[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to do two things: 1. Change the default value of '[oslo_policy] policy_file'' config option from 'policy.json' to 'policy.yaml' with upgrade checks. 2. Deprecate the JSON formatted policy file on the project side via warning in doc and releasenotes. Also replace policy.json to policy.yaml ref from doc and tests. [1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: I6fc6f7d95e4efde6ea3bd0f1e4134aa54ce3889a
2020-12-24 10:01:22 -06:00 · 2020-12-24 10:01:22 -06:00 · 40a48bde6b
commit 40a48bde6b
parent d07b29a8c2
11 changed files with 77 additions and 37 deletions
--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@ -19,7 +19,7 @@ Tacker Configuration Guide
 ==========================

 The static configuration for tacker lives in three main files:
-``api-paste.ini``, ``tacker.conf`` and ``policy.json``.
+``api-paste.ini``, ``tacker.conf`` and ``policy.yaml``.
 These are described below. For a bigger picture view on configuring
 tacker to solve specific problems.

--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@ -2,6 +2,14 @@
 Tacker Policies
 ===============

+.. warning::
+
+   JSON formatted policy file is deprecated since Tacker 5.0.0 (Wallaby).
+   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
+   JSON-formatted policy file to YAML in a backward-compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
 The following is an overview of all available policies in Tacker.
 For a sample configuration file, refer to :doc:`/configuration/sample_policy`.

--- a/doc/source/configuration/sample_policy.rst
+++ b/doc/source/configuration/sample_policy.rst
@ -2,6 +2,14 @@
 Sample Tacker Policy File
 =========================

+.. warning::
+
+   JSON formatted policy file is deprecated since Tacker 5.0.0 (Wallaby).
+   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
+   JSON-formatted policy file to YAML in a backward-compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
 The following is a sample tacker policy file for adaptation and use.

 The sample policy can also be viewed in :download:`file form
--- a/doc/source/install/manual_installation.rst
+++ b/doc/source/install/manual_installation.rst
@ -195,7 +195,7 @@ Installing Tacker Server

      [DEFAULT]
      auth_strategy = keystone
-      policy_file = /etc/tacker/policy.json
+      policy_file = /etc/tacker/policy.yaml
      debug = True
      use_syslog = False
      bind_host = <TACKER_NODE_IP>
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -64,23 +64,23 @@ os-service-types==1.7.0
 osc-lib==1.10.0
 oslo.cache==1.29.0
 oslo.concurrency==3.26.0
-oslo.config==5.2.0
-oslo.context==2.19.2
+oslo.config==6.8.0
+oslo.context==2.22.0
 oslo.db==5.0.0
 oslo.i18n==3.20.0
 oslo.log==3.36.0
 oslo.messaging==9.3.0
 oslo.middleware==3.31.0
-oslo.policy==1.30.0
+oslo.policy==3.6.0
 oslo.reports==1.18.0
 oslo.rootwrap==5.8.0
 oslo.serialization==2.18.0
 oslo.service==1.24.0
-oslo.upgradecheck==0.1.0
-oslo.utils==3.33.0
+oslo.upgradecheck==1.3.0
+oslo.utils==4.5.0
 oslo.versionedobjects==1.33.3
 oslotest==3.2.0
-packaging==17.1
+packaging==20.4
 paramiko==2.7.1
 Paste==2.0.2
 PasteDeploy==1.5.0
@ -121,7 +121,7 @@ requests==2.20.0
 requests-mock==1.2.0
 requestsexceptions==1.4.0
 restructuredtext-lint==1.1.3
-rfc3986==1.1.0
+rfc3986==1.2.0
 Routes==2.3.1
 rsa==3.4.2
 setuptools==21.0.0
--- a/releasenotes/notes/deprecate-json-formatted-policy-file-fe2040675d7fea38.yaml
+++ b/releasenotes/notes/deprecate-json-formatted-policy-file-fe2040675d7fea38.yaml
@ -0,0 +1,20 @@
+---
+upgrade:
+  - |
+    The default value of ``[oslo_policy] policy_file`` config option has
+    been changed from ``policy.json`` to ``policy.yaml``.
+    Operators who are utilizing customized or previously generated
+    static policy JSON files (which are not needed by default), should
+    generate new policy files or convert them in YAML format. Use the
+    `oslopolicy-convert-json-to-yaml
+    <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
+    tool to convert a JSON to YAML formatted policy file in
+    backward compatible way.
+deprecations:
+  - |
+    Use of JSON policy files was deprecated by the ``oslo.policy`` library
+    during the Victoria development cycle. As a result, this deprecation is
+    being noted in the Wallaby cycle with an anticipated future removal of support
+    by ``oslo.policy``. As such operators will need to convert to YAML policy
+    files. Please see the upgrade notes for details on migration of any
+    custom policy files.
--- a/requirements.txt
+++ b/requirements.txt
@ -22,24 +22,24 @@ python-keystoneclient>=3.8.0 # Apache-2.0
 alembic>=0.9.6 # MIT
 stevedore>=1.20.0 # Apache-2.0
 oslo.concurrency>=3.26.0 # Apache-2.0
-oslo.config>=5.2.0 # Apache-2.0
-oslo.context>=2.19.2 # Apache-2.0
+oslo.config>=6.8.0 # Apache-2.0
+oslo.context>=2.22.0 # Apache-2.0
 oslo.db>=5.0.0 # Apache-2.0
 oslo.log>=3.36.0 # Apache-2.0
 oslo.messaging>=9.3.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=1.30.0 # Apache-2.0
+oslo.policy>=3.6.0 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
 oslo.rootwrap>=5.8.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
-oslo.upgradecheck>=0.1.0 # Apache-2.0
-oslo.utils>=3.33.0 # Apache-2.0
+oslo.upgradecheck>=1.3.0 # Apache-2.0
+oslo.utils>=4.5.0 # Apache-2.0
 oslo.versionedobjects>=1.33.3 # Apache-2.0
 openstacksdk>=0.44.0 # Apache-2.0
 python-neutronclient>=6.7.0 # Apache-2.0
 python-novaclient>=9.1.0 # Apache-2.0
-rfc3986>=1.1.0 # Apache-2.0
+rfc3986>=1.2.0 # Apache-2.0
 cryptography>=2.7 # BSD/Apache-2.0
 paramiko>=2.7.1 # LGPLv2.1+
 pyroute2>=0.4.21;sys_platform!='win32' # Apache-2.0 (+ dual licensed GPL2)
--- a/tacker/cmd/status.py
+++ b/tacker/cmd/status.py
@ -15,6 +15,7 @@
 import sys

