Manage policy.json based on default file and user vars

Registered by Daniel Curran

Overview
########

The default policy.json files shipped with the OpenStack projects are put in place as-is and never modified by the Ansible playbooks. Adding the ability to edit, update and customize these files and policies through configuration management will add flexibility to the deployment and allow it to cover a variety of use cases. This will help deployers meet the needs of operators in an efficient manner.

Problem Description
-------------------

Currently, the policy.json file for each OpenStack project is a flat file that is simply dropped into place. This means that updating the file requires users to either

- modify the files post deployment (really cumbersome) or
- create local and specific changes to the policy.json for the given use case

Both of these require significant upkeep between releases of both OpenStack and the playbooks.

Proposed Change
---------------

The proposed change is to create an Ansible module based on the Ansible template core module.
This module will combine the default policy.json and user-provided variables into a JSON object, then compare this to the JSON object found in the deployed policy.json file.
If the comparison reveals any differences, the newly created JSON object will replace the currently deployed policy.json.
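
The merge, compare and replace flow described above, as an added example in Python; it is not the module delivered by this blueprint. The function names ``merge_policy`` and ``update_policy_file``, the 0640 file mode and the requirement that override rules be strings are assumptions of this example.

```python
import json
import os
import tempfile


def merge_policy(default_policy, overrides):
    """Return a new dict: default rules with user overrides applied on top."""
    for key, rule in overrides.items():
        # Assumption of this example: override rules are given as strings, so a
        # YAML typo (a bool, a nested dict) cannot silently rewrite an access rule.
        if not isinstance(key, str) or not isinstance(rule, str):
            raise ValueError("policy override %r must map a string to a string" % (key,))
    merged = dict(default_policy)
    merged.update(overrides)
    return merged


def update_policy_file(default_path, deployed_path, overrides, mode=0o640):
    """Write the merged policy to deployed_path only if it differs.

    Returns (changed, diff) where diff maps rule name -> (old, new).
    """
    with open(default_path) as fh:
        desired = merge_policy(json.load(fh), overrides)
    try:
        with open(deployed_path) as fh:
            current = json.load(fh)
    except (OSError, ValueError):
        current = None  # missing or unparsable file: always replace
    if current == desired:
        return False, {}
    old = current if isinstance(current, dict) else {}
    diff = {k: (old.get(k), desired.get(k))
            for k in set(old) | set(desired) if old.get(k) != desired.get(k)}
    # Write to a temp file in the same directory, then rename, so the
    # service never reads a half-written policy.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(deployed_path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(desired, fh, indent=4, sort_keys=True)
        os.chmod(tmp, mode)
        os.replace(tmp, deployed_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True, diff
```

The returned diff lists every rule whose value changed, which gives a reviewer the exact permission changes a run made.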

Playbook Impact
---------------

A new Ansible module will be added and used in all playbooks handling policy.json files.

Alternatives
------------

- Use the normal templating module, but this will require a lot of upkeep and variables, as each of the OpenStack projects often has significant changes between versions.
- Give people the ability to specify a separate file, whether local or remote. User experience is degraded and they end up needing to handle changes between versions manually.

Security Impact
---------------

Incorrect policies could give end users too many or too few permissions.

Performance Impact
------------------

None

End User Impact
---------------

The actions that end users are allowed to take will now be determined by the new policy.json instead of the default configuration.

Deployer Impact
---------------

Deployers will be able to set key/value pairs in policy.json as they see fit or leave it as the default.

Developer Impact
----------------

None

Dependencies
------------

Parts of this blueprint are related to, but not strictly dependent on:
https://blueprints.launchpad.net/openstack-ansible/+spec/tunable-openstack-configuration

Documentation Impact
--------------------

Documentation will be required to explain the mechanism by which the templating works.

References
----------

None

Blueprint information

- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Daniel Curran
- Direction: Approved
- Assignee: Daniel Curran
- Definition: Approved
- Series goal: None
- Implementation: Implemented
- Milestone target: None
- Started by: Kevin Carter
- Completed by: Kevin Carter

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/dynamically-manage-policy,n,z

Addressed by: https://review.openstack.org/168104
    Managing policy file with default file and user variables.

Addressed by: https://review.openstack.org/175024
    Applying copy_update to all policy.json files

Addressed by: https://review.openstack.org/175279
    Applying copy_update to all policy.json files
