[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file''
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also convert the ./glance/tests/etc/policy.json to policy.yaml
file. Replace policy.json to policy.yaml ref from doc and tests.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Depends-On: https://review.opendev.org/c/openstack/nova/+/773192
Change-Id: I17d0374dd4223688e5f95253802a4ae87377953a

doc/source/admin/interoperable-image-import.rst

@@ -437,7 +437,7 @@ this plugin to inject the properties automatically upon image import.
 
    You can guarantee that your end users must use interoperable image import by
    restricting the ``upload_image`` policy appropriately in the Glance
-   ``policy.json`` file.  By default, this policy is unrestricted (that is,
+   ``policy.yaml`` file.  By default, this policy is unrestricted (that is,
    any authorized user may make the image upload call).
 
    For example, to allow only admin or service users to make the image upload
@@ -534,7 +534,7 @@ converting the images to their end users.
 
    You can guarantee that your end users must use interoperable image import by
    restricting the ``upload_image`` policy appropriately in the Glance
-   ``policy.json`` file.  By default, this policy is unrestricted (that is,
+   ``policy.yaml`` file.  By default, this policy is unrestricted (that is,
    any authorized user may make the image upload call).
 
    For example, to allow only admin or service users to make the image upload
@@ -612,7 +612,7 @@ only compressed images.
 
    You can guarantee that your end users must use interoperable image import by
    restricting the ``upload_image`` policy appropriately in the Glance
-   ``policy.json`` file.  By default, this policy is unrestricted (that is,
+   ``policy.yaml`` file.  By default, this policy is unrestricted (that is,
    any authorized user may make the image upload call).
 
    For example, to allow only admin or service users to make the image upload

doc/source/admin/policies.rst

@@ -17,6 +17,14 @@
 Policies
 ========
 
+.. warning::
+
+   JSON formatted policy file is deprecated since Glance 22.0.0 (Wallaby).
+   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
+   JSON-formatted policy file to YAML in a backward-compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
 Glance's public API calls may be restricted to certain sets of users using a
 policy configuration file. This document explains exactly how policies are
 configured and what they apply to.

doc/source/admin/troubleshooting.rst

@@ -142,10 +142,10 @@ core properties and the image owner can manage additional properties.
 
 **To configure property protection**
 
-To configure property protection, edit the ``policy.json`` file. This file
+To configure property protection, edit the ``policy.yaml`` file. This file
 can also be used to set policies for Image service actions.
 
-#. Define roles or policies in the ``policy.json`` file:
+#. Define roles or policies in the ``policy.yaml`` file:
 
    .. code-block:: json
 
@@ -376,7 +376,7 @@ For a list of flavors that are available on your system, run:
 
 By default, administrative users can configure the flavors. You can
 change this behavior by redefining the access controls for
-``compute_extension:flavormanage`` in ``/etc/nova/policy.json`` on the
+``compute_extension:flavormanage`` in ``/etc/nova/policy.yaml`` on the
 ``compute-api`` server.
 
 

doc/source/contributor/domain_implementation.rst

@@ -107,7 +107,7 @@ Policy
 The fourth layer of the domain model is responsible for:
 
 #. Defining access rules to perform actions with an image. The rules are
-   defined in the :file:`etc/policy.json` file.
+   defined in the :file:`etc/policy.yaml` file.
 #. Monitoring of the rules implementation.
 
 .. _quota:

glance/api/policy.py

@@ -21,6 +21,7 @@ import copy
 
 from oslo_config import cfg
 from oslo_log import log as logging
+from oslo_policy import opts
 from oslo_policy import policy
 
 from glance.common import exception
@@ -34,6 +35,13 @@ CONF = cfg.CONF
 _ENFORCER = None
 
 
+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+
+
 class Enforcer(policy.Enforcer):
     """Responsible for loading and enforcing rules"""
 

glance/cmd/status.py

@@ -16,6 +16,7 @@ import sys
 
 import glance_store
 from oslo_config import cfg
+from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck
 
 from glance.common import wsgi  # noqa
@@ -50,6 +51,9 @@ class Checks(upgradecheck.UpgradeCommands):
     _upgrade_checks = (
         # Added in Ussuri
         ('Sheepdog Driver Removal', _check_sheepdog_store),
+        # Added in Wallaby
+        ('Policy File JSON to YAML Migration',
+         (common_checks.check_policy_json, {'conf': CONF})),
     )
 
 

glance/common/config.py

@@ -23,6 +23,7 @@ import sys
 
 from oslo_config import cfg
 from oslo_middleware import cors
+from oslo_policy import opts
 from oslo_policy import policy
 from paste import deploy
 
