5c17e4c7ef
Instead of a default policy.json file, policy defaults are now defined in code. An operator need not supply policy.json data except to the extent they want to override the defaults. Currently an empty policy.json is still shipped because it is expected by devstack, but this can be removed later. A sample policy.yaml file can be generated using the genpolicy tox environment. This partly fulfils the requirements of the policy in code goal[1]. However, because policies don't map 1:1 with APIs, it will not be possible to fully document the policies until changes are made in how policies are applied as proposed in https://review.opendev.org/528021 Due to the fact that existing policy files may rely on a rule named "default" to specifiy policies not explicitly listed in the policy.json file, all policies that are not admin-only by default now default to "rule:default", so that the "default" rule will continue to apply to those policies that are not listed in policy.json. To ensure that this yields the expected policy in a standard policy-in-code config file, the default value of the "default" rule is now the empty string "". This is a change; between the Queens release and now the default was set to "role:admin" to match the value specified in the default policy.json file. An installation relying on both the "default" rule for some policies and the default value of the default rule may end up with a more permissive policy after upgrading. It's likely that no such policies exist in the wild, because prior to the Queens release the default value for the "default" rule was "@" (allow all requests), so anybody relying on this rule will surely have specified it explicitly in their policy.json. Policies whose default is "role:admin" no longer use the "default" rule. Therefore existing policy.json files that rely on the "default" rule for those policies, and who have specified a value for the "default" rule that is more permissive, will result in a more restrictive policy after upgrading. It is unlikely that any of these policies exist in the wild either. [1] https://governance.openstack.org/tc/goals/selected/queens/policy-in-code.html Change-Id: I8d1ccf5844078cc0b1652fb1130794daf07cedbc
23 lines
1.2 KiB
YAML
23 lines
1.2 KiB
YAML
---
|
|
upgrade:
|
|
- |
|
|
Policy defaults are now defined in code, as they already were in other
|
|
OpenStack services. After upgrading there is no need to provide a
|
|
``policy.json`` file (and you should not do so) unless you want to override
|
|
the default policies, and only policies you want to override need be
|
|
mentioned in the file. You should no longer rely on the ``default`` rule,
|
|
and especially not the default value of the rule (which has been relaxed),
|
|
to assign a non-default policy to rules not explicitly specified in the
|
|
policy file.
|
|
security:
|
|
- |
|
|
If the existing ``policy.json`` file relies on the ``default`` rule for
|
|
some policies (i.e. not all policies are explicitly specified in the file)
|
|
then the ``default`` rule must be explicitly set (e.g. to
|
|
``"role:admin"``) in the file. The new default value for the ``default``
|
|
rule is ``""``, whereas since the Queens release it has been
|
|
``"role:admin"`` (prior to Queens it was ``"@"``, which allows everything).
|
|
After upgrading to this release, the policy file should be replaced by one
|
|
that overrides only policies that need to be different from the defaults,
|
|
without relying on the ``default`` rule.
|