From ef1fd6b8c0c36ff0b72f1c4d389093ff76ba548f Mon Sep 17 00:00:00 2001
From: Eduardo Gonzalez <dabarren@gmail.com>
Date: Thu, 27 Oct 2016 10:36:35 +0200
Subject: [PATCH] Custom policy files

Allow operators to use their custom policy files.
Avoid maintaining policy files in the kolla repos; the files are only
copied when an operator adds their custom config.

Implements: blueprint custom-policies
Change-Id: Icf3c961b87cbc7a1f1dd2ffbfffcf271d151d862
---
 ansible/roles/aodh/tasks/config.yml                   | 11 +++++++++++
 ansible/roles/barbican/tasks/config.yml               | 11 +++++++++++
 ansible/roles/ceilometer/tasks/config.yml             | 11 +++++++++++
 ansible/roles/cinder/tasks/config.yml                 | 11 +++++++++++
 ansible/roles/cloudkitty/tasks/config.yml             | 11 +++++++++++
 ansible/roles/congress/tasks/config.yml               | 11 +++++++++++
 ansible/roles/glance/tasks/config.yml                 | 11 +++++++++++
 ansible/roles/gnocchi/tasks/config.yml                | 11 +++++++++++
 ansible/roles/heat/tasks/config.yml                   | 11 +++++++++++
 ansible/roles/ironic/tasks/config.yml                 | 11 +++++++++++
 ansible/roles/keystone/tasks/config.yml               |  2 +-
 ansible/roles/kuryr/tasks/config.yml                  | 11 +++++++++++
 ansible/roles/magnum/tasks/config.yml                 | 11 +++++++++++
 ansible/roles/manila/tasks/config.yml                 | 11 +++++++++++
 ansible/roles/mistral/tasks/config.yml                | 11 +++++++++++
 ansible/roles/murano/tasks/config.yml                 | 11 +++++++++++
 ansible/roles/neutron/tasks/config.yml                | 11 +++++++++++
 ansible/roles/nova/tasks/config.yml                   | 11 +++++++++++
 ansible/roles/rally/tasks/config.yml                  | 11 +++++++++++
 ansible/roles/sahara/tasks/config.yml                 | 11 +++++++++++
 ansible/roles/searchlight/tasks/config.yml            | 11 +++++++++++
 ansible/roles/senlin/tasks/config.yml                 | 11 +++++++++++
 ansible/roles/swift/tasks/config.yml                  | 11 +++++++++++
 ansible/roles/tempest/tasks/config.yml                | 11 +++++++++++
 ansible/roles/watcher/tasks/config.yml                | 11 +++++++++++
 .../notes/custom-policies-5a9bb2b59d19b484.yaml       |  3 +++
 26 files changed, 268 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/custom-policies-5a9bb2b59d19b484.yaml

diff --git a/ansible/roles/aodh/tasks/config.yml b/ansible/roles/aodh/tasks/config.yml
index d420bd6c61..90179933a9 100644
--- a/ansible/roles/aodh/tasks/config.yml
+++ b/ansible/roles/aodh/tasks/config.yml
@@ -45,3 +45,14 @@
     dest: "{{ node_config_directory }}/{{ item }}/wsgi-aodh.conf"
   with_items:
     - "aodh-api"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/aodh/policy.json"
+  register: aodh_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/aodh/policy.json"
+    dest: "{{ node_config_directory }}/aodh/policy.json"
+  when:
+    aodh_policy.stat.exists
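Review bot: The new copy task writes to `{{ node_config_directory }}/aodh/policy.json`, while the context lines directly above it write per-service files under `{{ node_config_directory }}/{{ item }}/` for `aodh-api`. Nothing visible in this hunk shows a container reading the `aodh/` directory, so an operator's tightened policy may be left unenforced while the service keeps its defaults; confirm this against the container config, which is outside the diff. If the per-service directories are the ones mounted, loop the task with `dest: "{{ node_config_directory }}/{{ item }}/policy.json"` and the same `with_items` list. The same pattern recurs in the other role hunks of this patch, for example glance, gnocchi, manila and neutron, whose context lines show the same per-service destinations.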
diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml
index 38383d5448..fab9b3ddac 100644
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@@ -51,3 +51,14 @@
     - "barbican-api"
     - "barbican-keystone-listener"
     - "barbican-worker"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/barbican/policy.json"
+  register: barbican_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/barbican/policy.json"
+    dest: "{{ node_config_directory }}/barbican/policy.json"
+  when:
+    barbican_policy.stat.exists
diff --git a/ansible/roles/ceilometer/tasks/config.yml b/ansible/roles/ceilometer/tasks/config.yml
index 5d9336fec9..ef990c4477 100644
--- a/ansible/roles/ceilometer/tasks/config.yml
+++ b/ansible/roles/ceilometer/tasks/config.yml
@@ -59,3 +59,14 @@
     - "event_definitions.yaml"
     - "event_pipeline.yaml"
     - "pipeline.yaml"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/ceilometer/policy.json"
+  register: ceilometer_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/ceilometer/policy.json"
+    dest: "{{ node_config_directory }}/ceilometer/policy.json"
+  when:
+    ceilometer_policy.stat.exist
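Review bot: The condition on the last added line reads `ceilometer_policy.stat.exist`, missing the trailing `s`; the key returned by the stat module is `exists`, which is what every other role in this patch tests. With the attribute undefined, the conditional will most likely either fail the task or never evaluate true, so a custom ceilometer policy.json would not be deployed even though the operator supplied one. Change the line to `ceilometer_policy.stat.exists`.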
diff --git a/ansible/roles/cinder/tasks/config.yml b/ansible/roles/cinder/tasks/config.yml
index f401878160..800401615b 100644
--- a/ansible/roles/cinder/tasks/config.yml
+++ b/ansible/roles/cinder/tasks/config.yml
@@ -38,3 +38,14 @@
     - "cinder-backup"
     - "cinder-scheduler"
     - "cinder-volume"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/cinder/policy.json"
+  register: cinder_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/cinder/policy.json"
+    dest: "{{ node_config_directory }}/cinder/policy.json"
+  when:
+    cinder_policy.stat.exists
diff --git a/ansible/roles/cloudkitty/tasks/config.yml b/ansible/roles/cloudkitty/tasks/config.yml
index 234109eba8..ea3d13cbbf 100644
--- a/ansible/roles/cloudkitty/tasks/config.yml
+++ b/ansible/roles/cloudkitty/tasks/config.yml
@@ -32,3 +32,14 @@
   with_items:
     - "cloudkitty-api"
     - "cloudkitty-processor"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/cloudkitty/policy.json"
+  register: cloudkitty_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/cloudkitty/policy.json"
+    dest: "{{ node_config_directory }}/cloudkitty/policy.json"
+  when:
+    cloudkitty_policy.stat.exists
diff --git a/ansible/roles/congress/tasks/config.yml b/ansible/roles/congress/tasks/config.yml
index 832a2da865..0e9a631356 100644
--- a/ansible/roles/congress/tasks/config.yml
+++ b/ansible/roles/congress/tasks/config.yml
@@ -35,3 +35,14 @@
     - "congress-api"
     - "congress-policy-engine"
     - "congress-datasource"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/congress/policy.json"
+  register: congress_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/congress/policy.json"
+    dest: "{{ node_config_directory }}/congress/policy.json"
+  when:
+    congress_policy.stat.exists
diff --git a/ansible/roles/glance/tasks/config.yml b/ansible/roles/glance/tasks/config.yml
index 88cb5c446a..743815ba88 100644
--- a/ansible/roles/glance/tasks/config.yml
+++ b/ansible/roles/glance/tasks/config.yml
@@ -29,3 +29,14 @@
     dest: "{{ node_config_directory }}/{{ item.service }}/{{ item.service }}.conf"
   when: inventory_hostname in groups[item.group]
   with_items: "{{ glance_service_groups }}"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/glance/policy.json"
+  register: glance_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/glance/policy.json"
+    dest: "{{ node_config_directory }}/glance/policy.json"
+  when:
+    glance_policy.stat.exists
diff --git a/ansible/roles/gnocchi/tasks/config.yml b/ansible/roles/gnocchi/tasks/config.yml
index 2e7a75a8a4..b6fa16dd07 100644
--- a/ansible/roles/gnocchi/tasks/config.yml
+++ b/ansible/roles/gnocchi/tasks/config.yml
@@ -50,3 +50,14 @@
     dest: "{{ node_config_directory }}/{{ item }}/wsgi-gnocchi.conf"
   with_items:
     - "gnocchi-api"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/gnocchi/policy.json"
+  register: gnocchi_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/gnocchi/policy.json"
+    dest: "{{ node_config_directory }}/gnocchi/policy.json"
+  when:
+    gnocchi_policy.stat.exists
diff --git a/ansible/roles/heat/tasks/config.yml b/ansible/roles/heat/tasks/config.yml
index 41b9effaf4..dca462a508 100644
--- a/ansible/roles/heat/tasks/config.yml
+++ b/ansible/roles/heat/tasks/config.yml
@@ -42,3 +42,14 @@
     - "heat-api"
     - "heat-api-cfn"
     - "heat-engine"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/heat/policy.json"
+  register: heat_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/heat/policy.json"
+    dest: "{{ node_config_directory }}/heat/policy.json"
+  when:
+    heat_policy.stat.exists
diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml
index 89ac3b51c3..797b494824 100644
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@@ -37,3 +37,14 @@
     - "ironic-api"
     - "ironic-conductor"
     - "ironic-inspector"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/ironic/policy.json"
+  register: ironic_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/ironic/policy.json"
+    dest: "{{ node_config_directory }}/ironic/policy.json"
+  when:
+    ironic_policy.stat.exists
diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml
index e39e7d6188..e531d68690 100644
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@@ -1,5 +1,5 @@
 ---
-- name: Check if Policies shall be overwritten
+- name: Check if policies shall be overwritten
   local_action: stat path="{{ node_custom_config }}/keystone/policy.json"
   register: keystone_policy
 
diff --git a/ansible/roles/kuryr/tasks/config.yml b/ansible/roles/kuryr/tasks/config.yml
index 8b31c7ab14..001793780c 100644
--- a/ansible/roles/kuryr/tasks/config.yml
+++ b/ansible/roles/kuryr/tasks/config.yml
@@ -23,3 +23,14 @@
   template:
     src: "kuryr.spec.j2"
     dest: "{{ node_config_directory }}/kuryr/kuryr.spec"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/kuryr/policy.json"
+  register: kuryr_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/kuryr/policy.json"
+    dest: "{{ node_config_directory }}/kuryr/policy.json"
+  when:
+    kuryr_policy.stat.exists
diff --git a/ansible/roles/magnum/tasks/config.yml b/ansible/roles/magnum/tasks/config.yml
index 183b6bb43f..5baa4a6ca8 100644
--- a/ansible/roles/magnum/tasks/config.yml
+++ b/ansible/roles/magnum/tasks/config.yml
@@ -32,3 +32,14 @@
   with_items:
     - "magnum-api"
     - "magnum-conductor"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/magnum/policy.json"
+  register: magnum_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/magnum/policy.json"
+    dest: "{{ node_config_directory }}/magnum/policy.json"
+  when:
+    magnum_policy.stat.exists
diff --git a/ansible/roles/manila/tasks/config.yml b/ansible/roles/manila/tasks/config.yml
index 4f83ff55b4..9ae45d1d66 100644
--- a/ansible/roles/manila/tasks/config.yml
+++ b/ansible/roles/manila/tasks/config.yml
@@ -52,3 +52,14 @@
     dest: "{{ node_config_directory }}/{{ item }}/manila.conf"
   with_items:
     - "manila-share"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/manila/policy.json"
+  register: manila_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/manila/policy.json"
+    dest: "{{ node_config_directory }}/manila/policy.json"
+  when:
+    manila_policy.stat.exists
diff --git a/ansible/roles/mistral/tasks/config.yml b/ansible/roles/mistral/tasks/config.yml
index 8c6d0d616c..723074eac4 100644
--- a/ansible/roles/mistral/tasks/config.yml
+++ b/ansible/roles/mistral/tasks/config.yml
@@ -35,3 +35,14 @@
     - "mistral-api"
     - "mistral-engine"
     - "mistral-executor"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/mistral/policy.json"
+  register: mistral_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/mistral/policy.json"
+    dest: "{{ node_config_directory }}/mistral/policy.json"
+  when:
+    mistral_policy.stat.exists
diff --git a/ansible/roles/murano/tasks/config.yml b/ansible/roles/murano/tasks/config.yml
index a544a4a087..779c277d54 100644
--- a/ansible/roles/murano/tasks/config.yml
+++ b/ansible/roles/murano/tasks/config.yml
@@ -32,3 +32,14 @@
   with_items:
     - "murano-api"
     - "murano-engine"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/murano/policy.json"
+  register: murano_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/murano/policy.json"
+    dest: "{{ node_config_directory }}/murano/policy.json"
+  when:
+    murano_policy.stat.exists
diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml
index 1c7d0238b7..82921cd96e 100644
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@@ -183,3 +183,14 @@
     dest: "{{ node_config_directory }}/{{ item }}/vpnaas_agent.ini"
   with_items:
     - "neutron-vpnaas-agent"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/neutron/policy.json"
+  register: neutron_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/neutron/policy.json"
+    dest: "{{ node_config_directory }}/neutron/policy.json"
+  when:
+    neutron_policy.stat.exists
diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml
index 8841635704..b8750b9300 100644
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@@ -83,3 +83,14 @@
     - { src: "id_rsa", dest: "id_rsa" }
     - { src: "id_rsa.pub", dest: "id_rsa.pub" }
     - { src: "ssh_config.j2", dest: "ssh_config" }
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/nova/policy.json"
+  register: nova_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/nova/policy.json"
+    dest: "{{ node_config_directory }}/nova/policy.json"
+  when:
+    nova_policy.stat.exists
diff --git a/ansible/roles/rally/tasks/config.yml b/ansible/roles/rally/tasks/config.yml
index c210dc338f..3304915de3 100644
--- a/ansible/roles/rally/tasks/config.yml
+++ b/ansible/roles/rally/tasks/config.yml
@@ -24,3 +24,14 @@
     dest: "{{ node_config_directory }}/{{ item }}/rally.conf"
   with_items:
     - "rally"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/rally/policy.json"
+  register: rally_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/rally/policy.json"
+    dest: "{{ node_config_directory }}/rally/policy.json"
+  when:
+    rally_policy.stat.exists
diff --git a/ansible/roles/sahara/tasks/config.yml b/ansible/roles/sahara/tasks/config.yml
index b3a3405cca..a83df50cae 100644
--- a/ansible/roles/sahara/tasks/config.yml
+++ b/ansible/roles/sahara/tasks/config.yml
@@ -32,3 +32,14 @@
   with_items:
     - "sahara-api"
     - "sahara-engine"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/sahara/policy.json"
+  register: sahara_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/sahara/policy.json"
+    dest: "{{ node_config_directory }}/sahara/policy.json"
+  when:
+    sahara_policy.stat.exists
diff --git a/ansible/roles/searchlight/tasks/config.yml b/ansible/roles/searchlight/tasks/config.yml
index b31b1d81e1..4237b6bdd9 100644
--- a/ansible/roles/searchlight/tasks/config.yml
+++ b/ansible/roles/searchlight/tasks/config.yml
@@ -30,3 +30,14 @@
   with_items:
     - "searchlight-api"
     - "searchlight-listener"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/searchlight/policy.json"
+  register: searchlight_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/searchlight/policy.json"
+    dest: "{{ node_config_directory }}/searchlight/policy.json"
+  when:
+    searchlight_policy.stat.exists
diff --git a/ansible/roles/senlin/tasks/config.yml b/ansible/roles/senlin/tasks/config.yml
index fa714f5508..17ff0f83aa 100644
--- a/ansible/roles/senlin/tasks/config.yml
+++ b/ansible/roles/senlin/tasks/config.yml
@@ -32,3 +32,14 @@
   with_items:
     - "senlin-api"
     - "senlin-engine"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/senlin/policy.json"
+  register: senlin_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/senlin/policy.json"
+    dest: "{{ node_config_directory }}/senlin/policy.json"
+  when:
+    senlin_policy.stat.exists
diff --git a/ansible/roles/swift/tasks/config.yml b/ansible/roles/swift/tasks/config.yml
index dc04ffaff5..10c26de5a6 100644
--- a/ansible/roles/swift/tasks/config.yml
+++ b/ansible/roles/swift/tasks/config.yml
@@ -152,3 +152,14 @@
     - "container.ring.gz"
     - "object.builder"
     - "object.ring.gz"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/swift/policy.json"
+  register: swift_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/swift/policy.json"
+    dest: "{{ node_config_directory }}/swift/policy.json"
+  when:
+    swift_policy.stat.exists
diff --git a/ansible/roles/tempest/tasks/config.yml b/ansible/roles/tempest/tasks/config.yml
index 3375790f90..6422270d3a 100644
--- a/ansible/roles/tempest/tasks/config.yml
+++ b/ansible/roles/tempest/tasks/config.yml
@@ -24,3 +24,14 @@
     dest: "{{ node_config_directory }}/{{ item }}/tempest.conf"
   with_items:
     - "tempest"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/tempest/policy.json"
+  register: tempest_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/tempest/policy.json"
+    dest: "{{ node_config_directory }}/tempest/policy.json"
+  when:
+    tempest_policy.stat.exists
diff --git a/ansible/roles/watcher/tasks/config.yml b/ansible/roles/watcher/tasks/config.yml
index 5116c3ebb4..9d4ae9f7a9 100644
--- a/ansible/roles/watcher/tasks/config.yml
+++ b/ansible/roles/watcher/tasks/config.yml
@@ -35,3 +35,14 @@
     - "watcher-api"
     - "watcher-engine"
     - "watcher-applier"
+
+- name: Check if policies shall be overwritten
+  local_action: stat path="{{ node_custom_config }}/watcher/policy.json"
+  register: watcher_policy
+
+- name: Copying over existing policy.json
+  template:
+    src: "{{ node_custom_config }}/watcher/policy.json"
+    dest: "{{ node_config_directory }}/watcher/policy.json"
+  when:
+    watcher_policy.stat.exists
diff --git a/releasenotes/notes/custom-policies-5a9bb2b59d19b484.yaml b/releasenotes/notes/custom-policies-5a9bb2b59d19b484.yaml
new file mode 100644
index 0000000000..8097b2c2d1
--- /dev/null
+++ b/releasenotes/notes/custom-policies-5a9bb2b59d19b484.yaml
@@ -0,0 +1,3 @@
+---
+features:
+  - Allow customisation of policy.json files per service.
-- 
GitLab