Merge "[goal] Deprecate the JSON formatted policy file"

2021-01-15 23:43:15 +00:00 · 2021-01-15 23:43:15 +00:00 · ebef6408c3
commit ebef6408c3
parent a6b8d5b170 0cc7cbc36d
16 changed files with 182 additions and 151 deletions
--- a/doc/source/admin/shared-file-systems-crud-share.rst
+++ b/doc/source/admin/shared-file-systems-crud-share.rst
@ -562,13 +562,13 @@ You also can force-delete a share.
 The shares cannot be deleted in transitional states. The transitional
 states are ``creating``, ``deleting``, ``managing``, ``unmanaging``,
 ``migrating``, ``extending``, and ``shrinking`` statuses for the shares.
-Force-deletion deletes an object in any state. Use the ``policy.json`` file
+Force-deletion deletes an object in any state. Use the ``policy.yaml`` file
 to grant permissions for this action to other roles.
 .. tip::
-   The configuration file ``policy.json`` may be used from different places.
+   The configuration file ``policy.yaml`` may be used from different places.
-   The path ``/etc/manila/policy.json`` is one of expected paths by default.
+   The path ``/etc/manila/policy.yaml`` is one of expected paths by default.
 Use **manila delete <share_name_or_ID>** command to delete a specified share:
--- a/doc/source/admin/shared-file-systems-share-replication.rst
+++ b/doc/source/admin/shared-file-systems-share-replication.rst
@ -599,7 +599,7 @@ Use the :command:`manila share-replica-delete` command with the
 .. note::
   This command has no output.
-Use the ``policy.json`` file to grant permissions for these actions to other
+Use the ``policy.yaml`` file to grant permissions for these actions to other
 roles.
--- a/doc/source/configuration/shared-file-systems/overview.rst
+++ b/doc/source/configuration/shared-file-systems/overview.rst
@ -48,7 +48,7 @@ The Shared File Systems service contains the following components:
   allowed to perform. In the default configuration, most actions do not
   require a particular role unless they are restricted to administrators, but
   this can be configured by the system administrator in the appropriate
-   ``policy.json`` file that maintains the rules. A user's access to manage
+   ``policy.yaml`` file that maintains the rules. A user's access to manage
   particular shares is limited by tenant. Guest access to mount and use shares
   is secured by IP and/or user access rules. Quotas used to control resource
   consumption across available hardware resources are per tenant.
--- a/doc/source/configuration/shared-file-systems/samples/policy.rst
+++ b/doc/source/configuration/shared-file-systems/samples/policy.rst
@ -2,6 +2,14 @@
 Policy configuration
 ====================
 .. warning::
   JSON formatted policy file is deprecated since Manila 12.0.0 (Wallaby).
   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
   JSON-formatted policy file to YAML in a backward-compatible way.
 .. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
 Configuration
 ~~~~~~~~~~~~~
--- a/doc/source/configuration/shared-file-systems/samples/sample_policy.rst
+++ b/doc/source/configuration/shared-file-systems/samples/sample_policy.rst
@ -2,6 +2,14 @@
 Manila Sample Policy
 ====================
 .. warning::
   JSON formatted policy file is deprecated since Manila 12.0.0 (Wallaby).
   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
   JSON-formatted policy file to YAML in a backward-compatible way.
 .. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
 The following is a sample Manila policy file that has been auto-generated
 from default policy values in code. If you're using the default policies, then
 the maintenance of this file is not necessary.
@ -10,7 +18,7 @@ but it is not suggested to copy and paste into a deployment unless you're planni
 on providing a different policy for an operation that is not the default. For
 instance, if you want to change the default value of "share:create", you only
 need to keep this single rule in your policy config
-file (**/etc/manila/policy.json**).
+file (**/etc/manila/policy.yaml**).
 .. literalinclude:: ../../../_static/manila.policy.yaml.sample
   :language: ini
--- a/doc/source/contributor/documenting_your_work.rst
+++ b/doc/source/contributor/documenting_your_work.rst
@ -105,7 +105,7 @@ OpenStack Security Guide
 - Any feature that has a security impact needs to be documented here.
 - In general, administrators will follow the guidelines regarding best
  practices of setting up their manila deployments with this guide.
