
Switch oslo.policy over to yaml

Oslo.policy is moving away from using json format policy files[1].

This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.

Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.

[1] https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html

Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c
changes/53/732453/2
Michael Johnson 1 year ago
parent commit fafabad042
8 changed files (lines changed):
  devstack/plugin.sh (2)
  doc/source/configuration/policy.rst (9)
  etc/policy/README.rst (6)
  etc/policy/admin_or_owner-policy.json (11)
  etc/policy/admin_or_owner-policy.yaml (18)
  etc/policy/octavia-policy-generator.conf (4)
  specs/template.rst (2)
  tools/misc-sanity-checks.sh (6)

devstack/plugin.sh (2 lines changed)

@ -407,7 +407,7 @@ function octavia_configure {
iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key
if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then
cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.json $OCTAVIA_CONF_DIR/policy.json
cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
fi
# create dhclient.conf file for dhclient
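Review bot: the new cp line only puts the legacy rules into effect if Octavia actually loads policy.yaml, and nothing in this hunk sets `[oslo_policy] policy_file`; if the oslo.policy release in the devstack environment still defaults to policy.json, the copied file is ignored and the API silently runs on the in-code defaults, which would show up as permission failures in the legacy-RBAC jobs rather than as a clear error. Consider adding `iniset $OCTAVIA_CONF oslo_policy policy_file policy.yaml` next to the cp, and, since a reused conf dir may still hold a policy.json from an earlier run, make sure a stale $OCTAVIA_CONF_DIR/policy.json is not left beside the new file so it is unambiguous which policy is in force.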

doc/source/configuration/policy.rst (9 lines changed)

@ -36,19 +36,22 @@ the load-balancer API:
It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
if that would be valid syntax.
Legacy Admin or Owner Policy
----------------------------
An alternate policy file has been provided in octavia/etc/policy called
admin_or_owner-policy.json that removes the load-balancer RBAC role
admin_or_owner-policy.yaml that removes the load-balancer RBAC role
requirement. Please see the README.rst in that directory for more information.
Sample File Generation
----------------------
To generate a sample policy.json file from the Octavia defaults, run the
To generate a sample policy.yaml file from the Octavia defaults, run the
oslo policy generation script::
oslopolicy-sample-generator
--config-file etc/policy/octavia-policy-generator.conf
--output-file policy.json.sample
--output-file policy.yaml.sample
Merged File Generation
----------------------
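Review bot: the Legacy Admin or Owner Policy section now names only the yaml file and gives a deployer who already has /etc/octavia/policy.json nothing to go on; the commit message says the json format stays honored as long as oslo.policy supports it, and that caveat belongs in this section (for example: "Existing policy.json files continue to be read while oslo.policy supports them; new deployments should use policy.yaml"), together with a pointer to the `[oslo_policy] policy_file` option, which is what decides which file is loaded when both are present.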

etc/policy/README.rst (6 lines changed)

@ -2,10 +2,10 @@
Octavia Sample Policy Files
===========================
The sample policy.json files described here can be copied into
/etc/octavia/policy.json to override the default RBAC policy for Octavia.
The sample policy.yaml files described here can be copied into
/etc/octavia/policy.yaml to override the default RBAC policy for Octavia.
admin_or_owner-policy.json
admin_or_owner-policy.yaml
--------------------------
This policy file disables the requirement for load-balancer service users to
have one of the load-balancer:* roles. It provides a similar policy to
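Review bot: the sentence "disables the requirement for load-balancer service users to have one of the load-balancer:* roles" should spell out the security consequence, since this is the one file operators are told to copy to /etc/octavia/policy.yaml: with it in place every member of a project can read and write that project's load balancers without any load-balancer:* role, and only the global-read and quota-write rules stay admin-only. One sentence stating that this is a deliberate relaxation of the default RBAC, not a drop-in equivalent, would keep it from being deployed by habit.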

etc/policy/admin_or_owner-policy.json (11 lines changed)

@ -1,11 +0,0 @@
{
"context_is_admin": "role:admin or role:load-balancer_admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"load-balancer:read": "rule:admin_or_owner",
"load-balancer:read-global": "is_admin:True",
"load-balancer:write": "rule:admin_or_owner",
"load-balancer:read-quota": "rule:admin_or_owner",
"load-balancer:read-quota-global": "is_admin:True",
"load-balancer:write-quota": "is_admin:True"
}
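Review bot: deleting etc/policy/admin_or_owner-policy.json breaks anything that references the sample by path (deployment tooling, older docs, the devstack line this change rewrites), and the commit message's assurance that json stays honored covers oslo.policy's parser, not this file; the changed-file list carries no release note, so consider adding one that names the removed file and its yaml replacement, or keeping the json copy for one cycle with a deprecation comment at the top.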

etc/policy/admin_or_owner-policy.yaml (18 lines changed)

@ -0,0 +1,18 @@
# This policy.yaml will revert the Octavia API to follow the legacy
# admin-or-owner RBAC policies.
# It provides a similar policy to legacy OpenStack policies where any
# user or admin has access to load-balancer resources that they own.
# Users with the admin role has access to all load-balancer resources,
# whether they own them or not.
# Role Rules
"context_is_admin": "role:admin or role:load-balancer_admin"
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
# Rules
"load-balancer:read": "rule:admin_or_owner"
"load-balancer:read-global": "is_admin:True"
"load-balancer:write": "rule:admin_or_owner"
"load-balancer:read-quota": "rule:admin_or_owner"
"load-balancer:read-quota-global": "is_admin:True"
"load-balancer:write-quota": "is_admin:True"
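Review bot: the eight rules match the removed json file one for one, so the policy semantics are unchanged; two fixes in the header comment, which is the text operators will read to decide whether to deploy the file: "Users with the admin role has access" should read "have access", and "resources that they own" overstates the granularity, because the admin_or_owner rule is `is_admin:True or project_id:%(project_id)s`, i.e. ownership is project membership, not per-user, so "resources in their project" is the accurate wording.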

etc/policy/octavia-policy-generator.conf (4 lines changed)

@ -1,4 +1,4 @@
[DEFAULT]
format = json
output_file = etc/octavia/policy.json.sample
format = yaml
output_file = etc/octavia/policy.yaml.sample
namespace = octavia
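Review bot: output_file here is etc/octavia/policy.yaml.sample, while the doc's Sample File Generation command passes `--output-file policy.yaml.sample`; the command-line flag overrides this setting, so the config value is only used when someone runs the generator without it, but the two should name the same location so they do not drift.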

specs/template.rst (2 lines changed)

@ -277,7 +277,7 @@ Neutron's attribute map facility should have the following:
* Discuss any API policy changes, and discuss what things a deployer needs to
think about when defining their API policy. This is in reference to the
policy.json file.
policy.yaml file.
Note that the schema should be defined as restrictively as
possible. Parameters which are required should be marked as such and

tools/misc-sanity-checks.sh (6 lines changed)

@ -33,13 +33,13 @@ check_pot_files_errors () {
}
check_identical_policy_files () {
# For unit tests, we maintain their own policy.json file to make test suite
# For unit tests, we maintain their own policy.yaml file to make test suite
# independent of whether it's executed from the octavia source tree or from
# site-packages installation path. We don't want two copies of the same
# file to diverge, so checking that they are identical
diff etc/policy.json octavia/tests/etc/policy.json 2>&1 > /dev/null
diff etc/policy.yaml octavia/tests/etc/policy.yaml 2>&1 > /dev/null
if [ "$?" -ne 0 ]; then
echo "policy.json files must be identical!" >>$FAILURES
echo "policy.yaml files must be identical!" >>$FAILURES
fi
}
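Review bot: check_identical_policy_files now diffs etc/policy.yaml against octavia/tests/etc/policy.yaml, but neither file appears in this change's file list; either both already exist in the tree, or the check now compares two missing files, in which case diff exits 2 and the sanity check fails (or, if the function is never invoked, it is dead code). Worth confirming before merge. While the line is being touched, `2>&1 > /dev/null` sends stderr to the terminal and only stdout to /dev/null; the intended order is `> /dev/null 2>&1`, and testing the command directly (`if ! diff -q etc/policy.yaml octavia/tests/etc/policy.yaml; then`) is clearer than inspecting `$?` afterwards.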
