Merge "[goal] Deprecate the JSON formatted policy file"
commit
ebef6408c3
@ -562,13 +562,13 @@ You also can force-delete a share.
|
||||
The shares cannot be deleted in transitional states. The transitional
|
||||
states are ``creating``, ``deleting``, ``managing``, ``unmanaging``,
|
||||
``migrating``, ``extending``, and ``shrinking`` statuses for the shares.
|
||||
Force-deletion deletes an object in any state. Use the ``policy.json`` file
|
||||
Force-deletion deletes an object in any state. Use the ``policy.yaml`` file
|
||||
to grant permissions for this action to other roles.
|
||||
|
||||
.. tip::
|
||||
|
||||
The configuration file ``policy.json`` may be used from different places.
|
||||
The path ``/etc/manila/policy.json`` is one of expected paths by default.
|
||||
The configuration file ``policy.yaml`` may be used from different places.
|
||||
The path ``/etc/manila/policy.yaml`` is one of expected paths by default.
|
||||
|
||||
Use **manila delete <share_name_or_ID>** command to delete a specified share:
|
||||
|
||||
|
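Review bot: the tip lines `The configuration file ``policy.yaml`` may be used from different places.` and `The path ``/etc/manila/policy.yaml`` is one of expected paths by default.` only swap the filename and leave the vague wording in place. While touching them, fix the grammar ("one of the expected paths") and say plainly that this path is only the default, and that an explicit ``[oslo_policy] policy_file`` setting takes precedence, so an operator reading this tip knows which file is actually enforced for force-delete permissions.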
@ -599,7 +599,7 @@ Use the :command:`manila share-replica-delete` command with the
|
||||
.. note::
|
||||
This command has no output.
|
||||
|
||||
Use the ``policy.json`` file to grant permissions for these actions to other
|
||||
Use the ``policy.yaml`` file to grant permissions for these actions to other
|
||||
roles.
|
||||
|
||||
|
||||
|
@ -48,7 +48,7 @@ The Shared File Systems service contains the following components:
|
||||
allowed to perform. In the default configuration, most actions do not
|
||||
require a particular role unless they are restricted to administrators, but
|
||||
this can be configured by the system administrator in the appropriate
|
||||
``policy.json`` file that maintains the rules. A user's access to manage
|
||||
``policy.yaml`` file that maintains the rules. A user's access to manage
|
||||
particular shares is limited by tenant. Guest access to mount and use shares
|
||||
is secured by IP and/or user access rules. Quotas used to control resource
|
||||
consumption across available hardware resources are per tenant.
|
||||
|
@ -2,6 +2,14 @@
|
||||
Policy configuration
|
||||
====================
|
||||
|
||||
.. warning::
|
||||
|
||||
JSON formatted policy file is deprecated since Manila 12.0.0 (Wallaby).
|
||||
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
|
||||
JSON-formatted policy file to YAML in a backward-compatible way.
|
||||
|
||||
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
|
||||
|
||||
Configuration
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
|
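Review bot: the new warning explains how to convert a JSON policy file but not what happens to an unconverted ``/etc/manila/policy.json`` once the default filename is ``policy.yaml``. State explicitly whether such a file is still picked up or is ignored in favour of the in-code defaults, because an operator who assumes custom restrictions are still enforced when they are not is running with weaker policy than intended. Also, `This ``oslopolicy-convert-json-to-yaml``__ tool` reads better as `The ``oslopolicy-convert-json-to-yaml``__ tool`.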
@ -2,6 +2,14 @@
|
||||
Manila Sample Policy
|
||||
====================
|
||||
|
||||
.. warning::
|
||||
|
||||
JSON formatted policy file is deprecated since Manila 12.0.0 (Wallaby).
|
||||
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
|
||||
JSON-formatted policy file to YAML in a backward-compatible way.
|
||||
|
||||
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
|
||||
|
||||
The following is a sample Manila policy file that has been auto-generated
|
||||
from default policy values in code. If you're using the default policies, then
|
||||
the maintenance of this file is not necessary.
|
||||
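Review bot: this warning block is a verbatim copy of the one added to the policy configuration page in the previous hunk. Keep a single copy in a shared snippet and pull it in with an ``.. include::`` so the two do not drift when the deprecation text changes (for example when the removal release is announced), and apply the same "This tool" to "The tool" wording fix here.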
@ -10,7 +18,7 @@ but it is not suggested to copy and paste into a deployment unless you're planni
|
||||
on providing a different policy for an operation that is not the default. For
|
||||
instance, if you want to change the default value of "share:create", you only
|
||||
need to keep this single rule in your policy config
|
||||
file (**/etc/manila/policy.json**).
|
||||
file (**/etc/manila/policy.yaml**).
|
||||
|
||||
.. literalinclude:: ../../../_static/manila.policy.yaml.sample
|
||||
:language: ini
|
||||
|
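Review bot: the literalinclude directive at the lines `.. literalinclude:: ../../../_static/manila.policy.yaml.sample` / `:language: ini` highlights a YAML sample as INI. Since this change is about moving to YAML policy files, set `:language: yaml` so the sample renders with the right lexer.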
@ -105,7 +105,7 @@ OpenStack Security Guide
|
||||
- Any feature that has a security impact needs to be documented here.
|
||||
- In general, administrators will follow the guidelines regarding best
|
||||
practices of setting up their manila deployments with this guide.
|
||||
- Any changes to ``policy.json`` based authorization, share network related
|
||||
- Any changes to ``policy.yaml`` based authorization, share network related
|
||||
security, ``access`` to manila resources, tenant and user related
|
||||
information needs to be documented here.
|
||||
- **Link**: `Security guide <http://docs.openstack.org/security-guide/>`_
|
||||
|
@ -64,12 +64,12 @@ oslo.i18n==5.0.1
|
||||
oslo.log==4.4.0
|
||||
oslo.messaging==12.5.0
|
||||
oslo.middleware==4.1.1
|
||||
oslo.policy==3.5.0
|
||||
oslo.policy==3.6.0
|
||||
oslo.reports==2.2.0
|
||||
oslo.rootwrap==6.2.0
|
||||
oslo.serialization==4.0.1
|
||||
oslo.service==2.4.0
|
||||
oslo.upgradecheck==1.1.1
|
||||
oslo.upgradecheck==1.3.0
|
||||
oslo.utils==4.7.0
|
||||
oslotest==4.4.1
|
||||
packaging==20.4
|
||||
|
@ -15,6 +15,7 @@
|
||||
import sys
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_upgradecheck import common_checks
|
||||
from oslo_upgradecheck import upgradecheck
|
||||
|
||||
from manila.i18n import _
|
||||
@ -42,6 +43,8 @@ class Checks(upgradecheck.UpgradeCommands):
|
||||
_upgrade_checks = (
|
||||
# In the future there should be some real checks added here
|
||||
(_('Placeholder'), _check_placeholder),
|
||||
(_('Policy File JSON to YAML Migration'),
|
||||
(common_checks.check_policy_json, {'conf': cfg.CONF})),
|
||||
)
|
||||
|
||||
|
||||
|
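Review bot: the comment `# In the future there should be some real checks added here` and the `(_('Placeholder'), _check_placeholder),` entry are now stale, because `Policy File JSON to YAML Migration` is a real check. Drop the placeholder tuple and its comment in this change (or in a follow-up noted in the commit message) so the upgrade check output does not list a meaningless placeholder next to a check operators actually need to act on.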
@ -29,6 +29,7 @@ import socket
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log
|
||||
from oslo_middleware import cors
|
||||
from oslo_policy import opts as policy_opts
|
||||
from oslo_utils import netutils
|
||||
import six
|
||||
|
||||
@ -169,8 +170,8 @@ def verify_share_protocols():
|
||||
raise exception.ManilaException(message=msg)
|
||||
|
||||
|
||||
def set_middleware_defaults():
|
||||
"""Update default configuration options for oslo.middleware."""
|
||||
def set_lib_defaults():
|
||||
"""Update default configuration options for external lib namespace"""
|
||||
cors.set_defaults(
|
||||
allow_headers=['X-Auth-Token',
|
||||
'X-OpenStack-Request-ID',
|
||||
@ -193,3 +194,5 @@ def set_middleware_defaults():
|
||||
'DELETE',
|
||||
'PATCH']
|
||||
)
|
||||
# Update default value of oslo.policy policy_file config option.
|
||||
policy_opts.set_defaults(CONF, 'policy.yaml')
|
||||
|
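Review bot: the default policy filename is hard-coded as the string literal in `policy_opts.set_defaults(CONF, 'policy.yaml')` here, and again as `DEFAULT_POLICY_FILE = 'policy.yaml'` in manila/policy.py later in this change. Two copies of a security-relevant default invite drift when the TODO in manila/policy.py is acted on; import the constant here (or move it to a common module) so there is one source of truth. Minor: the new docstring `"""Update default configuration options for external lib namespace"""` is missing its terminal period, which pep257 checks will flag.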
@ -20,6 +20,7 @@ import sys
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
from oslo_policy import opts
|
||||
from oslo_policy import policy
|
||||
from oslo_utils import excutils
|
||||
|
||||
@ -31,6 +32,13 @@ LOG = logging.getLogger(__name__)
|
||||
_ENFORCER = None
|
||||
|
||||
|
||||
# TODO(gmann): Remove setting the default value of config policy_file
|
||||
# once oslo_policy change the default value to 'policy.yaml'.
|
||||
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||
DEFAULT_POLICY_FILE = 'policy.yaml'
|
||||
opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
|
||||
|
||||
|
||||
def reset():
|
||||
global _ENFORCER
|
||||
if _ENFORCER:
|
||||
|
@ -33,7 +33,7 @@ def set_defaults(conf):
|
||||
_safe_set_of_opts(conf, 'connection', "sqlite://", group='database')
|
||||
_safe_set_of_opts(conf, 'sqlite_synchronous', False)
|
||||
_POLICY_PATH = os.path.abspath(os.path.join(CONF.state_path,
|
||||
'manila/tests/policy.json'))
|
||||
'manila/tests/policy.yaml'))
|
||||
opts.set_defaults(conf, policy_file=_POLICY_PATH)
|
||||
_safe_set_of_opts(conf, 'share_export_ip', '0.0.0.0')
|
||||
_safe_set_of_opts(conf, 'service_instance_user', 'fake_user')
|
||||
|
@ -1,136 +0,0 @@
|
||||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"admin_api": "is_admin:True",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"availability_zone:index": "rule:default",
|
||||
|
||||
"quota_set:update": "rule:admin_api",
|
||||
"quota_set:show": "rule:default",
|
||||
"quota_set:delete": "rule:admin_api",
|
||||
|
||||
"quota_class_set:show": "rule:default",
|
||||
"quota_class_set:update": "rule:admin_api",
|
||||
|
||||
"service:index": "rule:admin_api",
|
||||
"service:update": "rule:admin_api",
|
||||
|
||||
"share:create": "",
|
||||
"share:list_by_share_server_id": "rule:admin_api",
|
||||
"share:get": "",
|
||||
"share:get_all": "",
|
||||
"share:delete": "rule:default",
|
||||
"share:update": "rule:default",
|
||||
"share:snapshot_update": "",
|
||||
"share:create_snapshot": "",
|
||||
"share:delete_snapshot": "",
|
||||
"share:get_snapshot": "",
|
||||
"share:get_all_snapshots": "",
|
||||
"share:extend": "",
|
||||
"share:shrink": "",
|
||||
"share:manage": "rule:admin_api",
|
||||
"share:unmanage": "rule:admin_api",
|
||||
"share:force_delete": "rule:admin_api",
|
||||
"share:reset_status": "rule:admin_api",
|
||||
"share:migration_start": "rule:admin_api",
|
||||
"share:migration_complete": "rule:admin_api",
|
||||
"share:migration_cancel": "rule:admin_api",
|
||||
"share:migration_get_progress": "rule:admin_api",
|
||||
"share_export_location:index": "rule:default",
|
||||
"share_export_location:show": "rule:default",
|
||||
|
||||
"share_type:index": "rule:default",
|
||||
"share_type:show": "rule:default",
|
||||
"share_type:default": "rule:default",
|
||||
"share_type:create": "rule:default",
|
||||
"share_type:delete": "rule:default",
|
||||
"share_type:add_project_access": "rule:admin_api",
|
||||
"share_type:list_project_access": "rule:admin_api",
|
||||
"share_type:remove_project_access": "rule:admin_api",
|
||||
|
||||
"share_types_extra_spec:create": "rule:default",
|
||||
"share_types_extra_spec:update": "rule:default",
|
||||
"share_types_extra_spec:show": "rule:default",
|
||||
"share_types_extra_spec:index": "rule:default",
|
||||
"share_types_extra_spec:delete": "rule:default",
|
||||
|
||||
"share_instance:index": "rule:admin_api",
|
||||
"share_instance:show": "rule:admin_api",
|
||||
"share_instance:force_delete": "rule:admin_api",
|
||||
"share_instance:reset_status": "rule:admin_api",
|
||||
|
||||
"share_snapshot:force_delete": "rule:admin_api",
|
||||
"share_snapshot:reset_status": "rule:admin_api",
|
||||
"share_snapshot:manage_snapshot": "rule:admin_api",
|
||||
"share_snapshot:unmanage_snapshot": "rule:admin_api",
|
||||
|
||||
"share_network:create": "",
|
||||
"share_network:index": "",
|
||||
"share_network:detail": "",
|
||||
"share_network:show": "",
|
||||
"share_network:update": "",
|
||||
"share_network:delete": "",
|
||||
"share_network:get_all_share_networks": "rule:admin_api",
|
||||
|
||||
"share_server:index": "rule:admin_api",
|
||||
"share_server:show": "rule:admin_api",
|
||||
"share_server:details": "rule:admin_api",
|
||||
"share_server:delete": "rule:admin_api",
|
||||
|
||||
"share:get_share_metadata": "",
|
||||
"share:delete_share_metadata": "",
|
||||
"share:update_share_metadata": "",
|
||||
"share_extension:availability_zones": "",
|
||||
|
||||
"security_service:index": "",
|
||||
"security_service:get_all_security_services": "rule:admin_api",
|
||||
|
||||
"scheduler_stats:pools:index": "rule:admin_api",
|
||||
"scheduler_stats:pools:detail": "rule:admin_api",
|
||||
|
||||
"share_group:create" : "rule:default",
|
||||
"share_group:delete": "rule:default",
|
||||
"share_group:update": "rule:default",
|
||||
"share_group:get": "rule:default",
|
||||
"share_group:get_all": "rule:default",
|
||||
"share_group:force_delete": "rule:admin_api",
|
||||
"share_group:reset_status": "rule:admin_api",
|
||||
|
||||
"share_group_snapshot:create" : "rule:default",
|
||||
"share_group_snapshot:delete": "rule:default",
|
||||
"share_group_snapshot:update" : "rule:default",
|
||||
"share_group_snapshot:get": "rule:default",
|
||||
"share_group_snapshot:get_all": "rule:default",
|
||||
"share_group_snapshot:force_delete": "rule:admin_api",
|
||||
"share_group_snapshot:reset_status": "rule:admin_api",
|
||||
|
||||
"share_replica:get_all": "rule:default",
|
||||
"share_replica:show": "rule:default",
|
||||
"share_replica:create" : "rule:default",
|
||||
"share_replica:delete": "rule:default",
|
||||
"share_replica:promote": "rule:default",
|
||||
"share_replica:resync": "rule:admin_api",
|
||||
"share_replica:reset_status": "rule:admin_api",
|
||||
"share_replica:force_delete": "rule:admin_api",
|
||||
"share_replica:reset_replica_state": "rule:admin_api",
|
||||
|
||||
"share_group_type:index": "rule:default",
|
||||
"share_group_type:show": "rule:default",
|
||||
"share_group_type:default": "rule:default",
|
||||
"share_group_type:create": "rule:admin_api",
|
||||
"share_group_type:delete": "rule:admin_api",
|
||||
"share_group_type:add_project_access": "rule:admin_api",
|
||||
"share_group_type:list_project_access": "rule:admin_api",
|
||||
"share_group_type:remove_project_access": "rule:admin_api",
|
||||
|
||||
"share_group_types_spec:create": "rule:admin_api",
|
||||
"share_group_types_spec:update": "rule:admin_api",
|
||||
"share_group_types_spec:show": "rule:admin_api",
|
||||
"share_group_types_spec:index": "rule:admin_api",
|
||||
"share_group_types_spec:delete": "rule:admin_api",
|
||||
|
||||
"message:delete": "rule:default",
|
||||
"message:get": "rule:default",
|
||||
"message:get_all": "rule:default"
|
||||
}
|
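Review bot: with manila/tests/policy.json removed, confirm nothing else in the test tree still opens `policy.json` by name; conf_fixture.py is updated in this change, but any other stale path would only fail at runtime when the enforcer loads rules, not at import time.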
117
manila/tests/policy.yaml
Normal file
@ -0,0 +1,117 @@
|
||||
# WARNING: Below rules are either deprecated rules
|
||||
# or extra rules in policy file, it is strongly
|
||||
# recommended to switch to new rules.
|
||||
"context_is_admin": "role:admin"
|
||||
"admin_api": "is_admin:True"
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
|
||||
"default": "rule:admin_or_owner"
|
||||
"availability_zone:index": "rule:default"
|
||||
"quota_set:update": "rule:admin_api"
|
||||
"quota_set:show": "rule:default"
|
||||
"quota_set:delete": "rule:admin_api"
|
||||
"quota_class_set:show": "rule:default"
|
||||
"quota_class_set:update": "rule:admin_api"
|
||||
"service:index": "rule:admin_api"
|
||||
"service:update": "rule:admin_api"
|
||||
"share:create": ""
|
||||
"share:list_by_share_server_id": "rule:admin_api"
|
||||
"share:get": ""
|
||||
"share:get_all": ""
|
||||
"share:delete": "rule:default"
|
||||
"share:update": "rule:default"
|
||||
"share:snapshot_update": ""
|
||||
"share:create_snapshot": ""
|
||||
"share:delete_snapshot": ""
|
||||
"share:get_snapshot": ""
|
||||
"share:get_all_snapshots": ""
|
||||
"share:extend": ""
|
||||
"share:shrink": ""
|
||||
"share:manage": "rule:admin_api"
|
||||
"share:unmanage": "rule:admin_api"
|
||||
"share:force_delete": "rule:admin_api"
|
||||
"share:reset_status": "rule:admin_api"
|
||||
"share:migration_start": "rule:admin_api"
|
||||
"share:migration_complete": "rule:admin_api"
|
||||
"share:migration_cancel": "rule:admin_api"
|
||||
"share:migration_get_progress": "rule:admin_api"
|
||||
"share_export_location:index": "rule:default"
|
||||
"share_export_location:show": "rule:default"
|
||||
"share_type:index": "rule:default"
|
||||
"share_type:show": "rule:default"
|
||||
"share_type:default": "rule:default"
|
||||
"share_type:create": "rule:default"
|
||||
"share_type:delete": "rule:default"
|
||||
"share_type:add_project_access": "rule:admin_api"
|
||||
"share_type:list_project_access": "rule:admin_api"
|
||||
"share_type:remove_project_access": "rule:admin_api"
|
||||
"share_types_extra_spec:create": "rule:default"
|
||||
"share_types_extra_spec:update": "rule:default"
|
||||
"share_types_extra_spec:show": "rule:default"
|
||||
"share_types_extra_spec:index": "rule:default"
|
||||
"share_types_extra_spec:delete": "rule:default"
|
||||
"share_instance:index": "rule:admin_api"
|
||||
"share_instance:show": "rule:admin_api"
|
||||
"share_instance:force_delete": "rule:admin_api"
|
||||
"share_instance:reset_status": "rule:admin_api"
|
||||
"share_snapshot:force_delete": "rule:admin_api"
|
||||
"share_snapshot:reset_status": "rule:admin_api"
|
||||
"share_snapshot:manage_snapshot": "rule:admin_api"
|
||||
"share_snapshot:unmanage_snapshot": "rule:admin_api"
|
||||
"share_network:create": ""
|
||||
"share_network:index": ""
|
||||
"share_network:detail": ""
|
||||
"share_network:show": ""
|
||||
"share_network:update": ""
|
||||
"share_network:delete": ""
|
||||
"share_network:get_all_share_networks": "rule:admin_api"
|
||||
"share_server:index": "rule:admin_api"
|
||||
"share_server:show": "rule:admin_api"
|
||||
"share_server:details": "rule:admin_api"
|
||||
"share_server:delete": "rule:admin_api"
|
||||
"share:get_share_metadata": ""
|
||||
"share:delete_share_metadata": ""
|
||||
"share:update_share_metadata": ""
|
||||
"share_extension:availability_zones": ""
|
||||
"security_service:index": ""
|
||||
"security_service:get_all_security_services": "rule:admin_api"
|
||||
"scheduler_stats:pools:index": "rule:admin_api"
|
||||
"scheduler_stats:pools:detail": "rule:admin_api"
|
||||
"share_group:create": "rule:default"
|
||||
"share_group:delete": "rule:default"
|
||||
"share_group:update": "rule:default"
|
||||
"share_group:get": "rule:default"
|
||||
"share_group:get_all": "rule:default"
|
||||
"share_group:force_delete": "rule:admin_api"
|
||||
"share_group:reset_status": "rule:admin_api"
|
||||
"share_group_snapshot:create": "rule:default"
|
||||
"share_group_snapshot:delete": "rule:default"
|
||||
"share_group_snapshot:update": "rule:default"
|
||||
"share_group_snapshot:get": "rule:default"
|
||||
"share_group_snapshot:get_all": "rule:default"
|
||||
"share_group_snapshot:force_delete": "rule:admin_api"
|
||||
"share_group_snapshot:reset_status": "rule:admin_api"
|
||||
"share_replica:get_all": "rule:default"
|
||||
"share_replica:show": "rule:default"
|
||||
"share_replica:create": "rule:default"
|
||||
"share_replica:delete": "rule:default"
|
||||
"share_replica:promote": "rule:default"
|
||||
"share_replica:resync": "rule:admin_api"
|
||||
"share_replica:reset_status": "rule:admin_api"
|
||||
"share_replica:force_delete": "rule:admin_api"
|
||||
"share_replica:reset_replica_state": "rule:admin_api"
|
||||
"share_group_type:index": "rule:default"
|
||||
"share_group_type:show": "rule:default"
|
||||
"share_group_type:default": "rule:default"
|
||||
"share_group_type:create": "rule:admin_api"
|
||||
"share_group_type:delete": "rule:admin_api"
|
||||
"share_group_type:add_project_access": "rule:admin_api"
|
||||
"share_group_type:list_project_access": "rule:admin_api"
|
||||
"share_group_type:remove_project_access": "rule:admin_api"
|
||||
"share_group_types_spec:create": "rule:admin_api"
|
||||
"share_group_types_spec:update": "rule:admin_api"
|
||||
"share_group_types_spec:show": "rule:admin_api"
|
||||
"share_group_types_spec:index": "rule:admin_api"
|
||||
"share_group_types_spec:delete": "rule:admin_api"
|
||||
"message:delete": "rule:default"
|
||||
"message:get": "rule:default"
|
||||
"message:get_all": "rule:default"
|
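Review bot: the header comment `# WARNING: Below rules are either deprecated rules / # or extra rules in policy file, it is strongly / # recommended to switch to new rules.` is boilerplate emitted by the conversion tool and is misleading in a hand-maintained test fixture. Replace it with a comment stating that this file is the policy fixture used by the unit tests (and that its permissive entries such as `"share:create": ""` and `"default": "rule:admin_or_owner"` are deliberate for testing), so nobody copies it into a deployment or "fixes" it by removing rules the tests depend on.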
@ -0,0 +1,20 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
The default value of ``[oslo_policy] policy_file`` config option has
|
||||
been changed from ``policy.json`` to ``policy.yaml``.
|
||||
Operators who are utilizing customized or previously generated
|
||||
static policy JSON files (which are not needed by default), should
|
||||
generate new policy files or convert them in YAML format. Use the
|
||||
`oslopolicy-convert-json-to-yaml
|
||||
<https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
|
||||
tool to convert a JSON to YAML formatted policy file in
|
||||
backward compatible way.
|
||||
deprecations:
|
||||
- |
|
||||
Use of JSON policy files was deprecated by the ``oslo.policy`` library
|
||||
during the Victoria development cycle. As a result, this deprecation is
|
||||
being noted in the Wallaby cycle with an anticipated future removal of support
|
||||
by ``oslo.policy``. As such operators will need to convert to YAML policy
|
||||
files. Please see the upgrade notes for details on migration of any
|
||||
custom policy files.
|
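Review bot: a few wording issues in the release note. `convert them in YAML format` should be `convert them to YAML format`; `in backward compatible way` should be `in a backward-compatible way`; `As such operators will need` needs a comma after `As such`; and the comma in `static policy JSON files (which are not needed by default), should generate` separates subject from verb and should be dropped. The upgrade section would also benefit from one sentence on whether an unconverted `policy.json` is still honoured after the default changes, since that is the question an operator reading the note will have.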
@ -17,12 +17,12 @@ oslo.i18n>=5.0.1 # Apache-2.0
|
||||
oslo.log>=4.4.0 # Apache-2.0
|
||||
oslo.messaging>=12.5.0 # Apache-2.0
|
||||
oslo.middleware>=4.1.1 # Apache-2.0
|
||||
oslo.policy>=3.5.0 # Apache-2.0
|
||||
oslo.policy>=3.6.0 # Apache-2.0
|
||||
oslo.reports>=2.2.0 # Apache-2.0
|
||||
oslo.rootwrap>=6.2.0 # Apache-2.0
|
||||
oslo.serialization>=4.0.1 # Apache-2.0
|
||||
oslo.service>=2.4.0 # Apache-2.0
|
||||
oslo.upgradecheck>=1.1.1 # Apache-2.0
|
||||
oslo.upgradecheck>=1.3.0 # Apache-2.0
|
||||
oslo.utils>=4.7.0 # Apache-2.0
|
||||
oslo.concurrency>=4.3.0 # Apache-2.0
|
||||
paramiko>=2.7.2 # LGPLv2.1+
|
||||
|
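Review bot: the minimum bumps `oslo.policy>=3.6.0` and `oslo.upgradecheck>=1.3.0` match the lower-constraints.txt hunk earlier in this change, but the commit message should say why each minimum is needed (the `from oslo_upgradecheck import common_checks` import and the `common_checks.check_policy_json` check clearly depend on the oslo.upgradecheck bump; state the corresponding reason for the oslo.policy bump) so packagers can judge whether the constraint is required or merely preferred.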
@ -72,7 +72,7 @@ oslo_messaging.notify.drivers =
|
||||
oslo.config.opts =
|
||||
manila = manila.opts:list_opts
|
||||
oslo.config.opts.defaults =
|
||||
manila = manila.common.config:set_middleware_defaults
|
||||
manila = manila.common.config:set_lib_defaults
|
||||
oslo.policy.enforcer =
|
||||
manila = manila.policy:get_enforcer
|
||||
oslo.policy.policies =
|
||||
|