- Any changes to ``policy.json`` based authorization, share network related
+- Any changes to ``policy.yaml`` based authorization, share network related
  security, ``access`` to manila resources, tenant and user related
  information needs to be documented here.
 - **Link**: `Security guide <http://docs.openstack.org/security-guide/>`_
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -64,12 +64,12 @@ oslo.i18n==5.0.1
 oslo.log==4.4.0
 oslo.messaging==12.5.0
 oslo.middleware==4.1.1
-oslo.policy==3.5.0
+oslo.policy==3.6.0
 oslo.reports==2.2.0
 oslo.rootwrap==6.2.0
 oslo.serialization==4.0.1
 oslo.service==2.4.0
-oslo.upgradecheck==1.1.1
+oslo.upgradecheck==1.3.0
 oslo.utils==4.7.0
 oslotest==4.4.1
 packaging==20.4
--- a/manila/cmd/status.py
+++ b/manila/cmd/status.py
@ -15,6 +15,7 @@
 import sys
 from oslo_config import cfg
 from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck
 from manila.i18n import _
@ -42,6 +43,8 @@ class Checks(upgradecheck.UpgradeCommands):
    _upgrade_checks = (
        # In the future there should be some real checks added here
        (_('Placeholder'), _check_placeholder),
        (_('Policy File JSON to YAML Migration'),
         (common_checks.check_policy_json, {'conf': cfg.CONF})),
    )
--- a/manila/common/config.py
+++ b/manila/common/config.py
@ -29,6 +29,7 @@ import socket
 from oslo_config import cfg
 from oslo_log import log
 from oslo_middleware import cors
 from oslo_policy import opts as policy_opts
 from oslo_utils import netutils
 import six
@ -169,8 +170,8 @@ def verify_share_protocols():
        raise exception.ManilaException(message=msg)
-def set_middleware_defaults():
+def set_lib_defaults():
-    """Update default configuration options for oslo.middleware."""
+    """Update default configuration options for external lib namespace"""
    cors.set_defaults(
        allow_headers=['X-Auth-Token',
                       'X-OpenStack-Request-ID',
@ -193,3 +194,5 @@ def set_middleware_defaults():
                       'DELETE',
                       'PATCH']
    )
    # Update default value of oslo.policy policy_file config option.
    policy_opts.set_defaults(CONF, 'policy.yaml')
--- a/manila/policy.py
+++ b/manila/policy.py
@ -20,6 +20,7 @@ import sys
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_policy import opts
 from oslo_policy import policy
 from oslo_utils import excutils
@ -31,6 +32,13 @@ LOG = logging.getLogger(__name__)
 _ENFORCER = None
 # TODO(gmann): Remove setting the default value of config policy_file
 # once oslo_policy change the default value to 'policy.yaml'.
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
 opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
 def reset():
    global _ENFORCER
    if _ENFORCER:
--- a/manila/tests/conf_fixture.py
+++ b/manila/tests/conf_fixture.py
@ -33,7 +33,7 @@ def set_defaults(conf):
    _safe_set_of_opts(conf, 'connection', "sqlite://", group='database')
    _safe_set_of_opts(conf, 'sqlite_synchronous', False)
    _POLICY_PATH = os.path.abspath(os.path.join(CONF.state_path,
-                                                'manila/tests/policy.json'))
+                                                'manila/tests/policy.yaml'))
    opts.set_defaults(conf, policy_file=_POLICY_PATH)
    _safe_set_of_opts(conf, 'share_export_ip', '0.0.0.0')
    _safe_set_of_opts(conf, 'service_instance_user', 'fake_user')
--- a/manila/tests/policy.json
+++ b/manila/tests/policy.json
@ -1,136 +0,0 @@
 {
    "context_is_admin": "role:admin",
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "availability_zone:index": "rule:default",
    "quota_set:update": "rule:admin_api",
    "quota_set:show": "rule:default",
    "quota_set:delete": "rule:admin_api",
    "quota_class_set:show": "rule:default",
    "quota_class_set:update": "rule:admin_api",
    "service:index": "rule:admin_api",
    "service:update": "rule:admin_api",
    "share:create": "",
    "share:list_by_share_server_id": "rule:admin_api",
    "share:get": "",
    "share:get_all": "",
    "share:delete": "rule:default",
    "share:update": "rule:default",
    "share:snapshot_update": "",
    "share:create_snapshot": "",
    "share:delete_snapshot": "",
    "share:get_snapshot": "",
    "share:get_all_snapshots": "",
