[goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file format from JSON to YAML [1], we need to do two things: 1. Change the default value of the '[oslo_policy] policy_file' config option from 'policy.json' to 'policy.yaml', with upgrade checks. 2. Deprecate the JSON-formatted policy file on the project side via a warning in the docs and release notes. Also replace policy.json references with policy.yaml in the docs. [1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: Icfd9e2a75d8fdfb24cbd1c850f498aadee91f543
parent
3f40b9a1b7
commit
3b7a33eb64
|
@ -5,6 +5,14 @@ Policy configuration
|
||||||
Configuration
|
Configuration
|
||||||
~~~~~~~~~~~~~
|
~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
JSON formatted policy file is deprecated since Magnum 12.0.0 (Wallaby).
|
||||||
|
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
|
||||||
|
JSON-formatted policy file to YAML in a backward-compatible way.
|
||||||
|
|
||||||
|
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
|
||||||
|
|
||||||
The following is an overview of all available policies in Magnum. For a sample
|
The following is an overview of all available policies in Magnum. For a sample
|
||||||
configuration file, refer to :doc:`samples/policy-yaml`.
|
configuration file, refer to :doc:`samples/policy-yaml`.
|
||||||
|
|
||||||
|
|
|
@ -2,6 +2,14 @@
|
||||||
policy.yaml
|
policy.yaml
|
||||||
===========
|
===========
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
JSON formatted policy file is deprecated since Magnum 12.0.0 (Wallaby).
|
||||||
|
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
|
||||||
|
JSON-formatted policy file to YAML in a backward-compatible way.
|
||||||
|
|
||||||
|
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
|
||||||
|
|
||||||
Use the ``policy.yaml`` file to define additional access controls that apply to
|
Use the ``policy.yaml`` file to define additional access controls that apply to
|
||||||
the Container Infrastructure Management service:
|
the Container Infrastructure Management service:
|
||||||
|
|
||||||
|
|
|
@ -2782,12 +2782,12 @@ proceed as follows:
|
||||||
(`False` by default).
|
(`False` by default).
|
||||||
|
|
||||||
2. Update heat policy to allow magnum list stacks. To this end, edit your heat
|
2. Update heat policy to allow magnum list stacks. To this end, edit your heat
|
||||||
policy file, usually etc/heat/policy.json``:
|
policy file, usually etc/heat/policy.yaml``:
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
...
|
...
|
||||||
stacks:global_index: "rule:context_is_admin",
|
stacks:global_index: "rule:context_is_admin"
|
||||||
|
|
||||||
Now restart heat.
|
Now restart heat.
|
||||||
|
|
||||||
|
|
|
@ -78,11 +78,11 @@ oslo.i18n==5.0.0
|
||||||
oslo.log==4.2.0
|
oslo.log==4.2.0
|
||||||
oslo.messaging==12.2.0
|
oslo.messaging==12.2.0
|
||||||
oslo.middleware==4.1.0
|
oslo.middleware==4.1.0
|
||||||
oslo.policy==3.2.0
|
oslo.policy==3.6.0
|
||||||
oslo.reports==2.1.0
|
oslo.reports==2.1.0
|
||||||
oslo.serialization==3.2.0
|
oslo.serialization==3.2.0
|
||||||
oslo.service==2.2.0
|
oslo.service==2.2.0
|
||||||
oslo.upgradecheck==1.1.0
|
oslo.upgradecheck==1.3.0
|
||||||
oslo.utils==4.2.0
|
oslo.utils==4.2.0
|
||||||
oslo.versionedobjects==2.1.0
|
oslo.versionedobjects==2.1.0
|
||||||
oslotest==4.4.1
|
oslotest==4.4.1
|
||||||
|
|
|
@ -14,6 +14,7 @@
|
||||||
|
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
|
from oslo_upgradecheck import common_checks
|
||||||
from oslo_upgradecheck import upgradecheck
|
from oslo_upgradecheck import upgradecheck
|
||||||
|
|
||||||
import magnum.conf
|
import magnum.conf
|
||||||
|
@ -30,17 +31,9 @@ class Checks(upgradecheck.UpgradeCommands):
|
||||||
and added to _upgrade_checks tuple.
|
and added to _upgrade_checks tuple.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def _sample_check(self):
|
|
||||||
"""This is sample check added to test the upgrade check framework
|
|
||||||
|
|
||||||
It needs to be removed after adding any real upgrade check
|
|
||||||
"""
|
|
||||||
return upgradecheck.Result(upgradecheck.Code.SUCCESS, 'Sample detail')
|
|
||||||
|
|
||||||
_upgrade_checks = (
|
_upgrade_checks = (
|
||||||
# Sample check added for now.
|
(_('Policy File JSON to YAML Migration'),
|
||||||
# Whereas in future real checks must be added here in tuple
|
(common_checks.check_policy_json, {'conf': CONF})),
|
||||||
(_('Sample Check'), _sample_check),
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
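Review bot: The new `_upgrade_checks` entry passes only `CONF` to `common_checks.check_policy_json`, so the check presumably inspects whatever `[oslo_policy] policy_file` resolves to, and nothing here says which file that is once this commit moves the default to `policy.yaml`. A deployment that customised `policy.json` under the old default and never set the option is the case an operator most needs flagged, because overrides that stop being loaded would fall back to the in-code access rules. It is worth confirming how the pinned oslo.policy and oslo.upgradecheck versions treat that case and recording it next to the entry, for example `# Checks the file named by [oslo_policy] policy_file; a legacy policy.json left at the old default path must be converted or configured explicitly.` The `Checks` class starts outside this hunk.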
|
@ -16,6 +16,7 @@
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo_middleware import cors
|
from oslo_middleware import cors
|
||||||
|
from oslo_policy import opts
|
||||||
|
|
||||||
from magnum.common import rpc
|
from magnum.common import rpc
|
||||||
import magnum.conf
|
import magnum.conf
|
||||||
|
@ -34,9 +35,20 @@ def parse_args(argv, default_config_files=None):
|
||||||
|
|
||||||
|
|
||||||
def set_config_defaults():
|
def set_config_defaults():
|
||||||
"""This method updates all configuration default values."""
|
"""Update default value for configuration options from other namespace.
|
||||||
|
|
||||||
|
Example, oslo lib config options. This is needed for
|
||||||
|
config generator tool to pick these default value changes.
|
||||||
|
https://docs.openstack.org/oslo.config/latest/cli/
|
||||||
|
generator.html#modifying-defaults-from-other-namespaces
|
||||||
|
"""
|
||||||
set_cors_middleware_defaults()
|
set_cors_middleware_defaults()
|
||||||
|
|
||||||
|
# TODO(gmann): Remove setting the default value of config policy_file
|
||||||
|
# once oslo_policy change the default value to 'policy.yaml'.
|
||||||
|
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||||
|
opts.set_defaults(CONF, 'policy.yaml')
|
||||||
|
|
||||||
|
|
||||||
def set_cors_middleware_defaults():
|
def set_cors_middleware_defaults():
|
||||||
"""Update default configuration options for oslo.middleware."""
|
"""Update default configuration options for oslo.middleware."""
|
||||||
|
|
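Review bot: `opts.set_defaults(CONF, 'policy.yaml')` in `set_config_defaults()` repeats both the literal and the TODO that this commit also adds, as `DEFAULT_POLICY_FILE`, to the section that defines `_ENFORCER`. With two definitions, the sample config produced by the generator and the file the enforcer actually loads can drift apart if only one is edited later. A single definition avoids that, e.g. `opts.set_defaults(CONF, DEFAULT_POLICY_FILE)`, with the constant living wherever it can be imported without a cycle (not verifiable from this hunk). If both calls have to stay, a comment on each pointing at the other would help.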
|
@ -17,6 +17,7 @@
|
||||||
|
|
||||||
import decorator
|
import decorator
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
|
from oslo_policy import opts
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
from oslo_utils import importutils
|
from oslo_utils import importutils
|
||||||
import pecan
|
import pecan
|
||||||
|
@ -29,6 +30,12 @@ from magnum.common import policies
|
||||||
_ENFORCER = None
|
_ENFORCER = None
|
||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
|
|
||||||
|
# TODO(gmann): Remove setting the default value of config policy_file
|
||||||
|
# once oslo_policy change the default value to 'policy.yaml'.
|
||||||
|
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||||
|
DEFAULT_POLICY_FILE = 'policy.yaml'
|
||||||
|
opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
|
||||||
|
|
||||||
|
|
||||||
# we can get a policy enforcer by this init.
|
# we can get a policy enforcer by this init.
|
||||||
# oslo policy support change policy rule dynamically.
|
# oslo policy support change policy rule dynamically.
|
||||||
|
|
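Review bot: `opts.set_defaults(CONF, DEFAULT_POLICY_FILE)` runs at module import, so the default any entry point sees for `[oslo_policy] policy_file` depends on whether this module has been imported yet. The upgrade-check command changed earlier in this commit, for instance, shows no import of it in its visible lines. Because this option selects the access-control rules in force, that ordering should be explicit rather than incidental. Consider applying the default inside the enforcer's init path (its body is outside this hunk), or at least state the dependency: `# NOTE: applied at import time; code that reads policy_file must import this module first.`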
|
@ -9,7 +9,7 @@ RUN dnf -y install openvswitch \
|
||||||
&& dnf clean all
|
&& dnf clean all
|
||||||
RUN cd /opt \
|
RUN cd /opt \
|
||||||
&& git clone https://git.openstack.org/openstack/neutron \
|
&& git clone https://git.openstack.org/openstack/neutron \
|
||||||
&& cp neutron/etc/policy.json /etc/neutron/. \
|
&& cp neutron/etc/policy.yaml /etc/neutron/. \
|
||||||
&& rm -rf neutron \
|
&& rm -rf neutron \
|
||||||
&& dnf -y remove git
|
&& dnf -y remove git
|
||||||
VOLUME /var/run/openvswitch
|
VOLUME /var/run/openvswitch
|
||||||
|
|
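Review bot: `cp neutron/etc/policy.yaml /etc/neutron/.` assumes the cloned neutron tree ships a ready-made `etc/policy.yaml`, which this hunk cannot guarantee because the `git clone` above it takes the default branch as of build time with no ref pinned. The steps are chained with `&&`, so a missing file would fail the build loudly, but the policy content baked into the agent image still changes with whatever upstream holds on the day of the build. Verify the path against the neutron branch this image targets, and pin the clone so the image is reproducible, e.g. `git clone --depth 1 --branch <NEUTRON_TAG_PLACEHOLDER> https://git.openstack.org/openstack/neutron`.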
|
@ -39,11 +39,11 @@ For the Neutron agent, you will need to provide 3 files at these
|
||||||
locations:
|
locations:
|
||||||
|
|
||||||
- /etc/neutron/neutron.conf
|
- /etc/neutron/neutron.conf
|
||||||
- /etc/neutron/policy.json
|
- /etc/neutron/policy.yaml
|
||||||
- /etc/neutron/plugins/ml2/ml2_conf.ini
|
- /etc/neutron/plugins/ml2/ml2_conf.ini
|
||||||
|
|
||||||
These files are typically installed in the same locations on the
|
These files are typically installed in the same locations on the
|
||||||
Neutron controller node. The policy.json file is copied into the
|
Neutron controller node. The policy.yaml file is copied into the
|
||||||
Docker image because it is fairly static and does not require
|
Docker image because it is fairly static and does not require
|
||||||
customization for the cluster. If it is changed in the Neutron master
|
customization for the cluster. If it is changed in the Neutron master
|
||||||
repo, you just need to rebuild the Docker image to update the file.
|
repo, you just need to rebuild the Docker image to update the file.
|
||||||
|
|
|
@ -115,7 +115,7 @@ EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
function add_flavor {
|
function add_flavor {
|
||||||
# because of policy.json change in nova, flavor-create is now an admin-only feature
|
# because of policy.yaml change in nova, flavor-create is now an admin-only feature
|
||||||
# moving this out to only be used by admins
|
# moving this out to only be used by admins
|
||||||
|
|
||||||
# Get admin credentials
|
# Get admin credentials
|
||||||
|
|
|
@ -14,7 +14,6 @@
|
||||||
|
|
||||||
import fixtures
|
import fixtures
|
||||||
from oslo_policy import _parser
|
from oslo_policy import _parser
|
||||||
from oslo_policy import opts as policy_opts
|
|
||||||
|
|
||||||
from magnum.common import policy as magnum_policy
|
from magnum.common import policy as magnum_policy
|
||||||
import magnum.conf
|
import magnum.conf
|
||||||
|
@ -25,7 +24,7 @@ CONF = magnum.conf.CONF
|
||||||
class PolicyFixture(fixtures.Fixture):
|
class PolicyFixture(fixtures.Fixture):
|
||||||
|
|
||||||
def _setUp(self):
|
def _setUp(self):
|
||||||
policy_opts.set_defaults(CONF)
|
CONF(args=[], project='magnum')
|
||||||
magnum_policy._ENFORCER = None
|
magnum_policy._ENFORCER = None
|
||||||
self.addCleanup(magnum_policy.init().clear)
|
self.addCleanup(magnum_policy.init().clear)
|
||||||
|
|
||||||
|
|
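Review bot: `CONF(args=[], project='magnum')` in `_setUp` lets oslo.config search its default config-file locations for the project, so a `magnum.conf` on the machine running the tests (for example under `/etc/magnum`) could be parsed and change which policy file and options the fixture sees. Passing an explicit empty list keeps the fixture hermetic: `CONF(args=[], project='magnum', default_config_files=[])`. The fixture also no longer registers the oslo.policy options itself, so it appears to rely on the import of `magnum.common.policy` having done so; a one-line comment saying that would save the next reader the search.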
|
@ -24,7 +24,11 @@ class TestUpgradeChecks(base.TestCase):
|
||||||
super(TestUpgradeChecks, self).setUp()
|
super(TestUpgradeChecks, self).setUp()
|
||||||
self.cmd = status.Checks()
|
self.cmd = status.Checks()
|
||||||
|
|
||||||
def test__sample_check(self):
|
def test_checks(self):
|
||||||
check_result = self.cmd._sample_check()
|
for name, func in self.cmd._upgrade_checks:
|
||||||
self.assertEqual(
|
if isinstance(func, tuple):
|
||||||
Code.SUCCESS, check_result.code)
|
func_name, kwargs = func
|
||||||
|
result = func_name(self, **kwargs)
|
||||||
|
else:
|
||||||
|
result = func(self)
|
||||||
|
self.assertEqual(Code.SUCCESS, result.code)
|
||||||
|
|
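Review bot: In `test_checks` the check functions receive the test case as their first argument (`func_name(self, **kwargs)` and `func(self)`), whereas the framework presumably hands them the `Checks` instance, so this only works while no check touches `self`. Use the command object instead: `result = func_name(self.cmd, **kwargs)` and `result = func(self.cmd)`. The loop also asserts only `Code.SUCCESS` under default configuration, so nothing exercises the case the new check exists for, a JSON-formatted policy file being configured. A second test that points `policy_file` at a temporary JSON file and expects a non-success code would cover it. The test class starts outside this hunk.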
|
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
The default value of ``[oslo_policy] policy_file`` config option has
|
||||||
|
been changed from ``policy.json`` to ``policy.yaml``.
|
||||||
|
Operators who are utilizing customized or previously generated
|
||||||
|
static policy JSON files (which are not needed by default), should
|
||||||
|
generate new policy files or convert them in YAML format. Use the
|
||||||
|
`oslopolicy-convert-json-to-yaml
|
||||||
|
<https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
|
||||||
|
tool to convert a JSON to YAML formatted policy file in
|
||||||
|
backward compatible way.
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
Use of JSON policy files was deprecated by the ``oslo.policy`` library
|
||||||
|
during the Victoria development cycle. As a result, this deprecation is
|
||||||
|
being noted in the Wallaby cycle with an anticipated future removal of support
|
||||||
|
by ``oslo.policy``. As such operators will need to convert to YAML policy
|
||||||
|
files. Please see the upgrade notes for details on migration of any
|
||||||
|
custom policy files.
|
|
@ -30,11 +30,11 @@ oslo.i18n>=5.0.0 # Apache-2.0
|
||||||
oslo.log>=4.2.0 # Apache-2.0
|
oslo.log>=4.2.0 # Apache-2.0
|
||||||
oslo.messaging>=12.2.0 # Apache-2.0
|
oslo.messaging>=12.2.0 # Apache-2.0
|
||||||
oslo.middleware>=4.1.0 # Apache-2.0
|
oslo.middleware>=4.1.0 # Apache-2.0
|
||||||
oslo.policy>=3.2.0 # Apache-2.0
|
oslo.policy>=3.6.0 # Apache-2.0
|
||||||
oslo.reports>=2.1.0 # Apache-2.0
|
oslo.reports>=2.1.0 # Apache-2.0
|
||||||
oslo.serialization>=3.2.0 # Apache-2.0
|
oslo.serialization>=3.2.0 # Apache-2.0
|
||||||
oslo.service>=2.2.0 # Apache-2.0
|
oslo.service>=2.2.0 # Apache-2.0
|
||||||
oslo.upgradecheck>=1.1.0 # Apache-2.0
|
oslo.upgradecheck>=1.3.0 # Apache-2.0
|
||||||
oslo.utils>=4.2.0 # Apache-2.0
|
oslo.utils>=4.2.0 # Apache-2.0
|
||||||
oslo.versionedobjects>=2.1.0 # Apache-2.0
|
oslo.versionedobjects>=2.1.0 # Apache-2.0
|
||||||
pbr>=5.5.0 # Apache-2.0
|
pbr>=5.5.0 # Apache-2.0
|
||||||
|
|
|
@ -59,7 +59,7 @@ oslo.config.opts =
|
||||||
magnum.conf = magnum.conf.opts:list_opts
|
magnum.conf = magnum.conf.opts:list_opts
|
||||||
|
|
||||||
oslo.config.opts.defaults =
|
oslo.config.opts.defaults =
|
||||||
magnum = magnum.common.config:set_cors_middleware_defaults
|
magnum = magnum.common.config:set_config_defaults
|
||||||
|
|
||||||
oslo.policy.policies =
|
oslo.policy.policies =
|
||||||
magnum = magnum.common.policies:list_rules
|
magnum = magnum.common.policies:list_rules
|
||||||
|
|