@@ -349,7 +350,7 @@ Related options:
     * location_strategy
 
 """)),
-    # NOTE(flaper87): The policy.json file should be updated and the locaiton
+    # NOTE(flaper87): The policy.yaml file should be updated and the locaiton
     # related rules set to admin only once this option is finally removed.
     # NOTE(rosmaita): Unfortunately, this option is used to gate some code
     # paths; if the location related policies are set admin-only, then no
@@ -698,6 +699,12 @@ def set_config_defaults():
     """This method updates all configuration default values."""
     set_cors_middleware_defaults()
 
+    # TODO(gmann): Remove setting the default value of config policy_file
+    # once oslo_policy change the default value to 'policy.yaml'.
+    # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+    DEFAULT_POLICY_FILE = 'policy.yaml'
+    opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+
 
 def set_cors_middleware_defaults():
     """Update default configuration options for oslo.middleware."""

glance/common/property_utils.py

@@ -72,7 +72,7 @@ If the value is ``roles``, the property protection file must
 contain a comma separated list of user roles indicating
 permissions for each of the CRUD operations on each property
 being protected. If set to ``policies``, a policy defined in
-policy.json is used to express property protections for each
+policy.yaml is used to express property protections for each
 of the CRUD operations. Examples of how property protections
 are enforced based on ``roles`` or ``policies`` can be found at:
 https://docs.openstack.org/glance/latest/admin/property-protections.html#examples
@@ -196,7 +196,7 @@ class PropertyRules(object):
         create = glance_creator
         then the corresponding policy rule would be:
         "prop_a:create": "rule:glance_creator"
-        where glance_creator is defined in policy.json. For example:
+        where glance_creator is defined in policy.yaml. For example:
         "glance_creator": "role:admin or role:glance_create_user"
         """
         rule = "rule:%s" % rule

glance/tests/etc/policy.json

@@ -1,67 +0,0 @@
-{
-    "context_is_admin":  "role:admin",
-    "default": "",
-    "glance_creator": "role:admin or role:spl_role",
-
-    "add_image": "",
-    "delete_image": "",
-    "get_image": "",
-    "get_images": "",
-    "modify_image": "",
-    "publicize_image": "",
-    "communitize_image": "",
-
-    "download_image": "",
-    "upload_image": "",
-
-    "delete_image_location": "",
-    "get_image_location": "",
-    "set_image_location": "",
-
-    "add_member": "",
-    "delete_member": "",
-    "get_member": "",
-    "get_members": "",
-    "modify_member": "",
-
-    "manage_image_cache": "",
-
-    "get_task": "role:admin",
-    "get_tasks": "role:admin",
-    "add_task": "role:admin",
-    "modify_task": "role:admin",
-
-    "get_metadef_namespace": "",
-    "get_metadef_namespaces":"",
-    "modify_metadef_namespace":"",
-    "add_metadef_namespace":"",
-    "delete_metadef_namespace": "",
-
-    "get_metadef_object":"",
-    "get_metadef_objects":"",
-    "modify_metadef_object":"",
-    "add_metadef_object":"",
-    "delete_metadef_object": "",
-
-    "list_metadef_resource_types":"",
-    "get_metadef_resource_type":"",
-    "add_metadef_resource_type_association":"",
-    "remove_metadef_resource_type_association": "",
-
-    "get_metadef_property":"",
-    "get_metadef_properties":"",
-    "modify_metadef_property":"",
-    "add_metadef_property":"",
-    "remove_metadef_property": "",
-
-    "get_metadef_tag":"",
-    "get_metadef_tags":"",
-    "modify_metadef_tag":"",
-    "add_metadef_tag":"",
-    "add_metadef_tags":"",
-    "delete_metadef_tag": "",
-    "delete_metadef_tags": "",
-
-    "deactivate": "",
-    "reactivate": ""
-}

