[goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file' config option from 'policy.json' to 'policy.yaml' with upgrade checks.
2. Deprecate the JSON formatted policy file on the project side via warning in doc and releasenotes.

Also replace policy.json to policy.yaml ref from doc and tests.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I9028875399b54ab961ae46ca13f9cf6e6fc7ad89
parent 5238a34c7d
commit b5edbcbb6e
|
@ -16,6 +16,14 @@
|
||||||
Senlin Sample Policy Configuration File
|
Senlin Sample Policy Configuration File
|
||||||
=======================================
|
=======================================
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
JSON formatted policy file is deprecated since Senlin 11.0.0 (Wallaby).
|
||||||
|
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
|
||||||
|
JSON-formatted policy file to YAML in a backward-compatible way.
|
||||||
|
|
||||||
|
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
|
||||||
|
|
||||||
The following is an overview of all available access policies in Senlin.
|
The following is an overview of all available access policies in Senlin.
|
||||||
For a sample configuration file, refer to :doc:`sample-policy-yaml`.
|
For a sample configuration file, refer to :doc:`sample-policy-yaml`.
|
||||||
|
|
||||||
|
|
|
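Review bot: The added warning never mentions that the default of ``[oslo_policy] policy_file`` moves from policy.json to policy.yaml, which is the part of this change an operator with a customized policy.json most needs to see on this page. Add a sentence pointing to the upgrade note. The second sentence also opens with "This `oslopolicy-convert-json-to-yaml`__ tool" as if the tool had already been introduced; "The ... tool" reads better.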
@ -16,7 +16,15 @@
|
||||||
policy.yaml
|
policy.yaml
|
||||||
===========
|
===========
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
JSON formatted policy file is deprecated since Senlin 11.0.0 (Wallaby).
|
||||||
|
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
|
||||||
|
JSON-formatted policy file to YAML in a backward-compatible way.
|
||||||
|
|
||||||
|
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
|
||||||
|
|
||||||
Use the ``policy.yaml`` file to define additional access controls that will be
|
Use the ``policy.yaml`` file to define additional access controls that will be
|
||||||
applied to Senlin:
|
applied to Senlin:
|
||||||
|
|
||||||
.. literalinclude:: ../_static/senlin.policy.yaml.sample
|
.. literalinclude:: ../_static/senlin.policy.yaml.sample
|
||||||
|
|
|
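Review bot: The warning added at the top of the policy.yaml page is a verbatim copy of the block added to the sample policy configuration page, so the two will drift the next time the deprecation wording changes. Consider keeping the text in one shared file and pulling it into both pages with an include directive.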
@ -57,19 +57,19 @@ os-client-config==1.29.0
|
||||||
os-service-types==1.7.0
|
os-service-types==1.7.0
|
||||||
oslo.cache==1.29.0
|
oslo.cache==1.29.0
|
||||||
oslo.concurrency==3.26.0
|
oslo.concurrency==3.26.0
|
||||||
oslo.config==5.2.0
|
oslo.config==6.8.0
|
||||||
oslo.context==2.22.0
|
oslo.context==2.22.0
|
||||||
oslo.db==6.0.0
|
oslo.db==6.0.0
|
||||||
oslo.i18n==3.20.0
|
oslo.i18n==3.20.0
|
||||||
oslo.log==3.36.0
|
oslo.log==3.36.0
|
||||||
oslo.messaging==5.29.0
|
oslo.messaging==5.29.0
|
||||||
oslo.middleware==3.31.0
|
oslo.middleware==3.31.0
|
||||||
oslo.policy==1.30.0
|
oslo.policy==3.6.0
|
||||||
oslo.reports==1.18.0
|
oslo.reports==1.18.0
|
||||||
oslo.serialization==2.25.0
|
oslo.serialization==2.25.0
|
||||||
oslo.service==1.31.0
|
oslo.service==1.31.0
|
||||||
oslo.upgradecheck==0.1.0
|
oslo.upgradecheck==1.3.0
|
||||||
oslo.utils==3.37.0
|
oslo.utils==4.5.0
|
||||||
oslo.versionedobjects==1.31.2
|
oslo.versionedobjects==1.31.2
|
||||||
oslotest==3.3.0
|
oslotest==3.3.0
|
||||||
osprofiler==2.3.0
|
osprofiler==2.3.0
|
||||||
|
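Review bot: The oslo.config, oslo.policy, oslo.upgradecheck and oslo.utils floors are raised here with no explanation in the commit message. The oslo.upgradecheck bump lines up with the new common_checks import, but nothing visible explains 6.8.0, 3.6.0 or 4.5.0. State in the commit message which feature each minimum is needed for, so a later reviewer can tell a required floor from an incidental one.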
@ -97,11 +97,11 @@ python-keystoneclient==3.15.0
|
||||||
python-mimeparse==1.6.0
|
python-mimeparse==1.6.0
|
||||||
python-subunit==1.2.0
|
python-subunit==1.2.0
|
||||||
pytz==2015.7
|
pytz==2015.7
|
||||||
PyYAML==3.13
|
PyYAML==5.1
|
||||||
repoze.lru==0.7
|
repoze.lru==0.7
|
||||||
requests==2.14.2
|
requests==2.20.0
|
||||||
requestsexceptions==1.4.0
|
requestsexceptions==1.4.0
|
||||||
rfc3986==1.1.0
|
rfc3986==1.2.0
|
||||||
Routes==2.3.1
|
Routes==2.3.1
|
||||||
smmap2==2.0.3
|
smmap2==2.0.3
|
||||||
sqlalchemy-migrate==0.13.0
|
sqlalchemy-migrate==0.13.0
|
||||||
|
|
|
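Review bot: The requests (2.14.2 to 2.20.0) and rfc3986 (1.1.0 to 1.2.0) bumps have no visible connection to the policy file format, and the commit message does not mention them. If they are forced by the new oslo minimums, say so in the commit message; otherwise move them to a separate change.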
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
The default value of ``[oslo_policy] policy_file`` config option has
|
||||||
|
been changed from ``policy.json`` to ``policy.yaml``.
|
||||||
|
Operators who are utilizing customized or previously generated
|
||||||
|
static policy JSON files (which are not needed by default), should
|
||||||
|
generate new policy files or convert them in YAML format. Use the
|
||||||
|
`oslopolicy-convert-json-to-yaml
|
||||||
|
<https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
|
||||||
|
tool to convert a JSON to YAML formatted policy file in
|
||||||
|
backward compatible way.
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
Use of JSON policy files was deprecated by the ``oslo.policy`` library
|
||||||
|
during the Victoria development cycle. As a result, this deprecation is
|
||||||
|
being noted in the Wallaby cycle with an anticipated future removal of support
|
||||||
|
by ``oslo.policy``. As such operators will need to convert to YAML policy
|
||||||
|
files. Please see the upgrade notes for details on migration of any
|
||||||
|
custom policy files.
|
|
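Review bot: The upgrade entry does not say what happens to a deployment that keeps a customized policy.json in place and never sets ``[oslo_policy] policy_file``. With the default now policy.yaml, that is the case operators need spelled out, because it decides whether their access-control overrides are still applied after the upgrade. State the behaviour and mention the 'Policy File JSON to YAML Migration' upgrade check added in this change. Minor wording: "convert them in YAML format" should be "convert them to YAML format", and "in backward compatible way" is missing "a".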
@ -11,7 +11,7 @@ keystoneauth1>=3.18.0 # Apache-2.0
|
||||||
keystonemiddleware>=4.17.0 # Apache-2.0
|
keystonemiddleware>=4.17.0 # Apache-2.0
|
||||||
microversion-parse>=0.2.1 # Apache-2.0
|
microversion-parse>=0.2.1 # Apache-2.0
|
||||||
openstacksdk>=0.42.0 # Apache-2.0
|
openstacksdk>=0.42.0 # Apache-2.0
|
||||||
oslo.config>=5.2.0 # Apache-2.0
|
oslo.config>=6.8.0 # Apache-2.0
|
||||||
oslo.context>=2.22.0 # Apache-2.0
|
oslo.context>=2.22.0 # Apache-2.0
|
||||||
oslo.db>=6.0.0 # Apache-2.0
|
oslo.db>=6.0.0 # Apache-2.0
|
||||||
oslo.i18n>=3.20.0 # Apache-2.0
|
oslo.i18n>=3.20.0 # Apache-2.0
|
||||||
|
@ -19,17 +19,17 @@ oslo.log>=3.36.0 # Apache-2.0
|
||||||
oslo.reports>=1.18.0 # Apache-2.0
|
oslo.reports>=1.18.0 # Apache-2.0
|
||||||
oslo.messaging>=5.29.0 # Apache-2.0
|
oslo.messaging>=5.29.0 # Apache-2.0
|
||||||
oslo.middleware>=3.31.0 # Apache-2.0
|
oslo.middleware>=3.31.0 # Apache-2.0
|
||||||
oslo.policy>=1.30.0 # Apache-2.0
|
oslo.policy>=3.6.0 # Apache-2.0
|
||||||
oslo.serialization>=2.25.0 # Apache-2.0
|
oslo.serialization>=2.25.0 # Apache-2.0
|
||||||
oslo.service>=1.31.0 # Apache-2.0
|
oslo.service>=1.31.0 # Apache-2.0
|
||||||
oslo.upgradecheck>=0.1.0 # Apache-2.0
|
oslo.upgradecheck>=1.3.0 # Apache-2.0
|
||||||
oslo.utils>=3.37.0 # Apache-2.0
|
oslo.utils>=4.5.0 # Apache-2.0
|
||||||
oslo.versionedobjects>=1.31.2 # Apache-2.0
|
oslo.versionedobjects>=1.31.2 # Apache-2.0
|
||||||
osprofiler>=2.3.0 # Apache-2.0
|
osprofiler>=2.3.0 # Apache-2.0
|
||||||
PasteDeploy>=1.5.0 # MIT
|
PasteDeploy>=1.5.0 # MIT
|
||||||
pytz>=2015.7 # MIT
|
pytz>=2015.7 # MIT
|
||||||
PyYAML>=3.13 # MIT
|
PyYAML>=5.1 # MIT
|
||||||
requests>=2.14.2 # Apache-2.0
|
requests>=2.20.0 # Apache-2.0
|
||||||
Routes>=2.3.1 # MIT
|
Routes>=2.3.1 # MIT
|
||||||
SQLAlchemy!=1.1.5,!=1.1.6,!=1.1.7,!=1.1.8,>=1.0.10 # MIT
|
SQLAlchemy!=1.1.5,!=1.1.6,!=1.1.7,!=1.1.8,>=1.0.10 # MIT
|
||||||
sqlalchemy-migrate>=0.13.0 # Apache-2.0
|
sqlalchemy-migrate>=0.13.0 # Apache-2.0
|
||||||
|
|
|
@ -15,6 +15,7 @@
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
|
from oslo_upgradecheck import common_checks
|
||||||
from oslo_upgradecheck import upgradecheck
|
from oslo_upgradecheck import upgradecheck
|
||||||
|
|
||||||
from senlin.common.i18n import _
|
from senlin.common.i18n import _
|
||||||
|
@ -71,6 +72,8 @@ class Checks(upgradecheck.UpgradeCommands):
|
||||||
_upgrade_checks = (
|
_upgrade_checks = (
|
||||||
# In the future there should be some real checks added here
|
# In the future there should be some real checks added here
|
||||||
(_('HealthPolicy'), _check_healthpolicy),
|
(_('HealthPolicy'), _check_healthpolicy),
|
||||||
|
(_('Policy File JSON to YAML Migration'),
|
||||||
|
(common_checks.check_policy_json, {'conf': cfg.CONF})),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
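Review bot: The new entry passes cfg.CONF to common_checks.check_policy_json, so its result depends on the policy.yaml default having been registered before the check runs. In this change that registration happens in set_config_defaults() and at import of the policy engine module, and nothing visible here shows the status command doing either. Confirm the ordering and add a test that covers it. The comment "# In the future there should be some real checks added here" above the tuple is also stale now and can go.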
@ -15,6 +15,7 @@ Routines for configuring Senlin
|
||||||
"""
|
"""
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_middleware import cors
|
from oslo_middleware import cors
|
||||||
|
from oslo_policy import opts
|
||||||
from oslo_utils import importutils
|
from oslo_utils import importutils
|
||||||
|
|
||||||
import senlin.conf
|
import senlin.conf
|
||||||
|
@ -61,3 +62,8 @@ def set_config_defaults():
|
||||||
'POST',
|
'POST',
|
||||||
'DELETE',
|
'DELETE',
|
||||||
'PATCH'])
|
'PATCH'])
|
||||||
|
|
||||||
|
# TODO(gmann): Remove setting the default value of config policy_file
|
||||||
|
# once oslo_policy change the default value to 'policy.yaml'.
|
||||||
|
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||||
|
opts.set_defaults(CONF, 'policy.yaml')
|
||||||
|
|
|
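Review bot: The literal in opts.set_defaults(CONF, 'policy.yaml') duplicates the DEFAULT_POLICY_FILE constant this change adds to the policy engine module, and the TODO block is copied in both places. Define the default once and reference it from both call sites, so the eventual removal named in the TODO touches one line.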
@ -16,6 +16,7 @@ Policy Engine For Senlin
|
||||||
|
|
||||||
# from oslo_concurrency import lockutils
|
# from oslo_concurrency import lockutils
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
|
from oslo_policy import opts
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
from senlin.common import exception
|
from senlin.common import exception
|
||||||
|
@ -24,6 +25,12 @@ from senlin.common import policies
|
||||||
POLICY_ENFORCER = None
|
POLICY_ENFORCER = None
|
||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
|
|
||||||
|
# TODO(gmann): Remove setting the default value of config policy_file
|
||||||
|
# once oslo_policy change the default value to 'policy.yaml'.
|
||||||
|
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||||
|
DEFAULT_POLICY_FILE = 'policy.yaml'
|
||||||
|
opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
|
||||||
|
|
||||||
|
|
||||||
# @lockutils.synchronized('policy_enforcer', 'senlin-')
|
# @lockutils.synchronized('policy_enforcer', 'senlin-')
|
||||||
def _get_enforcer(policy_file=None, rules=None, default_rule=None):
|
def _get_enforcer(policy_file=None, rules=None, default_rule=None):
|
||||||
|
|
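Review bot: opts.set_defaults(CONF, DEFAULT_POLICY_FILE) runs at module import, so the effective policy file default depends on whether and when this module is imported, and set_config_defaults() already makes the same call. Keep one call on the explicit configuration path and drop the import-time side effect, unless some caller is known to load policy without going through set_config_defaults(); if so, name that caller in the comment.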