[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:

1. Change the default value of the '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also convert the neutron_lib/tests/etc/policy.json and
neutron_lib/tests/etc/dummy_policy.json to policy.yaml
file. Replace policy.json to policy.yaml ref from doc and tests.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I63a41a21784fa6ce6d9c249f41991c0df3346135
This commit is contained in:
Ghanshyam Mann
2020-11-27 00:43:34 -06:00
committed by Rodolfo Alonso
parent 6e95fff9cf
commit 3cc97ca806
7 changed files with 19 additions and 15 deletions


@@ -13,6 +13,7 @@
import sys import sys
from oslo_config import cfg from oslo_config import cfg
from oslo_policy import opts
from oslo_policy import policy from oslo_policy import policy
@@ -21,6 +22,13 @@ _ADMIN_CTX_POLICY = 'context_is_admin'
_ADVSVC_CTX_POLICY = 'context_is_advsvc' _ADVSVC_CTX_POLICY = 'context_is_advsvc'
# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
_BASE_RULES = [ _BASE_RULES = [
policy.RuleDefault( policy.RuleDefault(
_ADMIN_CTX_POLICY, _ADMIN_CTX_POLICY,
@@ -104,7 +112,7 @@ def get_enforcer():
i += 1 i += 1
# 'project' must be 'neutron' so that get_enforcer looks at # 'project' must be 'neutron' so that get_enforcer looks at
# /etc/neutron/policy.json by default. # /etc/neutron/policy.yaml by default.
cfg.CONF(conf_args, project='neutron') cfg.CONF(conf_args, project='neutron')
init() init()
return _ROLE_ENFORCER return _ROLE_ENFORCER
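Review bot: The module-level `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)` changes at import time which file the enforcer looks for, and nothing in the hunk notices a deployment that still carries a customized policy.json. The tests in this same commit (`policy_file='no_policy.yaml'` still passing `check_is_admin`) suggest that a missing policy file falls back to the in-code defaults, so operator-tightened rules in an unmigrated JSON file would appear to be dropped without any error. The commit message mentions upgrade checks, but none are among the changed files visible here; if they live elsewhere the TODO comment should point to them, otherwise the new default deserves a note such as `# NOTE: a customized policy.json must be renamed to policy.yaml; a missing file falls back to the in-code defaults.`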


@@ -1,4 +0,0 @@
{
"context_is_admin": "role:dummy",
"context_is_advsvc": "role:dummy"
}


@@ -0,0 +1,2 @@
"context_is_admin": "role:dummy"
"context_is_advsvc": "role:dummy"


@@ -1,5 +0,0 @@
{
"context_is_admin": "role:admin",
"context_is_advsvc": "role:advsvc",
"default": "rule:admin_or_owner"
}


@@ -0,0 +1,3 @@
"context_is_admin": "role:admin"
"context_is_advsvc": "role:advsvc"
"default": "rule:admin_or_owner"


@@ -39,13 +39,13 @@ class TestPolicyEnforcer(base.BaseTestCase):
self.assertTrue(policy_engine.check_is_admin(ctx)) self.assertTrue(policy_engine.check_is_admin(ctx))
def test_check_is_admin_no_roles_no_admin(self): def test_check_is_admin_no_roles_no_admin(self):
policy_engine.init(policy_file='dummy_policy.json') policy_engine.init(policy_file='dummy_policy.yaml')
ctx = context.Context('me', 'my_project', roles=['user']).elevated() ctx = context.Context('me', 'my_project', roles=['user']).elevated()
# With no admin role, elevated() should not work. # With no admin role, elevated() should not work.
self.assertFalse(policy_engine.check_is_admin(ctx)) self.assertFalse(policy_engine.check_is_admin(ctx))
def test_check_user_elevated_is_admin_with_default_policy(self): def test_check_user_elevated_is_admin_with_default_policy(self):
policy_engine.init(policy_file='no_policy.json') policy_engine.init(policy_file='no_policy.yaml')
ctx = context.Context('me', 'my_project', roles=['user']).elevated() ctx = context.Context('me', 'my_project', roles=['user']).elevated()
self.assertTrue(policy_engine.check_is_admin(ctx)) self.assertTrue(policy_engine.check_is_admin(ctx))
@@ -63,12 +63,12 @@ class TestPolicyEnforcer(base.BaseTestCase):
self.assertFalse(policy_engine.check_is_advsvc(ctx)) self.assertFalse(policy_engine.check_is_advsvc(ctx))
def test_check_is_advsvc_no_roles_no_advsvc(self): def test_check_is_advsvc_no_roles_no_advsvc(self):
policy_engine.init(policy_file='dummy_policy.json') policy_engine.init(policy_file='dummy_policy.yaml')
ctx = context.Context('me', 'my_project', roles=['advsvc']) ctx = context.Context('me', 'my_project', roles=['advsvc'])
# No advsvc role in the policy file, so cannot assume the role. # No advsvc role in the policy file, so cannot assume the role.
self.assertFalse(policy_engine.check_is_advsvc(ctx)) self.assertFalse(policy_engine.check_is_advsvc(ctx))
def test_check_is_advsvc_role_with_default_policy(self): def test_check_is_advsvc_role_with_default_policy(self):
policy_engine.init(policy_file='no_policy.json') policy_engine.init(policy_file='no_policy.yaml')
ctx = context.Context('me', 'my_project', roles=['advsvc']) ctx = context.Context('me', 'my_project', roles=['advsvc'])
self.assertTrue(policy_engine.check_is_advsvc(ctx)) self.assertTrue(policy_engine.check_is_advsvc(ctx))


@@ -78,7 +78,7 @@ def is_port_trusted(port):
"""Used to determine if port can be trusted not to attack network. """Used to determine if port can be trusted not to attack network.
Trust is currently based on the device_owner field starting with 'network:' Trust is currently based on the device_owner field starting with 'network:'
since we restrict who can use that in the default policy.json file. since we restrict who can use that in the default policy.yaml file.
:param port: The port dict to inspect the 'device_owner' for. :param port: The port dict to inspect the 'device_owner' for.
:returns: True if the port dict's 'device_owner' value starts with the :returns: True if the port dict's 'device_owner' value starts with the
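Review bot: The reworded docstring still presents the 'network:' device_owner trust as something the default policy.yaml guarantees, but is_port_trusted only inspects the prefix, so the guarantee holds only for as long as the deployed policy keeps that restriction. I would make the dependency explicit by replacing the 'since we restrict...' line with `since the default policy.yaml restricts who can set that value; a deployment that relaxes this rule also weakens this check.` The body of is_port_trusted and the rest of its docstring are outside the hunk.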