[goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file format from JSON to YAML[1], we need to do two things: 1. Change the default value of the '[oslo_policy] policy_file' config option from 'policy.json' to 'policy.yaml' with upgrade checks. 2. Deprecate the JSON formatted policy file on the project side via warnings in docs and release notes. Also convert neutron_lib/tests/etc/policy.json and neutron_lib/tests/etc/dummy_policy.json to policy.yaml files. Replace policy.json with policy.yaml references in docs and tests. [1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: I63a41a21784fa6ce6d9c249f41991c0df3346135
This commit is contained in:
parent
6e95fff9cf
commit
3cc97ca806
|
@ -13,6 +13,7 @@
|
|||
import sys
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_policy import opts
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
|
@ -21,6 +22,13 @@ _ADMIN_CTX_POLICY = 'context_is_admin'
|
|||
_ADVSVC_CTX_POLICY = 'context_is_advsvc'
|
||||
|
||||
|
||||
# TODO(gmann): Remove setting the default value of config policy_file
|
||||
# once oslo_policy change the default value to 'policy.yaml'.
|
||||
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||
DEFAULT_POLICY_FILE = 'policy.yaml'
|
||||
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
|
||||
|
||||
|
||||
_BASE_RULES = [
|
||||
policy.RuleDefault(
|
||||
_ADMIN_CTX_POLICY,
|
||||
|
@ -104,7 +112,7 @@ def get_enforcer():
|
|||
i += 1
|
||||
|
||||
# 'project' must be 'neutron' so that get_enforcer looks at
|
||||
# /etc/neutron/policy.json by default.
|
||||
# /etc/neutron/policy.yaml by default.
|
||||
cfg.CONF(conf_args, project='neutron')
|
||||
init()
|
||||
return _ROLE_ENFORCER
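Review bot: `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)` in the second hunk changes, at import time, which file the enforcer looks for, but nothing in these hunks handles a deployment that still carries only a customized policy.json; as far as I can tell from oslo.policy's Enforcer, a missing policy file is not an error and the enforcer quietly falls back to the registered `_BASE_RULES`, so operator overrides would disappear after an upgrade without any failure. The commit message mentions upgrade checks, but none appear in this section, so the consequence should at least be stated next to the TODO: `# NOTE: with this default a deployment that ships only policy.json falls back to _BASE_RULES; the upgrade check must flag that case.` The third hunk only corrects the comment inside get_enforcer, whose body starts before the hunk.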
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"context_is_admin": "role:dummy",
|
||||
"context_is_advsvc": "role:dummy"
|
||||
}
|
|
@ -0,0 +1,2 @@
|
|||
"context_is_admin": "role:dummy"
|
||||
"context_is_advsvc": "role:dummy"
|
|
@ -1,5 +0,0 @@
|
|||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"context_is_advsvc": "role:advsvc",
|
||||
"default": "rule:admin_or_owner"
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
"context_is_admin": "role:admin"
|
||||
"context_is_advsvc": "role:advsvc"
|
||||
"default": "rule:admin_or_owner"
|
|
@ -39,13 +39,13 @@ class TestPolicyEnforcer(base.BaseTestCase):
|
|||
self.assertTrue(policy_engine.check_is_admin(ctx))
|
||||
|
||||
def test_check_is_admin_no_roles_no_admin(self):
|
||||
policy_engine.init(policy_file='dummy_policy.json')
|
||||
policy_engine.init(policy_file='dummy_policy.yaml')
|
||||
ctx = context.Context('me', 'my_project', roles=['user']).elevated()
|
||||
# With no admin role, elevated() should not work.
|
||||
self.assertFalse(policy_engine.check_is_admin(ctx))
|
||||
|
||||
def test_check_user_elevated_is_admin_with_default_policy(self):
|
||||
policy_engine.init(policy_file='no_policy.json')
|
||||
policy_engine.init(policy_file='no_policy.yaml')
|
||||
ctx = context.Context('me', 'my_project', roles=['user']).elevated()
|
||||
self.assertTrue(policy_engine.check_is_admin(ctx))
|
||||
|
||||
|
@ -63,12 +63,12 @@ class TestPolicyEnforcer(base.BaseTestCase):
|
|||
self.assertFalse(policy_engine.check_is_advsvc(ctx))
|
||||
|
||||
def test_check_is_advsvc_no_roles_no_advsvc(self):
|
||||
policy_engine.init(policy_file='dummy_policy.json')
|
||||
policy_engine.init(policy_file='dummy_policy.yaml')
|
||||
ctx = context.Context('me', 'my_project', roles=['advsvc'])
|
||||
# No advsvc role in the policy file, so cannot assume the role.
|
||||
self.assertFalse(policy_engine.check_is_advsvc(ctx))
|
||||
|
||||
def test_check_is_advsvc_role_with_default_policy(self):
|
||||
policy_engine.init(policy_file='no_policy.json')
|
||||
policy_engine.init(policy_file='no_policy.yaml')
|
||||
ctx = context.Context('me', 'my_project', roles=['advsvc'])
|
||||
self.assertTrue(policy_engine.check_is_advsvc(ctx))
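Review bot: The four renamed `policy_engine.init(policy_file=...)` calls in both hunks of this section leave the old intent implicit: `dummy_policy.yaml` is a fixture this commit adds, while `no_policy.yaml` is presumably a file that does not exist so that the enforcer falls back to the registered defaults, and nothing in the tests says so. A one-line comment above each of the two `no_policy.yaml` calls would make the expectation explicit and keep a future fixture of that name from silently changing what the assertions prove: `# 'no_policy.yaml' intentionally does not exist; the enforcer falls back to the in-code defaults.` This applies to `test_check_user_elevated_is_admin_with_default_policy` in the first hunk and `test_check_is_advsvc_role_with_default_policy` in the second; the enclosing class TestPolicyEnforcer starts outside both hunks.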
|
||||
|
|
|
@ -78,7 +78,7 @@ def is_port_trusted(port):
|
|||
"""Used to determine if port can be trusted not to attack network.
|
||||
|
||||
Trust is currently based on the device_owner field starting with 'network:'
|
||||
since we restrict who can use that in the default policy.json file.
|
||||
since we restrict who can use that in the default policy.yaml file.
|
||||
|
||||
:param port: The port dict to inspect the 'device_owner' for.
|
||||
:returns: True if the port dict's 'device_owner' value starts with the
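Review bot: The reworded docstring line `since we restrict who can use that in the default policy.yaml file.` still ties the trust assumption to a specific file name, while this same commit moves the lookup default and deprecates the file-based format; if the restriction on `device_owner` values starting with `'network:'` is enforced by registered policy defaults rather than a shipped file, a reader auditing the file alone could conclude the guard is absent. Consider `since the default policy restricts who can set that value.` so the sentence stays accurate whichever form the defaults take. The body of `is_port_trusted` lies outside the hunk, so the check it actually performs cannot be confirmed here.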
|
||||
|
|