Add option to override horizon policies

In case policies are overriden for services,
horizon maintain and ship it's own set of policies that should be
separatelly overriden.

Depends-On: https://review.opendev.org/754382
Change-Id: I7099a5b11390d3296c7b4bb74d69670c7fe64f58

defaults/main.yml

@@ -486,6 +486,12 @@ horizon_translations_pull: "{{ _horizon_translations_pull }}"
 # Set arbitrary horizon configuration options
 horizon_config_overrides: {}
 
+# Set overrides for horizon embedded policies
+#horizon_policy_overrides:
+#  cinder:
+#    "volume:create": "rule:admin_or_owner"
+horizon_policy_overrides: {}
+
 horizon_keystone_admin_roles:
   - admin
 

releasenotes/notes/horizon_policy_overrides-ca84702ef993ea92.yaml

@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Added variable `horizon_policy_overrides` which allows to customize horizon
+    specific policies. As we don't want to carry and maintain horizon policies
+    with OSA, they're retrieved from horizon hosts and adjusted in-place,
+    which means that they won't rollback in case you just remove override.
+    `horizon_policy_overrides` has also non-standart format, as it's nested
+    dictionary, where 1st level key represents service which policy needs to
+    be overriden, and it's value is normal policy override format.

tasks/horizon_post_install.yml

@@ -42,6 +42,21 @@
   when: item.always_install
   notify: Restart apache2
 
+- name: Retrieve horizon policy files
+  slurp:
+    src: "{{ horizon_lib_dir }}/openstack_dashboard/conf/{{ item }}_policy.yaml"
+  with_items: "{{ horizon_policy_overrides.keys() | list }}"
+  register: _horizon_policy
+
+- name: Place policy overrides
+  config_template:
+    content: "{{ item.content | b64decode }}"
+    dest: "{{ item.source }}"
+    mode: "0644"
+    config_type: json
+    config_overrides: "{{ horizon_policy_overrides[item.item] }}"
+  with_items: "{{ _horizon_policy.results }}"
+
 - name: Uploading horizon custom files
   copy:
     src: "{{ item.value.src }}"