    "share:extend": "",
    "share:shrink": "",
    "share:manage": "rule:admin_api",
    "share:unmanage": "rule:admin_api",
    "share:force_delete": "rule:admin_api",
    "share:reset_status": "rule:admin_api",
    "share:migration_start": "rule:admin_api",
    "share:migration_complete": "rule:admin_api",
    "share:migration_cancel": "rule:admin_api",
    "share:migration_get_progress": "rule:admin_api",
    "share_export_location:index": "rule:default",
    "share_export_location:show": "rule:default",
    "share_type:index": "rule:default",
    "share_type:show": "rule:default",
    "share_type:default": "rule:default",
    "share_type:create": "rule:default",
    "share_type:delete": "rule:default",
    "share_type:add_project_access": "rule:admin_api",
    "share_type:list_project_access": "rule:admin_api",
    "share_type:remove_project_access": "rule:admin_api",
    "share_types_extra_spec:create": "rule:default",
    "share_types_extra_spec:update": "rule:default",
    "share_types_extra_spec:show": "rule:default",
    "share_types_extra_spec:index": "rule:default",
    "share_types_extra_spec:delete": "rule:default",
    "share_instance:index": "rule:admin_api",
    "share_instance:show": "rule:admin_api",
    "share_instance:force_delete": "rule:admin_api",
    "share_instance:reset_status": "rule:admin_api",
    "share_snapshot:force_delete": "rule:admin_api",
    "share_snapshot:reset_status": "rule:admin_api",
    "share_snapshot:manage_snapshot": "rule:admin_api",
    "share_snapshot:unmanage_snapshot": "rule:admin_api",
    "share_network:create": "",
    "share_network:index": "",
    "share_network:detail": "",
    "share_network:show": "",
    "share_network:update": "",
    "share_network:delete": "",
    "share_network:get_all_share_networks": "rule:admin_api",
    "share_server:index": "rule:admin_api",
    "share_server:show": "rule:admin_api",
    "share_server:details": "rule:admin_api",
    "share_server:delete": "rule:admin_api",
    "share:get_share_metadata": "",
    "share:delete_share_metadata": "",
    "share:update_share_metadata": "",
    "share_extension:availability_zones": "",
     "security_service:index": "",
     "security_service:get_all_security_services": "rule:admin_api",
    "scheduler_stats:pools:index": "rule:admin_api",
    "scheduler_stats:pools:detail": "rule:admin_api",
    "share_group:create" : "rule:default",
    "share_group:delete": "rule:default",
    "share_group:update": "rule:default",
    "share_group:get": "rule:default",
    "share_group:get_all": "rule:default",
    "share_group:force_delete": "rule:admin_api",
    "share_group:reset_status": "rule:admin_api",
    "share_group_snapshot:create" : "rule:default",
    "share_group_snapshot:delete": "rule:default",
    "share_group_snapshot:update" : "rule:default",
    "share_group_snapshot:get": "rule:default",
    "share_group_snapshot:get_all": "rule:default",
    "share_group_snapshot:force_delete": "rule:admin_api",
    "share_group_snapshot:reset_status": "rule:admin_api",
    "share_replica:get_all": "rule:default",
    "share_replica:show": "rule:default",
    "share_replica:create" : "rule:default",
    "share_replica:delete": "rule:default",
    "share_replica:promote": "rule:default",
    "share_replica:resync": "rule:admin_api",
    "share_replica:reset_status": "rule:admin_api",
    "share_replica:force_delete": "rule:admin_api",
    "share_replica:reset_replica_state": "rule:admin_api",
    "share_group_type:index": "rule:default",
    "share_group_type:show": "rule:default",
    "share_group_type:default": "rule:default",
    "share_group_type:create": "rule:admin_api",
    "share_group_type:delete": "rule:admin_api",
    "share_group_type:add_project_access": "rule:admin_api",
    "share_group_type:list_project_access": "rule:admin_api",
    "share_group_type:remove_project_access": "rule:admin_api",
    "share_group_types_spec:create": "rule:admin_api",
    "share_group_types_spec:update": "rule:admin_api",
    "share_group_types_spec:show": "rule:admin_api",
    "share_group_types_spec:index": "rule:admin_api",
    "share_group_types_spec:delete": "rule:admin_api",
    "message:delete": "rule:default",
    "message:get": "rule:default",
    "message:get_all": "rule:default"
