Neutron is in the process of migrating to policy-in-code.
DevStack needs to be able to handle both cases, with and
without policy.json in the neutron repo.
Note that nova assumes neutron API access as admin,
so user_name:neutron needs to be included in context_is_admin
to make DevStack work properly. Hopefully this can be cleaned up,
but this is a separate topic from policy-in-code.
Needed-By: https://review.openstack.org/#/c/585037/
Change-Id: Id1b0600d92e839ade1790a15c372e82e8e16ee9f
| ... | ... |
@@ -183,9 +183,14 @@ function configure_neutron_new {
|
| 183 | 183 |
# Neutron API server & Neutron plugin |
| 184 | 184 |
if is_service_enabled neutron-api; then |
| 185 | 185 |
local policy_file=$NEUTRON_CONF_DIR/policy.json |
| 186 |
- cp $NEUTRON_DIR/etc/policy.json $policy_file |
|
| 187 | 186 |
# Allow neutron user to administer neutron to match neutron account |
| 188 |
- sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $policy_file |
|
| 187 |
+ # NOTE(amotoki): This is required for nova works correctly with neutron. |
|
| 188 |
+ if [ -f $NEUTRON_DIR/etc/policy.json ]; then |
|
| 189 |
+ cp $NEUTRON_DIR/etc/policy.json $policy_file |
|
| 190 |
+ sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $policy_file |
|
| 191 |
+ else |
|
| 192 |
+ echo '{"context_is_admin": "role:admin or user_name:neutron"}' > $policy_file
|
|
| 193 |
+ fi |
|
| 189 | 194 |
|
| 190 | 195 |
cp $NEUTRON_DIR/etc/api-paste.ini $NEUTRON_CONF_DIR/api-paste.ini |
| 191 | 196 |
|
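Review bot: The fallback at new line 192 writes `"context_is_admin": "role:admin or user_name:neutron"` as the entire policy file, and that rule matches on user name alone. As far as I know Keystone user names are unique only within a domain, so a user named neutron in any other domain would presumably satisfy this rule as well; the commit message already describes it as a workaround. I would record that next to the rule, e.g. `# NOTE: name-only match, not domain-scoped; DevStack workaround, do not reuse in a deployed policy file`. The second hunk (`_configure_neutron_common`, new line 709) writes the same rule and would take the same comment. `configure_neutron_new` continues outside the hunk.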
| ... | ... |
@@ -699,10 +699,15 @@ function _configure_neutron_common {
|
| 699 | 699 |
cp $NEUTRON_DIR/etc/neutron.conf.sample $NEUTRON_CONF |
| 700 | 700 |
|
| 701 | 701 |
Q_POLICY_FILE=$NEUTRON_CONF_DIR/policy.json |
| 702 |
- cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE |
|
| 703 | 702 |
|
| 704 | 703 |
# allow neutron user to administer neutron to match neutron account |
| 705 |
- sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE |
|
| 704 |
+ # NOTE(amotoki): This is required for nova works correctly with neutron. |
|
| 705 |
+ if [ -f $NEUTRON_DIR/etc/policy.json ]; then |
|
| 706 |
+ cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE |
|
| 707 |
+ sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE |
|
| 708 |
+ else |
|
| 709 |
+ echo '{"context_is_admin": "role:admin or user_name:neutron"}' > $Q_POLICY_FILE
|
|
| 710 |
+ fi |
|
| 706 | 711 |
|
| 707 | 712 |
# Set plugin-specific variables ``Q_DB_NAME``, ``Q_PLUGIN_CLASS``. |
| 708 | 713 |
# For main plugin config file, set ``Q_PLUGIN_CONF_PATH``, ``Q_PLUGIN_CONF_FILENAME``. |
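Review bot: When policy.json exists, the `sed -i` at new line 707 is a silent no-op if the shipped `context_is_admin` value is not exactly `"role:admin"`, so the copied file can end up without the neutron user and nothing reports it. A check right after the sed would surface that, e.g. `grep -q 'user_name:neutron' $Q_POLICY_FILE || echo "WARNING: context_is_admin not patched in $Q_POLICY_FILE" >&2`. The first hunk has the same sed at new line 190. `_configure_neutron_common` starts and ends outside the hunk.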