Allow purging policy files

This change introduces the new purge_config parameter to the policy class so that any policy rules not managed by puppet manifests can be cleared. Co-Authored-By: Martin Schuppert <mschuppert@redhat.com> Depends-On: https://review.opendev.org/802305 Change-Id: Ib07734e8f3d1ba0ca413d3c68ff6f00ffd0f8a64
2021-09-04 22:19:58 +09:00 · 2021-09-04 22:19:58 +09:00 · 53ac7d78a3
commit 53ac7d78a3
parent 31e26658de
3 changed files with 82 additions and 31 deletions
--- a/manifests/policy.pp
+++ b/manifests/policy.pp
@ -36,12 +36,18 @@
 #   (Optional) Path to the trove policy folder
 #   Defaults to $::os_service_default
 #
 # [*purge_config*]
 #   (optional) Whether to set only the specified policy rules in the policy
 #    file.
 #    Defaults to false.
 #
 class trove::policy (
  $enforce_scope        = $::os_service_default,
  $enforce_new_defaults = $::os_service_default,
  $policies             = {},
  $policy_path          = '/etc/trove/policy.yaml',
  $policy_dirs          = $::os_service_default,
  $purge_config         = false,
 ) {
  include trove::deps
@ -49,14 +55,16 @@ class trove::policy (
  validate_legacy(Hash, 'validate_hash', $policies)
-  Openstacklib::Policy::Base {
+  $policy_parameters = {
-    file_path   => $policy_path,
+    policies     => $policies,
-    file_user   => 'root',
+    policy_path  => $policy_path,
-    file_group  => $::trove::params::group,
+    file_user    => 'root',
-    file_format => 'yaml',
+    file_group   => $::trove::params::group,
    file_format  => 'yaml',
    purge_config => $purge_config,
  }
-  create_resources('openstacklib::policy::base', $policies)
+  create_resources('openstacklib::policy', { $policy_path => $policy_parameters })
  oslo::policy { 'trove_config':
    enforce_scope        => $enforce_scope,
--- a/releasenotes/notes/policy_purge_config-77dcdf6fec79a4fa.yaml
+++ b/releasenotes/notes/policy_purge_config-77dcdf6fec79a4fa.yaml
@ -0,0 +1,6 @@
 ---
 features:
  - |
    Adds new purge_config parameter. When set to true, the policy file is
    cleared during configuration process. This allows to remove any existing
    rules before applying them or clean the file when all policies got removed.
--- a/spec/classes/trove_policy_spec.rb
+++ b/spec/classes/trove_policy_spec.rb
@ -2,35 +2,72 @@ require 'spec_helper'
 describe 'trove::policy' do
  shared_examples 'trove::policy' do
-    let :params do
+
-      {
+    context 'setup policy with parameters' do
-        :enforce_scope        => false,
+      let :params do
-        :enforce_new_defaults => false,
+        {
-        :policy_path          => '/etc/trove/policy.yaml',
+          :enforce_scope        => false,
-        :policy_dirs          => '/etc/trove/policy.d',
+          :enforce_new_defaults => false,
-        :policies             => {
+          :policy_path          => '/etc/trove/policy.yaml',
-          'context_is_admin' => {
+          :policy_dirs          => '/etc/trove/policy.d',
-            'key'   => 'context_is_admin',
+          :policies             => {
-            'value' => 'foo:bar'
+            'context_is_admin' => {
              'key'   => 'context_is_admin',
              'value' => 'foo:bar'
            }
          }
        }
-      }
+      end
      it 'set up the policies' do
        is_expected.to contain_openstacklib__policy('/etc/trove/policy.yaml').with(
          :policies     => {
            'context_is_admin' => {
              'key'   => 'context_is_admin',
              'value' => 'foo:bar'
            }
          },
          :policy_path  => '/etc/trove/policy.yaml',
          :file_user    => 'root',
          :file_group   => 'trove',
          :file_format  => 'yaml',
          :purge_config => false,
        )
        is_expected.to contain_oslo__policy('trove_config').with(
          :enforce_scope        => false,
          :enforce_new_defaults => false,
          :policy_file          => '/etc/trove/policy.yaml',
          :policy_dirs          => '/etc/trove/policy.d',
        )
      end
    end
-    it 'set up the policies' do
+    context 'with empty policies and purge_config enabled' do
-      is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
+      let :params do
-        :key         => 'context_is_admin',
+        {
-        :value       => 'foo:bar',
+          :enforce_scope        => false,
-        :file_user   => 'root',
+          :enforce_new_defaults => false,
-        :file_group  => 'trove',
+          :policy_path          => '/etc/trove/policy.yaml',
-        :file_format => 'yaml',
+          :policies             => {},
-      })
+          :purge_config         => true,
-      is_expected.to contain_oslo__policy('trove_config').with(
+        }
-        :enforce_scope        => false,
+      end
-        :enforce_new_defaults => false,
+
-        :policy_file          => '/etc/trove/policy.yaml',
+      it 'set up the policies' do
-        :policy_dirs          => '/etc/trove/policy.d',
+        is_expected.to contain_openstacklib__policy('/etc/trove/policy.yaml').with(
-      )
+          :policies     => {},
          :policy_path  => '/etc/trove/policy.yaml',
          :file_user    => 'root',
          :file_group   => 'trove',
          :file_format  => 'yaml',
          :purge_config => true,
        )
        is_expected.to contain_oslo__policy('trove_config').with(
          :enforce_scope        => false,
          :enforce_new_defaults => false,
          :policy_file          => '/etc/trove/policy.yaml',
        )
      end
    end
  end