Migration logic for neutron policy-in-code
Neutron is in a process to migrate to policy-in-code.
DevStack needs to be able to handle both cases with and
without policy.json in the neutron repo.
Note that nova assumes neutron API access with admin
so user_name:neutron needs to be included in context_is_admin
to make DevStack work properly. Hopefully this can be cleanup
but this is a separate topic from policy-in-code.
Needed-By: https://review.openstack.org/#/c/585037/
Change-Id: Id1b0600d92e839ade1790a15c372e82e8e16ee9f
diff --git a/lib/neutron b/lib/neutron
index 4847e87..62f7366 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -183,9 +183,14 @@
# Neutron API server & Neutron plugin
if is_service_enabled neutron-api; then
local policy_file=$NEUTRON_CONF_DIR/policy.json
- cp $NEUTRON_DIR/etc/policy.json $policy_file
# Allow neutron user to administer neutron to match neutron account
- sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $policy_file
+ # NOTE(amotoki): This is required for nova works correctly with neutron.
+ if [ -f $NEUTRON_DIR/etc/policy.json ]; then
+ cp $NEUTRON_DIR/etc/policy.json $policy_file
+ sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $policy_file
+ else
+ echo '{"context_is_admin": "role:admin or user_name:neutron"}' > $policy_file
+ fi
cp $NEUTRON_DIR/etc/api-paste.ini $NEUTRON_CONF_DIR/api-paste.ini