Browse Source

[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file''
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also replace policy.json to policy.yaml ref from doc.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: Icfd9e2a75d8fdfb24cbd1c850f498aadee91f543
changes/42/767242/9
Ghanshyam Mann 6 months ago
committed by Ghanshyam
parent
commit
3b7a33eb64
15 changed files with 79 additions and 28 deletions
  1. +8
    -0
      doc/source/configuration/sample-policy.rst
  2. +8
    -0
      doc/source/configuration/samples/policy-yaml.rst
  3. +2
    -2
      doc/source/user/index.rst
  4. +2
    -2
      lower-constraints.txt
  5. +3
    -10
      magnum/cmd/status.py
  6. +13
    -1
      magnum/common/config.py
  7. +7
    -0
      magnum/common/policy.py
  8. +1
    -1
      magnum/drivers/swarm_fedora_atomic_v1/image/openvswitch/Dockerfile
  9. +2
    -2
      magnum/drivers/swarm_fedora_atomic_v1/image/openvswitch/README.rst
  10. +1
    -1
      magnum/tests/contrib/post_test_hook.sh
  11. +1
    -2
      magnum/tests/policy_fixture.py
  12. +8
    -4
      magnum/tests/unit/cmd/test_status.py
  13. +20
    -0
      releasenotes/notes/deprecate-json-formatted-policy-file-b52d805359bc73b7.yaml
  14. +2
    -2
      requirements.txt
  15. +1
    -1
      setup.cfg

