diff --git a/doc/source/admin/shared-file-systems-crud-share.rst b/doc/source/admin/shared-file-systems-crud-share.rst index e07f45ad9d..8ab2dcfd05 100644 --- a/doc/source/admin/shared-file-systems-crud-share.rst +++ b/doc/source/admin/shared-file-systems-crud-share.rst @@ -562,13 +562,13 @@ You also can force-delete a share. The shares cannot be deleted in transitional states. The transitional states are ``creating``, ``deleting``, ``managing``, ``unmanaging``, ``migrating``, ``extending``, and ``shrinking`` statuses for the shares. -Force-deletion deletes an object in any state. Use the ``policy.json`` file +Force-deletion deletes an object in any state. Use the ``policy.yaml`` file to grant permissions for this action to other roles. .. tip:: - The configuration file ``policy.json`` may be used from different places. - The path ``/etc/manila/policy.json`` is one of expected paths by default. + The configuration file ``policy.yaml`` may be used from different places. + The path ``/etc/manila/policy.yaml`` is one of expected paths by default. Use **manila delete ** command to delete a specified share: diff --git a/doc/source/admin/shared-file-systems-share-replication.rst b/doc/source/admin/shared-file-systems-share-replication.rst index 869723a351..0632426405 100644 --- a/doc/source/admin/shared-file-systems-share-replication.rst +++ b/doc/source/admin/shared-file-systems-share-replication.rst @@ -599,7 +599,7 @@ Use the :command:`manila share-replica-delete` command with the .. note:: This command has no output. -Use the ``policy.json`` file to grant permissions for these actions to other +Use the ``policy.yaml`` file to grant permissions for these actions to other roles. diff --git a/doc/source/configuration/shared-file-systems/overview.rst b/doc/source/configuration/shared-file-systems/overview.rst index bbba1c365d..14845de100 100644 --- a/doc/source/configuration/shared-file-systems/overview.rst +++ b/doc/source/configuration/shared-file-systems/overview.rst 
@@ -48,7 +48,7 @@ The Shared File Systems service contains the following components: allowed to perform. In the default configuration, most actions do not require a particular role unless they are restricted to administrators, but this can be configured by the system administrator in the appropriate - ``policy.json`` file that maintains the rules. A user's access to manage + ``policy.yaml`` file that maintains the rules. A user's access to manage particular shares is limited by tenant. Guest access to mount and use shares is secured by IP and/or user access rules. Quotas used to control resource consumption across available hardware resources are per tenant. diff --git a/doc/source/configuration/shared-file-systems/samples/policy.rst b/doc/source/configuration/shared-file-systems/samples/policy.rst index f41a381d98..8a630e3404 100644 --- a/doc/source/configuration/shared-file-systems/samples/policy.rst +++ b/doc/source/configuration/shared-file-systems/samples/policy.rst @@ -2,6 +2,14 @@ Policy configuration ==================== +.. warning:: + + JSON formatted policy file is deprecated since Manila 12.0.0 (Wallaby). + This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing + JSON-formatted policy file to YAML in a backward-compatible way. + +.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html + Configuration ~~~~~~~~~~~~~ diff --git a/doc/source/configuration/shared-file-systems/samples/sample_policy.rst b/doc/source/configuration/shared-file-systems/samples/sample_policy.rst index 312fd273c4..e1f9b945d6 100644 --- a/doc/source/configuration/shared-file-systems/samples/sample_policy.rst +++ b/doc/source/configuration/shared-file-systems/samples/sample_policy.rst 
@@ -2,6 +2,14 @@ Manila Sample Policy ==================== +.. warning:: + + JSON formatted policy file is deprecated since Manila 12.0.0 (Wallaby). + This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing + JSON-formatted policy file to YAML in a backward-compatible way. + +.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html + The following is a sample Manila policy file that has been auto-generated from default policy values in code. If you're using the default policies, then the maintenance of this file is not necessary. @@ -10,7 +18,7 @@ but it is not suggested to copy and paste into a deployment unless you're planni on providing a different policy for an operation that is not the default. For instance, if you want to change the default value of "share:create", you only need to keep this single rule in your policy config -file (**/etc/manila/policy.json**). +file (**/etc/manila/policy.yaml**). .. literalinclude:: ../../../_static/manila.policy.yaml.sample :language: ini diff --git a/doc/source/contributor/documenting_your_work.rst b/doc/source/contributor/documenting_your_work.rst index a31bcac1f5..843707aab0 100644 --- a/doc/source/contributor/documenting_your_work.rst +++ b/doc/source/contributor/documenting_your_work.rst @@ -105,7 +105,7 @@ OpenStack Security Guide - Any feature that has a security impact needs to be documented here. - In general, administrators will follow the guidelines regarding best practices of setting up their manila deployments with this guide. -- Any changes to ``policy.json`` based authorization, share network related +- Any changes to ``policy.yaml`` based authorization, share network related security, ``access`` to manila resources, tenant and user related information needs to be documented here. - **Link**: `Security guide `_ diff --git a/lower-constraints.txt b/lower-constraints.txt index abf5f0e7cd..dbc4daecfd 100644 --- a/lower-constraints.txt 
+++ b/lower-constraints.txt @@ -64,12 +64,12 @@ oslo.i18n==5.0.1 oslo.log==4.4.0 oslo.messaging==12.5.0 oslo.middleware==4.1.1 -oslo.policy==3.5.0 +oslo.policy==3.6.0 oslo.reports==2.2.0 oslo.rootwrap==6.2.0 oslo.serialization==4.0.1 oslo.service==2.4.0 -oslo.upgradecheck==1.1.1 +oslo.upgradecheck==1.3.0 oslo.utils==4.7.0 oslotest==4.4.1 packaging==20.4 diff --git a/manila/cmd/status.py b/manila/cmd/status.py index 56a33d9a6b..7a6171fde7 100644 --- a/manila/cmd/status.py +++ b/manila/cmd/status.py @@ -15,6 +15,7 @@ import sys from oslo_config import cfg +from oslo_upgradecheck import common_checks from oslo_upgradecheck import upgradecheck from manila.i18n import _ @@ -42,6 +43,8 @@ class Checks(upgradecheck.UpgradeCommands): _upgrade_checks = ( # In the future there should be some real checks added here (_('Placeholder'), _check_placeholder), + (_('Policy File JSON to YAML Migration'), + (common_checks.check_policy_json, {'conf': cfg.CONF})), ) diff --git a/manila/common/config.py b/manila/common/config.py index 50849bf922..f225b235ee 100644 --- a/manila/common/config.py +++ b/manila/common/config.py @@ -29,6 +29,7 @@ import socket from oslo_config import cfg from oslo_log import log from oslo_middleware import cors +from oslo_policy import opts as policy_opts from oslo_utils import netutils import six @@ -169,8 +170,8 @@ def verify_share_protocols(): raise exception.ManilaException(message=msg) -def set_middleware_defaults(): - """Update default configuration options for oslo.middleware.""" +def set_lib_defaults(): + """Update default configuration options for external lib namespace""" cors.set_defaults( allow_headers=['X-Auth-Token', 'X-OpenStack-Request-ID', @@ -193,3 +194,5 @@ def set_middleware_defaults(): 'DELETE', 'PATCH'] ) + # Update default value of oslo.policy policy_file config option. + policy_opts.set_defaults(CONF, 'policy.yaml') diff --git a/manila/policy.py b/manila/policy.py index 9d767ecddd..7c1bb13be5 100644 --- a/manila/policy.py 
+++ b/manila/policy.py @@ -20,6 +20,7 @@ import sys from oslo_config import cfg from oslo_log import log as logging +from oslo_policy import opts from oslo_policy import policy from oslo_utils import excutils @@ -31,6 +32,13 @@ LOG = logging.getLogger(__name__) _ENFORCER = None +# TODO(gmann): Remove setting the default value of config policy_file +# once oslo_policy change the default value to 'policy.yaml'. +# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 +DEFAULT_POLICY_FILE = 'policy.yaml' +opts.set_defaults(CONF, DEFAULT_POLICY_FILE) + + def reset(): global _ENFORCER if _ENFORCER: diff --git a/manila/tests/conf_fixture.py b/manila/tests/conf_fixture.py index 28a1325f25..f4d0316ad7 100644 --- a/manila/tests/conf_fixture.py +++ b/manila/tests/conf_fixture.py @@ -33,7 +33,7 @@ def set_defaults(conf): _safe_set_of_opts(conf, 'connection', "sqlite://", group='database') _safe_set_of_opts(conf, 'sqlite_synchronous', False) _POLICY_PATH = os.path.abspath(os.path.join(CONF.state_path, - 'manila/tests/policy.json')) + 'manila/tests/policy.yaml')) opts.set_defaults(conf, policy_file=_POLICY_PATH) _safe_set_of_opts(conf, 'share_export_ip', '0.0.0.0') _safe_set_of_opts(conf, 'service_instance_user', 'fake_user') diff --git a/manila/tests/policy.json b/manila/tests/policy.json deleted file mode 100644 index 1d5a0be257..0000000000 --- a/manila/tests/policy.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "context_is_admin": "role:admin", - "admin_api": "is_admin:True", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner", - - "availability_zone:index": "rule:default", - - "quota_set:update": "rule:admin_api", - "quota_set:show": "rule:default", - "quota_set:delete": "rule:admin_api", - - "quota_class_set:show": "rule:default", - "quota_class_set:update": "rule:admin_api", - - "service:index": "rule:admin_api", - "service:update": "rule:admin_api", - - "share:create": "", - "share:list_by_share_server_id": "rule:admin_api", - "share:get": "", - "share:get_all": "", - "share:delete": "rule:default", - "share:update": "rule:default", - "share:snapshot_update": "", - "share:create_snapshot": "", - "share:delete_snapshot": "", - "share:get_snapshot": "", - "share:get_all_snapshots": "", - "share:extend": "", - "share:shrink": "", - "share:manage": "rule:admin_api", - "share:unmanage": "rule:admin_api", - "share:force_delete": "rule:admin_api", - "share:reset_status": "rule:admin_api", - "share:migration_start": "rule:admin_api", - "share:migration_complete": "rule:admin_api", - "share:migration_cancel": "rule:admin_api", - "share:migration_get_progress": "rule:admin_api", - "share_export_location:index": "rule:default", - "share_export_location:show": "rule:default", - - "share_type:index": "rule:default", - "share_type:show": "rule:default", - "share_type:default": "rule:default", - "share_type:create": "rule:default", - "share_type:delete": "rule:default", - "share_type:add_project_access": "rule:admin_api", - "share_type:list_project_access": "rule:admin_api", - "share_type:remove_project_access": "rule:admin_api", - - "share_types_extra_spec:create": "rule:default", - "share_types_extra_spec:update": "rule:default", - "share_types_extra_spec:show": "rule:default", - "share_types_extra_spec:index": "rule:default", - "share_types_extra_spec:delete": "rule:default", - - "share_instance:index": 
"rule:admin_api", - "share_instance:show": "rule:admin_api", - "share_instance:force_delete": "rule:admin_api", - "share_instance:reset_status": "rule:admin_api", - - "share_snapshot:force_delete": "rule:admin_api", - "share_snapshot:reset_status": "rule:admin_api", - "share_snapshot:manage_snapshot": "rule:admin_api", - "share_snapshot:unmanage_snapshot": "rule:admin_api", - - "share_network:create": "", - "share_network:index": "", - "share_network:detail": "", - "share_network:show": "", - "share_network:update": "", - "share_network:delete": "", - "share_network:get_all_share_networks": "rule:admin_api", - - "share_server:index": "rule:admin_api", - "share_server:show": "rule:admin_api", - "share_server:details": "rule:admin_api", - "share_server:delete": "rule:admin_api", - - "share:get_share_metadata": "", - "share:delete_share_metadata": "", - "share:update_share_metadata": "", - "share_extension:availability_zones": "", - - "security_service:index": "", - "security_service:get_all_security_services": "rule:admin_api", - - "scheduler_stats:pools:index": "rule:admin_api", - "scheduler_stats:pools:detail": "rule:admin_api", - - "share_group:create" : "rule:default", - "share_group:delete": "rule:default", - "share_group:update": "rule:default", - "share_group:get": "rule:default", - "share_group:get_all": "rule:default", - "share_group:force_delete": "rule:admin_api", - "share_group:reset_status": "rule:admin_api", - - "share_group_snapshot:create" : "rule:default", - "share_group_snapshot:delete": "rule:default", - "share_group_snapshot:update" : "rule:default", - "share_group_snapshot:get": "rule:default", - "share_group_snapshot:get_all": "rule:default", - "share_group_snapshot:force_delete": "rule:admin_api", - "share_group_snapshot:reset_status": "rule:admin_api", - - "share_replica:get_all": "rule:default", - "share_replica:show": "rule:default", - "share_replica:create" : "rule:default", - "share_replica:delete": "rule:default", - 
"share_replica:promote": "rule:default", - "share_replica:resync": "rule:admin_api", - "share_replica:reset_status": "rule:admin_api", - "share_replica:force_delete": "rule:admin_api", - "share_replica:reset_replica_state": "rule:admin_api", - - "share_group_type:index": "rule:default", - "share_group_type:show": "rule:default", - "share_group_type:default": "rule:default", - "share_group_type:create": "rule:admin_api", - "share_group_type:delete": "rule:admin_api", - "share_group_type:add_project_access": "rule:admin_api", - "share_group_type:list_project_access": "rule:admin_api", - "share_group_type:remove_project_access": "rule:admin_api", - - "share_group_types_spec:create": "rule:admin_api", - "share_group_types_spec:update": "rule:admin_api", - "share_group_types_spec:show": "rule:admin_api", - "share_group_types_spec:index": "rule:admin_api", - "share_group_types_spec:delete": "rule:admin_api", - - "message:delete": "rule:default", - "message:get": "rule:default", - "message:get_all": "rule:default" -} diff --git a/manila/tests/policy.yaml b/manila/tests/policy.yaml new file mode 100644 index 0000000000..964deaedd5 --- /dev/null +++ b/manila/tests/policy.yaml 
@@ -0,0 +1,117 @@ +# WARNING: Below rules are either deprecated rules +# or extra rules in policy file, it is strongly +# recommended to switch to new rules. +"context_is_admin": "role:admin" +"admin_api": "is_admin:True" +"admin_or_owner": "is_admin:True or project_id:%(project_id)s" +"default": "rule:admin_or_owner" +"availability_zone:index": "rule:default" +"quota_set:update": "rule:admin_api" +"quota_set:show": "rule:default" +"quota_set:delete": "rule:admin_api" +"quota_class_set:show": "rule:default" +"quota_class_set:update": "rule:admin_api" +"service:index": "rule:admin_api" +"service:update": "rule:admin_api" +"share:create": "" +"share:list_by_share_server_id": "rule:admin_api" +"share:get": "" +"share:get_all": "" +"share:delete": "rule:default" +"share:update": "rule:default" +"share:snapshot_update": "" +"share:create_snapshot": "" +"share:delete_snapshot": "" +"share:get_snapshot": "" +"share:get_all_snapshots": "" +"share:extend": "" +"share:shrink": "" +"share:manage": "rule:admin_api" +"share:unmanage": "rule:admin_api" +"share:force_delete": "rule:admin_api" +"share:reset_status": "rule:admin_api" +"share:migration_start": "rule:admin_api" +"share:migration_complete": "rule:admin_api" +"share:migration_cancel": "rule:admin_api" +"share:migration_get_progress": "rule:admin_api" +"share_export_location:index": "rule:default" +"share_export_location:show": "rule:default" +"share_type:index": "rule:default" +"share_type:show": "rule:default" +"share_type:default": "rule:default" +"share_type:create": "rule:default" +"share_type:delete": "rule:default" +"share_type:add_project_access": "rule:admin_api" +"share_type:list_project_access": "rule:admin_api" +"share_type:remove_project_access": "rule:admin_api" +"share_types_extra_spec:create": "rule:default" +"share_types_extra_spec:update": "rule:default" +"share_types_extra_spec:show": "rule:default" +"share_types_extra_spec:index": "rule:default" +"share_types_extra_spec:delete": "rule:default" 
+"share_instance:index": "rule:admin_api" +"share_instance:show": "rule:admin_api" +"share_instance:force_delete": "rule:admin_api" +"share_instance:reset_status": "rule:admin_api" +"share_snapshot:force_delete": "rule:admin_api" +"share_snapshot:reset_status": "rule:admin_api" +"share_snapshot:manage_snapshot": "rule:admin_api" +"share_snapshot:unmanage_snapshot": "rule:admin_api" +"share_network:create": "" +"share_network:index": "" +"share_network:detail": "" +"share_network:show": "" +"share_network:update": "" +"share_network:delete": "" +"share_network:get_all_share_networks": "rule:admin_api" +"share_server:index": "rule:admin_api" +"share_server:show": "rule:admin_api" +"share_server:details": "rule:admin_api" +"share_server:delete": "rule:admin_api" +"share:get_share_metadata": "" +"share:delete_share_metadata": "" +"share:update_share_metadata": "" +"share_extension:availability_zones": "" +"security_service:index": "" +"security_service:get_all_security_services": "rule:admin_api" +"scheduler_stats:pools:index": "rule:admin_api" +"scheduler_stats:pools:detail": "rule:admin_api" +"share_group:create": "rule:default" +"share_group:delete": "rule:default" +"share_group:update": "rule:default" +"share_group:get": "rule:default" +"share_group:get_all": "rule:default" +"share_group:force_delete": "rule:admin_api" +"share_group:reset_status": "rule:admin_api" +"share_group_snapshot:create": "rule:default" +"share_group_snapshot:delete": "rule:default" +"share_group_snapshot:update": "rule:default" +"share_group_snapshot:get": "rule:default" +"share_group_snapshot:get_all": "rule:default" +"share_group_snapshot:force_delete": "rule:admin_api" +"share_group_snapshot:reset_status": "rule:admin_api" +"share_replica:get_all": "rule:default" +"share_replica:show": "rule:default" +"share_replica:create": "rule:default" +"share_replica:delete": "rule:default" +"share_replica:promote": "rule:default" +"share_replica:resync": "rule:admin_api" 
+"share_replica:reset_status": "rule:admin_api" +"share_replica:force_delete": "rule:admin_api" +"share_replica:reset_replica_state": "rule:admin_api" +"share_group_type:index": "rule:default" +"share_group_type:show": "rule:default" +"share_group_type:default": "rule:default" +"share_group_type:create": "rule:admin_api" +"share_group_type:delete": "rule:admin_api" +"share_group_type:add_project_access": "rule:admin_api" +"share_group_type:list_project_access": "rule:admin_api" +"share_group_type:remove_project_access": "rule:admin_api" +"share_group_types_spec:create": "rule:admin_api" +"share_group_types_spec:update": "rule:admin_api" +"share_group_types_spec:show": "rule:admin_api" +"share_group_types_spec:index": "rule:admin_api" +"share_group_types_spec:delete": "rule:admin_api" +"message:delete": "rule:default" +"message:get": "rule:default" +"message:get_all": "rule:default" diff --git a/releasenotes/notes/deprecate-json-formatted-policy-file-fd0345f215e6ccd5.yaml b/releasenotes/notes/deprecate-json-formatted-policy-file-fd0345f215e6ccd5.yaml new file mode 100644 index 0000000000..c9c5300045 --- /dev/null +++ b/releasenotes/notes/deprecate-json-formatted-policy-file-fd0345f215e6ccd5.yaml 
@@ -0,0 +1,20 @@ +--- +upgrade: + - | + The default value of ``[oslo_policy] policy_file`` config option has + been changed from ``policy.json`` to ``policy.yaml``. + Operators who are utilizing customized or previously generated + static policy JSON files (which are not needed by default), should + generate new policy files or convert them in YAML format. Use the + `oslopolicy-convert-json-to-yaml + `_ + tool to convert a JSON to YAML formatted policy file in + backward compatible way. +deprecations: + - | + Use of JSON policy files was deprecated by the ``oslo.policy`` library + during the Victoria development cycle. As a result, this deprecation is + being noted in the Wallaby cycle with an anticipated future removal of support + by ``oslo.policy``. As such operators will need to convert to YAML policy + files. Please see the upgrade notes for details on migration of any + custom policy files. diff --git a/requirements.txt b/requirements.txt index c70afc3abc..8ca9379303 100644 --- a/requirements.txt +++ b/requirements.txt @@ -17,12 +17,12 @@ oslo.i18n>=5.0.1 # Apache-2.0 oslo.log>=4.4.0 # Apache-2.0 oslo.messaging>=12.5.0 # Apache-2.0 oslo.middleware>=4.1.1 # Apache-2.0 -oslo.policy>=3.5.0 # Apache-2.0 +oslo.policy>=3.6.0 # Apache-2.0 oslo.reports>=2.2.0 # Apache-2.0 oslo.rootwrap>=6.2.0 # Apache-2.0 oslo.serialization>=4.0.1 # Apache-2.0 oslo.service>=2.4.0 # Apache-2.0 -oslo.upgradecheck>=1.1.1 # Apache-2.0 +oslo.upgradecheck>=1.3.0 # Apache-2.0 oslo.utils>=4.7.0 # Apache-2.0 oslo.concurrency>=4.3.0 # Apache-2.0 paramiko>=2.7.2 # LGPLv2.1+ diff --git a/setup.cfg b/setup.cfg index d5a39cdcec..7e3146effb 100644 --- a/setup.cfg +++ b/setup.cfg @@ -72,7 +72,7 @@ oslo_messaging.notify.drivers = oslo.config.opts = manila = manila.opts:list_opts oslo.config.opts.defaults = - manila = manila.common.config:set_middleware_defaults + manila = manila.common.config:set_lib_defaults oslo.policy.enforcer = manila = manila.policy:get_enforcer oslo.policy.policies =
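
Review bot: The ``policy_file`` default is now set in two places with the literal repeated. ``manila/policy.py`` runs ``opts.set_defaults(CONF, DEFAULT_POLICY_FILE)`` at import time, and ``set_lib_defaults()`` in ``manila/common/config.py`` calls ``policy_opts.set_defaults(CONF, 'policy.yaml')``. Keep one definition of the value (a constant both modules can import) so the two cannot drift apart. Repeat the ``TODO(gmann)`` removal note next to the ``config.py`` call so it is not left behind once oslo.policy changes its own default.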
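
Review bot: The rename of ``set_middleware_defaults`` to ``set_lib_defaults`` in ``manila/common/config.py`` leaves no alias behind, and only the ``setup.cfg`` entry point is updated in this diff. Confirm that no other in-tree caller or test still references the old name. The new docstring ("Update default configuration options for external lib namespace") is also missing its closing period.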
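
Review bot: In ``manila/cmd/status.py`` the ``_upgrade_checks`` tuple keeps the comment "In the future there should be some real checks added here" and the ``Placeholder`` entry, even though a real check, ``common_checks.check_policy_json``, is added directly below them. Reword or drop the comment, and consider removing the placeholder so the upgrade check output lists only checks that test something.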
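
Review bot: ``manila/tests/policy.yaml`` opens with the banner "WARNING: Below rules are either deprecated rules or extra rules in policy file", which as written covers every rule in the fixture, and the blank-line grouping that the deleted ``policy.json`` had between resource families is gone. For a hand-maintained test fixture, replace the banner with a comment saying this is the unit-test policy, and restore the grouping so that permissive entries such as ``"share:create": ""`` remain easy to spot next to the ``rule:admin_api`` ones.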
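
Review bot: In ``sample_policy.rst`` the prose now points at ``/etc/manila/policy.yaml``, but the unchanged ``.. literalinclude:: ../../../_static/manila.policy.yaml.sample`` directive right after it still uses ``:language: ini``; switch it to ``yaml`` while this file is being touched. The admin guides (``shared-file-systems-crud-share.rst``, ``shared-file-systems-share-replication.rst``) swap the file name without any pointer to the deprecation warning added in ``policy.rst``. A cross-reference there would help operators who still have a ``policy.json`` that grants ``force_delete`` or replica actions to extra roles.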
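
Review bot: The ``upgrade`` section of the release note says the ``[oslo_policy] policy_file`` default changed from ``policy.json`` to ``policy.yaml``, but not what happens to a deployment that has a customized ``policy.json`` on disk and never set the option explicitly. State that case outright, since it decides whether custom authorization rules are still enforced after the upgrade. Mention the "Policy File JSON to YAML Migration" upgrade check added in ``manila/cmd/status.py`` as the way to detect it. Two wording fixes: "convert them in YAML format" should read "convert them to YAML format", and "in backward compatible way" should read "in a backward-compatible way".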