Merge "Switch oslo.policy over to yaml"

2020-06-11 22:11:11 +00:00 · 2020-06-11 22:11:11 +00:00 · 0a697a352c
parent 18918267e3 fafabad042
commit 0a697a352c
8 changed files with 34 additions and 24 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -407,7 +407,7 @@ function octavia_configure {
    iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key

    if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then
-        cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.json $OCTAVIA_CONF_DIR/policy.json
+        cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
    fi

    # create dhclient.conf file for dhclient
--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@ -36,19 +36,22 @@ the load-balancer API:
    It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
    if that would be valid syntax.

+Legacy Admin or Owner Policy
+----------------------------
+
 An alternate policy file has been provided in octavia/etc/policy called
-admin_or_owner-policy.json that removes the load-balancer RBAC role
+admin_or_owner-policy.yaml that removes the load-balancer RBAC role
 requirement. Please see the README.rst in that directory for more information.

 Sample File Generation
 ----------------------

-To generate a sample policy.json file from the Octavia defaults, run the
+To generate a sample policy.yaml file from the Octavia defaults, run the
 oslo policy generation script::

    oslopolicy-sample-generator
    --config-file etc/policy/octavia-policy-generator.conf
-    --output-file policy.json.sample
+    --output-file policy.yaml.sample

 Merged File Generation
 ----------------------
--- a/etc/policy/README.rst
+++ b/etc/policy/README.rst
@ -2,10 +2,10 @@
 Octavia Sample Policy Files
 ===========================

-The sample policy.json files described here can be copied into
-/etc/octavia/policy.json to override the default RBAC policy for Octavia.
+The sample policy.yaml files described here can be copied into
+/etc/octavia/policy.yaml to override the default RBAC policy for Octavia.

-admin_or_owner-policy.json
+admin_or_owner-policy.yaml
 --------------------------
 This policy file disables the requirement for load-balancer service users to
 have one of the load-balancer:* roles.  It provides a similar policy to
--- a/etc/policy/admin_or_owner-policy.json
+++ b/etc/policy/admin_or_owner-policy.json
@ -1,11 +0,0 @@
-{
-    "context_is_admin": "role:admin or role:load-balancer_admin",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-
-    "load-balancer:read": "rule:admin_or_owner",
-    "load-balancer:read-global": "is_admin:True",
-    "load-balancer:write": "rule:admin_or_owner",
-    "load-balancer:read-quota": "rule:admin_or_owner",
-    "load-balancer:read-quota-global": "is_admin:True",
-    "load-balancer:write-quota": "is_admin:True"
-}
--- a/etc/policy/admin_or_owner-policy.yaml
+++ b/etc/policy/admin_or_owner-policy.yaml
@ -0,0 +1,18 @@
+# This policy.yaml will revert the Octavia API to follow the legacy
+# admin-or-owner RBAC policies.
+# It provides a similar policy to legacy OpenStack policies where any
+# user or admin has access to load-balancer resources that they own.
+# Users with the admin role has access to all load-balancer resources,
+# whether they own them or not.
+
+# Role Rules
+"context_is_admin": "role:admin or role:load-balancer_admin"
+"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
+
+# Rules
+"load-balancer:read": "rule:admin_or_owner"
+"load-balancer:read-global": "is_admin:True"
+"load-balancer:write": "rule:admin_or_owner"
+"load-balancer:read-quota": "rule:admin_or_owner"
+"load-balancer:read-quota-global": "is_admin:True"
+"load-balancer:write-quota": "is_admin:True"
--- a/etc/policy/octavia-policy-generator.conf
+++ b/etc/policy/octavia-policy-generator.conf
@ -1,4 +1,4 @@
 [DEFAULT]
-format = json
-output_file = etc/octavia/policy.json.sample
+format = yaml
+output_file = etc/octavia/policy.yaml.sample
 namespace = octavia
--- a/specs/template.rst
+++ b/specs/template.rst
@ -277,7 +277,7 @@ Neutron's attribute map facility should have the following:

 * Discuss any API policy changes, and discuss what things a deployer needs to
  think about when defining their API policy. This is in reference to the
-  policy.json file.
+  policy.yaml file.

 Note that the schema should be defined as restrictively as
 possible. Parameters which are required should be marked as such and
--- a/tools/misc-sanity-checks.sh
+++ b/tools/misc-sanity-checks.sh
@ -33,13 +33,13 @@ check_pot_files_errors () {
 }

 check_identical_policy_files () {
-    # For unit tests, we maintain their own policy.json file to make test suite
+    # For unit tests, we maintain their own policy.yaml file to make test suite
    # independent of whether it's executed from the octavia source tree or from
    # site-packages installation path. We don't want two copies of the same
    # file to diverge, so checking that they are identical
-    diff etc/policy.json octavia/tests/etc/policy.json 2>&1 > /dev/null
+    diff etc/policy.yaml octavia/tests/etc/policy.yaml 2>&1 > /dev/null
    if [ "$?" -ne 0 ]; then
-        echo "policy.json files must be identical!" >>$FAILURES
+        echo "policy.yaml files must be identical!" >>$FAILURES
    fi
 }