diff --git a/cinder/policy.py b/cinder/policy.py index fcf763d37cb..17f4f815324 100644 --- a/cinder/policy.py +++ b/cinder/policy.py @@ -51,7 +51,8 @@ def init(use_conf=True): if not _ENFORCER: _ENFORCER = policy.Enforcer( CONF, - use_conf=use_conf) + use_conf=use_conf, + fallback_to_json_file=False) register_rules(_ENFORCER) _ENFORCER.load_rules() diff --git a/cinder/tests/unit/policy.json b/cinder/tests/unit/policy.json deleted file mode 100644 index 3d85a2c488c..00000000000 --- a/cinder/tests/unit/policy.json +++ /dev/null @@ -1,54 +0,0 @@ -{ - "admin_api": "is_admin:True", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - - "volume:create_snapshot": "", - "volume:delete_snapshot": "", - "volume:get_snapshot": "", - "volume:get_all_snapshots": "", - "volume:update_snapshot": "", - "volume:get_snapshot_metadata": "", - "volume:delete_snapshot_metadata": "", - "volume:update_snapshot_metadata": "", - "volume:revert_to_snapshot": "", - "volume_extension:volume_actions:upload_image": "", - "volume_extension:types_manage": "", - "volume_extension:types_extra_specs:create": "", - "volume_extension:types_extra_specs:delete": "", - "volume_extension:types_extra_specs:index": "", - "volume_extension:types_extra_specs:show": "", - "volume_extension:types_extra_specs:update": "", - "volume_extension:volume_type_access": "", - "volume_extension:extended_snapshot_attributes": "", - "volume_extension:services:index": "", - "volume_extension:services:update" : "rule:admin_api", - - "limits_extension:used_limits": "", - - "volume:create_transfer": "", - "volume:delete_transfer": "", - "volume:get_transfer": "", - "volume:get_all_transfers": "", - - "backup:delete": "", - "backup:get": "", - "backup:get_all": "", - "backup:restore": "", - - "group:delete": "", - "group:update": "", - "group:get": "", - "group:get_all": "", - - "group:delete_group_snapshot": "", - "group:update_group_snapshot": "", - "group:get_group_snapshot": "", - "group:get_all_group_snapshots": "", - "group:reset_group_snapshot_status":"", - "group:reset_status":"", - "group:enable_replication": "", - "group:disable_replication": "", - "group:failover_replication": "", - "group:list_replication_targets": "" - -} diff --git a/cinder/tests/unit/policy.yaml b/cinder/tests/unit/policy.yaml new file mode 100644 index 00000000000..9cff066f4cd --- /dev/null +++ b/cinder/tests/unit/policy.yaml @@ -0,0 +1,198 @@ +# Default rule for most non-Admin APIs. +"admin_or_owner": "is_admin:True or project_id:%(project_id)s" + +# Default rule for most Admin APIs. +"admin_api": "is_admin:True" + +# Show snapshot's metadata or one specified metadata with a given key. +# GET /snapshots/{snapshot_id}/metadata +# GET /snapshots/{snapshot_id}/metadata/{key} +"volume:get_snapshot_metadata": "" + +# Update snapshot's metadata or one specified metadata with a given +# key. +# PUT /snapshots/{snapshot_id}/metadata +# PUT /snapshots/{snapshot_id}/metadata/{key} +"volume:update_snapshot_metadata": "" + +# Delete snapshot's specified metadata with a given key. +# DELETE /snapshots/{snapshot_id}/metadata/{key} +"volume:delete_snapshot_metadata": "" + +# List snapshots. +# GET /snapshots +# GET /snapshots/detail +"volume:get_all_snapshots": "" + +# List or show snapshots with extended attributes. +# GET /snapshots/{snapshot_id} +# GET /snapshots/detail +"volume_extension:extended_snapshot_attributes": "" + +# Create snapshot. +# POST /snapshots +"volume:create_snapshot": "" + +# Show snapshot. +# GET /snapshots/{snapshot_id} +"volume:get_snapshot": "" + +# Update snapshot. +# PUT /snapshots/{snapshot_id} +"volume:update_snapshot": "" + +# Delete snapshot. +# DELETE /snapshots/{snapshot_id} +"volume:delete_snapshot": "" + +# List backups. +# GET /backups +# GET /backups/detail +"backup:get_all": "" + +# Show backup. +# GET /backups/{backup_id} +"backup:get": "" + +# Delete backup. +# DELETE /backups/{backup_id} +"backup:delete": "" + +# Restore backup. +# POST /backups/{backup_id}/restore +"backup:restore": "" + +# List groups. +# GET /groups +# GET /groups/detail +"group:get_all": "" + +# Show group. +# GET /groups/{group_id} +"group:get": "" + +# Update group. +# PUT /groups/{group_id} +"group:update": "" + +# List group snapshots. +# GET /group_snapshots +# GET /group_snapshots/detail +"group:get_all_group_snapshots": "" + +# Show group snapshot. +# GET /group_snapshots/{group_snapshot_id} +"group:get_group_snapshot": "" + +# Delete group snapshot. +# DELETE /group_snapshots/{group_snapshot_id} +"group:delete_group_snapshot": "" + +# Update group snapshot. +# PUT /group_snapshots/{group_snapshot_id} +"group:update_group_snapshot": "" + +# Reset status of group snapshot. +# POST /group_snapshots/{g_snapshot_id}/action (reset_status) +"group:reset_group_snapshot_status": "" + +# Delete group. +# POST /groups/{group_id}/action (delete) +"group:delete": "" + +# Reset status of group. +# POST /groups/{group_id}/action (reset_status) +"group:reset_status": "" + +# Enable replication. +# POST /groups/{group_id}/action (enable_replication) +"group:enable_replication": "" + +# Disable replication. +# POST /groups/{group_id}/action (disable_replication) +"group:disable_replication": "" + +# Fail over replication. +# POST /groups/{group_id}/action (failover_replication) +"group:failover_replication": "" + +# List failover replication. +# POST /groups/{group_id}/action (list_replication_targets) +"group:list_replication_targets": "" + +# List all services. +# GET /os-services +"volume_extension:services:index": "" + +# Update service, including failover_host, thaw, freeze, disable, +# enable, set-log and get-log actions. +# PUT /os-services/{action} +#"volume_extension:services:update": "rule:admin_api" + +# Show limits with used limit attributes. +# GET /limits +"limits_extension:used_limits": "" + +# Create, update and delete volume type. +# POST /types +# PUT /types +# DELETE /types +"volume_extension:types_manage": "" + +# Volume type access related APIs. +# GET /types +# GET /types/detail +# GET /types/{type_id} +# POST /types +"volume_extension:volume_type_access": "" + +# Revert a volume to a snapshot. +# POST /volumes/{volume_id}/action (revert) +"volume:revert_to_snapshot": "" + +# Upload a volume to image. +# POST /volumes/{volume_id}/action (os-volume_upload_image) +"volume_extension:volume_actions:upload_image": "" + +# List volume transfer. +# GET /os-volume-transfer +# GET /os-volume-transfer/detail +# GET /volume_transfers +# GET /volume-transfers/detail +"volume:get_all_transfers": "" + +# Create a volume transfer. +# POST /os-volume-transfer +# POST /volume_transfers +"volume:create_transfer": "" + +# Show one specified volume transfer. +# GET /os-volume-transfer/{transfer_id} +# GET /volume-transfers/{transfer_id} +"volume:get_transfer": "" + +# Delete volume transfer. +# DELETE /os-volume-transfer/{transfer_id} +# DELETE /volume-transfers/{transfer_id} +"volume:delete_transfer": "" + +# List type extra specs. +# GET /types/{type_id}/extra_specs +"volume_extension:types_extra_specs:index": "" + +# Create type extra specs. +# POST /types/{type_id}/extra_specs +"volume_extension:types_extra_specs:create": "" + +# Show one specified type extra specs. +# GET /types/{type_id}/extra_specs/{extra_spec_key} +"volume_extension:types_extra_specs:show": "" + +# Update type extra specs. +# PUT /types/{type_id}/extra_specs/{extra_spec_key} +"volume_extension:types_extra_specs:update": "" + +# Delete type extra specs. +# DELETE /types/{type_id}/extra_specs/{extra_spec_key} +"volume_extension:types_extra_specs:delete": "" + diff --git a/cinder/tests/unit/test.py b/cinder/tests/unit/test.py index 739b61ca792..b687030ede7 100644 --- a/cinder/tests/unit/test.py +++ b/cinder/tests/unit/test.py @@ -106,7 +106,7 @@ class