f6c11c2cea
Since Queens, the default policy file is policy.yaml, but the code is still looking for policy.json. This patch corrects the location and includes a release note. Change-Id: I997109d6bd1adbcbf72c056f78f1e01547d0fcbd Closes-bug: #1805550
49 lines
2.5 KiB
YAML
49 lines
2.5 KiB
YAML
---
|
|
upgrade:
|
|
- |
|
|
Beginning with Cinder version 12.0.0, as part of the Queens release
|
|
"policies in code" community effort, Cinder has had the ability to run
|
|
without a policy file because sensible default values are specified in
|
|
the code. Customizing the policies in effect at your site, however,
|
|
still requires a policy file. The default location of this file has been
|
|
``/etc/cinder/policy.json`` (although the documentation has indicated
|
|
otherwise). With this release, the default location of this file is
|
|
changed to ``/etc/cinder/policy.yaml``.
|
|
|
|
Some points to keep in mind:
|
|
|
|
- The policy file to be used may be specified in the
|
|
``/etc/cinder/cinder.conf`` file in the ``[oslo_policy]``
|
|
section as the value of the ``policy_file`` configuration option.
|
|
That way there's no question what file is being used.
|
|
|
|
- To find out what policies are available and what their default
|
|
values are, you can generate a sample policy file. To do this,
|
|
you must have a local copy of the Cinder source code repository.
|
|
From the top level directory, run the command::
|
|
|
|
tox -e genpolicy
|
|
|
|
This will generate a file named ``policy.yaml`` in the ``etc/cinder``
|
|
directory of your checked-out Cinder repository.
|
|
|
|
- The sample file is YAML (because unlike JSON, YAML allows comments).
|
|
If you prefer, you may use a JSON policy file.
|
|
|
|
- Beginning with Cinder 12.0.0, you only need to specify policies in
|
|
your policy file that you want to **differ** from the default values.
|
|
Unspecified policies will use the default values *defined in the code*.
|
|
Given that a default value *must* be specified *in the code* when a
|
|
new policy is introduced, the ``default`` policy, which was formerly
|
|
used as a catch-all for policy targets that were not defined elsewhere
|
|
in the policy file, has no effect. We mention this because an old
|
|
upgrade strategy was to use the policy file from the previous release
|
|
with ``"default": "role:admin"`` (or ``"default": "!"``) so that newly
|
|
introduced actions would be blocked from end users until the operator
|
|
had time to assess the implications of exposing these actions. This
|
|
strategy no longer works. Hopefully this isn't a problem because
|
|
we're defining sensible defaults in the code. It would be a good
|
|
idea, however, to generate the sample policy file with each release
|
|
(see instructions above) to verify this for yourself.
|
|
|