Merge "Horizon: Manage policy files"

deployment/cinder/cinder-api-container-puppet.yaml

@@ -239,6 +239,8 @@ outputs:
           cinder::db::mysql::user: cinder
           cinder::db::mysql::host: '%'
           cinder::db::mysql::dbname: cinder
+        horizon:
+          horizon::policy::cinder_policies: {get_param: CinderApiPolicies}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: cinder

deployment/glance/glance-api-container-puppet.yaml

@@ -653,6 +653,8 @@ outputs:
         rsyslog:
           tripleo_logging_sources_glance_api:
             - {get_param: GlanceApiLoggingSource}
+        horizon:
+          horizon::policy::glance_policies: {get_param: GlanceApiPolicies}
       # BEGIN DOCKER SETTINGS #
       puppet_config:
         config_volume: glance_api

deployment/heat/heat-api-container-puppet.yaml

@@ -199,6 +199,8 @@ outputs:
         rsyslog:
           tripleo_logging_sources_heat_api:
             - {get_param: HeatApiLoggingSource}
+        horizon:
+          horizon::dashboards::heat::policies: {get_param: HeatApiPolicies}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: heat_api

deployment/keystone/keystone-container-puppet.yaml

@@ -708,10 +708,12 @@ outputs:
           keystone::endpoint::region: {get_param: KeystoneRegion}
           keystone::admin_password: {get_param: AdminPassword}
         horizon:
-          if:
-          - {get_param: KeystoneLDAPDomainEnable}
-          - horizon::keystone_multidomain_support: true
-            horizon::keystone_default_domain: 'Default'
+          map_merge:
+            - if:
+              - {get_param: KeystoneLDAPDomainEnable}
+              - horizon::keystone_multidomain_support: true
+                horizon::keystone_default_domain: 'Default'
+            - horizon::policy::keystone_policies: {get_param: KeystonePolicies}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: keystone

deployment/manila/manila-api-container-puppet.yaml

@@ -52,6 +52,12 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  ManilaApiPolicies:
+    description: |
+      A hash of policies to configure for Manila API.
+      e.g. { manila-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json
   MonitoringSubscriptionManilaApi:
     default: 'overcloud-manila-api'
     type: string
@@ -225,6 +231,7 @@ outputs:
             manila::api::service_name: 'httpd'
             manila::api::enable_proxy_headers_parsing: true
             manila::api::default_share_type: 'default'
+            manila::api::policies: {get_param: ManilaApiPolicies}
             manila_enabled_share_protocols: {get_param: ManilaEnabledShareProtocols}
             manila::cron::db_purge::minute: {get_param: ManilaCronDbPurgeMinute}
             manila::cron::db_purge::hour: {get_param: ManilaCronDbPurgeHour}
@@ -242,7 +249,11 @@ outputs:
                 params:
                   $NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
             manila::wsgi::apache::workers: {get_param: ManilaWorkers}
-      service_config_settings: {get_attr: [ManilaBase, role_data, service_config_settings]}
+      service_config_settings:
+        map_merge:
+          - {get_attr: [ManilaBase, role_data, service_config_settings]}
+          - horizon:
+              horizon::dashboard::manila::policies: {get_param: ManilaApiPolicies}
       # BEGIN DOCKER SETTINGS #
       puppet_config:
         config_volume: manila

deployment/neutron/neutron-api-container-puppet.yaml

@@ -467,7 +467,8 @@ outputs:
           neutron::db::mysql::user: neutron
           neutron::db::mysql::host: '%'
           neutron::db::mysql::dbname: ovs_neutron
-
+        horizon:
+          horizon::policy::neutron_policies: {get_param: NeutronApiPolicies}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: neutron

deployment/nova/nova-api-container-puppet.yaml

@@ -433,6 +433,7 @@ outputs:
         rsyslog:
           tripleo_logging_sources_nova_api:
             - {get_param: NovaApiLoggingSource}
+        horizon: {get_attr: [NovaBase, role_data, service_config_settings], horizon}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: nova

deployment/nova/nova-base-puppet.yaml

@@ -265,7 +265,7 @@ outputs:
           nova::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
           nova::policy::enforce_scope: {get_param: EnforceSecureRbac}
           nova::policy::purge_config: true
-          nova::policy::policies:
+          nova::policy::policies: &nova_policies
             map_merge:
             - {get_param: NovaApiPolicies}
             - if:
@@ -298,3 +298,5 @@ outputs:
       service_config_settings:
         rabbitmq:
           nova::rabbit_use_ssl: {get_param: RpcUseSSL}
+        horizon:
+          horizon::policy::nova_policies: *nova_policies

deployment/octavia/octavia-api-container-puppet.yaml

@@ -236,6 +236,8 @@ outputs:
           octavia::db::mysql::user: {get_param: OctaviaUserName}
           octavia::db::mysql::host: '%'
           octavia::db::mysql::dbname: octavia
+        horizon:
+          octavia::dashboards::heat::policies: {get_param: OctaviaApiPolicies}
       # BEGIN DOCKER SETTINGS #
       puppet_config:
         config_volume: octavia