From 5bffac018656145a986a9a8227167cf0e1890be8 Mon Sep 17 00:00:00 2001 From: Zane Bitter Date: Thu, 14 Nov 2019 14:05:38 -0500 Subject: [PATCH] Remove empty policy.json Supplying a policy.json file is no longer necessary. Change-Id: I33b84c4d68e8077271447bcbdea4b7052eb01204 Depends-On: https://review.opendev.org/694386 --- etc/policy.json | 2 -- etc/property-protections-policies.conf.sample | 9 +++++++-- ...cy-in-code-implications-438449a73af2893c.yaml | 16 ++++++++++++++++ 3 files changed, 23 insertions(+), 4 deletions(-) delete mode 100644 etc/policy.json create mode 100644 releasenotes/notes/policy-in-code-implications-438449a73af2893c.yaml diff --git a/etc/policy.json b/etc/policy.json deleted file mode 100644 index 2c63c08510..0000000000 --- a/etc/policy.json +++ /dev/null @@ -1,2 +0,0 @@ -{ -} diff --git a/etc/property-protections-policies.conf.sample b/etc/property-protections-policies.conf.sample index 38f611e5e8..9ceee30f6c 100644 --- a/etc/property-protections-policies.conf.sample +++ b/etc/property-protections-policies.conf.sample @@ -4,8 +4,13 @@ # property_protection_rule_format=policies is enabled. # # Specify regular expression for which properties will be protected in [] -# For each section, specify CRUD permissions. You may refer to policies defined -# in policy.json. +# For each section, specify CRUD permissions. +# +# The permissions specified may refer to policies defined in a policy file. +# The name of this file may be specified as the value of the policy_file +# option in the [oslo_policy] section of the glance-api.conf file. The +# format of this file may be JSON or YAML. +# # The property rules will be applied in the order specified. Once # a match is found the remaining property rules will not be applied. # diff --git a/releasenotes/notes/policy-in-code-implications-438449a73af2893c.yaml b/releasenotes/notes/policy-in-code-implications-438449a73af2893c.yaml new file mode 100644 index 0000000000..2e89134edf --- /dev/null +++ b/releasenotes/notes/policy-in-code-implications-438449a73af2893c.yaml @@ -0,0 +1,16 @@ +--- +upgrade: + - | + Operators who use property protections with the + ``property_protection_rule_format`` set to ``policies`` must still + define the policy rules used for property protections in a policy + file. The content of the file may be JSON or YAML. Additionally, + we suggest that the absolute pathname of this file be set as the + value of ``policy_file`` in the ``[oslo_policy]`` section of the + ``glance-api.conf`` file. + + Be aware that if you define a policy rule for ``default`` or + ``context_is_admin``, that policy rule will also be used by the + policies that govern permissions to perform actions using the + Images API, even if these actions are not specified in the policy + file.