diff --git a/doc/source/cli/ironic-status.rst b/doc/source/cli/ironic-status.rst index 877518492a..c14cd376a8 100644 --- a/doc/source/cli/ironic-status.rst +++ b/doc/source/cli/ironic-status.rst @@ -77,3 +77,8 @@ Upgrade * Adds a check for compatibility of the object versions with the release of ironic. + + **Wallaby** + + * Adds a check to validate the configured policy file is not JSON + based as JSON based policies have been deprecated. diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst index 251e45c223..1abb144cd3 100644 --- a/doc/source/configuration/policy.rst +++ b/doc/source/configuration/policy.rst @@ -2,6 +2,16 @@ Policies ======== +.. warning:: + JSON formatted policy files were deprecated in the Wallaby development + cycle due to the Victoria deprecation by the ``olso.policy`` library. + Use the `oslopolicy-convert-json-to-yaml`__ tool + to convert the existing JSON to YAML formatted policy file in backward + compatible way. + +.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html + + The following is an overview of all available policies in Ironic. For a sample configuration file, refer to :doc:`sample-policy`. diff --git a/doc/source/install/configure-identity.rst b/doc/source/install/configure-identity.rst index b7ea19891d..aa32a6e699 100644 --- a/doc/source/install/configure-identity.rst +++ b/doc/source/install/configure-identity.rst @@ -46,7 +46,7 @@ Configure the Identity service for the Bare Metal service If you choose to customize the names of Roles used with the Bare Metal service, do so by changing the "is_member", "is_observer", and "is_admin" - policy settings in ``/etc/ironic/policy.json``. + policy settings in ``/etc/ironic/policy.yaml``. More complete documentation on managing Users and Roles within your OpenStack deployment are outside the scope of this document, but may be 
@@ -75,6 +75,6 @@ Configure the Identity service for the Bare Metal service #. Further documentation is available elsewhere for the ``openstack`` :python-openstackclient-doc:`command-line client ` and the :keystone-doc:`Identity ` - service. A :doc:`policy.json.sample ` + service. A :doc:`policy.yaml.sample ` file, which enumerates the service's default policies, is provided for your convenience with the Bare Metal Service. diff --git a/ironic/cmd/status.py b/ironic/cmd/status.py index e7f10fb728..f4ab695001 100644 --- a/ironic/cmd/status.py +++ b/ironic/cmd/status.py @@ -15,10 +15,15 @@ import sys from oslo_config import cfg +from oslo_upgradecheck import common_checks from oslo_upgradecheck import upgradecheck from ironic.cmd import dbsync from ironic.common.i18n import _ +from ironic.common import policy # noqa importing to load policy config. +import ironic.conf + +CONF = ironic.conf.CONF class Checks(upgradecheck.UpgradeCommands): @@ -54,6 +59,9 @@ class Checks(upgradecheck.UpgradeCommands): # summary will be rolled up at the end of the check() method. _upgrade_checks = ( (_('Object versions'), _check_obj_versions), + # Victoria -> Wallaby migration + (_('Policy File JSON to YAML Migration'), + (common_checks.check_policy_json, {'conf': CONF})), ) diff --git a/ironic/common/policy.py b/ironic/common/policy.py index 811198206d..efb92c5a55 100644 --- a/ironic/common/policy.py +++ b/ironic/common/policy.py @@ -21,6 +21,7 @@ import sys from oslo_concurrency import lockutils from oslo_config import cfg from oslo_log import log +from oslo_policy import opts from oslo_policy import policy from ironic.common import exception 
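Review bot: In ironic/cmd/status.py the new `from ironic.common import policy` import exists only for its side effect, and the `# noqa` comment does not say what that side effect is or why the upgrade check needs it. Judging from the policy.py hunk in this same commit, importing the module calls `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)`, so `check_policy_json` in the second status.py hunk (`@@ -54,6 +59,9 @@`) sees the `policy.yaml` default only while this import stays. I would spell that out, e.g. `# noqa: F401 - imported for its side effect: sets the [oslo_policy]/policy_file default to policy.yaml before check_policy_json reads CONF`, so a later import clean-up does not silently change what the check inspects. This assumes `ironic.conf.CONF` and the `cfg.CONF` used in policy.py are the same object, which the diff does not show.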
@@ -29,6 +30,13 @@ _ENFORCER = None CONF = cfg.CONF LOG = log.getLogger(__name__) + +# TODO(gmann): Remove setting the default value of config policy_file +# once oslo_policy change the default value to 'policy.yaml'. +# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 +DEFAULT_POLICY_FILE = 'policy.yaml' +opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE) + default_policies = [ # Legacy setting, don't remove. Likely to be overridden by operators who # forget to update their policy.json configuration file. @@ -591,10 +599,11 @@ def init_enforcer(policy_file=None, rules=None, # loaded exactly once - when this module-global is initialized. # Defining these in the relevant API modules won't work # because API classes lack singletons and don't use globals. - _ENFORCER = policy.Enforcer(CONF, policy_file=policy_file, - rules=rules, - default_rule=default_rule, - use_conf=use_conf) + _ENFORCER = policy.Enforcer( + CONF, policy_file=policy_file, + rules=rules, + default_rule=default_rule, + use_conf=use_conf) _ENFORCER.register_defaults(list_policies()) diff --git a/releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml b/releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml new file mode 100644 index 0000000000..5e24b2a761 --- /dev/null +++ b/releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml 
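Review bot: The `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)` call in the `@@ -29,6 +30,13 @@` hunk of ironic/common/policy.py changes which file the authorization rules are loaded from, as a module import side effect, and nothing next to it says what happens to a deployment that has a customised `policy.json` and never set `policy_file`. If the enforcer does not find `policy.yaml` and does not fall back, those operator overrides would presumably stop applying and the in-code defaults would take over. Whether the raised `oslo.policy>=3.6.0` floor provides such a fallback is not visible in this diff, so it deserves a comment here and a unit test. Suggested comment: `# NOTE: import-time side effect on the global cfg.CONF; a deployment that only has a customised policy.json and no explicit policy_file depends on how oslo.policy treats the old default (confirm).` The context comment just below, `forget to update their policy.json configuration file`, is also stale after this change and could name `policy.yaml` instead.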
@@ -0,0 +1,20 @@
+---
+upgrade:
+ - |
+ The default value of ``[oslo_policy] policy_file`` config option has been
+ changed from ``policy.json`` to ``policy.yaml``.
+ Operators who are utilizing customized policy files or previously generated
+ static policy files (which are not needed by default), should generate
+ new policy files and modify them to meet their needs in the event of
+ any new policies or rules have been added.
+ Please consult the `oslopolicy-convert-json-to-yaml `_
+ tool to convert a JSON to YAML formatted policy file in
+ backward compatible way.
+deprecations:
+ - |
+ Use of legacy policy format was deprecated by the ``oslo.policy`` library
+ during the Victoria development cycle. As a result, this deprecation is
+ being noted in the Wallaby with an anticipated future removal of support
+ by ``oslo.policy``. As such operators will need to convert to YAML policy
+ files. Please see the upgrade notes for details on migration of any
+ custom policy files.
diff --git a/requirements.txt b/requirements.txt
index b36a38789d..5dccb8abfd 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,17 +16,17 @@ pytz>=2013.6 # MIT
 stevedore>=1.20.0 # Apache-2.0
 pysendfile>=2.0.0;sys_platform!='win32' # MIT
 oslo.concurrency>=4.2.0 # Apache-2.0
-oslo.config>=5.2.0 # Apache-2.0
+oslo.config>=6.8.0 # Apache-2.0
 oslo.context>=2.19.2 # Apache-2.0
 oslo.db>=6.0.0 # Apache-2.0
 oslo.rootwrap>=5.8.0 # Apache-2.0
 oslo.log>=3.36.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=1.30.0 # Apache-2.0
+oslo.policy>=3.6.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
-oslo.upgradecheck>=0.1.0 # Apache-2.0
-oslo.utils>=3.38.0 # Apache-2.0
+oslo.upgradecheck>=1.3.0 # Apache-2.0
+oslo.utils>=4.5.0 # Apache-2.0
 osprofiler>=1.5.0 # Apache-2.0
 os-traits>=0.4.0 # Apache-2.0
 pecan!=1.0.2,!=1.0.3,!=1.0.4,!=1.2,>=1.0.0 # BSD