Beispiel #1
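def update_image_location_policy():
    """Restrict the Glance ``*_image_location`` policies to the admin role.

    The ``role:admin`` rule is applied unconditionally on Kilo and later.
    Before a rule is overwritten, the value found in the policy file is
    recorded once in the ``kv()`` store under ``policy_<name>`` so the
    packaged default can be recovered if a revert is ever needed.

    Releases earlier than Kilo are left untouched (see LP: #1502136).
    """
    if CompareOpenStackReleases(os_release('glance-common')) < 'kilo':
        # NOTE(hopem): at the time of writing we are unable to do this for
        # earlier than Kilo due to LP: #1502136
        return

    db = kv()
    policies = [
        "get_image_location", "set_image_location", "delete_image_location"
    ]
    for policy_key in policies:
        # Save original value at time of first install in case we ever need to
        # revert.
        db_key = "policy_{}".format(policy_key)
        if db.get(db_key) is None:
            # Read through a context manager so the file handle is closed
            # deterministically rather than left for the garbage collector.
            with open(GLANCE_POLICY_FILE) as policy_file:
                p = json.loads(policy_file.read())
            if policy_key in p:
                db.set(db_key, p[policy_key])
                db.flush()
            else:
                log("key '{}' not found in policy file".format(policy_key),
                    level=INFO)

        # Only the admin role may read or change image locations once this
        # rule has been written.
        policy_value = 'role:admin'
        log("Updating Glance policy file setting policy "
            "'{}':'{}'".format(policy_key, policy_value),
            level=INFO)
        update_json_file(GLANCE_POLICY_FILE, {policy_key: policy_value})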
Beispiel #2
    def test_update_json_file(self):
        """Check that update_json_file merges overrides and rewrites the file.

        The fixture starts with empty-string rules for the three
        ``*_image_location`` policies; the test asserts that the file is
        opened for reading and for writing and that the written payload is
        the original document updated with the supplied items.
        """
        policy_path = "/etc/glance/policy.json"
        original_policy = """{
        "delete_image_location": "",
        "get_image_location": "",
        "set_image_location": "",
        "extra_property": "False"
        }"""
        overrides = {
            "get_image_location": "role:admin",
            "extra_policy": "extra",
        }

        # Expected document: existing keys are kept, overridden keys are
        # replaced and unknown keys are appended.
        expected = json.loads(original_policy)
        expected.update(overrides)

        opener = mock.mock_open(read_data=original_policy)
        with mock.patch(builtin_open, opener) as patched_open:
            utils.update_json_file(policy_path, overrides)
            patched_open.assert_has_calls(
                [mock.call(policy_path), mock.call(policy_path, 'w')],
                any_order=True)

        opener().write.assert_called_with(json.dumps(expected, indent=4))
Beispiel #3
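def update_image_location_policy():
    """Set the Glance ``*_image_location`` policies from charm config.

    When the ``restrict-image-location-operations`` config option is truthy
    the three rules are set to ``role:admin``; otherwise they are set to the
    empty string.  An empty rule is evaluated by oslo.policy as "always
    allow", so with the option off these operations are not limited to
    admins by this file.

    Before a rule is overwritten, the value found in the policy file is
    recorded once in the ``kv()`` store under ``policy_<name>`` so the
    packaged default can be recovered if a revert is ever needed.

    Releases earlier than Kilo are left untouched (see LP: #1502136).
    """
    if CompareOpenStackReleases(os_release('glance-common')) < 'kilo':
        # NOTE(hopem): at the time of writing we are unable to do this for
        # earlier than Kilo due to LP: #1502136
        return

    db = kv()
    policies = ["get_image_location", "set_image_location",
                "delete_image_location"]
    for policy_key in policies:
        # Save original value at time of first install in case we ever need to
        # revert.
        db_key = "policy_{}".format(policy_key)
        if db.get(db_key) is None:
            # Read through a context manager so the file handle is closed
            # deterministically rather than left for the garbage collector.
            with open(GLANCE_POLICY_FILE) as policy_file:
                p = json.loads(policy_file.read())
            if policy_key in p:
                db.set(db_key, p[policy_key])
                db.flush()
            else:
                log("key '{}' not found in policy file".format(policy_key),
                    level=INFO)

        if config('restrict-image-location-operations'):
            policy_value = 'role:admin'
        else:
            # Empty rule == unrestricted; this is the deliberate opt-out path.
            policy_value = ''

        log("Updating Glance policy file setting policy "
            "'{}':'{}'".format(policy_key, policy_value), level=INFO)
        update_json_file(GLANCE_POLICY_FILE, {policy_key: policy_value})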
Beispiel #4
def update_image_location_policy(configs=None):
    """Apply the charm's ``*_image_location`` policy settings.

    Behaviour depends on the installed ``glance-common`` release:

    * before kilo: nothing is changed (see LP: #1502136);
    * ussuri and later: any existing policy.json is removed and, when a
      ``configs`` object was passed, GLANCE_POLICY_YAML is written through
      it.  From ussuri onwards glance is policy-in-code, so policy files are
      essentially all overrides;
    * kilo up to (not including) ussuri: the three location rules in
      policy.json are rewritten.  They become ``role:admin`` when the
      ``restrict-image-location-operations`` config option is truthy and the
      empty string otherwise.  oslo.policy treats an empty rule as "always
      allow", so the option being off leaves these operations unrestricted
      by this file.

    In the policy.json case the value found in the file is recorded once in
    the ``kv()`` store under ``policy_<name>`` before being overwritten, in
    case a revert is ever needed.

    :param configs: The configs for the charm
    :type configs: Optional[:class:templating.OSConfigRenderer()]
    """
    release = CompareOpenStackReleases(os_release('glance-common'))
    if release < 'kilo':
        # NOTE(hopem): at the time of writing we are unable to do this for
        # earlier than Kilo due to LP: #1502136
        return

    if release >= 'ussuri':
        # A policy.json left on disk is the packaged file from an earlier
        # OpenStack release and is no longer used, so drop it.
        if os.path.isfile(GLANCE_POLICY_FILE):
            try:
                os.remove(GLANCE_POLICY_FILE)
            except Exception as exc:
                # Removal is best-effort: the failure is logged and the
                # policy.yaml write below still goes ahead.
                log("Problem removing file: {}: {}".format(
                    GLANCE_POLICY_FILE, str(exc)))
        # When the caller handed in a configs object, render
        # GLANCE_POLICY_YAML through it.
        if configs is not None:
            configs.write(GLANCE_POLICY_YAML)
        return

    # Release is kilo or later and earlier than ussuri: keep editing the
    # existing policy.json in place.
    store = kv()
    policies = [
        "get_image_location", "set_image_location", "delete_image_location"
    ]

    try:
        with open(GLANCE_POLICY_FILE) as policy_file:
            current_rules = json.load(policy_file)
    except IOError as exc:
        # NOTE(review): returning here means none of the location rules are
        # written; the only trace is this WARNING, so an unreadable policy
        # file leaves whatever rules were previously in effect.
        log("Problem opening glance policy file: {}.  Error was:{}".format(
            GLANCE_POLICY_FILE, str(exc)),
            level=WARNING)
        return

    for policy_key in policies:
        # Record the pre-existing value only once, so a later run does not
        # replace it with a value this function wrote.
        db_key = "policy_{}".format(policy_key)
        if store.get(db_key) is not None:
            continue
        if policy_key not in current_rules:
            log("key '{}' not found in policy file".format(policy_key),
                level=INFO)
            continue
        store.set(db_key, current_rules[policy_key])
        store.flush()

    restricted = config('restrict-image-location-operations')
    rule_value = 'role:admin' if restricted else ''

    new_policies = dict.fromkeys(policies, rule_value)
    for policy_key in new_policies:
        log("Updating Glance policy file setting policy "
            "'{}': '{}'".format(policy_key, new_policies[policy_key]),
            level=INFO)

    # All three rules are written in a single update of the file.
    update_json_file(GLANCE_POLICY_FILE, new_policies)