[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file''
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I8b78c7b640ab18ddfc809cb4603decc739d494d1

doc/source/configuration/policy.rst

@@ -2,6 +2,14 @@
 Octavia Policies
 ================
 
+.. warning::
+
+   JSON formatted policy file is deprecated since Octavia 8.0.0 (Wallaby).
+   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
+   JSON-formatted policy file to YAML in a backward-compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
 .. _Keystone Default Roles: https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
 
 Octavia Advanced Role Based Access Control (RBAC)

lower-constraints.txt

@@ -90,7 +90,7 @@ oslo.policy==3.6.2
 oslo.reports==1.18.0
 oslo.serialization==2.28.1
 oslo.service==1.30.0
-oslo.upgradecheck==0.1.0
+oslo.upgradecheck==1.3.0
 oslo.utils==4.5.0
 oslotest==3.2.0
 packaging==20.4
@@ -133,7 +133,7 @@ pytz==2018.3
 PyYAML==5.1
 redis==2.10.0
 repoze.lru==0.7
-requests==2.18.4
+requests==2.23.0
 requests-mock==1.2.0
 requestsexceptions==1.4.0
 restructuredtext-lint==1.1.3
@@ -164,7 +164,7 @@ testscenarios==0.4
 testtools==2.2.0
 traceback2==1.4.0
 unittest2==1.1.0
-urllib3==1.22
+urllib3==1.21.1
 vine==5.0.0
 voluptuous==0.11.1
 waitress==1.1.0

octavia/cmd/status.py

@@ -15,6 +15,7 @@
 import sys
 
 from oslo_config import cfg
+from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck
 from stevedore import driver as stevedore_driver
 
@@ -113,6 +114,8 @@ class Checks(upgradecheck.UpgradeCommands):
     _upgrade_checks = (
         (_('AmphoraV2 Check'), _check_amphorav2),
         (_('YAML Policy File'), _check_yaml_policy),
+        (_('Policy File JSON to YAML Migration'),
+         (common_checks.check_policy_json, {'conf': CONF})),
     )
 
 

octavia/common/config.py

@@ -27,6 +27,7 @@ from oslo_config import cfg
 from oslo_db import options as db_options
 from oslo_log import log as logging
 import oslo_messaging as messaging
+from oslo_policy import opts as policy_opts
 
 from octavia.certificates.common import local
 from octavia.common import constants
@@ -979,3 +980,19 @@ def setup_remote_debugger():
                       {'debug-host': debugger_host,
                        'debug-port': debugger_port})
         raise
+
+
+def set_lib_defaults():
+    """Update default value for configuration options from other namespace.
+
+    Example, oslo lib config options. This is needed for
+    config generator tool to pick these default value changes.
+    https://docs.openstack.org/oslo.config/latest/cli/
+    generator.html#modifying-defaults-from-other-namespaces
+    """
+
+    # TODO(gmann): Remove setting the default value of config policy_file
+    # once oslo_policy change the default value to 'policy.yaml'.
+    # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+    # Update default value of oslo.policy policy_file config option.
+    policy_opts.set_defaults(cfg.CONF, 'policy.yaml')

octavia/common/policy.py

@@ -13,6 +13,7 @@
 """Policy Engine For Octavia."""
 from oslo_config import cfg
 from oslo_log import log as logging
+from oslo_policy import opts
 from oslo_policy import policy as oslo_policy
 from oslo_utils import excutils
 
@@ -24,6 +25,13 @@ LOG = logging.getLogger(__name__)
 OCTAVIA_POLICY = None
 
 
+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+
+
 def get_enforcer():
     global OCTAVIA_POLICY
     if OCTAVIA_POLICY is None:

octavia/tests/unit/cmd/test_status.py

@@ -127,8 +127,9 @@ class TestUpgradeChecks(base.TestCase):
             Code.FAILURE, check_result.code)
 
     def test__check_yaml_policy(self):
-        policy.Policy()
         self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
+        self.conf.conf(args=[], project='octavia')
+        policy.Policy()
 
         self.conf.config(group='oslo_policy', policy_file='test.yaml')
         check_result = self.cmd._check_yaml_policy()

releasenotes/notes/deprecate-json-formatted-policy-file-cc3dbf8b07c2638e.yaml

@@ -0,0 +1,20 @@
+---
+upgrade:
+  - |
+    The default value of ``[oslo_policy] policy_file`` config option has
+    been changed from ``policy.json`` to ``policy.yaml``.
+    Operators who are utilizing customized or previously generated
+    static policy JSON files (which are not needed by default), should
+    generate new policy files or convert them in YAML format. Use the
+    `oslopolicy-convert-json-to-yaml
+    <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
+    tool to convert a JSON to YAML formatted policy file in
+    backward compatible way.
+deprecations:
+  - |
+    Use of JSON policy files was deprecated by the ``oslo.policy`` library
+    during the Victoria development cycle. As a result, this deprecation is
+    being noted in the Wallaby cycle with an anticipated future removal of support
+    by ``oslo.policy``. As such operators will need to convert to YAML policy
+    files. Please see the upgrade notes for details on migration of any
+    custom policy files.

requirements.txt

@@ -8,7 +8,7 @@ pbr>=3.1.1 # Apache-2.0
 SQLAlchemy>=1.2.19 # MIT
 SQLAlchemy-Utils>=0.30.11
 futurist>=1.2.0 # Apache-2.0
-requests>=2.18.4 # Apache-2.0
+requests>=2.23.0 # Apache-2.0
 rfc3986>=1.2.0 # Apache-2.0
 keystoneauth1>=3.4.0 # Apache-2.0
 keystonemiddleware>=4.17.0 # Apache-2.0
@@ -25,7 +25,7 @@ oslo.middleware>=4.0.1 # Apache-2.0
 oslo.policy>=3.6.2 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
 oslo.serialization>=2.28.1 # Apache-2.0
-oslo.upgradecheck>=0.1.0 # Apache-2.0
+oslo.upgradecheck>=1.3.0 # Apache-2.0
 oslo.utils>=4.5.0 # Apache-2.0
 pyasn1!=0.2.3,>=0.1.8 # BSD
 pyasn1-modules>=0.0.6 # BSD

setup.cfg

@@ -101,6 +101,8 @@ octavia.worker.jobboard_driver =
     zookeeper_taskflow_driver = octavia.controller.worker.v2.taskflow_jobboard_driver:ZookeeperTaskFlowDriver
 oslo.config.opts =
     octavia = octavia.opts:list_opts
+oslo.config.opts.defaults =
+    octavia = octavia.common.config:set_lib_defaults
 oslo.policy.policies =
     octavia = octavia.policies:list_rules
 oslo.policy.enforcer =