From 2447deec622a716abfa4495108e71f9c75c3c2fe Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 26 Aug 2020 18:46:46 +0300
Subject: [PATCH] Add option to override horizon policies

In case policies are overriden for services, horizon maintain and ship it's own set of policies that should be separatelly overriden.

Depends-On: https://review.opendev.org/754382
Change-Id: I7099a5b11390d3296c7b4bb74d69670c7fe64f58
---
 defaults/main.yml | 6 ++++++
 ...horizon_policy_overrides-ca84702ef993ea92.yaml | 10 ++++++++++
 tasks/horizon_post_install.yml | 15 +++++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 releasenotes/notes/horizon_policy_overrides-ca84702ef993ea92.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 9df717c8..2d874381 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -486,6 +486,12 @@ horizon_translations_pull: "{{ _horizon_translations_pull }}"
 # Set arbitrary horizon configuration options
 horizon_config_overrides: {}
+# Set overrides for horizon embedded policies
+#horizon_policy_overrides:
+# cinder:
+# "volume:create": "rule:admin_or_owner"
+horizon_policy_overrides: {}
+
 horizon_keystone_admin_roles:
 - admin
diff --git a/releasenotes/notes/horizon_policy_overrides-ca84702ef993ea92.yaml b/releasenotes/notes/horizon_policy_overrides-ca84702ef993ea92.yaml
new file mode 100644
index 00000000..7b172b37
--- /dev/null
+++ b/releasenotes/notes/horizon_policy_overrides-ca84702ef993ea92.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Added variable `horizon_policy_overrides` which allows to customize horizon
+ specific policies. As we don't want to carry and maintain horizon policies
+ with OSA, they're retrieved from horizon hosts and adjusted in-place,
+ which means that they won't rollback in case you just remove override.
+ `horizon_policy_overrides` has also non-standart format, as it's nested
+ dictionary, where 1st level key represents service which policy needs to
+ be overriden, and it's value is normal policy override format.
diff --git a/tasks/horizon_post_install.yml b/tasks/horizon_post_install.yml
index 3ce7ae37..95a0fd03 100644
--- a/tasks/horizon_post_install.yml
+++ b/tasks/horizon_post_install.yml
@@ -42,6 +42,21 @@
 when: item.always_install
 notify: Restart apache2
+- name: Retrieve horizon policy files
+ slurp:
+ src: "{{ horizon_lib_dir }}/openstack_dashboard/conf/{{ item }}_policy.yaml"
+ with_items: "{{ horizon_policy_overrides.keys() | list }}"
+ register: _horizon_policy
+
+- name: Place policy overrides
+ config_template:
+ content: "{{ item.content | b64decode }}"
+ dest: "{{ item.source }}"
+ mode: "0644"
+ config_type: json
+ config_overrides: "{{ horizon_policy_overrides[item.item] }}"
+ with_items: "{{ _horizon_policy.results }}"
+
 - name: Uploading horizon custom files
 copy:
 src: "{{ item.value.src }}"
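Review bot: `Place policy overrides` writes the merged result back to the path that `Retrieve horizon policy files` just slurped (`dest: "{{ item.source }}"`), so the packaged policy file is not preserved and every run merges on top of the previous run's output. A rule that was loosened once therefore stays loosened after its key is removed from `horizon_policy_overrides`; the release note says so, but nothing at the task does. Consider merging from an untouched copy of the shipped file, or at minimum put a comment above the task such as `# Merged in place: removing an override does not restore the packaged rule`. The task also carries no `notify: Restart apache2`, unlike the task whose tail is visible in the context lines above, so it should be confirmed that a changed policy is picked up without a restart. Finally, `config_type: json` is applied to a `_policy.yaml` file; if the shipped content is YAML that is not also valid JSON the merge may fail, so `config_type: yaml` looks like the safer setting and is worth checking against the files horizon installs.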