 from oslo_config import cfg
+from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck

 from tacker._i18n import _
@ -30,17 +31,9 @@ class Checks(upgradecheck.UpgradeCommands):
    and added to _upgrade_checks tuple.
    """

-    def _sample_check(self):
-        """This is sample check added to test the upgrade check framework
-
-        It needs to be removed after adding any real upgrade check
-        """
-        return upgradecheck.Result(upgradecheck.Code.SUCCESS, 'Sample detail')
-
    _upgrade_checks = (
-        # Sample check added for now.
-        # Whereas in future real checks must be added here in tuple
-        (_('Sample Check'), _sample_check),
+        (_("Policy File JSON to YAML Migration"),
+         (common_checks.check_policy_json, {'conf': CONF})),
    )


--- a/tacker/policy.py
+++ b/tacker/policy.py
@ -20,6 +20,7 @@ import sys
 from oslo_config import cfg
 from oslo_db import exception as db_exc
 from oslo_log import log as logging
+from oslo_policy import opts
 from oslo_policy import policy
 from oslo_utils import excutils
 from oslo_utils import importutils
@ -35,6 +36,12 @@ LOG = logging.getLogger(__name__)
 _ENFORCER = None
 ADMIN_CTX_POLICY = 'context_is_admin'

+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+

 def reset():
    global _ENFORCER
@ -203,7 +210,7 @@ def _build_match_rule(action, target, pluralized):
 # This check is registered as 'tenant_id' so that it can override
 # GenericCheck which was used for validating parent resource ownership.
 # This will prevent us from having to handling backward compatibility
-# for policy.json
+# for policy.yaml
 # TODO(salv-orlando): Reinstate GenericCheck for simple tenant_id checks
@policy.register('tenant_id')
 class OwnerCheck(policy.Check):
@ -457,7 +464,7 @@ def get_enforcer():
        i += 1

    # 'project' must be 'tacker' so that get_enforcer looks at
-    # /etc/tacker/policy.json by default.
+    # /etc/tacker/policy.yaml by default.
    cfg.CONF(conf_args, project='tacker')
    init()
    return _ENFORCER
--- a/tacker/tests/etc/policy.yaml
+++ b/tacker/tests/etc/policy.yaml
@ -1,8 +1,8 @@
-"context_is_admin":  "role:admin",
-"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
-"admin_only": "rule:context_is_admin",
-"regular_user": "",
-"shared": "field:vims:shared=True",
-"default": "rule:admin_or_owner",
+"context_is_admin":  "role:admin"
+"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s"
+"admin_only": "rule:context_is_admin"
+"regular_user": ""
+"shared": "field:vims:shared=True"
+"default": "rule:admin_or_owner"

 "get_vim": "rule:admin_or_owner or rule:shared"
--- a/tacker/tests/unit/cmd/test_status.py
+++ b/tacker/tests/unit/cmd/test_status.py
@ -24,7 +24,11 @@ class TestUpgradeChecks(base.TestCase):
        super(TestUpgradeChecks, self).setUp()
        self.cmd = status.Checks()

-    def test__sample_check(self):
-        check_result = self.cmd._sample_check()
-        self.assertEqual(
-            Code.SUCCESS, check_result.code)
+    def test_checks(self):
+        for name, func in self.cmd._upgrade_checks:
+            if isinstance(func, tuple):
+                func_name, kwargs = func
+                result = func_name(self, **kwargs)
+            else:
+                result = func(self)
+            self.assertEqual(Code.SUCCESS, result.code)