From 91053af09dace8dba65c9e5b72eb7de15fd69522 Mon Sep 17 00:00:00 2001 From: Emilien Macchi Date: Tue, 14 Mar 2017 21:09:11 -0400 Subject: Allow to configure policy.json for OpenStack projects For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95 --- docker/docker-puppet.py | 4 ++-- docker/services/README.rst | 2 +- environments/nova-api-policy.yaml | 10 ++++++++++ puppet/config.role.j2.yaml | 2 +- puppet/services/aodh-api.yaml | 7 +++++++ puppet/services/barbican-api.yaml | 7 +++++++ puppet/services/ceilometer-api.yaml | 7 +++++++ puppet/services/cinder-api.yaml | 7 +++++++ puppet/services/congress.yaml | 7 +++++++ puppet/services/ec2-api.yaml | 7 +++++++ puppet/services/glance-api.yaml | 7 +++++++ puppet/services/gnocchi-api.yaml | 7 +++++++ puppet/services/heat-api.yaml | 7 +++++++ puppet/services/ironic-api.yaml | 7 +++++++ puppet/services/keystone.yaml | 7 +++++++ puppet/services/mistral-api.yaml | 7 +++++++ puppet/services/neutron-api.yaml | 7 +++++++ puppet/services/nova-api.yaml | 7 +++++++ puppet/services/octavia-api.yaml | 7 +++++++ puppet/services/panko-api.yaml | 7 +++++++ puppet/services/sahara-api.yaml | 7 +++++++ puppet/services/tacker.yaml | 7 +++++++ puppet/services/zaqar.yaml | 7 +++++++ releasenotes/notes/api-policy-4ca739519537f6f4.yaml | 13 +++++++++++++ 24 files changed, 160 insertions(+), 4 deletions(-) create mode 100644 environments/nova-api-policy.yaml create mode 100644 releasenotes/notes/api-policy-4ca739519537f6f4.yaml diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index 8f95208f..eb647737 100755 --- a/docker/docker-puppet.py +++ b/docker/docker-puppet.py @@ -247,9 +247,9 @@ for config_volume in configs: volumes = service[4] if len(service) > 4 else [] if puppet_tags: - puppet_tags = "file,file_line,concat,%s" % puppet_tags + puppet_tags = "file,file_line,concat,augeas,%s" % puppet_tags else: - puppet_tags = "file,file_line,concat" + puppet_tags = "file,file_line,concat,augeas" process_map.append([config_volume, puppet_tags, manifest, config_image, volumes]) diff --git a/docker/services/README.rst b/docker/services/README.rst index 465e4abe..84ac842e 100644 --- a/docker/services/README.rst +++ b/docker/services/README.rst @@ -74,7 +74,7 @@ are re-asserted when applying latter ones. * puppet_tags: Puppet resource tag names that are used to generate config files with puppet. Only the named config resources are used to generate a config file. Any service that specifies tags will have the default - tags of 'file,concat,file_line' appended to the setting. + tags of 'file,concat,file_line,augeas' appended to the setting. Example: keystone_config * config_volume: The name of the volume (directory) where config files diff --git a/environments/nova-api-policy.yaml b/environments/nova-api-policy.yaml new file mode 100644 index 00000000..681bd010 --- /dev/null +++ b/environments/nova-api-policy.yaml @@ -0,0 +1,10 @@ +# A Heat environment file which can be used to configure access policies for +# Nova API resources. It is here for example and doesn't cover all services +# but just Nova here. +# While recipes for editing policy.json files is supported, modifying the +# policy can have unexpected side effects and is not encouraged. + +parameter_defaults: + # The target is "compute:get_all", the "list all instances" API of the Compute service. + # The rule is an empty string meaning "always". This policy allows anybody to list instances. + NovaApiPolicies: { nova-context_is_admin: { key: 'compute:get_all', value: '' } } diff --git a/puppet/config.role.j2.yaml b/puppet/config.role.j2.yaml index 7337d062..cdbc76f0 100644 --- a/puppet/config.role.j2.yaml +++ b/puppet/config.role.j2.yaml @@ -38,7 +38,7 @@ resources: - '' - list_join: - ',' - - ['file,concat,file_line', {get_param: PuppetTags}] + - ['file,concat,file_line,augeas', {get_param: PuppetTags}] outputs: - name: result inputs: diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index d7c87b61..7cc6e4c6 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -24,6 +24,12 @@ parameters: EnableInternalTLS: type: boolean default: false + AodhApiPolicies: + description: | + A hash of policies to configure for Aodh API. + e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: AodhBase: @@ -61,6 +67,7 @@ outputs: aodh::wsgi::apache::wsgi_process_display_name: 'aodh_wsgi' aodh::api::service_name: 'httpd' aodh::api::enable_proxy_headers_parsing: true + aodh::policy::policies: {get_param: AodhApiPolicies} tripleo.aodh_api.firewall_rules: '128 aodh-api': dport: diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index d8787c87..91a5b01c 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -55,6 +55,12 @@ parameters: EnableInternalTLS: type: boolean default: false + BarbicanPolicies: + description: | + A hash of policies to configure for Barbican. + e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -77,6 +83,7 @@ outputs: barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::project_name: 'service' + barbican::policy::policies: {get_param: BarbicanPolicies} barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} barbican::api::db_auto_create: false barbican::api::enabled_certificate_plugins: ['simple_certificate'] diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index f5ee9d40..ba94b451 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -29,6 +29,12 @@ parameters: EnableInternalTLS: type: boolean default: false + CeilometerApiPolicies: + description: | + A hash of policies to configure for Ceilometer API. + e.g. { ceilometer-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: CeilometerServiceBase: @@ -78,6 +84,7 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} + ceilometer::policy::policies: {get_param: CeilometerApiPolicies} ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS} ceilometer::wsgi::apache::servername: diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 958b0e7d..c1e6b0b0 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -46,6 +46,12 @@ parameters: EnableInternalTLS: type: boolean default: false + CinderApiPolicies: + description: | + A hash of policies to configure for Cinder API. + e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]} @@ -86,6 +92,7 @@ outputs: cinder::keystone::authtoken::project_name: 'service' cinder::keystone::authtoken::user_domain_name: 'Default' cinder::keystone::authtoken::project_domain_name: 'Default' + cinder::policy::policies: {get_param: CinderApiPolicies} cinder::api::enable_proxy_headers_parsing: true cinder::api::nova_catalog_info: 'compute:nova:internalURL' diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml index 20f64162..1d9eecb1 100644 --- a/puppet/services/congress.yaml +++ b/puppet/services/congress.yaml @@ -47,6 +47,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + CongressPolicies: + description: | + A hash of policies to configure for Congress. + e.g. { congress-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: role_data: @@ -86,6 +92,7 @@ outputs: congress::db::mysql::allowed_hosts: - '%' - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + congress::policy::policies: {get_param: CongressPolicies} service_config_settings: keystone: diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml index 10f6d311..eef2a76f 100644 --- a/puppet/services/ec2-api.yaml +++ b/puppet/services/ec2-api.yaml @@ -42,6 +42,12 @@ parameters: default: 'false' description: Set to true to enable package installation via Puppet type: boolean + Ec2ApiPolicies: + description: | + A hash of policies to configure for EC2-API. + e.g. { ec2api-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: @@ -67,6 +73,7 @@ outputs: ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword} ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ec2api::policy::policies: {get_param: Ec2ApiPolicies} ec2api::api::enabled: true ec2api::package_manage: {get_param: EnablePackageInstall} ec2api::api::ec2api_listen: diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index b06f9993..f61e6154 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -110,6 +110,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + GlanceApiPolicies: + description: | + A hash of policies to configure for Glance API. + e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} @@ -155,6 +161,7 @@ outputs: glance::api::enable_proxy_headers_parsing: true glance::api::debug: {get_param: Debug} glance::api::workers: {get_param: GlanceWorkers} + glance::policy::policies: {get_param: GlanceApiPolicies} tripleo.glance_api.firewall_rules: '112 glance_api': dport: diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index f4629917..cd323703 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -44,6 +44,12 @@ parameters: EnableInternalTLS: type: boolean default: false + GnocchiApiPolicies: + description: | + A hash of policies to configure for Gnocchi API. + e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -83,6 +89,7 @@ outputs: gnocchi::api::enabled: true gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' + gnocchi::policy::policies: {get_param: GnocchiApiPolicies} gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index e21369e8..f8128bb8 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -41,6 +41,12 @@ parameters: EnableInternalTLS: type: boolean default: false + HeatApiPolicies: + description: | + A hash of policies to configure for Heat API. + e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]} @@ -82,6 +88,7 @@ outputs: - 13004 heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} + heat::policy::policies: {get_param: HeatApiPolicies} heat::api::service_name: 'httpd' # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index e24d0de6..1f18cb1b 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -29,6 +29,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + IronicApiPolicies: + description: | + A hash of policies to configure for Ironic API. + e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: IronicBase: @@ -64,6 +70,7 @@ outputs: ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]} # This is used to build links in responses ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} + ironic::policy::policies: {get_param: IronicApiPolicies} tripleo.ironic_api.firewall_rules: '133 ironic api': dport: diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 17616867..0976b97c 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -158,6 +158,12 @@ parameters: description: > Cron to purge expired tokens - User default: 'keystone' + KeystonePolicies: + description: | + A hash of policies to configure for Keystone. + e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -197,6 +203,7 @@ outputs: keystone::admin_token: {get_param: AdminToken} keystone::admin_password: {get_param: AdminPassword} keystone::roles::admin::password: {get_param: AdminPassword} + keystone::policy::policies: {get_param: KeystonePolicies} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} keystone::token_provider: {get_param: KeystoneTokenProvider} diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml index 1c7d6bd3..02c69392 100644 --- a/puppet/services/mistral-api.yaml +++ b/puppet/services/mistral-api.yaml @@ -22,6 +22,12 @@ parameters: default: 1 description: The number of workers for the mistral-api. type: number + MistralApiPolicies: + description: | + A hash of policies to configure for Mistral API. + e.g. { mistral-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: MistralBase: @@ -41,6 +47,7 @@ outputs: - get_attr: [MistralBase, role_data, config_settings] - mistral::api::api_workers: {get_param: MistralWorkers} mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]} + mistral::policy::policies: {get_param: MistralApiPolicies} tripleo.mistral_api.firewall_rules: '133 mistral': dport: diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 7a24ffdd..9b9d1c72 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -60,6 +60,12 @@ parameters: EnableInternalTLS: type: boolean default: false + NeutronApiPolicies: + description: | + A hash of policies to configure for Neutron API. + e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. @@ -127,6 +133,7 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/ovs_neutron' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + neutron::policy::policies: {get_param: NeutronApiPolicies} neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} neutron::server::api_workers: {get_param: NeutronWorkers} diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 473c24b4..6f90409b 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -62,6 +62,12 @@ parameters: default: 300 description: Timeout for Nova db sync type: number + NovaApiPolicies: + description: | + A hash of policies to configure for Nova API. + e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} @@ -145,6 +151,7 @@ outputs: nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} nova::api::instance_name_template: {get_param: InstanceNameTemplate} nova_enable_db_purge: {get_param: NovaEnableDBPurge} + nova::policy::policies: {get_param: NovaApiPolicies} - if: - nova_workers_zero diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml index 909a3030..2f898a67 100644 --- a/puppet/services/octavia-api.yaml +++ b/puppet/services/octavia-api.yaml @@ -34,6 +34,12 @@ parameters: default: tag: openstack.octavia.api path: /var/log/octavia/api.log + OctaviaApiPolicies: + description: | + A hash of policies to configure for Octavia API. + e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: @@ -57,6 +63,7 @@ outputs: map_merge: - get_attr: [OctaviaBase, role_data, config_settings] - octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + octavia::policy::policies: {get_param: OctaviaApiPolicies} octavia::db::database_connection: list_join: - '' diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml index eed98257..43e7aa18 100644 --- a/puppet/services/panko-api.yaml +++ b/puppet/services/panko-api.yaml @@ -24,6 +24,12 @@ parameters: EnableInternalTLS: type: boolean default: false + PankoApiPolicies: + description: | + A hash of policies to configure for Panko API. + e.g. { panko-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: PankoBase: @@ -58,6 +64,7 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} + panko::policy::policies: {get_param: PankoApiPolicies} panko::api::service_name: 'httpd' panko::api::enable_proxy_headers_parsing: true tripleo.panko_api.firewall_rules: diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml index 96b3d6e3..d9f2115a 100644 --- a/puppet/services/sahara-api.yaml +++ b/puppet/services/sahara-api.yaml @@ -38,6 +38,12 @@ parameters: default: tag: openstack.sahara.api path: /var/log/sahara/sahara-api.log + SaharaApiPolicies: + description: | + A hash of policies to configure for Sahara API. + e.g. { sahara-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json resources: SaharaBase: @@ -60,6 +66,7 @@ outputs: map_merge: - get_attr: [SaharaBase, role_data, config_settings] - sahara::port: {get_param: [EndpointMap, SaharaInternal, port]} + sahara::policy::policies: {get_param: SaharaApiPolicies} sahara::service::api::api_workers: {get_param: SaharaWorkers} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): diff --git a/puppet/services/tacker.yaml b/puppet/services/tacker.yaml index a4c139b5..d6c0ef9a 100644 --- a/puppet/services/tacker.yaml +++ b/puppet/services/tacker.yaml @@ -47,6 +47,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + TackerPolicies: + description: | + A hash of policies to configure for Tacker. + e.g. { tacker-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: role_data: @@ -87,6 +93,7 @@ outputs: tacker::db::mysql::allowed_hosts: - '%' - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + tacker::policy::policies: {get_param: TackerPolicies} service_config_settings: keystone: diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml index a320f694..33769d02 100644 --- a/puppet/services/zaqar.yaml +++ b/puppet/services/zaqar.yaml @@ -30,6 +30,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + ZaqarPolicies: + description: | + A hash of policies to configure for Zaqar. + e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + default: {} + type: json outputs: @@ -38,6 +44,7 @@ outputs: value: service_name: zaqar config_settings: + zaqar::policy::policies: {get_param: ZaqarPolicies} zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} zaqar::keystone::authtoken::project_name: 'service' zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} diff --git a/releasenotes/notes/api-policy-4ca739519537f6f4.yaml b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml new file mode 100644 index 00000000..54beb305 --- /dev/null +++ b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml @@ -0,0 +1,13 @@ +--- +features: + - | + TripleO is now able to configure role-based access API policies with new + parameters for each API service. + For example, Nova API service has now NovaApiPolicies and the value + could be { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + It will configure /etc/nova/policy.json file and configure context_is_admin + to true. Puppet will take care of this configuration and API services are + restarted when the file is touched. + We're also adding augeas resource to the list of Puppet providers that + container deployments grab in the catalog to generate configurations, so + this feature can be used when deploying TripleO in containers. -- cgit 1.2.3-korg