Policy json to yaml migration

Adds the status upgrade check for the JSON to YAML migration
effort and updates the documentation where it seems appropriate
to move from "policy.json" to "policy.yaml"

Mostly shamelessly copied from https://review.opendev.org/#/c/748059/
however is in-line with ironic's configuration and patching methods.

Related Blueprint: policy-json-to-yaml

Change-Id: I1d5b3892451579ebfd4d75a0f7185e0ef3c984c8
This commit is contained in:
Julia Kreger 2020-11-18 12:43:18 -08:00
parent 1e96ecbdbc
commit 2404d486ac
7 changed files with 62 additions and 10 deletions

View File

@ -77,3 +77,8 @@ Upgrade
* Adds a check for compatibility of the object versions with the release
of ironic.
**Wallaby**
* Adds a check to validate the configured policy file is not JSON
based as JSON based policies have been deprecated.

View File

@ -2,6 +2,16 @@
Policies
========
.. warning::
JSON formatted policy files were deprecated in the Wallaby development
cycle due to the Victoria deprecation by the ``olso.policy`` library.
Use the `oslopolicy-convert-json-to-yaml`__ tool
to convert the existing JSON to YAML formatted policy file in backward
compatible way.
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
The following is an overview of all available policies in Ironic. For
a sample configuration file, refer to :doc:`sample-policy`.

View File

@ -46,7 +46,7 @@ Configure the Identity service for the Bare Metal service
If you choose to customize the names of Roles used with the Bare Metal
service, do so by changing the "is_member", "is_observer", and "is_admin"
policy settings in ``/etc/ironic/policy.json``.
policy settings in ``/etc/ironic/policy.yaml``.
More complete documentation on managing Users and Roles within your
OpenStack deployment are outside the scope of this document, but may be
@ -75,6 +75,6 @@ Configure the Identity service for the Bare Metal service
#. Further documentation is available elsewhere for the ``openstack``
:python-openstackclient-doc:`command-line client <cli/authentication.html>`
and the :keystone-doc:`Identity <admin/cli-manage-projects-users-and-roles.html>`
service. A :doc:`policy.json.sample </configuration/sample-policy>`
service. A :doc:`policy.yaml.sample </configuration/sample-policy>`
file, which enumerates the service's default policies, is provided for
your convenience with the Bare Metal Service.

View File

@ -15,10 +15,15 @@
import sys
from oslo_config import cfg
from oslo_upgradecheck import common_checks
from oslo_upgradecheck import upgradecheck
from ironic.cmd import dbsync
from ironic.common.i18n import _
from ironic.common import policy # noqa importing to load policy config.
import ironic.conf
CONF = ironic.conf.CONF
class Checks(upgradecheck.UpgradeCommands):
@ -54,6 +59,9 @@ class Checks(upgradecheck.UpgradeCommands):
# summary will be rolled up at the end of the check() method.
_upgrade_checks = (
(_('Object versions'), _check_obj_versions),
# Victoria -> Wallaby migration
(_('Policy File JSON to YAML Migration'),
(common_checks.check_policy_json, {'conf': CONF})),
)

View File

@ -21,6 +21,7 @@ import sys
from oslo_concurrency import lockutils
from oslo_config import cfg
from oslo_log import log
from oslo_policy import opts
from oslo_policy import policy
from ironic.common import exception
@ -29,6 +30,13 @@ _ENFORCER = None
CONF = cfg.CONF
LOG = log.getLogger(__name__)
# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
default_policies = [
# Legacy setting, don't remove. Likely to be overridden by operators who
# forget to update their policy.json configuration file.
@ -591,7 +599,8 @@ def init_enforcer(policy_file=None, rules=None,
# loaded exactly once - when this module-global is initialized.
# Defining these in the relevant API modules won't work
# because API classes lack singletons and don't use globals.
_ENFORCER = policy.Enforcer(CONF, policy_file=policy_file,
_ENFORCER = policy.Enforcer(
CONF, policy_file=policy_file,
rules=rules,
default_rule=default_rule,
use_conf=use_conf)

View File

@ -0,0 +1,20 @@
---
upgrade:
- |
The default value of ``[oslo_policy] policy_file`` config option has been
changed from ``policy.json`` to ``policy.yaml``.
Operators who are utilizing customized policy files or previously generated
static policy files (which are not needed by default), should generate
new policy files and modify them to meet their needs in the event of
any new policies or rules have been added.
Please consult the `oslopolicy-convert-json-to-yaml <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
tool to convert a JSON to YAML formatted policy file in
backward compatible way.
deprecations:
- |
Use of legacy policy format was deprecated by the ``oslo.policy`` library
during the Victoria development cycle. As a result, this deprecation is
being noted in the Wallaby with an anticipated future removal of support
by ``oslo.policy``. As such operators will need to convert to YAML policy
files. Please see the upgrade notes for details on migration of any
custom policy files.

View File

@ -16,17 +16,17 @@ pytz>=2013.6 # MIT
stevedore>=1.20.0 # Apache-2.0
pysendfile>=2.0.0;sys_platform!='win32' # MIT
oslo.concurrency>=4.2.0 # Apache-2.0
oslo.config>=5.2.0 # Apache-2.0
oslo.config>=6.8.0 # Apache-2.0
oslo.context>=2.19.2 # Apache-2.0
oslo.db>=6.0.0 # Apache-2.0
oslo.rootwrap>=5.8.0 # Apache-2.0
oslo.log>=3.36.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0
oslo.policy>=1.30.0 # Apache-2.0
oslo.policy>=3.6.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
oslo.upgradecheck>=0.1.0 # Apache-2.0
oslo.utils>=3.38.0 # Apache-2.0
oslo.upgradecheck>=1.3.0 # Apache-2.0
oslo.utils>=4.5.0 # Apache-2.0
osprofiler>=1.5.0 # Apache-2.0
os-traits>=0.4.0 # Apache-2.0
pecan!=1.0.2,!=1.0.3,!=1.0.4,!=1.2,>=1.0.0 # BSD