TestCase(testtools.TestCase): os.path.dirname(__file__), '../../../')) POLICY_PATH = os.path.join(SOURCE_TREE_ROOT, - 'cinder/tests/unit/policy.json') + 'cinder/tests/unit/policy.yaml') RESOURCE_FILTER_FILENAME = 'etc/cinder/resource_filters.json' RESOURCE_FILTER_PATH = os.path.join(SOURCE_TREE_ROOT, RESOURCE_FILTER_FILENAME) diff --git a/doc/source/admin/blockstorage-consistency-groups.rst b/doc/source/admin/blockstorage-consistency-groups.rst index aacd38463db..34af49fe2e9 100644 --- a/doc/source/admin/blockstorage-consistency-groups.rst +++ b/doc/source/admin/blockstorage-consistency-groups.rst @@ -11,9 +11,12 @@ group operations can be performed using the Block Storage command line. .. note:: - Block Storage API supports consistency groups since V2 version. You can - specify ``--os-volume-api-version 2`` when using Block Storage - command line for consistency group operations. + The Consistency Group APIs have been deprecated since the Queens release. + Use the Generic Volume Group APIs instead. + + The Consistency Group APIs are governed by the same policies as the + Generic Volume Group APIs. For information about configuring cinder + policies, see :ref:`policy-configuration`. Before using consistency groups, make sure the Block Storage driver that you are running has consistency group support by reading the Block @@ -22,46 +25,6 @@ number of drivers that have implemented this feature. The default LVM driver does not support consistency groups yet because the consistency technology is not available at the storage level. -Before using consistency groups, you must change policies for the -consistency group APIs in the ``/etc/cinder/policy.json`` file. -By default, the consistency group APIs are disabled. -Enable them before running consistency group operations. - -Here are existing policy entries for consistency groups: - -.. code-block:: json - - { - "consistencygroup:create": "group:nobody", - "consistencygroup:delete": "group:nobody", - "consistencygroup:update": "group:nobody", - "consistencygroup:get": "group:nobody", - "consistencygroup:get_all": "group:nobody", - "consistencygroup:create_cgsnapshot" : "group:nobody", - "consistencygroup:delete_cgsnapshot": "group:nobody", - "consistencygroup:get_cgsnapshot": "group:nobody", - "consistencygroup:get_all_cgsnapshots": "group:nobody", - } - -Remove ``group:nobody`` to enable these APIs: - -.. code-block:: json - - { - "consistencygroup:create": "", - "consistencygroup:delete": "", - "consistencygroup:update": "", - "consistencygroup:get": "", - "consistencygroup:get_all": "", - "consistencygroup:create_cgsnapshot" : "", - "consistencygroup:delete_cgsnapshot": "", - "consistencygroup:get_cgsnapshot": "", - "consistencygroup:get_all_cgsnapshots": "", - } - - -Restart Block Storage API service after changing policies. - The following consistency group operations are supported: - Create a consistency group, given volume types. diff --git a/doc/source/admin/blockstorage-volume-multiattach.rst b/doc/source/admin/blockstorage-volume-multiattach.rst index 1c974f1fd1b..577a9660e4f 100644 --- a/doc/source/admin/blockstorage-volume-multiattach.rst +++ b/doc/source/admin/blockstorage-volume-multiattach.rst @@ -58,8 +58,10 @@ volume type the following way: .. note:: - Creating a new volume type is an admin-only operation by default, you can - change the settings in the 'policy.json' configuration file if needed. + Creating a new volume type is an admin-only operation by default. You can + change the settings in the cinder policy file if needed. For more + information about configuring cinder policies, see + :ref:`policy-configuration`. To create the volume you need to use the volume type you created earlier, like this: @@ -101,9 +103,10 @@ information on which back end provides the functionality. Policy rules ~~~~~~~~~~~~ -You can control the availability of volume multi-attach through policies. We -describe the