Only implement policy.json if an override is configured
With changes inside Designate merged about policy-incode, there is no longer a default policy.json file in the venv, so we need to change how we implement the file, and should only do so if there is a config override configured for it. If there is no policy override configured, but a policy.json file is present, then it's likely left over from a previous build. To ensure that we do not carry legacy configuration files which override the policy-in-code we remove the legacy file. This is done on restart to ensure that the policy still applies until the code is updated. Change-Id: Iea4d2029723529444b93d7deca58824e592d0e0f
This commit is contained in:
Mohammed Naser
parent
ef51958940
commit
3c9e9beaf2
@ -43,6 +43,18 @@
|
||||
group: "{{ designate_system_group_name }}"
|
||||
mode: "0640"
|
||||
remote_src: yes
|
||||
when:
|
||||
- designate_policy_overrides != {}
|
||||
listen:
|
||||
- "Restart designate services"
|
||||
- "venv changed"
|
||||
|
||||
- name: Remove legacy policy.json file
|
||||
file:
|
||||
path: "/etc/designate/policy.json"
|
||||
state: absent
|
||||
when:
|
||||
- designate_policy_overrides == {}
|
||||
listen:
|
||||
- "Restart designate services"
|
||||
- "venv changed"
|
||||
|
||||
@ -50,10 +50,6 @@
|
||||
dest: "/etc/designate/api-paste.ini"
|
||||
config_overrides: "{{ designate_api_paste_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "policy.json.j2"
|
||||
dest: "/etc/designate/policy.json-{{ designate_venv_tag }}"
|
||||
config_overrides: "{{ designate_policy_overrides }}"
|
||||
config_type: "json"
|
||||
- src: "rootwrap.conf.j2"
|
||||
dest: "/etc/designate/rootwrap.conf"
|
||||
owner: "root"
|
||||
@ -62,6 +58,13 @@
|
||||
config_type: "ini"
|
||||
notify: Restart designate services
|
||||
|
||||
- name: Implement policy.json if there are overrides configured
|
||||
copy:
|
||||
content: "{{ designate_policy_overrides | to_nice_json }}"
|
||||
dest: "/etc/designate/policy.json-{{ designate_venv_tag }}"
|
||||
when:
|
||||
- designate_policy_overrides != {}
|
||||
|
||||
- name: Create Designate pools.yaml file
|
||||
copy:
|
||||
content: "{{ designate_pools_yaml | to_nice_yaml }}"
|
||||
|
||||
@ -1,129 +0,0 @@
|
||||
{
|
||||
"admin": "role:admin or is_admin:True",
|
||||
"primary_zone": "target.zone_type:SECONDARY",
|
||||
|
||||
"owner": "tenant:%(tenant_id)s",
|
||||
"admin_or_owner": "rule:admin or rule:owner",
|
||||
"target": "tenant:%(target_tenant_id)s",
|
||||
"owner_or_target":"rule:target or rule:owner",
|
||||
"admin_or_owner_or_target":"rule:owner_or_target or rule:admin",
|
||||
"admin_or_target":"rule:admin or rule:target",
|
||||
|
||||
"zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)",
|
||||
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"all_tenants": "rule:admin",
|
||||
|
||||
"edit_managed_records" : "rule:admin",
|
||||
|
||||
"use_low_ttl": "rule:admin",
|
||||
|
||||
"get_quotas": "rule:admin_or_owner",
|
||||
"get_quota": "rule:admin_or_owner",
|
||||
"set_quota": "rule:admin",
|
||||
"reset_quotas": "rule:admin",
|
||||
|
||||
"create_tld": "rule:admin",
|
||||
"find_tlds": "rule:admin",
|
||||
"get_tld": "rule:admin",
|
||||
"update_tld": "rule:admin",
|
||||
"delete_tld": "rule:admin",
|
||||
|
||||
"create_tsigkey": "rule:admin",
|
||||
"find_tsigkeys": "rule:admin",
|
||||
"get_tsigkey": "rule:admin",
|
||||
"update_tsigkey": "rule:admin",
|
||||
"delete_tsigkey": "rule:admin",
|
||||
|
||||
"find_tenants": "rule:admin",
|
||||
"get_tenant": "rule:admin",
|
||||
"count_tenants": "rule:admin",
|
||||
|
||||
"create_zone": "rule:admin_or_owner",