+ 8
- 0
doc/source/configuration/sample-policy.rst View File

@ -5,6 +5,14 @@ Policy configuration
Configuration
~~~~~~~~~~~~~
.. warning::
JSON formatted policy file is deprecated since Magnum 12.0.0 (Wallaby).
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
JSON-formatted policy file to YAML in a backward-compatible way.
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
The following is an overview of all available policies in Magnum. For a sample
configuration file, refer to :doc:`samples/policy-yaml`.


+ 8
- 0
doc/source/configuration/samples/policy-yaml.rst View File

@ -2,6 +2,14 @@
policy.yaml
===========
.. warning::
JSON formatted policy file is deprecated since Magnum 12.0.0 (Wallaby).
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
JSON-formatted policy file to YAML in a backward-compatible way.
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
Use the ``policy.yaml`` file to define additional access controls that apply to
the Container Infrastructure Management service:


+ 2
- 2
doc/source/user/index.rst View File

@ -2782,12 +2782,12 @@ proceed as follows:
(`False` by default).
2. Update heat policy to allow magnum list stacks. To this end, edit your heat
policy file, usually etc/heat/policy.json``:
policy file, usually etc/heat/policy.yaml``:
.. code-block:: ini
...
stacks:global_index: "rule:context_is_admin",
stacks:global_index: "rule:context_is_admin"
Now restart heat.


+ 2
- 2
lower-constraints.txt View File

@ -78,11 +78,11 @@ oslo.i18n==5.0.0
oslo.log==4.2.0
oslo.messaging==12.2.0
oslo.middleware==4.1.0
oslo.policy==3.2.0
oslo.policy==3.6.0
oslo.reports==2.1.0
oslo.serialization==3.2.0
oslo.service==2.2.0
oslo.upgradecheck==1.1.0
oslo.upgradecheck==1.3.0
oslo.utils==4.2.0
oslo.versionedobjects==2.1.0
oslotest==4.4.1


+ 3
- 10
magnum/cmd/status.py View File

@ -14,6 +14,7 @@
import sys
from oslo_upgradecheck import common_checks
from oslo_upgradecheck import upgradecheck
import magnum.conf
@ -30,17 +31,9 @@ class Checks(upgradecheck.UpgradeCommands):
and added to _upgrade_checks tuple.
"""
def _sample_check(self):
"""This is sample check added to test the upgrade check framework
It needs to be removed after adding any real upgrade check
"""
return upgradecheck.Result(upgradecheck.Code.SUCCESS, 'Sample detail')
_upgrade_checks = (
# Sample check added for now.
# Whereas in future real checks must be added here in tuple
(_('Sample Check'), _sample_check),
(_('Policy File JSON to YAML Migration'),
(common_checks.check_policy_json, {'conf': CONF})),
)


+ 13
- 1
magnum/common/config.py View File

@ -16,6 +16,7 @@
# under the License.
from oslo_middleware import cors
from oslo_policy import opts
from magnum.common import rpc
import magnum.conf
@ -34,9 +35,20 @@ def parse_args(argv, default_config_files=None):
def set_config_defaults():
"""This method updates all configuration default values."""
"""Update default value for configuration options from other namespace.
Example, oslo lib config options. This is needed for
config generator tool to pick these default value changes.
https://docs.openstack.org/oslo.config/latest/cli/
generator.html#modifying-defaults-from-other-namespaces
"""
set_cors_middleware_defaults()
# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
opts.set_defaults(CONF, 'policy.yaml')
def set_cors_middleware_defaults():
"""Update default configuration options for oslo.middleware."""


+ 7
- 0
magnum/common/policy.py View File

@ -17,6 +17,7 @@
import decorator
from oslo_config import cfg
from oslo_policy import opts
from oslo_policy import policy
from oslo_utils import importutils
import pecan
@ -29,6 +30,12 @@ from magnum.common import policies
_ENFORCER = None
CONF = cfg.CONF
# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
# we can get a policy enforcer by this init.
# oslo policy support change policy rule dynamically.


+ 1
- 1
magnum/drivers/swarm_fedora_atomic_v1/image/openvswitch/Dockerfile View File

@ -9,7 +9,7 @@ RUN dnf -y install openvswitch \
&& dnf clean all
RUN cd /opt \
&& git clone https://git.openstack.org/openstack/neutron \
&& cp neutron/etc/policy.json /etc/neutron/. \
&& cp neutron/etc/policy.yaml /etc/neutron/. \
&& rm -rf neutron \
&& dnf -y remove git
VOLUME /var/run/openvswitch


+ 2
- 2
magnum/drivers/swarm_fedora_atomic_v1/image/openvswitch/README.rst View File

@ -39,11 +39,11 @@ For the Neutron agent, you will need to provide 3 files at these
locations:
- /etc/neutron/neutron.conf
- /etc/neutron/policy.json
- /etc/neutron/policy.yaml
- /etc/neutron/plugins/ml2/ml2_conf.ini
These files are typically installed in the same locations on the
Neutron controller node. The policy.json file is copied into the
Neutron controller node. The policy.yaml file is copied into the
Docker image because it is fairly static and does not require
customization for the cluster. If it is changed in the Neutron master
repo, you just need to rebuild the Docker image to update the file.


+ 1
- 1
magnum/tests/contrib/post_test_hook.sh View File

@ -115,7 +115,7 @@ EOF
}
function add_flavor {
# because of policy.json change in nova, flavor-create is now an admin-only feature
# because of policy.yaml change in nova, flavor-create is now an admin-only feature
# moving this out to only be used by admins
# Get admin credentials


+ 1
- 2
magnum/tests/policy_fixture.py View File

@ -14,7 +14,6 @@
import fixtures
from oslo_policy import _parser
from oslo_policy import opts as policy_opts
from magnum.common import policy as magnum_policy
import magnum.conf
@ -25,7 +24,7 @@ CONF = magnum.conf.CONF
class PolicyFixture(fixtures.Fixture):
def _setUp(self):
policy_opts.set_defaults(CONF)
CONF(args=[], project='magnum')
magnum_policy._ENFORCER = None
self.addCleanup(magnum_policy.init().clear)


+ 8
- 4
magnum/tests/unit/cmd/test_status.py View File

@ -24,7 +24,11 @@ class TestUpgradeChecks(base.TestCase):
super(TestUpgradeChecks, self).setUp()
self.cmd = status.Checks()
def test__sample_check(self):
check_result = self.cmd._sample_check()
self.assertEqual(
Code.SUCCESS, check_result.code)
def test_checks(self):
for name, func in self.cmd._upgrade_checks:
if isinstance(func, tuple):
func_name, kwargs = func
result = func_name(self, **kwargs)
else:
result = func(self)
self.assertEqual(Code.SUCCESS, result.code)

+ 20
- 0
releasenotes/notes/deprecate-json-formatted-policy-file-b52d805359bc73b7.yaml View File

@ -0,0 +1,20 @@
---
upgrade:
- |
The default value of ``[oslo_policy] policy_file`` config option has
been changed from ``policy.json`` to ``policy.yaml``.
Operators who are utilizing customized or previously generated
static policy JSON files (which are not needed by default), should
generate new policy files or convert them in YAML format. Use the
`oslopolicy-convert-json-to-yaml
<https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
tool to convert a JSON to YAML formatted policy file in
backward compatible way.
deprecations:
- |
Use of JSON policy files was deprecated by the ``oslo.policy`` library
during the Victoria development cycle. As a result, this deprecation is
being noted in the Wallaby cycle with an anticipated future removal of support
by ``oslo.policy``. As such operators will need to convert to YAML policy
files. Please see the upgrade notes for details on migration of any
custom policy files.

+ 2
- 2
requirements.txt View File

@ -30,11 +30,11 @@ oslo.i18n>=5.0.0 # Apache-2.0
oslo.log>=4.2.0 # Apache-2.0
oslo.messaging>=12.2.0 # Apache-2.0
oslo.middleware>=4.1.0 # Apache-2.0
oslo.policy>=3.2.0 # Apache-2.0
oslo.policy>=3.6.0 # Apache-2.0
oslo.reports>=2.1.0 # Apache-2.0
oslo.serialization>=3.2.0 # Apache-2.0
oslo.service>=2.2.0 # Apache-2.0
oslo.upgradecheck>=1.1.0 # Apache-2.0
oslo.upgradecheck>=1.3.0 # Apache-2.0
oslo.utils>=4.2.0 # Apache-2.0
oslo.versionedobjects>=2.1.0 # Apache-2.0
pbr>=5.5.0 # Apache-2.0


+ 1
- 1
setup.cfg View File

@ -59,7 +59,7 @@ oslo.config.opts =
magnum.conf = magnum.conf.opts:list_opts
oslo.config.opts.defaults =
magnum = magnum.common.config:set_cors_middleware_defaults
magnum = magnum.common.config:set_config_defaults
oslo.policy.policies =
magnum = magnum.common.policies:list_rules


Loading…
Cancel
Save