[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to do two things: 1. Change the default value of '[oslo_policy] policy_file'' config option from 'policy.json' to 'policy.yaml' with upgrade checks. 2. Deprecate the JSON formatted policy file on the project side via warning in doc and releasenotes. Also replace policy.json to policy.yaml ref from doc and tests. [1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: Ia0fa4ba1fecf2740a291c5a65b906b089c95404d
2020-12-24 21:51:09 -06:00 · 2020-12-24 21:51:09 -06:00 · 5e7a0519cf
parent 0bac3700b3
commit 5e7a0519cf
13 changed files with 86 additions and 26 deletions
--- a/aodh/api/hooks.py
+++ b/aodh/api/hooks.py
@ -13,11 +13,19 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+from oslo_config import cfg
+from oslo_policy import opts
 from oslo_policy import policy
 from pecan import hooks

 from aodh.api import policies

+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+

 class ConfigHook(hooks.PecanHook):
    """Attach the configuration and policy enforcer object to the request.
--- a/aodh/cmd/status.py
+++ b/aodh/cmd/status.py
@ -15,6 +15,7 @@
 import sys

 from oslo_config import cfg
+from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck

 from aodh.i18n import _
@ -30,17 +31,9 @@ class Checks(upgradecheck.UpgradeCommands):
    and added to _upgrade_checks tuple.
    """

-    def _sample_check(self):
-        """This is sample check added to test the upgrade check framework
-
-        It needs to be removed after adding any real upgrade check
-        """
-        return upgradecheck.Result(upgradecheck.Code.SUCCESS, 'Sample detail')
-
    _upgrade_checks = (
-        # Sample check added for now.
-        # Whereas in future real checks must be added here in tuple
-        (_('Sample Check'), _sample_check),
+        (_('policy File JSON to YAML Migration'),
+         (common_checks.check_policy_json, {'conf': CONF})),
    )


--- a/aodh/conf/defaults.py
+++ b/aodh/conf/defaults.py
@ -12,7 +12,23 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+from oslo_config import cfg
 from oslo_middleware import cors
+from oslo_policy import opts as policy_opts
+
+
+def set_lib_defaults():
+    """Update default value for configuration options from other namespace.
+
+    Example, oslo lib config options. This is needed for
+    config generator tool to pick these default value changes.
+    https://docs.openstack.org/oslo.config/latest/cli/
+    generator.html#modifying-defaults-from-other-namespaces
+    """
+    set_cors_middleware_defaults()
+
+    # Update default value of oslo.policy policy_file config option.
+    policy_opts.set_defaults(cfg.CONF, 'policy.yaml')


 def set_cors_middleware_defaults():
--- a/aodh/service.py
+++ b/aodh/service.py
@ -87,7 +87,7 @@ def prepare_service(argv=None, config_files=None):
    if profiler_opts:
        profiler_opts.set_defaults(conf)
    policy_opts.set_defaults(conf, policy_file=os.path.abspath(
-        os.path.join(os.path.dirname(__file__), "api", "policy.json")))
+        os.path.join(os.path.dirname(__file__), "api", "policy.yaml")))
    from aodh import opts
    # Register our own Aodh options
    for group, options in opts.list_opts():
--- a/aodh/tests/functional/api/v2/policy.json-test
+++ b/aodh/tests/functional/api/v2/policy.json-test
@ -1,7 +0,0 @@
-{
-    "context_is_admin": "role:admin",
-    "segregation": "rule:context_is_admin",
-    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
-    "default": "rule:admin_or_owner",
-    "telemetry:get_alarms": "role:admin"
-}
--- a/aodh/tests/functional/api/v2/policy.yaml-test
+++ b/aodh/tests/functional/api/v2/policy.yaml-test
@ -0,0 +1,8 @@
+# WARNING: Below rules are either deprecated rules
+# or extra rules in policy file, it is strongly
+# recommended to switch to new rules.
+"context_is_admin": "role:admin"
+"segregation": "rule:context_is_admin"
+"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
+"default": "rule:admin_or_owner"
+"telemetry:get_alarms": "role:admin"
--- a/aodh/tests/functional/api/v2/test_alarm_scenarios.py
+++ b/aodh/tests/functional/api/v2/test_alarm_scenarios.py
@ -414,7 +414,7 @@ class TestAlarms(TestAlarmsBase):
        _test('project_id')

