openstack/aodh
Code Issues Proposed changes

Merge "[goal] Deprecate the JSON formatted policy file"

Browse Source
This commit is contained in:
Zuul
2021-01-13 20:12:43 +00:00
committed by Gerrit Code Review
parent 3115c71a36 5e7a0519cf
commit 7ad4ae15c3
13 changed files with 86 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
aodh/api/hooks.py
View File

@@ -13,11 +13,19 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from oslo_config import cfg
from oslo_policy import opts
from oslo_policy import policy from oslo_policy import policy
from pecan import hooks from pecan import hooks
from aodh.api import policies from aodh.api import policies
# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
class ConfigHook(hooks.PecanHook): class ConfigHook(hooks.PecanHook):
"""Attach the configuration and policy enforcer object to the request. """Attach the configuration and policy enforcer object to the request.

13
aodh/cmd/status.py
View File

@@ -15,6 +15,7 @@
import sys import sys
from oslo_config import cfg from oslo_config import cfg
from oslo_upgradecheck import common_checks
from oslo_upgradecheck import upgradecheck from oslo_upgradecheck import upgradecheck
from aodh.i18n import _ from aodh.i18n import _
@@ -30,17 +31,9 @@ class Checks(upgradecheck.UpgradeCommands):
and added to _upgrade_checks tuple. and added to _upgrade_checks tuple.
""" """
def _sample_check(self):
"""This is sample check added to test the upgrade check framework
It needs to be removed after adding any real upgrade check
"""
return upgradecheck.Result(upgradecheck.Code.SUCCESS, 'Sample detail')
_upgrade_checks = ( _upgrade_checks = (
# Sample check added for now. (_('policy File JSON to YAML Migration'),
# Whereas in future real checks must be added here in tuple (common_checks.check_policy_json, {'conf': CONF})),
(_('Sample Check'), _sample_check),
) )

16
aodh/conf/defaults.py
View File

@@ -12,7 +12,23 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from oslo_config import cfg
from oslo_middleware import cors from oslo_middleware import cors
from oslo_policy import opts as policy_opts
def set_lib_defaults():
"""Update default value for configuration options from other namespace.
Example, oslo lib config options. This is needed for
config generator tool to pick these default value changes.
https://docs.openstack.org/oslo.config/latest/cli/
generator.html#modifying-defaults-from-other-namespaces
"""
set_cors_middleware_defaults()
# Update default value of oslo.policy policy_file config option.
policy_opts.set_defaults(cfg.CONF, 'policy.yaml')
def set_cors_middleware_defaults(): def set_cors_middleware_defaults():

2
aodh/service.py
View File

@@ -87,7 +87,7 @@ def prepare_service(argv=None, config_files=None):
if profiler_opts: if profiler_opts:
profiler_opts.set_defaults(conf) profiler_opts.set_defaults(conf)
policy_opts.set_defaults(conf, policy_file=os.path.abspath( policy_opts.set_defaults(conf, policy_file=os.path.abspath(
os.path.join(os.path.dirname(__file__), "api", "policy.json"))) os.path.join(os.path.dirname(__file__), "api", "policy.yaml")))
from aodh import opts from aodh import opts
# Register our own Aodh options # Register our own Aodh options
for group, options in opts.list_opts(): for group, options in opts.list_opts():

7
aodh/tests/functional/api/v2/policy.json-test
View File

@@ -1,7 +0,0 @@
{
"context_is_admin": "role:admin",
"segregation": "rule:context_is_admin",
"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"telemetry:get_alarms": "role:admin"
}

8
aodh/tests/functional/api/v2/policy.yaml-test Normal file
View File

@@ -0,0 +1,8 @@
# WARNING: Below rules are either deprecated rules
# or extra rules in policy file, it is strongly
# recommended to switch to new rules.
"context_is_admin": "role:admin"
"segregation": "rule:context_is_admin"
"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
"default": "rule:admin_or_owner"
"telemetry:get_alarms": "role:admin"

2
aodh/tests/functional/api/v2/test_alarm_scenarios.py
View File

@@ -414,7 +414,7 @@ class TestAlarms(TestAlarmsBase):
_test('project_id') _test('project_id')
def test_get_alarm_forbiden(self): def test_get_alarm_forbiden(self):
pf = os.path.abspath('aodh/tests/functional/api/v2/policy.json-test') pf = os.path.abspath('aodh/tests/functional/api/v2/policy.yaml-test')
self.CONF.set_override('policy_file', pf, group='oslo_policy') self.CONF.set_override('policy_file', pf, group='oslo_policy')
self.CONF.set_override('auth_mode', None, group='api') self.CONF.set_override('auth_mode', None, group='api')
self.app = webtest.TestApp(app.load_app(self.CONF)) self.app = webtest.TestApp(app.load_app(self.CONF))

