[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file''
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also replace policy.json to policy.yaml ref from doc and tests.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I3b9aeb3379a76f7e40dab0c46e27f4447a0c3d03

doc/source/admin/configuration/config-guide.rst

@@ -122,14 +122,14 @@ directory.
       target: my_favorite_executor
     ...Workflow YAML...
 
-#. Configure role based access policies for Mistral endpoints (policy.json)::
+#. Configure role based access policies for Mistral endpoints (policy.yaml)::
 
      [oslo_policy]
-     policy_file = <path-of-policy.json file>
+     policy_file = <path-of-policy.yaml file>
 
-   Default policy.json file is in ``mistral/etc/``.
+   Default policy.yaml file is in ``mistral/etc/``.
-   For more details see `policy.json file
+   For more details see `policy.yaml file
-   <https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html>`_.
+   <https://docs.openstack.org/oslo.policy/latest/admin/policy-yaml-file.html>`_.
 
 #. Modify the action execution reporting configuration if needed.
 

doc/source/admin/configuration/policy-guide.rst

@@ -2,6 +2,14 @@
 Mistral Policy Configuration
 ============================
 
+.. warning::
+
+   JSON formatted policy file is deprecated since Mistral 12.0.0 (Wallaby).
+   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
+   JSON-formatted policy file to YAML in a backward-compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
 Configuration
 ~~~~~~~~~~~~~
 

doc/source/admin/configuration/samples/policy-yaml.rst

@@ -2,6 +2,14 @@
 policy.yaml
 ===========
 
+.. warning::
+
+   JSON formatted policy file is deprecated since Mistral 12.0.0 (Wallaby).
+   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
+   JSON-formatted policy file to YAML in a backward-compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
 Use the ``policy.yaml`` file to define additional access controls that apply to
 the Mistral services:
 

lower-constraints.txt

@@ -14,14 +14,14 @@ mistral-lib==2.3.0
 networkx==2.3
 nose==1.3.7
 oslo.concurrency==3.26.0
-oslo.config==5.2.0
+oslo.config==6.8.0
-oslo.context==2.20.0
+oslo.context==2.22.0
 oslo.db==4.40.0
 oslo.i18n==3.15.3
 oslo.log==3.36.0
 oslo.messaging==5.29.0
 oslo.middleware==3.31.0
-oslo.policy==1.30.0
+oslo.policy==3.6.0
 oslo.serialization==2.21.1
 oslo.service==2.1.0
 oslo.utils==4.0.0

mistral/api/access_control.py

@@ -16,6 +16,7 @@
 
 from keystonemiddleware import auth_token
 from oslo_config import cfg
+from oslo_policy import opts
 from oslo_policy import policy
 
 from mistral import exceptions as exc
@@ -27,6 +28,13 @@ CONF = cfg.CONF
 _ENFORCER = None
 
 
+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+
+
 def setup(app):
     if cfg.CONF.pecan.auth_enable and cfg.CONF.auth_type == 'keystone':
         conf = dict(cfg.CONF.keystone_authtoken)
@@ -71,7 +79,7 @@ def enforce(action, context, target=None, do_raise=True,
     target_obj.update(target or {})
 
     policy_context = context.to_policy_values()
-    # Because policy.json or policy.yaml example in Mistral repo still uses
+    # Because policy.yaml or policy.yaml example in Mistral repo still uses
     # the rule 'is_admin: True', we insert 'is_admin' key to the default
     # policy values.
     policy_context['is_admin'] = context.is_admin

mistral/config.py

@@ -26,6 +26,7 @@ from keystoneauth1 import loading
 from oslo_config import cfg
 from oslo_log import log
 from oslo_middleware import cors
+from oslo_policy import opts
 from osprofiler import opts as profiler
 
 from mistral import version
@@ -796,6 +797,10 @@ def parse_args(args=None, usage=None, default_config_files=None):
 def set_config_defaults():
     """This method updates all configuration default values."""
     set_cors_middleware_defaults()
+    # TODO(gmann): Remove setting the default value of config policy_file
+    # once oslo_policy change the default value to 'policy.yaml'.
+    # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+    opts.set_defaults(CONF, 'policy.yaml')
 
 
 def set_cors_middleware_defaults():

mistral/tests/unit/mstrlfixtures/policy_fixtures.py

@@ -25,6 +25,8 @@ class PolicyFixture(fixtures.Fixture):
     def setUp(self):
         super(PolicyFixture, self).setUp()
 
+        cfg.CONF(args=[], project='mistral')
+
         policy_opts.set_defaults(cfg.CONF)
 
         acl._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
@@ -35,12 +37,14 @@ class PolicyFixture(fixtures.Fixture):
 
     def register_rules(self, rules):
         enf = acl._ENFORCER
+
         for rule_name, rule_check_str in rules.items():
             enf.register_default(oslo_policy.RuleDefault(rule_name,
                                                          rule_check_str))
 
     def change_policy_definition(self, rules):
         enf = acl._ENFORCER
+
         for rule_name, rule_check_str in rules.items():
             enf.rules[rule_name] = oslo_policy.RuleDefault(
                 rule_name, rule_check_str).check

releasenotes/notes/deprecate-json-formatted-policy-file-0b46c3ef5c9450ef.yaml

@@ -0,0 +1,20 @@
+---
+upgrade:
+  - |
+    The default value of ``[oslo_policy] policy_file`` config option has
+    been changed from ``policy.json`` to ``policy.yaml``.
+    Operators who are utilizing customized or previously generated
+    static policy JSON files (which are not needed by default), should
+    generate new policy files or convert them in YAML format. Use the
+    `oslopolicy-convert-json-to-yaml
+    <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
+    tool to convert a JSON to YAML formatted policy file in
+    backward compatible way.
+deprecations:
+  - |
+    Use of JSON policy files was deprecated by the ``oslo.policy`` library
+    during the Victoria development cycle. As a result, this deprecation is
+    being noted in the Wallaby cycle with an anticipated future removal of support
+    by ``oslo.policy``. As such operators will need to convert to YAML policy
+    files. Please see the upgrade notes for details on migration of any
+    custom policy files.

requirements.txt

@@ -14,13 +14,13 @@ kombu!=4.0.2,>=4.6.1 # BSD
 mistral-lib>=2.3.0 # Apache-2.0
 networkx>=2.3 # BSD
 oslo.concurrency>=3.26.0 # Apache-2.0
-oslo.config>=5.2.0 # Apache-2.0
+oslo.config>=6.8.0 # Apache-2.0
-oslo.context>=2.20.0 # Apache-2.0
+oslo.context>=2.22.0 # Apache-2.0
 oslo.db>=4.40.0 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0
 oslo.messaging>=5.29.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=1.30.0 # Apache-2.0
+oslo.policy>=3.6.0 # Apache-2.0
 oslo.utils>=4.0.0 # Apache-2.0
 oslo.log>=3.36.0 # Apache-2.0
 oslo.serialization>=2.21.1 # Apache-2.0

setup.cfg

@@ -41,7 +41,7 @@ oslo.config.opts =
     mistral.config = mistral.config:list_opts
 
 oslo.config.opts.defaults =
-    mistral.config = mistral.config:set_cors_middleware_defaults
+    mistral.config = mistral.config:set_config_defaults
 
 oslo.policy.policies =
     mistral = mistral.policies:list_rules