    def test_get_alarm_forbiden(self):
-        pf = os.path.abspath('aodh/tests/functional/api/v2/policy.json-test')
+        pf = os.path.abspath('aodh/tests/functional/api/v2/policy.yaml-test')
        self.CONF.set_override('policy_file', pf, group='oslo_policy')
        self.CONF.set_override('auth_mode', None, group='api')
        self.app = webtest.TestApp(app.load_app(self.CONF))
--- a/aodh/tests/unit/cmd/test_status.py
+++ b/aodh/tests/unit/cmd/test_status.py
@ -12,6 +12,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+from oslo_config import cfg
 from oslo_upgradecheck.upgradecheck import Code

 from aodh.cmd import status
@ -23,8 +24,13 @@ class TestUpgradeChecks(base.BaseTestCase):
    def setUp(self):
        super(TestUpgradeChecks, self).setUp()
        self.cmd = status.Checks()
+        cfg.CONF(args=[], project='aodh')

-    def test__sample_check(self):
-        check_result = self.cmd._sample_check()
-        self.assertEqual(
-            Code.SUCCESS, check_result.code)
+    def test_checks(self):
+        for name, func in self.cmd._upgrade_checks:
+            if isinstance(func, tuple):
+                func_name, kwargs = func
+                result = func_name(self, **kwargs)
+            else:
+                result = func(self)
+            self.assertEqual(Code.SUCCESS, result.code)
--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@ -2,6 +2,14 @@
 Aodh Sample Policy Configuration File
 =====================================

+.. warning::
+
+   JSON formatted policy file is deprecated since Aodh 12.0.0 (Wallaby).
+   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
+   JSON-formatted policy file to YAML in a backward-compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
 The following is an overview of all available policies in Aodh.
 For a sample configuration file, refer to :doc:`sample-policy-yaml`.

--- a/doc/source/configuration/sample-policy-yaml.rst
+++ b/doc/source/configuration/sample-policy-yaml.rst
@ -2,6 +2,14 @@
 policy.yaml
 ===========

+.. warning::
+
+   JSON formatted policy file is deprecated since Aodh 12.0.0 (Wallaby).
+   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
+   JSON-formatted policy file to YAML in a backward-compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
 Use the ``policy.yaml`` file to define additional access controls that will be
 applied to Aodh:

--- a/releasenotes/notes/deprecate-json-formatted-policy-file-fgb26387a9bdb3b9.yaml
+++ b/releasenotes/notes/deprecate-json-formatted-policy-file-fgb26387a9bdb3b9.yaml
@ -0,0 +1,20 @@
+---
+upgrade:
+  - |
+    The default value of ``[oslo_policy] policy_file`` config option has
+    been changed from ``policy.json`` to ``policy.yaml``.
+    Operators who are utilizing customized or previously generated
+    static policy JSON files (which are not needed by default), should
+    generate new policy files or convert them in YAML format. Use the
+    `oslopolicy-convert-json-to-yaml
+    <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
+    tool to convert a JSON to YAML formatted policy file in
+    backward compatible way.
+deprecations:
+  - |
+    Use of JSON policy files was deprecated by the ``oslo.policy`` library
+    during the Victoria development cycle. As a result, this deprecation is
+    being noted in the Wallaby cycle with an anticipated future removal of support
+    by ``oslo.policy``. As such operators will need to convert to YAML policy
+    files. Please see the upgrade notes for details on migration of any
+    custom policy files.
--- a/requirements.txt
+++ b/requirements.txt
@ -10,12 +10,12 @@ keystonemiddleware>=5.1.0 # Apache-2.0
 gnocchiclient>=3.1.0  # Apache-2.0
 lxml>=2.3
 oslo.db>=4.8.0,!=4.13.1,!=4.13.2,!=4.15.0 # Apache-2.0
-oslo.config>=2.6.0 # Apache-2.0
+oslo.config>=6.8.0 # Apache-2.0
 oslo.context>=2.22.0 # Apache-2.0
 oslo.i18n>=1.5.0 # Apache-2.0
 oslo.log>=4.3.0 # Apache-2.0
 oslo.policy>=3.6.0 # Apache-2.0
-oslo.upgradecheck>=0.1.1 # Apache-2.0
+oslo.upgradecheck>=1.3.0 # Apache-2.0
 PasteDeploy>=1.5.0
 pbr>=2.0.0 # Apache-2.0
 pecan>=0.8.0
--- a/setup.cfg
+++ b/setup.cfg
@ -110,7 +110,7 @@ oslo.config.opts =
    aodh-auth = aodh.opts:list_keystoneauth_opts

 oslo.config.opts.defaults =
-    aodh = aodh.conf.defaults:set_cors_middleware_defaults
+    aodh = aodh.conf.defaults:set_lib_defaults

 oslo.policy.policies =
    aodh = aodh.api.policies:list_rules