glance/tests/etc/policy.yaml

@@ -0,0 +1,161 @@
+# Defines the default rule used for policies that historically had an
+# empty policy in the supplied policy.yaml file.
+#"default": ""
+
+# Defines the rule for the is_admin:True check.
+#"context_is_admin": "role:admin"
+
+# add_image
+"add_image": ""
+
+# delete_image
+"delete_image": ""
+
+# get_image
+"get_image": ""
+
+# get_images
+"get_images": ""
+
+# modify_image
+"modify_image": ""
+
+# publicize_image
+"publicize_image": ""
+
+# communitize_image
+"communitize_image": ""
+
+# download_image
+"download_image": ""
+
+# upload_image
+"upload_image": ""
+
+# delete_image_location
+"delete_image_location": ""
+
+# get_image_location
+"get_image_location": ""
+
+# set_image_location
+"set_image_location": ""
+
+# add_member
+"add_member": ""
+
+# delete_member
+"delete_member": ""
+
+# get_member
+"get_member": ""
+
+# get_members
+"get_members": ""
+
+# modify_member
+"modify_member": ""
+
+# manage_image_cache
+"manage_image_cache": ""
+
+# deactivate
+"deactivate": ""
+
+# reactivate
+"reactivate": ""
+
+# get_task
+"get_task": "role:admin"
+
+# get_tasks
+"get_tasks": "role:admin"
+
+# add_task
+"add_task": "role:admin"
+
+# modify_task
+"modify_task": "role:admin"
+
+# get_metadef_namespace
+"get_metadef_namespace": ""
+
+# get_metadef_namespaces
+"get_metadef_namespaces": ""
+
+# modify_metadef_namespace
+"modify_metadef_namespace": ""
+
+# add_metadef_namespace
+"add_metadef_namespace": ""
+
+# delete_metadef_namespace
+"delete_metadef_namespace": ""
+
+# get_metadef_object
+"get_metadef_object": ""
+
+# get_metadef_objects
+"get_metadef_objects": ""
+
+# modify_metadef_object
+"modify_metadef_object": ""
+
+# add_metadef_object
+"add_metadef_object": ""
+
+# delete_metadef_object
+"delete_metadef_object": ""
+
+# list_metadef_resource_types
+"list_metadef_resource_types": ""
+
+# get_metadef_resource_type
+"get_metadef_resource_type": ""
+
+# add_metadef_resource_type_association
+"add_metadef_resource_type_association": ""
+
+# remove_metadef_resource_type_association
+"remove_metadef_resource_type_association": ""
+
+# get_metadef_property
+"get_metadef_property": ""
+
+# get_metadef_properties
+"get_metadef_properties": ""
+
+# modify_metadef_property
+"modify_metadef_property": ""
+
+# add_metadef_property
+"add_metadef_property": ""
+
+# remove_metadef_property
+"remove_metadef_property": ""
+
+# get_metadef_tag
+"get_metadef_tag": ""
+
+# get_metadef_tags
+"get_metadef_tags": ""
+
+# modify_metadef_tag
+"modify_metadef_tag": ""
+
+# add_metadef_tag
+"add_metadef_tag": ""
+
+# add_metadef_tags
+"add_metadef_tags": ""
+
+# delete_metadef_tag
+"delete_metadef_tag": ""
+
+# delete_metadef_tags
+"delete_metadef_tags": ""
+
+# WARNING: Below rules are either deprecated rules
+# or extra rules in policy file, it is strongly
+# recommended to switch to new rules.
+"glance_creator": "role:admin or role:spl_role"

glance/tests/functional/__init__.py

@@ -804,7 +804,7 @@ class FunctionalTest(test_utils.BaseTestCase):
         conf_dir = os.path.join(self.test_dir, 'etc')
         utils.safe_mkdirs(conf_dir)
         self.copy_data_file('schema-image.json', conf_dir)
-        self.copy_data_file('policy.json', conf_dir)
+        self.copy_data_file('policy.yaml', conf_dir)
         self.copy_data_file('property-protections.conf', conf_dir)
         self.copy_data_file('property-protections-policies.conf', conf_dir)
         self.property_file_roles = os.path.join(conf_dir,
@@ -812,7 +812,7 @@ class FunctionalTest(test_utils.BaseTestCase):
         property_policies = 'property-protections-policies.conf'
         self.property_file_policies = os.path.join(conf_dir,
                                                    property_policies)
-        self.policy_file = os.path.join(conf_dir, 'policy.json')
+        self.policy_file = os.path.join(conf_dir, 'policy.yaml')
 
         self.api_server = ApiServer(self.test_dir,
                                     self.api_port,
@@ -1153,7 +1153,7 @@ class MultipleBackendFunctionalTest(test_utils.BaseTestCase):
         conf_dir = os.path.join(self.test_dir, 'etc')
         utils.safe_mkdirs(conf_dir)
         self.copy_data_file('schema-image.json', conf_dir)
-        self.copy_data_file('policy.json', conf_dir)
+        self.copy_data_file('policy.yaml', conf_dir)
         self.copy_data_file('property-protections.conf', conf_dir)
         self.copy_data_file('property-protections-policies.conf', conf_dir)
         self.property_file_roles = os.path.join(conf_dir,
@@ -1161,7 +1161,7 @@ class MultipleBackendFunctionalTest(test_utils.BaseTestCase):
         property_policies = 'property-protections-policies.conf'
         self.property_file_policies = os.path.join(conf_dir,
                                                    property_policies)
-        self.policy_file = os.path.join(conf_dir, 'policy.json')
+        self.policy_file = os.path.join(conf_dir, 'policy.yaml')
 