14
aodh/tests/unit/cmd/test_status.py
View File

@@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from oslo_config import cfg
from oslo_upgradecheck.upgradecheck import Code from oslo_upgradecheck.upgradecheck import Code
from aodh.cmd import status from aodh.cmd import status
@@ -23,8 +24,13 @@ class TestUpgradeChecks(base.BaseTestCase):
def setUp(self): def setUp(self):
super(TestUpgradeChecks, self).setUp() super(TestUpgradeChecks, self).setUp()
self.cmd = status.Checks() self.cmd = status.Checks()
cfg.CONF(args=[], project='aodh')
def test__sample_check(self): def test_checks(self):
check_result = self.cmd._sample_check() for name, func in self.cmd._upgrade_checks:
self.assertEqual( if isinstance(func, tuple):
Code.SUCCESS, check_result.code) func_name, kwargs = func
result = func_name(self, **kwargs)
else:
result = func(self)
self.assertEqual(Code.SUCCESS, result.code)

8
doc/source/configuration/policy.rst
View File

@@ -2,6 +2,14 @@
Aodh Sample Policy Configuration File Aodh Sample Policy Configuration File
===================================== =====================================
.. warning::
JSON formatted policy file is deprecated since Aodh 12.0.0 (Wallaby).
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
JSON-formatted policy file to YAML in a backward-compatible way.
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
The following is an overview of all available policies in Aodh. The following is an overview of all available policies in Aodh.
For a sample configuration file, refer to :doc:`sample-policy-yaml`. For a sample configuration file, refer to :doc:`sample-policy-yaml`.

8
doc/source/configuration/sample-policy-yaml.rst
View File

@@ -2,6 +2,14 @@
policy.yaml policy.yaml
=========== ===========
.. warning::
JSON formatted policy file is deprecated since Aodh 12.0.0 (Wallaby).
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
JSON-formatted policy file to YAML in a backward-compatible way.
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
Use the ``policy.yaml`` file to define additional access controls that will be Use the ``policy.yaml`` file to define additional access controls that will be
applied to Aodh: applied to Aodh:

20
releasenotes/notes/deprecate-json-formatted-policy-file-fgb26387a9bdb3b9.yaml Normal file
View File

@@ -0,0 +1,20 @@
---
upgrade:
- |
The default value of ``[oslo_policy] policy_file`` config option has
been changed from ``policy.json`` to ``policy.yaml``.
Operators who are utilizing customized or previously generated
static policy JSON files (which are not needed by default), should
generate new policy files or convert them in YAML format. Use the
`oslopolicy-convert-json-to-yaml
<https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
tool to convert a JSON to YAML formatted policy file in
backward compatible way.
deprecations:
- |
Use of JSON policy files was deprecated by the ``oslo.policy`` library
during the Victoria development cycle. As a result, this deprecation is
being noted in the Wallaby cycle with an anticipated future removal of support
by ``oslo.policy``. As such operators will need to convert to YAML policy
files. Please see the upgrade notes for details on migration of any
custom policy files.

4
requirements.txt
View File

@@ -10,12 +10,12 @@ keystonemiddleware>=5.1.0 # Apache-2.0
gnocchiclient>=3.1.0 # Apache-2.0 gnocchiclient>=3.1.0 # Apache-2.0
lxml>=2.3 lxml>=2.3
oslo.db>=4.8.0,!=4.13.1,!=4.13.2,!=4.15.0 # Apache-2.0 oslo.db>=4.8.0,!=4.13.1,!=4.13.2,!=4.15.0 # Apache-2.0
oslo.config>=2.6.0 # Apache-2.0 oslo.config>=6.8.0 # Apache-2.0
oslo.context>=2.22.0 # Apache-2.0 oslo.context>=2.22.0 # Apache-2.0
oslo.i18n>=1.5.0 # Apache-2.0 oslo.i18n>=1.5.0 # Apache-2.0
oslo.log>=4.3.0 # Apache-2.0 oslo.log>=4.3.0 # Apache-2.0
oslo.policy>=3.6.0 # Apache-2.0 oslo.policy>=3.6.0 # Apache-2.0
oslo.upgradecheck>=0.1.1 # Apache-2.0 oslo.upgradecheck>=1.3.0 # Apache-2.0
PasteDeploy>=1.5.0 PasteDeploy>=1.5.0
pbr>=2.0.0 # Apache-2.0 pbr>=2.0.0 # Apache-2.0
pecan>=0.8.0 pecan>=0.8.0

2
setup.cfg
View File

@@ -110,7 +110,7 @@ oslo.config.opts =
aodh-auth = aodh.opts:list_keystoneauth_opts aodh-auth = aodh.opts:list_keystoneauth_opts
oslo.config.opts.defaults = oslo.config.opts.defaults =
aodh = aodh.conf.defaults:set_cors_middleware_defaults aodh = aodh.conf.defaults:set_lib_defaults
oslo.policy.policies = oslo.policy.policies =
aodh = aodh.api.policies:list_rules aodh = aodh.api.policies:list_rules