 @@ parameters:
default: 300
description: Timeout for Nova db sync
type: number
+ NovaApiPolicies:
+ description: |
+ A hash of policies to configure for Nova API.
+ e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
conditions:
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
@@ -145,6 +151,7 @@ outputs:
nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
+ nova::policy::policies: {get_param: NovaApiPolicies}
-
if:
- nova_workers_zero
diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml
index 909a3030..2f898a67 100644
--- a/puppet/services/octavia-api.yaml
+++ b/puppet/services/octavia-api.yaml
@@ -34,6 +34,12 @@ parameters:
default:
tag: openstack.octavia.api
path: /var/log/octavia/api.log
+ OctaviaApiPolicies:
+ description: |
+ A hash of policies to configure for Octavia API.
+ e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
@@ -57,6 +63,7 @@ outputs:
map_merge:
- get_attr: [OctaviaBase, role_data, config_settings]
- octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ octavia::policy::policies: {get_param: OctaviaApiPolicies}
octavia::db::database_connection:
list_join:
- ''
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
index eed98257..43e7aa18 100644
--- a/puppet/services/panko-api.yaml
+++ b/puppet/services/panko-api.yaml
@@ -24,6 +24,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ PankoApiPolicies:
+ description: |
+ A hash of policies to configure for Panko API.
+ e.g. { panko-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
PankoBase:
@@ -58,6 +64,7 @@ outputs:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]}
+ panko::policy::policies: {get_param: PankoApiPolicies}
panko::api::service_name: 'httpd'
panko::api::enable_proxy_headers_parsing: true
tripleo.panko_api.firewall_rules:
diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml
index 96b3d6e3..d9f2115a 100644
--- a/puppet/services/sahara-api.yaml
+++ b/puppet/services/sahara-api.yaml
@@ -38,6 +38,12 @@ parameters:
default:
tag: openstack.sahara.api
path: /var/log/sahara/sahara-api.log
+ SaharaApiPolicies:
+ description: |
+ A hash of policies to configure for Sahara API.
+ e.g. { sahara-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
resources:
SaharaBase:
@@ -60,6 +66,7 @@ outputs:
map_merge:
- get_attr: [SaharaBase, role_data, config_settings]
- sahara::port: {get_param: [EndpointMap, SaharaInternal, port]}
+ sahara::policy::policies: {get_param: SaharaApiPolicies}
sahara::service::api::api_workers: {get_param: SaharaWorkers}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
diff --git a/puppet/services/tacker.yaml b/puppet/services/tacker.yaml
index a4c139b5..d6c0ef9a 100644
--- a/puppet/services/tacker.yaml
+++ b/puppet/services/tacker.yaml
@@ -47,6 +47,12 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ TackerPolicies:
+ description: |
+ A hash of policies to configure for Tacker.
+ e.g. { tacker-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
outputs:
role_data:
@@ -87,6 +93,7 @@ outputs:
tacker::db::mysql::allowed_hosts:
- '%'
- {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ tacker::policy::policies: {get_param: TackerPolicies}
service_config_settings:
keystone:
diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml
index a320f694..33769d02 100644
--- a/puppet/services/zaqar.yaml
+++ b/puppet/services/zaqar.yaml
@@ -30,6 +30,12 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ ZaqarPolicies:
+ description: |
+ A hash of policies to configure for Zaqar.
+ e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+ default: {}
+ type: json
outputs:
@@ -38,6 +44,7 @@ outputs:
value:
service_name: zaqar
config_settings:
+ zaqar::policy::policies: {get_param: ZaqarPolicies}
zaqar::keystone::authtoken::password: {get_param: ZaqarPassword}
zaqar::keystone::authtoken::project_name: 'service'
zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}