cinder/releasenotes/notes/bug-1805550-default-policy-file-db15eaa76fefa115.yaml
Brian Rosmaita f6c11c2cea Correct default policy file
Since Queens, the default policy file is policy.yaml, but the
code is still looking for policy.json.  This patch corrects the
location and includes a release note.

Change-Id: I997109d6bd1adbcbf72c056f78f1e01547d0fcbd
Closes-bug: #1805550
2018-11-28 09:49:52 -05:00

49 lines
2.5 KiB
YAML

---
upgrade:
- |
Beginning with Cinder version 12.0.0, as part of the Queens release
"policies in code" community effort, Cinder has had the ability to run
without a policy file because sensible default values are specified in
the code. Customizing the policies in effect at your site, however,
still requires a policy file. The default location of this file has been
``/etc/cinder/policy.json`` (although the documentation has indicated
otherwise). With this release, the default location of this file is
changed to ``/etc/cinder/policy.yaml``.
Some points to keep in mind:
- The policy file to be used may be specified in the
``/etc/cinder/cinder.conf`` file in the ``[oslo_policy]``
section as the value of the ``policy_file`` configuration option.
That way there's no question what file is being used.
- To find out what policies are available and what their default
values are, you can generate a sample policy file. To do this,
you must have a local copy of the Cinder source code repository.
From the top level directory, run the command::
tox -e genpolicy
This will generate a file named ``policy.yaml`` in the ``etc/cinder``
directory of your checked-out Cinder repository.
- The sample file is YAML (because unlike JSON, YAML allows comments).
If you prefer, you may use a JSON policy file.
- Beginning with Cinder 12.0.0, you only need to specify policies in
your policy file that you want to **differ** from the default values.
Unspecified policies will use the default values *defined in the code*.
Given that a default value *must* be specified *in the code* when a
new policy is introduced, the ``default`` policy, which was formerly
used as a catch-all for policy targets that were not defined elsewhere
in the policy file, has no effect. We mention this because an old
upgrade strategy was to use the policy file from the previous release
with ``"default": "role:admin"`` (or ``"default": "!"``) so that newly
introduced actions would be blocked from end users until the operator
had time to assess the implications of exposing these actions. This
strategy no longer works. Hopefully this isn't a problem because
we're defining sensible defaults in the code. It would be a good
idea, however, to generate the sample policy file with each release
(see instructions above) to verify this for yourself.