From fafabad0422462e713da84b2467ba791b6af83dc Mon Sep 17 00:00:00 2001 From: Michael Johnson Date: Mon, 1 Jun 2020 14:28:38 -0700 Subject: [PATCH] Switch oslo.policy over to yaml Oslo.policy is moving away from using json format policy files[1]. This patch updates the Octavia documentation, policy configuration file, and legacy admin-or-owner policy file to be in yaml format. Octavia will continue to honor and support the json format file as long as oslo.policy does, but this patch will encourage new deployments to use the yaml format. [1] https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c --- devstack/plugin.sh | 2 +- doc/source/configuration/policy.rst | 9 ++++++--- etc/policy/README.rst | 6 +++--- etc/policy/admin_or_owner-policy.json | 11 ----------- etc/policy/admin_or_owner-policy.yaml | 18 ++++++++++++++++++ etc/policy/octavia-policy-generator.conf | 4 ++-- specs/template.rst | 2 +- tools/misc-sanity-checks.sh | 6 +++--- 8 files changed, 34 insertions(+), 24 deletions(-) delete mode 100644 etc/policy/admin_or_owner-policy.json create mode 100644 etc/policy/admin_or_owner-policy.yaml diff --git a/devstack/plugin.sh b/devstack/plugin.sh index bafac8c395..e6bd7c8331 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -407,7 +407,7 @@ function octavia_configure { iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then - cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.json $OCTAVIA_CONF_DIR/policy.json + cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml fi # create dhclient.conf file for dhclient diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst index fc8217b1d7..f257345ef3 100644 --- a/doc/source/configuration/policy.rst +++ b/doc/source/configuration/policy.rst 
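Review bot: The `cp` now installs the legacy policy as `$OCTAVIA_CONF_DIR/policy.yaml`, but nothing in this hunk points `[oslo_policy] policy_file` at that name; oslo.policy has historically defaulted `policy_file` to policy.json, so unless octavia.conf or the Octavia policy code already overrides that default (not visible here) the copied file would be ignored and the stock in-code RBAC applied, which is exactly what the OCTAVIA_USE_LEGACY_RBAC branch is meant to switch off. Adding `iniset $OCTAVIA_CONF oslo_policy policy_file policy.yaml` next to the copy makes the intent explicit regardless of the library default. A re-stacked environment can also still carry an older `policy.json` in the same directory, so removing it in the same branch, `rm -f -- "$OCTAVIA_CONF_DIR/policy.json"`, avoids two competing legacy files. The expansions in the `cp` line are unquoted, unlike the `[[ ... ]]` test above it; `cp -- "$OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml" "$OCTAVIA_CONF_DIR/policy.yaml"` is the safer form. octavia_configure continues outside the hunk.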
@@ -36,19 +36,22 @@ the load-balancer API: It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}' if that would be valid syntax. +Legacy Admin or Owner Policy +---------------------------- + An alternate policy file has been provided in octavia/etc/policy called -admin_or_owner-policy.json that removes the load-balancer RBAC role +admin_or_owner-policy.yaml that removes the load-balancer RBAC role requirement. Please see the README.rst in that directory for more information. Sample File Generation ---------------------- -To generate a sample policy.json file from the Octavia defaults, run the +To generate a sample policy.yaml file from the Octavia defaults, run the oslo policy generation script:: oslopolicy-sample-generator --config-file etc/policy/octavia-policy-generator.conf - --output-file policy.json.sample + --output-file policy.yaml.sample Merged File Generation ---------------------- diff --git a/etc/policy/README.rst b/etc/policy/README.rst index af7af02ba4..17b3318365 100644 --- a/etc/policy/README.rst +++ b/etc/policy/README.rst @@ -2,10 +2,10 @@ Octavia Sample Policy Files =========================== -The sample policy.json files described here can be copied into -/etc/octavia/policy.json to override the default RBAC policy for Octavia. +The sample policy.yaml files described here can be copied into +/etc/octavia/policy.yaml to override the default RBAC policy for Octavia. -admin_or_owner-policy.json +admin_or_owner-policy.yaml -------------------------- This policy file disables the requirement for load-balancer service users to have one of the load-balancer:* roles. It provides a similar policy to diff --git a/etc/policy/admin_or_owner-policy.json b/etc/policy/admin_or_owner-policy.json deleted file mode 100644 index 190516b3b0..0000000000 --- a/etc/policy/admin_or_owner-policy.json +++ /dev/null 
@@ -1,11 +0,0 @@
-{
- "context_is_admin": "role:admin or role:load-balancer_admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-
- "load-balancer:read": "rule:admin_or_owner",
- "load-balancer:read-global": "is_admin:True",
- "load-balancer:write": "rule:admin_or_owner",
- "load-balancer:read-quota": "rule:admin_or_owner",
- "load-balancer:read-quota-global": "is_admin:True",
- "load-balancer:write-quota": "is_admin:True"
-}
diff --git a/etc/policy/admin_or_owner-policy.yaml b/etc/policy/admin_or_owner-policy.yaml
new file mode 100644
index 0000000000..d81d7a203f
--- /dev/null
+++ b/etc/policy/admin_or_owner-policy.yaml
@@ -0,0 +1,18 @@
+# This policy.yaml will revert the Octavia API to follow the legacy
+# admin-or-owner RBAC policies.
+# It provides a similar policy to legacy OpenStack policies where any
+# user or admin has access to load-balancer resources that they own.
+# Users with the admin role has access to all load-balancer resources,
+# whether they own them or not.
+
+# Role Rules
+"context_is_admin": "role:admin or role:load-balancer_admin"
+"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
+
+# Rules
+"load-balancer:read": "rule:admin_or_owner"
+"load-balancer:read-global": "is_admin:True"
+"load-balancer:write": "rule:admin_or_owner"
+"load-balancer:read-quota": "rule:admin_or_owner"
+"load-balancer:read-quota-global": "is_admin:True"
+"load-balancer:write-quota": "is_admin:True"
diff --git a/etc/policy/octavia-policy-generator.conf b/etc/policy/octavia-policy-generator.conf
index 5bb27c1f96..0364582bb0 100644
--- a/etc/policy/octavia-policy-generator.conf
+++ b/etc/policy/octavia-policy-generator.conf
@@ -1,4 +1,4 @@
 [DEFAULT]
-format = json
-output_file = etc/octavia/policy.json.sample
+format = yaml
+output_file = etc/octavia/policy.yaml.sample
 namespace = octavia
diff --git a/specs/template.rst b/specs/template.rst
index 2680c9c739..bb27668c13 100644
--- a/specs/template.rst
+++ b/specs/template.rst
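Review bot: The header comment of the new admin_or_owner-policy.yaml understates what `context_is_admin` grants: because it matches `role:admin` on its own, any token carrying the plain admin role on any project appears to satisfy `is_admin:True`, which this file uses directly for `load-balancer:read-global`, `load-balancer:read-quota-global` and `load-balancer:write-quota`, so such users get global read and quota write rather than only access to resources they own. The mapping from `context_is_admin` to `is_admin` happens in the API context code rather than in this file, so confirm that before relying on it, but if it holds a sentence in the header making it explicit would help deployers judge whether this legacy file is acceptable for them, for example `# Any user holding the admin or load-balancer_admin role is treated as a global admin (is_admin:True) for every rule below.` The fifth comment line also has a grammar slip: `# Users with the admin role have access to all load-balancer resources,`.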
@@ -277,7 +277,7 @@ Neutron's attribute map facility should have the following: * Discuss any API policy changes, and discuss what things a deployer needs to think about when defining their API policy. This is in reference to the - policy.json file. + policy.yaml file. Note that the schema should be defined as restrictively as possible. Parameters which are required should be marked as such and diff --git a/tools/misc-sanity-checks.sh b/tools/misc-sanity-checks.sh index 83f1e1e1ff..bb3d2e211c 100755 --- a/tools/misc-sanity-checks.sh +++ b/tools/misc-sanity-checks.sh @@ -33,13 +33,13 @@ check_pot_files_errors () { } check_identical_policy_files () { - # For unit tests, we maintain their own policy.json file to make test suite + # For unit tests, we maintain their own policy.yaml file to make test suite # independent of whether it's executed from the octavia source tree or from # site-packages installation path. We don't want two copies of the same # file to diverge, so checking that they are identical - diff etc/policy.json octavia/tests/etc/policy.json 2>&1 > /dev/null + diff etc/policy.yaml octavia/tests/etc/policy.yaml 2>&1 > /dev/null if [ "$?" -ne 0 ]; then - echo "policy.json files must be identical!" >>$FAILURES + echo "policy.yaml files must be identical!" >>$FAILURES fi }
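Review bot: The redirection on the renamed `diff` line in check_identical_policy_files, `2>&1 > /dev/null`, still sends diff's stderr to the script's stdout rather than to /dev/null, because stderr is duplicated before stdout is redirected; a missing file therefore prints an error to the console before the separate `$?` test records the failure, and the two lines read more clearly as one guarded test, `if ! diff -q etc/policy.yaml octavia/tests/etc/policy.yaml > /dev/null 2>&1; then`. Neither `etc/policy.yaml` nor `octavia/tests/etc/policy.yaml` is created or renamed by this patch (the diffstat lists eight files and none of them), so unless both already exist in the tree the check now fails with diff's exit status 2 for a missing file rather than a content mismatch, presumably the same situation the .json paths were in before. If the function is no longer wired into the script's main flow it may be worth saying so in its comment, or dropping it, rather than only renaming the paths.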