Policy json to yaml migration
Adds the status upgrade check for the JSON to YAML migration effort and updates the documentation where it seems appropriate to move from "policy.json" to "policy.yaml" Mostly shamelessly copied from https://review.opendev.org/#/c/748059/ however is in-line with ironic's configuration and patching methods. Related Blueprint: policy-json-to-yaml Change-Id: I1d5b3892451579ebfd4d75a0f7185e0ef3c984c8
This commit is contained in:
parent
1e96ecbdbc
commit
2404d486ac
@ -77,3 +77,8 @@ Upgrade
|
||||
|
||||
* Adds a check for compatibility of the object versions with the release
|
||||
of ironic.
|
||||
|
||||
**Wallaby**
|
||||
|
||||
* Adds a check to validate the configured policy file is not JSON
|
||||
based as JSON based policies have been deprecated.
|
||||
|
@ -2,6 +2,16 @@
|
||||
Policies
|
||||
========
|
||||
|
||||
.. warning::
|
||||
JSON formatted policy files were deprecated in the Wallaby development
|
||||
cycle due to the Victoria deprecation by the ``olso.policy`` library.
|
||||
Use the `oslopolicy-convert-json-to-yaml`__ tool
|
||||
to convert the existing JSON to YAML formatted policy file in backward
|
||||
compatible way.
|
||||
|
||||
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
|
||||
|
||||
|
||||
The following is an overview of all available policies in Ironic. For
|
||||
a sample configuration file, refer to :doc:`sample-policy`.
|
||||
|
||||
|
@ -46,7 +46,7 @@ Configure the Identity service for the Bare Metal service
|
||||
|
||||
If you choose to customize the names of Roles used with the Bare Metal
|
||||
service, do so by changing the "is_member", "is_observer", and "is_admin"
|
||||
policy settings in ``/etc/ironic/policy.json``.
|
||||
policy settings in ``/etc/ironic/policy.yaml``.
|
||||
|
||||
More complete documentation on managing Users and Roles within your
|
||||
OpenStack deployment are outside the scope of this document, but may be
|
||||
@ -75,6 +75,6 @@ Configure the Identity service for the Bare Metal service
|
||||
#. Further documentation is available elsewhere for the ``openstack``
|
||||
:python-openstackclient-doc:`command-line client <cli/authentication.html>`
|
||||
and the :keystone-doc:`Identity <admin/cli-manage-projects-users-and-roles.html>`
|
||||
service. A :doc:`policy.json.sample </configuration/sample-policy>`
|
||||
service. A :doc:`policy.yaml.sample </configuration/sample-policy>`
|
||||
file, which enumerates the service's default policies, is provided for
|
||||
your convenience with the Bare Metal Service.
|
||||
|
@ -15,10 +15,15 @@
|
||||
import sys
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_upgradecheck import common_checks
|
||||
from oslo_upgradecheck import upgradecheck
|
||||
|
||||
from ironic.cmd import dbsync
|
||||
from ironic.common.i18n import _
|
||||
from ironic.common import policy # noqa importing to load policy config.
|
||||
import ironic.conf
|
||||
|
||||
CONF = ironic.conf.CONF
|
||||
|
||||
|
||||
class Checks(upgradecheck.UpgradeCommands):
|
||||
@ -54,6 +59,9 @@ class Checks(upgradecheck.UpgradeCommands):
|
||||
# summary will be rolled up at the end of the check() method.
|
||||
_upgrade_checks = (
|
||||
(_('Object versions'), _check_obj_versions),
|
||||
# Victoria -> Wallaby migration
|
||||
(_('Policy File JSON to YAML Migration'),
|
||||
(common_checks.check_policy_json, {'conf': CONF})),
|
||||
)
|
||||
|
||||
|
||||
|
@ -21,6 +21,7 @@ import sys
|
||||
from oslo_concurrency import lockutils
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log
|
||||
from oslo_policy import opts
|
||||
from oslo_policy import policy
|
||||
|
||||
from ironic.common import exception
|
||||
@ -29,6 +30,13 @@ _ENFORCER = None
|
||||
CONF = cfg.CONF
|
||||
LOG = log.getLogger(__name__)