 }
--- a/manila/tests/policy.yaml
+++ b/manila/tests/policy.yaml
@ -0,0 +1,117 @@
 # WARNING: Below rules are either deprecated rules
 # or extra rules in policy file, it is strongly
 # recommended to switch to new rules.
 "context_is_admin": "role:admin"
 "admin_api": "is_admin:True"
 "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
 "default": "rule:admin_or_owner"
 "availability_zone:index": "rule:default"
 "quota_set:update": "rule:admin_api"
 "quota_set:show": "rule:default"
 "quota_set:delete": "rule:admin_api"
 "quota_class_set:show": "rule:default"
 "quota_class_set:update": "rule:admin_api"
 "service:index": "rule:admin_api"
 "service:update": "rule:admin_api"
 "share:create": ""
 "share:list_by_share_server_id": "rule:admin_api"
 "share:get": ""
 "share:get_all": ""
 "share:delete": "rule:default"
 "share:update": "rule:default"
 "share:snapshot_update": ""
 "share:create_snapshot": ""
 "share:delete_snapshot": ""
 "share:get_snapshot": ""
 "share:get_all_snapshots": ""
 "share:extend": ""
 "share:shrink": ""
 "share:manage": "rule:admin_api"
 "share:unmanage": "rule:admin_api"
 "share:force_delete": "rule:admin_api"
 "share:reset_status": "rule:admin_api"
 "share:migration_start": "rule:admin_api"
 "share:migration_complete": "rule:admin_api"
 "share:migration_cancel": "rule:admin_api"
 "share:migration_get_progress": "rule:admin_api"
 "share_export_location:index": "rule:default"
 "share_export_location:show": "rule:default"
 "share_type:index": "rule:default"
 "share_type:show": "rule:default"
 "share_type:default": "rule:default"
 "share_type:create": "rule:default"
 "share_type:delete": "rule:default"
 "share_type:add_project_access": "rule:admin_api"
 "share_type:list_project_access": "rule:admin_api"
 "share_type:remove_project_access": "rule:admin_api"
 "share_types_extra_spec:create": "rule:default"
 "share_types_extra_spec:update": "rule:default"
 "share_types_extra_spec:show": "rule:default"
 "share_types_extra_spec:index": "rule:default"
 "share_types_extra_spec:delete": "rule:default"
 "share_instance:index": "rule:admin_api"
 "share_instance:show": "rule:admin_api"
 "share_instance:force_delete": "rule:admin_api"
 "share_instance:reset_status": "rule:admin_api"
 "share_snapshot:force_delete": "rule:admin_api"
 "share_snapshot:reset_status": "rule:admin_api"
 "share_snapshot:manage_snapshot": "rule:admin_api"
 "share_snapshot:unmanage_snapshot": "rule:admin_api"
 "share_network:create": ""
 "share_network:index": ""
 "share_network:detail": ""
 "share_network:show": ""
 "share_network:update": ""
 "share_network:delete": ""
 "share_network:get_all_share_networks": "rule:admin_api"
 "share_server:index": "rule:admin_api"
 "share_server:show": "rule:admin_api"
 "share_server:details": "rule:admin_api"
 "share_server:delete": "rule:admin_api"
 "share:get_share_metadata": ""
 "share:delete_share_metadata": ""
 "share:update_share_metadata": ""
 "share_extension:availability_zones": ""
 "security_service:index": ""
 "security_service:get_all_security_services": "rule:admin_api"
 "scheduler_stats:pools:index": "rule:admin_api"
 "scheduler_stats:pools:detail": "rule:admin_api"
 "share_group:create": "rule:default"
 "share_group:delete": "rule:default"
 "share_group:update": "rule:default"
 "share_group:get": "rule:default"
 "share_group:get_all": "rule:default"
 "share_group:force_delete": "rule:admin_api"
 "share_group:reset_status": "rule:admin_api"
 "share_group_snapshot:create": "rule:default"