default values in this documentation, you need to modify the -'policy.json' configuration file if you would like to changes these settings. +You can control the availability of volume multi-attach through policies that +you can configure in the cinder policy file. For more information about the +cinder policy file, including how to generate a sample file so you can view +the default policy settings, see :ref:`policy-configuration`. Multiattach policy ------------------ @@ -111,8 +114,6 @@ Multiattach policy The general policy rule to allow the creation or retyping of multiattach volumes is named ``volume:multiattach``. -The default setting of this policy is ``rule:admin_or_owner``. - Multiattach policy for bootable volumes --------------------------------------- @@ -120,8 +121,6 @@ This is a policy to disallow the ability to create multiple attachments on a volume that is marked as bootable with the name ``volume:multiattach_bootable_volume``. -This is an attachment policy with a default setting of ``rule:admin_or_owner``. - Known issues and limitations ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/source/configuration/block-storage/block-storage-overview.rst b/doc/source/configuration/block-storage/block-storage-overview.rst index d06609ec7da..0ceb896960c 100644 --- a/doc/source/configuration/block-storage/block-storage-overview.rst +++ b/doc/source/configuration/block-storage/block-storage-overview.rst @@ -51,11 +51,16 @@ The Block Storage service contains the following components: Roles control the actions that a user is allowed to perform. In the default configuration, most actions do not require a particular role, but this can be configured by the system administrator in the - appropriate ``policy.json`` file that maintains the rules. A user's - access to particular volumes is limited by tenant, but the user name - and password are assigned per user. Key pairs granting access to a - volume are enabled per user, but quotas to control resource - consumption across available hardware resources are per tenant. + cinder policy file that maintains the rules. + + .. note:: + For more information about configuring cinder policies, see + :ref:`policy-configuration`. + + A user's access to particular volumes is limited by tenant, but the user + name and password are assigned per user. Key pairs granting access to a + volume are enabled per user, but quotas to control resource consumption + across available hardware resources are per tenant. For tenants, quota controls are available to limit: diff --git a/doc/source/configuration/block-storage/policy-config-HOWTO.rst b/doc/source/configuration/block-storage/policy-config-HOWTO.rst index cf3e844a509..51285d313c7 100644 --- a/doc/source/configuration/block-storage/policy-config-HOWTO.rst +++ b/doc/source/configuration/block-storage/policy-config-HOWTO.rst @@ -44,6 +44,13 @@ model Cinder employs and how it can be modified by adjusting policies. `_ (or its `github mirror `_). +* OpenStack has deprecated the use of a JSON policy file since the Wallaby + release (Cinder 18.0.0). If you are still using the JSON format, there + is a `oslopolicy-convert-json-to-yaml`__ tool that will migrate your + existing JSON-formatted policy file to YAML in a backward-compatible way. + + .. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html + Vocabulary Note ~~~~~~~~~~~~~~~ diff --git a/doc/source/configuration/block-storage/policy.rst b/doc/source/configuration/block-storage/policy.rst index bb024df9bfb..ee8c14e7e95 100644 --- a/doc/source/configuration/block-storage/policy.rst +++ b/doc/source/configuration/block-storage/policy.rst @@ -1,3 +1,5 @@ +.. _policy-configuration: + ==================== Policy configuration ==================== @@ -5,7 +7,9 @@ Policy configuration Configuration ~~~~~~~~~~~~~ -The following is an overview of all available policies in Cinder. +The following is an overview