         self.api_server_multiple_backend = ApiServerForMultipleBackend(
             self.test_dir, self.api_port, self.policy_file, sock=api_sock)

glance/tests/utils.py

@@ -95,7 +95,7 @@ class BaseTestCase(testtools.TestCase):
         self.useFixture(glance_fixtures.StandardLogging())
 
     def set_policy(self):
-        conf_file = "policy.json"
+        conf_file = "policy.yaml"
         self.policy_file = self._copy_data_file(conf_file, self.conf_dir)
         self.config(policy_file=self.policy_file, group='oslo_policy')
 

lower-constraints.txt

@@ -57,18 +57,18 @@ networkx==2.2
 os-client-config==1.29.0
 os-win==4.0.1
 oslo.concurrency==3.26.0
-oslo.config==5.2.0
+oslo.config==6.0.0
 oslo.context==2.22.0
 oslo.db==5.0.0
 oslo.i18n==3.15.3
 oslo.log==3.36.0
 oslo.messaging==5.29.0
 oslo.middleware==3.31.0
-oslo.policy==2.4.1
+oslo.policy==3.6.0
 oslo.reports==1.18.0
 oslo.serialization==2.25.0
 oslo.service==1.41.1
-oslo.upgradecheck==0.1.0
+oslo.upgradecheck==1.3.0
 oslo.utils==4.7.0
 oslotest==3.2.0
 osprofiler==1.4.0
@@ -98,7 +98,7 @@ python-mimeparse==1.6.0
 python-subunit==1.2.0
 python-swiftclient==3.2.0
 pytz==2018.3
-PyYAML==3.12
+PyYAML==5.1
 repoze.lru==0.7
 requests==2.14.2
 requestsexceptions==1.4.0

releasenotes/notes/deprecate-json-formatted-policy-file-5cb692fe889eb52b.yaml

@@ -0,0 +1,20 @@
+---
+upgrade:
+  - |
+    The default value of ``[oslo_policy] policy_file`` config option has
+    been changed from ``policy.json`` to ``policy.yaml``.
+    Operators who are utilizing customized or previously generated
+    static policy JSON files (which are not needed by default), should
+    generate new policy files or convert them in YAML format. Use the
+    `oslopolicy-convert-json-to-yaml
+    <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
+    tool to convert a JSON to YAML formatted policy file in
+    backward compatible way.
+deprecations:
+  - |
+    Use of JSON policy files was deprecated by the ``oslo.policy`` library
+    during the Victoria development cycle. As a result, this deprecation is
+    being noted in the Wallaby cycle with an anticipated future removal of support
+    by ``oslo.policy``. As such operators will need to convert to YAML policy
+    files. Please see the upgrade notes for details on migration of any
+    custom policy files.

requirements.txt

@@ -15,10 +15,10 @@ sqlalchemy-migrate>=0.11.0 # Apache-2.0
 sqlparse>=0.2.2 # BSD
 alembic>=0.9.6 # MIT
 httplib2>=0.9.1 # MIT
-oslo.config>=5.2.0 # Apache-2.0
+oslo.config>=6.0.0 # Apache-2.0
 oslo.concurrency>=3.26.0 # Apache-2.0
 oslo.context>=2.22.0 # Apache-2.0
-oslo.upgradecheck>=0.1.0 # Apache-2.0
+oslo.upgradecheck>=1.3.0 # Apache-2.0
 oslo.utils>=4.7.0 # Apache-2.0
 stevedore!=3.0.0,>=1.20.0 # Apache-2.0
 futurist>=1.2.0 # Apache-2.0
@@ -42,7 +42,7 @@ oslo.log>=3.36.0 # Apache-2.0
 oslo.messaging>=5.29.0,!=9.0.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
-oslo.policy>=2.4.1 # Apache-2.0
+oslo.policy>=3.6.0 # Apache-2.0
 
 retrying!=1.3.0,>=1.2.3 # Apache-2.0
 osprofiler>=1.4.0 # Apache-2.0

setup.cfg

@@ -55,7 +55,7 @@ oslo.config.opts =
     glance.manage = glance.opts:list_manage_opts
     glance = glance.opts:list_image_import_opts
 oslo.config.opts.defaults =
-    glance.api = glance.common.config:set_cors_middleware_defaults
+    glance.api = glance.common.config:set_config_defaults
 glance.database.migration_backend =
     sqlalchemy = oslo_db.sqlalchemy.migration
 glance.database.metadata_backend =