 "share_group_snapshot:delete": "rule:default"
 "share_group_snapshot:update": "rule:default"
 "share_group_snapshot:get": "rule:default"
 "share_group_snapshot:get_all": "rule:default"
 "share_group_snapshot:force_delete": "rule:admin_api"
 "share_group_snapshot:reset_status": "rule:admin_api"
 "share_replica:get_all": "rule:default"
 "share_replica:show": "rule:default"
 "share_replica:create": "rule:default"
 "share_replica:delete": "rule:default"
 "share_replica:promote": "rule:default"
 "share_replica:resync": "rule:admin_api"
 "share_replica:reset_status": "rule:admin_api"
 "share_replica:force_delete": "rule:admin_api"
 "share_replica:reset_replica_state": "rule:admin_api"
 "share_group_type:index": "rule:default"
 "share_group_type:show": "rule:default"
 "share_group_type:default": "rule:default"
 "share_group_type:create": "rule:admin_api"
 "share_group_type:delete": "rule:admin_api"
 "share_group_type:add_project_access": "rule:admin_api"
 "share_group_type:list_project_access": "rule:admin_api"
 "share_group_type:remove_project_access": "rule:admin_api"
 "share_group_types_spec:create": "rule:admin_api"
 "share_group_types_spec:update": "rule:admin_api"
 "share_group_types_spec:show": "rule:admin_api"
 "share_group_types_spec:index": "rule:admin_api"
 "share_group_types_spec:delete": "rule:admin_api"
 "message:delete": "rule:default"
 "message:get": "rule:default"
 "message:get_all": "rule:default"
--- a/releasenotes/notes/deprecate-json-formatted-policy-file-fd0345f215e6ccd5.yaml
+++ b/releasenotes/notes/deprecate-json-formatted-policy-file-fd0345f215e6ccd5.yaml
@ -0,0 +1,20 @@
 ---
 upgrade:
  - |
    The default value of ``[oslo_policy] policy_file`` config option has
    been changed from ``policy.json`` to ``policy.yaml``.
    Operators who are utilizing customized or previously generated
    static policy JSON files (which are not needed by default), should
    generate new policy files or convert them in YAML format. Use the
    `oslopolicy-convert-json-to-yaml
    <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
    tool to convert a JSON to YAML formatted policy file in
    backward compatible way.
 deprecations:
  - |
    Use of JSON policy files was deprecated by the ``oslo.policy`` library
    during the Victoria development cycle. As a result, this deprecation is
    being noted in the Wallaby cycle with an anticipated future removal of support
    by ``oslo.policy``. As such operators will need to convert to YAML policy
    files. Please see the upgrade notes for details on migration of any
    custom policy files.
--- a/requirements.txt
+++ b/requirements.txt
@ -17,12 +17,12 @@ oslo.i18n>=5.0.1 # Apache-2.0
 oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=12.5.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.5.0 # Apache-2.0
+oslo.policy>=3.6.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0
 oslo.serialization>=4.0.1 # Apache-2.0
 oslo.service>=2.4.0 # Apache-2.0
-oslo.upgradecheck>=1.1.1 # Apache-2.0
+oslo.upgradecheck>=1.3.0 # Apache-2.0
 oslo.utils>=4.7.0 # Apache-2.0
 oslo.concurrency>=4.3.0 # Apache-2.0
 paramiko>=2.7.2 # LGPLv2.1+
--- a/setup.cfg
+++ b/setup.cfg
@ -72,7 +72,7 @@ oslo_messaging.notify.drivers =
 oslo.config.opts =
    manila = manila.opts:list_opts
 oslo.config.opts.defaults =
-    manila = manila.common.config:set_middleware_defaults
+    manila = manila.common.config:set_lib_defaults
 oslo.policy.enforcer =
    manila = manila.policy:get_enforcer
 oslo.policy.policies =