of all available policies in Cinder. For +information on how to write a custom policy file to modify these policies, +see :ref:`policy-file` in the Cinder configuration documentation. .. show-policy:: :config-file: tools/config/cinder-policy-generator.conf diff --git a/doc/source/configuration/block-storage/samples/policy.yaml.rst b/doc/source/configuration/block-storage/samples/policy.yaml.rst index 98e15d1cb53..8fa5433e69d 100644 --- a/doc/source/configuration/block-storage/samples/policy.yaml.rst +++ b/doc/source/configuration/block-storage/samples/policy.yaml.rst @@ -1,3 +1,5 @@ +.. _policy-file: + =========== policy.yaml =========== @@ -12,10 +14,17 @@ run Cinder. From the Queens release onward, the following hold: default values are defined in the code. * If you wish to run Cinder with policies different from the default, you may - write a policy file in either JSON or YAML. + write a policy file. * Given that JSON does not allow comments, we recommend using YAML to write - a custom policy file. + a custom policy file. (Also, see next item.) + + * OpenStack has deprecated the use of a JSON policy file since the Wallaby + release (Cinder 18.0.0). If you are still using the JSON format, there + is a `oslopolicy-convert-json-to-yaml`__ tool that will migrate your + existing JSON-formatted policy file to YAML in a backward-compatible way. + + .. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html * If you supply a custom policy file, you only need to supply entries for the policies you wish to change from their default values. For instance, if you @@ -27,6 +36,12 @@ run Cinder. From the Queens release onward, the following hold: ``policy_file`` configuration option in the ``[oslo_policy]`` section of the the Cinder configuration file. +* Instructions for generating a sample ``policy.yaml`` file directly from the + Cinder source code can be found in the file ``README-policy.generate.md`` + in the ``etc/cinder`` directory in the Cinder `source code repository + `_ (or its `github mirror + `_). + The following provides a listing of the default policies. It is not recommended to copy this file into ``/etc/cinder`` unless you are planning on providing a different policy for an operation that is not the default. diff --git a/lower-constraints.txt b/lower-constraints.txt index 718f6d8fdd9..9ffc24bde66 100644 --- a/lower-constraints.txt +++ b/lower-constraints.txt @@ -62,7 +62,7 @@ oslo.i18n==5.0.1 oslo.log==4.4.0 oslo.messaging==12.5.0 oslo.middleware==4.1.1 -oslo.policy==3.5.0 +oslo.policy==3.6.0 oslo.privsep==2.4.0 oslo.reports==2.2.0 oslo.rootwrap==6.2.0 diff --git a/releasenotes/notes/deprecate-json-formatted-policy-file-dc3441a7b1dbfb47.yaml b/releasenotes/notes/deprecate-json-formatted-policy-file-dc3441a7b1dbfb47.yaml new file mode 100644 index 00000000000..09f7eb0f261 --- /dev/null +++ b/releasenotes/notes/deprecate-json-formatted-policy-file-dc3441a7b1dbfb47.yaml @@ -0,0 +1,12 @@ +--- +deprecations: + - | + Use of JSON formatted policy files was deprecated by the ``oslo.policy`` + library during the Victoria development cycle. As a result, this + deprecation is being noted in the Wallaby cycle with an anticipated future + removal of JSON formatted file support by ``oslo.policy``. As such + operators will need to convert to YAML policy files. + Use the `oslopolicy-convert-json-to-yaml + `_ + tool to convert the existing JSON formatted policy file to YAML in a backward + compatible way. diff --git a/requirements.txt b/requirements.txt index 9d283ca597a..d1887ac1040 100644 --- a/requirements.txt +++ b/requirements.txt @@ -21,7 +21,7 @@ oslo.db>=8.4.0 # Apache-2.0 oslo.log>=4.4.0 # Apache-2.0 oslo.messaging>=12.5.0 # Apache-2.0 oslo.middleware>=4.1.1 # Apache-2.0 -oslo.policy>=3.5.0 # Apache-2.0 +oslo.policy>=3.6.0 # Apache-2.0 oslo.privsep>=2.4.0 # Apache-2.0 oslo.reports>=2.2.0 # Apache-2.0 oslo.rootwrap>=6.2.0 # Apache-2.0