[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to do two things: 1. Change the default value of '[oslo_policy] policy_file'' config option from 'policy.json' to 'policy.yaml' with upgrade checks. 2. Deprecate the JSON formatted policy file on the project side via warning in doc and releasenotes. Also convert the neutron_lib/tests/etc/policy.json and neutron_lib/tests/etc/dummy_policy.json to policy.yaml file. Replace policy.json to policy.yaml ref from doc and tests. [1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: I63a41a21784fa6ce6d9c249f41991c0df3346135
2020-11-27 00:43:34 -06:00 · 2020-11-27 00:43:34 -06:00 · 3cc97ca806
parent 6e95fff9cf
commit 3cc97ca806
7 changed files with 19 additions and 15 deletions
--- a/neutron_lib/policy/_engine.py
+++ b/neutron_lib/policy/_engine.py
@ -13,6 +13,7 @@
 import sys

 from oslo_config import cfg
+from oslo_policy import opts
 from oslo_policy import policy


@ -21,6 +22,13 @@ _ADMIN_CTX_POLICY = 'context_is_admin'
 _ADVSVC_CTX_POLICY = 'context_is_advsvc'


+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+
+
 _BASE_RULES = [
    policy.RuleDefault(
        _ADMIN_CTX_POLICY,
@ -104,7 +112,7 @@ def get_enforcer():
        i += 1

    # 'project' must be 'neutron' so that get_enforcer looks at
-    # /etc/neutron/policy.json by default.
+    # /etc/neutron/policy.yaml by default.
    cfg.CONF(conf_args, project='neutron')
    init()
    return _ROLE_ENFORCER
--- a/neutron_lib/tests/etc/dummy_policy.json
+++ b/neutron_lib/tests/etc/dummy_policy.json
@ -1,4 +0,0 @@
-{
-    "context_is_admin":  "role:dummy",
-    "context_is_advsvc":  "role:dummy"
-}
--- a/neutron_lib/tests/etc/dummy_policy.yaml
+++ b/neutron_lib/tests/etc/dummy_policy.yaml
@ -0,0 +1,2 @@
+"context_is_admin": "role:dummy"
+"context_is_advsvc": "role:dummy"
--- a/neutron_lib/tests/etc/policy.json
+++ b/neutron_lib/tests/etc/policy.json
@ -1,5 +0,0 @@
-{
-    "context_is_admin":  "role:admin",
-    "context_is_advsvc":  "role:advsvc",
-    "default": "rule:admin_or_owner"
-}
--- a/neutron_lib/tests/etc/policy.yaml
+++ b/neutron_lib/tests/etc/policy.yaml
@ -0,0 +1,3 @@
+"context_is_admin": "role:admin"
+"context_is_advsvc": "role:advsvc"
+"default": "rule:admin_or_owner"
--- a/neutron_lib/tests/unit/policy/test__engine.py
+++ b/neutron_lib/tests/unit/policy/test__engine.py
@ -39,13 +39,13 @@ class TestPolicyEnforcer(base.BaseTestCase):
        self.assertTrue(policy_engine.check_is_admin(ctx))

    def test_check_is_admin_no_roles_no_admin(self):
-        policy_engine.init(policy_file='dummy_policy.json')
+        policy_engine.init(policy_file='dummy_policy.yaml')
        ctx = context.Context('me', 'my_project', roles=['user']).elevated()
        # With no admin role, elevated() should not work.
        self.assertFalse(policy_engine.check_is_admin(ctx))

    def test_check_user_elevated_is_admin_with_default_policy(self):
-        policy_engine.init(policy_file='no_policy.json')
+        policy_engine.init(policy_file='no_policy.yaml')
        ctx = context.Context('me', 'my_project', roles=['user']).elevated()
        self.assertTrue(policy_engine.check_is_admin(ctx))

@ -63,12 +63,12 @@ class TestPolicyEnforcer(base.BaseTestCase):
        self.assertFalse(policy_engine.check_is_advsvc(ctx))

    def test_check_is_advsvc_no_roles_no_advsvc(self):
-        policy_engine.init(policy_file='dummy_policy.json')
+        policy_engine.init(policy_file='dummy_policy.yaml')
        ctx = context.Context('me', 'my_project', roles=['advsvc'])
        # No advsvc role in the policy file, so cannot assume the role.
        self.assertFalse(policy_engine.check_is_advsvc(ctx))

    def test_check_is_advsvc_role_with_default_policy(self):
-        policy_engine.init(policy_file='no_policy.json')
+        policy_engine.init(policy_file='no_policy.yaml')
        ctx = context.Context('me', 'my_project', roles=['advsvc'])
        self.assertTrue(policy_engine.check_is_advsvc(ctx))
--- a/neutron_lib/utils/net.py
+++ b/neutron_lib/utils/net.py
@ -78,7 +78,7 @@ def is_port_trusted(port):
    """Used to determine if port can be trusted not to attack network.

    Trust is currently based on the device_owner field starting with 'network:'
-    since we restrict who can use that in the default policy.json file.
+    since we restrict who can use that in the default policy.yaml file.

    :param port: The port dict to inspect the 'device_owner' for.
    :returns: True if the port dict's 'device_owner' value starts with the