|
||||
|
||||
|
||||
# TODO(gmann): Remove setting the default value of config policy_file
|
||||
# once oslo_policy change the default value to 'policy.yaml'.
|
||||
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||
DEFAULT_POLICY_FILE = 'policy.yaml'
|
||||
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
|
||||
|
||||
default_policies = [
|
||||
# Legacy setting, don't remove. Likely to be overridden by operators who
|
||||
# forget to update their policy.json configuration file.
|
||||
@ -591,7 +599,8 @@ def init_enforcer(policy_file=None, rules=None,
|
||||
# loaded exactly once - when this module-global is initialized.
|
||||
# Defining these in the relevant API modules won't work
|
||||
# because API classes lack singletons and don't use globals.
|
||||
_ENFORCER = policy.Enforcer(CONF, policy_file=policy_file,
|
||||
_ENFORCER = policy.Enforcer(
|
||||
CONF, policy_file=policy_file,
|
||||
rules=rules,
|
||||
default_rule=default_rule,
|
||||
use_conf=use_conf)
|
||||
|
@ -0,0 +1,20 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
The default value of ``[oslo_policy] policy_file`` config option has been
|
||||
changed from ``policy.json`` to ``policy.yaml``.
|
||||
Operators who are utilizing customized policy files or previously generated
|
||||
static policy files (which are not needed by default), should generate
|
||||
new policy files and modify them to meet their needs in the event of
|
||||
any new policies or rules have been added.
|
||||
Please consult the `oslopolicy-convert-json-to-yaml <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
|
||||
tool to convert a JSON to YAML formatted policy file in
|
||||
backward compatible way.
|
||||
deprecations:
|
||||
- |
|
||||
Use of legacy policy format was deprecated by the ``oslo.policy`` library
|
||||
during the Victoria development cycle. As a result, this deprecation is
|
||||
being noted in the Wallaby with an anticipated future removal of support
|
||||
by ``oslo.policy``. As such operators will need to convert to YAML policy
|
||||
files. Please see the upgrade notes for details on migration of any
|
||||
custom policy files.
|
@ -16,17 +16,17 @@ pytz>=2013.6 # MIT
|
||||
stevedore>=1.20.0 # Apache-2.0
|
||||
pysendfile>=2.0.0;sys_platform!='win32' # MIT
|
||||
oslo.concurrency>=4.2.0 # Apache-2.0
|
||||
oslo.config>=5.2.0 # Apache-2.0
|
||||
oslo.config>=6.8.0 # Apache-2.0
|
||||
oslo.context>=2.19.2 # Apache-2.0
|
||||
oslo.db>=6.0.0 # Apache-2.0
|
||||
oslo.rootwrap>=5.8.0 # Apache-2.0
|
||||
oslo.log>=3.36.0 # Apache-2.0
|
||||
oslo.middleware>=3.31.0 # Apache-2.0
|
||||
oslo.policy>=1.30.0 # Apache-2.0
|
||||
oslo.policy>=3.6.0 # Apache-2.0
|
||||
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
|
||||
oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
|
||||
oslo.upgradecheck>=0.1.0 # Apache-2.0
|
||||
oslo.utils>=3.38.0 # Apache-2.0
|
||||
oslo.upgradecheck>=1.3.0 # Apache-2.0
|
||||
oslo.utils>=4.5.0 # Apache-2.0
|
||||
osprofiler>=1.5.0 # Apache-2.0
|
||||
os-traits>=0.4.0 # Apache-2.0
|
||||
pecan!=1.0.2,!=1.0.3,!=1.0.4,!=1.2,>=1.0.0 # BSD
|
||||
|
Loading…
Reference in New Issue
Block a user