diff --git a/defaults/main.yml b/defaults/main.yml
index e84460d1..7bebc3ab 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -16,7 +16,7 @@
 ## Verbosity Options
 debug: False
-## Octavia stnadalone (v2) experimental
+## Octavia standalone (v2) experimental
 octavia_v2: false
 ## Activate Octavia V1 API
@@ -25,6 +25,13 @@ octavia_v1: True
 ## Allow TLS listener
 octavia_tls_listener_enabled: True
+# Legacy policy disables the requirement for load-balancer service users to
+# have one of the load-balancer:* roles. It provides a similar policy to
+# legacy OpenStack policies where any user or admin has access to load-balancer
+# resources that they own. Users with the admin role has access to all
+# load-balancer resources, whether they own them or not.
+octavia_legacy_policy: False
+
 # Set the package install state for distribution and pip packages
 # Options are 'present' and 'latest'
 octavia_package_state: "latest"
diff --git a/tasks/main.yml b/tasks/main.yml
index 32b52be3..e0177c64 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -84,6 +84,11 @@
 tags:
 - octavia-install
+- include: octavia_policy.yml
+ tags:
+ - octavia-install
+ - octavia-config
+
 - name: Flush handlers
 meta: flush_handlers
diff --git a/tasks/octavia_policy.yml b/tasks/octavia_policy.yml
new file mode 100644
index 00000000..9953a831
--- /dev/null
+++ b/tasks/octavia_policy.yml
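Review bot: The new default `octavia_legacy_policy: False` uses a capitalized boolean while `octavia_v2: false` in the hunk just above uses the lowercase form; both parse the same, but the file should settle on one spelling and `octavia_legacy_policy: false` is the canonical YAML form. The last sentence of the new comment also has a grammar slip ("Users with the admin role has access") and should read `# resources that they own. Users with the admin role have access to all`. Because this flag swaps the role-based policy for an owner-or-admin one for every project user, a sentence saying that it is a compatibility relaxation rather than the recommended setting would help operators decide, presumably something like "Intended for upgrades from deployments that predate the load-balancer roles". The task that consumes the flag also reads `octavia_policy_overrides`, which this change does not define, so confirm that defaults already declares it (an empty mapping) or the config_template task will fail on an undefined variable.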
@@ -0,0 +1,50 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create load-balancer_observer role
+ keystone:
+ command: "ensure_role"
+ endpoint: "{{ keystone_service_adminurl }}"
+ login_user: "{{ keystone_admin_user_name }}"
+ login_password: "{{ keystone_auth_admin_password }}"
+ login_project_name: "{{ keystone_admin_tenant_name }}"
+ region_name: "{{ octavia_service_region }}"
+ service_name: "{{ octavia_service_name }}"
+ service_type: "{{ octavia_service_type }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
+ role_name: "{{ item }}"
+ register: add_role
+ until: add_role|success
+ retries: 5
+ delay: 10
+ with_items:
+ - load-balancer_observer
+ - load-balancer_global_observer
+ - load-balancer_member
+ - load-balancer_admin
+ - load-balancer_quota_admin
+
+- name: Set legacy role policies
+ config_template:
+ src: policy.json.j2
+ dest: /etc/octavia/policy.json
+ owner: "{{ octavia_system_user_name }}"
+ group: "{{ octavia_system_group_name }}"
+ mode: "0640"
+ config_overrides: "{{ octavia_policy_overrides }}"
+ config_type: "json"
+ notify:
+ - Restart octavia services
+ when: octavia_legacy_policy
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
new file mode 100644
index 00000000..7a356575
--- /dev/null
+++ b/templates/policy.json.j2
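Review bot: The `Set legacy role policies` task only ever writes /etc/octavia/policy.json while `octavia_legacy_policy` is true; once an operator turns the flag back off, the relaxed owner-or-admin policy file stays on disk and Octavia keeps enforcing it instead of its role-based defaults. The file should also be removed (with the same service restart) when the flag is false, provided no other task in the role manages that path. A smaller point: the first task is named `Create load-balancer_observer role` but loops over five roles, so `- name: Create load-balancer roles` describes it better. The keystone credentials passed as module arguments will show up in verbose task output unless the task carries `no_log: true`, which is worth weighing against the debugging value of the registered result.

```yaml
# … unchanged: Create load-balancer roles and Set legacy role policies tasks …

- name: Remove legacy role policies
  file:
    path: /etc/octavia/policy.json
    state: absent
  notify:
    - Restart octavia services
  when: not octavia_legacy_policy
```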
@@ -0,0 +1,11 @@
+{
+ "context_is_admin": "role:admin or role:load-balancer_admin",
+ "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
+
+ "load-balancer:read": "rule:admin_or_owner",
+ "load-balancer:read-global": "is_admin:True",
+ "load-balancer:write": "rule:admin_or_owner",
+ "load-balancer:read-quota": "rule:admin_or_owner",
+ "load-balancer:read-quota-global": "is_admin:True",
+ "load-balancer:write-quota": "is_admin:True"
+}
\ No newline at end of file
diff --git a/tests/os_octavia-overrides.yml b/tests/os_octavia-overrides.yml
index f04325fb..92f4de90 100644
--- a/tests/os_octavia-overrides.yml
+++ b/tests/os_octavia-overrides.yml
@@ -53,6 +53,7 @@ octavia_service_project_domain_id: default
 octavia_service_user_domain_id: default
 octavia_service_user_name: "octavia"
 octavia_ansible_endpoint_type: "internal"
+octavia_legacy_policy: True
 octavia_health_hmac_key: secrete
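Review bot: The template ends without a trailing newline (`\ No newline at end of file`), so the rendered /etc/octavia/policy.json will too; adding one avoids spurious diffs and keeps the file friendly to line-based tooling. It is also worth making visible to operators that `context_is_admin` here treats anyone holding `load-balancer_admin` exactly like `admin`, including the cross-project `is_admin:True` rules such as `load-balancer:read-global` and `load-balancer:write-quota`, so that role needs to be granted as carefully as admin; JSON cannot carry a comment, so that caveat belongs in the `octavia_legacy_policy` description in defaults/main.yml. Rules not listed in this file presumably fall back to the service's in-code defaults — confirm that this is the intended merge behaviour for values supplied through `config_overrides`.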