Switch oslo.policy over to yaml

Oslo.policy is moving away from using json format policy files[1].

This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.

Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.

[1] https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html

Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c

devstack/plugin.sh

@@ -407,7 +407,7 @@ function octavia_configure {
     iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key
 
     if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then
-        cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.json $OCTAVIA_CONF_DIR/policy.json
+        cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
     fi
 
     # create dhclient.conf file for dhclient

doc/source/configuration/policy.rst

@@ -36,19 +36,22 @@ the load-balancer API:
     It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
     if that would be valid syntax.
 
+Legacy Admin or Owner Policy
+----------------------------
+
 An alternate policy file has been provided in octavia/etc/policy called
-admin_or_owner-policy.json that removes the load-balancer RBAC role
+admin_or_owner-policy.yaml that removes the load-balancer RBAC role
 requirement. Please see the README.rst in that directory for more information.
 
 Sample File Generation
 ----------------------
 
-To generate a sample policy.json file from the Octavia defaults, run the
+To generate a sample policy.yaml file from the Octavia defaults, run the
 oslo policy generation script::
 
     oslopolicy-sample-generator
     --config-file etc/policy/octavia-policy-generator.conf
-    --output-file policy.json.sample
+    --output-file policy.yaml.sample
 
 Merged File Generation
 ----------------------

etc/policy/README.rst

@@ -2,10 +2,10 @@
 Octavia Sample Policy Files
 ===========================
 
-The sample policy.json files described here can be copied into
-/etc/octavia/policy.json to override the default RBAC policy for Octavia.
+The sample policy.yaml files described here can be copied into
+/etc/octavia/policy.yaml to override the default RBAC policy for Octavia.
 
-admin_or_owner-policy.json
+admin_or_owner-policy.yaml
 --------------------------
 This policy file disables the requirement for load-balancer service users to
 have one of the load-balancer:* roles.  It provides a similar policy to

etc/policy/admin_or_owner-policy.json

@@ -1,11 +0,0 @@
-{
-    "context_is_admin": "role:admin or role:load-balancer_admin",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-
-    "load-balancer:read": "rule:admin_or_owner",
-    "load-balancer:read-global": "is_admin:True",
-    "load-balancer:write": "rule:admin_or_owner",
-    "load-balancer:read-quota": "rule:admin_or_owner",
-    "load-balancer:read-quota-global": "is_admin:True",
-    "load-balancer:write-quota": "is_admin:True"
-}

etc/policy/admin_or_owner-policy.yaml

@@ -0,0 +1,18 @@
+# This policy.yaml will revert the Octavia API to follow the legacy
+# admin-or-owner RBAC policies.
+# It provides a similar policy to legacy OpenStack policies where any
+# user or admin has access to load-balancer resources that they own.
+# Users with the admin role has access to all load-balancer resources,
+# whether they own them or not.
+
+# Role Rules
+"context_is_admin": "role:admin or role:load-balancer_admin"
+"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
+
+# Rules
+"load-balancer:read": "rule:admin_or_owner"
+"load-balancer:read-global": "is_admin:True"
+"load-balancer:write": "rule:admin_or_owner"
+"load-balancer:read-quota": "rule:admin_or_owner"
+"load-balancer:read-quota-global": "is_admin:True"
+"load-balancer:write-quota": "is_admin:True"

etc/policy/octavia-policy-generator.conf

@@ -1,4 +1,4 @@
 [DEFAULT]
-format = json
-output_file = etc/octavia/policy.json.sample
+format = yaml
+output_file = etc/octavia/policy.yaml.sample
 namespace = octavia

specs/template.rst

@@ -277,7 +277,7 @@ Neutron's attribute map facility should have the following:
 
 * Discuss any API policy changes, and discuss what things a deployer needs to
   think about when defining their API policy. This is in reference to the
-  policy.json file.
+  policy.yaml file.
 
 Note that the schema should be defined as restrictively as
 possible. Parameters which are required should be marked as such and

tools/misc-sanity-checks.sh

@@ -33,13 +33,13 @@ check_pot_files_errors () {
 }
 
 check_identical_policy_files () {
-    # For unit tests, we maintain their own policy.json file to make test suite
+    # For unit tests, we maintain their own policy.yaml file to make test suite
     # independent of whether it's executed from the octavia source tree or from
     # site-packages installation path. We don't want two copies of the same
     # file to diverge, so checking that they are identical
-    diff etc/policy.json octavia/tests/etc/policy.json 2>&1 > /dev/null
+    diff etc/policy.yaml octavia/tests/etc/policy.yaml 2>&1 > /dev/null
     if [ "$?" -ne 0 ]; then
-        echo "policy.json files must be identical!" >>$FAILURES
+        echo "policy.yaml files must be identical!" >>$FAILURES
     fi
 }