Merge "Create Octavia policy roles and legacy admin-owner rules"

defaults/main.yml

@@ -16,7 +16,7 @@
 ## Verbosity Options
 debug: False
 
-## Octavia stnadalone (v2) experimental
+## Octavia standalone (v2) experimental
 octavia_v2: false
 
 ## Activate Octavia V1 API
@@ -25,6 +25,13 @@ octavia_v1: True
 ## Allow TLS listener
 octavia_tls_listener_enabled: True
 
+# Legacy policy disables the requirement for load-balancer service users to
+# have one of the load-balancer:* roles.  It provides a similar policy to
+# legacy OpenStack policies where any user or admin has access to load-balancer
+# resources that they own.  Users with the admin role has access to all
+# load-balancer resources, whether they own them or not.
+octavia_legacy_policy: False
+
 # Set the package install state for distribution and pip packages
 # Options are 'present' and 'latest'
 octavia_package_state: "latest"

tasks/main.yml

@@ -84,6 +84,11 @@
   tags:
     - octavia-install
 
+- include: octavia_policy.yml
+  tags:
+    - octavia-install
+    - octavia-config
+
 
 - name: Flush handlers
   meta: flush_handlers

tasks/octavia_policy.yml

@@ -0,0 +1,50 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create load-balancer_observer role
+  keystone:
+    command: "ensure_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    region_name: "{{ octavia_service_region }}"
+    service_name: "{{ octavia_service_name }}"
+    service_type: "{{ octavia_service_type }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+    role_name: "{{ item }}"
+  register: add_role
+  until: add_role|success
+  retries: 5
+  delay: 10
+  with_items:
+    - load-balancer_observer
+    - load-balancer_global_observer
+    - load-balancer_member
+    - load-balancer_admin
+    - load-balancer_quota_admin
+
+- name: Set legacy role policies
+  config_template:
+    src: policy.json.j2
+    dest: /etc/octavia/policy.json
+    owner: "{{ octavia_system_user_name }}"
+    group: "{{ octavia_system_group_name }}"
+    mode: "0640"
+    config_overrides: "{{ octavia_policy_overrides }}"
+    config_type: "json"
+  notify:
+    - Restart octavia services
+  when: octavia_legacy_policy

templates/policy.json.j2

@@ -0,0 +1,11 @@
+{
+    "context_is_admin": "role:admin or role:load-balancer_admin",
+    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
+
+    "load-balancer:read": "rule:admin_or_owner",
+    "load-balancer:read-global": "is_admin:True",
+    "load-balancer:write": "rule:admin_or_owner",
+    "load-balancer:read-quota": "rule:admin_or_owner",
+    "load-balancer:read-quota-global": "is_admin:True",
+    "load-balancer:write-quota": "is_admin:True"
+}

tests/os_octavia-overrides.yml

@@ -53,6 +53,7 @@ octavia_service_project_domain_id: default
 octavia_service_user_domain_id: default
 octavia_service_user_name: "octavia"
 octavia_ansible_endpoint_type: "internal"
+octavia_legacy_policy: True
 
 
 octavia_health_hmac_key: secrete