|
||||
"get_zones": "rule:admin_or_owner",
|
||||
"get_zone": "rule:admin_or_owner",
|
||||
"get_zone_servers": "rule:admin_or_owner",
|
||||
"find_zones": "rule:admin_or_owner",
|
||||
"find_zone": "rule:admin_or_owner",
|
||||
"update_zone": "rule:admin_or_owner",
|
||||
"delete_zone": "rule:admin_or_owner",
|
||||
"xfr_zone": "rule:admin_or_owner",
|
||||
"abandon_zone": "rule:admin",
|
||||
"count_zones": "rule:admin_or_owner",
|
||||
"count_zones_pending_notify": "rule:admin_or_owner",
|
||||
"purge_zones": "rule:admin",
|
||||
"touch_zone": "rule:admin_or_owner",
|
||||
|
||||
"create_recordset": "rule:zone_primary_or_admin",
|
||||
"get_recordsets": "rule:admin_or_owner",
|
||||
"get_recordset": "rule:admin_or_owner",
|
||||
"find_recordsets": "rule:admin_or_owner",
|
||||
"find_recordset": "rule:admin_or_owner",
|
||||
"update_recordset": "rule:zone_primary_or_admin",
|
||||
"delete_recordset": "rule:zone_primary_or_admin",
|
||||
"count_recordset": "rule:admin_or_owner",
|
||||
|
||||
"create_record": "rule:admin_or_owner",
|
||||
"get_records": "rule:admin_or_owner",
|
||||
"get_record": "rule:admin_or_owner",
|
||||
"find_records": "rule:admin_or_owner",
|
||||
"find_record": "rule:admin_or_owner",
|
||||
"update_record": "rule:admin_or_owner",
|
||||
"delete_record": "rule:admin_or_owner",
|
||||
"count_records": "rule:admin_or_owner",
|
||||
|
||||
"use_sudo": "rule:admin",
|
||||
|
||||
"create_blacklist": "rule:admin",
|
||||
"find_blacklist": "rule:admin",
|
||||
"find_blacklists": "rule:admin",
|
||||
"get_blacklist": "rule:admin",
|
||||
"update_blacklist": "rule:admin",
|
||||
"delete_blacklist": "rule:admin",
|
||||
"use_blacklisted_zone": "rule:admin",
|
||||
|
||||
"create_pool": "rule:admin",
|
||||
"find_pools": "rule:admin",
|
||||
"find_pool": "rule:admin",
|
||||
"get_pool": "rule:admin",
|
||||
"update_pool": "rule:admin",
|
||||
"delete_pool": "rule:admin",
|
||||
"zone_create_forced_pool": "rule:admin",
|
||||
|
||||
"diagnostics_ping": "rule:admin",
|
||||
"diagnostics_sync_zones": "rule:admin",
|
||||
"diagnostics_sync_zone": "rule:admin",
|
||||
"diagnostics_sync_record": "rule:admin",
|
||||
|
||||
"create_zone_transfer_request": "rule:admin_or_owner",
|
||||
"get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
|
||||
"get_zone_transfer_request_detailed": "rule:admin_or_owner",
|
||||
"find_zone_transfer_requests": "@",
|
||||
"find_zone_transfer_request": "@",
|
||||
"update_zone_transfer_request": "rule:admin_or_owner",
|
||||
"delete_zone_transfer_request": "rule:admin_or_owner",
|
||||
|
||||
"create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
|
||||
"get_zone_transfer_accept": "rule:admin_or_owner",
|
||||
"find_zone_transfer_accepts": "rule:admin",
|
||||
"find_zone_transfer_accept": "rule:admin",
|
||||
"update_zone_transfer_accept": "rule:admin",
|
||||
"delete_zone_transfer_accept": "rule:admin",
|
||||
|
||||
"create_zone_import": "rule:admin_or_owner",
|
||||
"find_zone_imports": "rule:admin_or_owner",
|
||||
"get_zone_import": "rule:admin_or_owner",
|
||||
"update_zone_import": "rule:admin_or_owner",
|
||||
"delete_zone_import": "rule:admin_or_owner",
|
||||
|
||||
"zone_export": "rule:admin_or_owner",
|
||||
"create_zone_export": "rule:admin_or_owner",
|
||||
"find_zone_exports": "rule:admin_or_owner",
|
||||
"get_zone_export": "rule:admin_or_owner",
|
||||
"update_zone_export": "rule:admin_or_owner",
|
||||
|
||||
"find_service_status": "rule:admin",
|
||||
"find_service_statuses": "rule:admin",
|
||||
"update_service_service_status": "rule:admin"
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user