diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index bafac8c395..e6bd7c8331 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -407,7 +407,7 @@ function octavia_configure {
 iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key
 if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then
- cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.json $OCTAVIA_CONF_DIR/policy.json
+ cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
 fi
 # create dhclient.conf file for dhclient
diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst
index fc8217b1d7..f257345ef3 100644
--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@@ -36,19 +36,22 @@ the load-balancer API:
 It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}' if that would be valid syntax.
+Legacy Admin or Owner Policy
+----------------------------
+
 An alternate policy file has been provided in octavia/etc/policy called
-admin_or_owner-policy.json that removes the load-balancer RBAC role
+admin_or_owner-policy.yaml that removes the load-balancer RBAC role
 requirement. Please see the README.rst in that directory for more information.
 Sample File Generation
 ----------------------
-To generate a sample policy.json file from the Octavia defaults, run the
+To generate a sample policy.yaml file from the Octavia defaults, run the
 oslo policy generation script::
 oslopolicy-sample-generator --config-file etc/policy/octavia-policy-generator.conf
- --output-file policy.json.sample
+ --output-file policy.yaml.sample
 Merged File Generation
 ----------------------
diff --git a/etc/policy/README.rst b/etc/policy/README.rst
index af7af02ba4..17b3318365 100644
--- a/etc/policy/README.rst
+++ b/etc/policy/README.rst
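Review bot: The new `cp` line still expands `$OCTAVIA_DIR` and `$OCTAVIA_CONF_DIR` unquoted and without `--`, so a configured path containing whitespace or a glob character would be word-split; `cp -- "$OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml" "$OCTAVIA_CONF_DIR/policy.yaml"` is the safe form. A devstack host that previously ran with the legacy setting may also still hold the old `$OCTAVIA_CONF_DIR/policy.json`; if I recall correctly oslo.policy falls back to `policy.json` when no `policy.yaml` exists, so on a later run with `OCTAVIA_USE_LEGACY_RBAC` unset the stale, weaker admin-or-owner policy could silently remain in effect. Removing the old file alongside the copy, e.g. `rm -f -- "$OCTAVIA_CONF_DIR/policy.json"`, or confirming oslo.policy's fallback behaviour, would close that gap. The enclosing `octavia_configure` function starts and ends outside the hunk.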
@@ -2,10 +2,10 @@ Octavia Sample Policy Files
 ===========================
-The sample policy.json files described here can be copied into
-/etc/octavia/policy.json to override the default RBAC policy for Octavia.
+The sample policy.yaml files described here can be copied into
+/etc/octavia/policy.yaml to override the default RBAC policy for Octavia.
-admin_or_owner-policy.json
+admin_or_owner-policy.yaml
 --------------------------
 This policy file disables the requirement for load-balancer service users to have one of the load-balancer:* roles. It provides a similar policy to
diff --git a/etc/policy/admin_or_owner-policy.json b/etc/policy/admin_or_owner-policy.json
deleted file mode 100644
index 190516b3b0..0000000000
--- a/etc/policy/admin_or_owner-policy.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "context_is_admin": "role:admin or role:load-balancer_admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-
- "load-balancer:read": "rule:admin_or_owner",
- "load-balancer:read-global": "is_admin:True",
- "load-balancer:write": "rule:admin_or_owner",
- "load-balancer:read-quota": "rule:admin_or_owner",
- "load-balancer:read-quota-global": "is_admin:True",
- "load-balancer:write-quota": "is_admin:True"
-}
diff --git a/etc/policy/admin_or_owner-policy.yaml b/etc/policy/admin_or_owner-policy.yaml
new file mode 100644
index 0000000000..d81d7a203f
--- /dev/null
+++ b/etc/policy/admin_or_owner-policy.yaml
@@ -0,0 +1,18 @@
+# This policy.yaml will revert the Octavia API to follow the legacy
+# admin-or-owner RBAC policies.
+# It provides a similar policy to legacy OpenStack policies where any
+# user or admin has access to load-balancer resources that they own.
+# Users with the admin role has access to all load-balancer resources,
+# whether they own them or not.
+
+# Role Rules
+"context_is_admin": "role:admin or role:load-balancer_admin"
+"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
+
+# Rules
+"load-balancer:read": "rule:admin_or_owner"
+"load-balancer:read-global": "is_admin:True"
+"load-balancer:write": "rule:admin_or_owner"
+"load-balancer:read-quota": "rule:admin_or_owner"
+"load-balancer:read-quota-global": "is_admin:True"
+"load-balancer:write-quota": "is_admin:True"
diff --git a/etc/policy/octavia-policy-generator.conf b/etc/policy/octavia-policy-generator.conf
index 5bb27c1f96..0364582bb0 100644
--- a/etc/policy/octavia-policy-generator.conf
+++ b/etc/policy/octavia-policy-generator.conf
@@ -1,4 +1,4 @@
 [DEFAULT]
-format = json
-output_file = etc/octavia/policy.json.sample
+format = yaml
+output_file = etc/octavia/policy.yaml.sample
 namespace = octavia
diff --git a/specs/template.rst b/specs/template.rst
index 2680c9c739..bb27668c13 100644
--- a/specs/template.rst
+++ b/specs/template.rst
@@ -277,7 +277,7 @@ Neutron's attribute map facility should have the following:
 * Discuss any API policy changes, and discuss what things a deployer needs to think about when defining their API policy. This is in reference to the
- policy.json file.
+ policy.yaml file.
 Note that the schema should be defined as restrictively as possible. Parameters which are required should be marked as such and
diff --git a/tools/misc-sanity-checks.sh b/tools/misc-sanity-checks.sh
index 83f1e1e1ff..bb3d2e211c 100755
--- a/tools/misc-sanity-checks.sh
+++ b/tools/misc-sanity-checks.sh
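Review bot: The header comment of the new policy file has a subject/verb mismatch: `# Users with the admin role has access to all load-balancer resources,` should read `# Users with the admin role have access to all load-balancer resources,`. It would also help a reader to note that `context_is_admin` is defined under "Role Rules" but never referenced as `rule:context_is_admin`; every admin-only rule (`read-global`, `read-quota-global`, `write-quota`) checks the `is_admin:True` credential directly, so the file relies on whatever populates `is_admin` on the request context. A one-line comment such as `# is_admin is expected to be set on the request context from context_is_admin (confirm against the context code)` would make that dependency explicit for anyone auditing the legacy policy.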
@@ -33,13 +33,13 @@ check_pot_files_errors () {
 }
 check_identical_policy_files () {
- # For unit tests, we maintain their own policy.json file to make test suite
+ # For unit tests, we maintain their own policy.yaml file to make test suite
 # independent of whether it's executed from the octavia source tree or from
 # site-packages installation path. We don't want two copies of the same
 # file to diverge, so checking that they are identical
- diff etc/policy.json octavia/tests/etc/policy.json 2>&1 > /dev/null
+ diff etc/policy.yaml octavia/tests/etc/policy.yaml 2>&1 > /dev/null
 if [ "$?" -ne 0 ]; then
- echo "policy.json files must be identical!" >>$FAILURES
+ echo "policy.yaml files must be identical!" >>$FAILURES
 fi
 }
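Review bot: The redirection order on the new `diff` line sends diff's own error messages (for example a missing `etc/policy.yaml`) to stdout while discarding the comparison output, because `2>&1 > /dev/null` duplicates stderr onto the original stdout before stdout is redirected; the intent reads as `diff -q etc/policy.yaml octavia/tests/etc/policy.yaml > /dev/null 2>&1`. Folding the command into the condition also removes the separate `$?` test: `if ! diff -q etc/policy.yaml octavia/tests/etc/policy.yaml > /dev/null 2>&1; then`. Since `diff` exits 2 when either file is missing, the "must be identical" message then also covers a missing file, which a short comment or a separate `[ -f ... ]` check should make explicit. The `echo` line expands `$FAILURES` unquoted and would be safer as `>>"$FAILURES"`.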