From 2404d486ac32fea5d1149211b49dc413605f658b Mon Sep 17 00:00:00 2001 From: Julia Kreger Date: Wed, 18 Nov 2020 12:43:18 -0800 Subject: [PATCH] Policy json to yaml migration Adds the status upgrade check for the JSON to YAML migration effort and updates the documentation where it seems appropriate to move from "policy.json" to "policy.yaml" Mostly shamelessly copied from https://review.opendev.org/#/c/748059/ however is in-line with ironic's configuration and patching methods. Related Blueprint: policy-json-to-yaml Change-Id: I1d5b3892451579ebfd4d75a0f7185e0ef3c984c8 --- doc/source/cli/ironic-status.rst | 5 +++++ doc/source/configuration/policy.rst | 10 ++++++++++ doc/source/install/configure-identity.rst | 4 ++-- ironic/cmd/status.py | 8 ++++++++ ironic/common/policy.py | 17 ++++++++++++---- ...t-policy-file-change-474a342d6b5a041a.yaml | 20 +++++++++++++++++++ requirements.txt | 8 ++++---- 7 files changed, 62 insertions(+), 10 deletions(-) create mode 100644 releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml diff --git a/doc/source/cli/ironic-status.rst b/doc/source/cli/ironic-status.rst index 877518492a..c14cd376a8 100644 --- a/doc/source/cli/ironic-status.rst +++ b/doc/source/cli/ironic-status.rst @@ -77,3 +77,8 @@ Upgrade * Adds a check for compatibility of the object versions with the release of ironic. + + **Wallaby** + + * Adds a check to validate the configured policy file is not JSON + based as JSON based policies have been deprecated. diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst index 251e45c223..1abb144cd3 100644 --- a/doc/source/configuration/policy.rst +++ b/doc/source/configuration/policy.rst 
@@ -2,6 +2,16 @@ Policies ======== +.. warning:: + JSON formatted policy files were deprecated in the Wallaby development + cycle due to the Victoria deprecation by the ``olso.policy`` library. + Use the `oslopolicy-convert-json-to-yaml`__ tool + to convert the existing JSON to YAML formatted policy file in backward + compatible way. + +.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html + + The following is an overview of all available policies in Ironic. For a sample configuration file, refer to :doc:`sample-policy`. diff --git a/doc/source/install/configure-identity.rst b/doc/source/install/configure-identity.rst index b7ea19891d..aa32a6e699 100644 --- a/doc/source/install/configure-identity.rst +++ b/doc/source/install/configure-identity.rst @@ -46,7 +46,7 @@ Configure the Identity service for the Bare Metal service If you choose to customize the names of Roles used with the Bare Metal service, do so by changing the "is_member", "is_observer", and "is_admin" - policy settings in ``/etc/ironic/policy.json``. + policy settings in ``/etc/ironic/policy.yaml``. More complete documentation on managing Users and Roles within your OpenStack deployment are outside the scope of this document, but may be @@ -75,6 +75,6 @@ Configure the Identity service for the Bare Metal service #. Further documentation is available elsewhere for the ``openstack`` :python-openstackclient-doc:`command-line client ` and the :keystone-doc:`Identity ` - service. A :doc:`policy.json.sample ` + service. A :doc:`policy.yaml.sample ` file, which enumerates the service's default policies, is provided for your convenience with the Bare Metal Service. diff --git a/ironic/cmd/status.py b/ironic/cmd/status.py index e7f10fb728..f4ab695001 100644 --- a/ironic/cmd/status.py +++ b/ironic/cmd/status.py 
@@ -15,10 +15,15 @@ import sys from oslo_config import cfg +from oslo_upgradecheck import common_checks from oslo_upgradecheck import upgradecheck from ironic.cmd import dbsync from ironic.common.i18n import _ +from ironic.common import policy # noqa importing to load policy config. +import ironic.conf + +CONF = ironic.conf.CONF class Checks(upgradecheck.UpgradeCommands): @@ -54,6 +59,9 @@ class Checks(upgradecheck.UpgradeCommands): # summary will be rolled up at the end of the check() method. _upgrade_checks = ( (_('Object versions'), _check_obj_versions), + # Victoria -> Wallaby migration + (_('Policy File JSON to YAML Migration'), + (common_checks.check_policy_json, {'conf': CONF})), ) diff --git a/ironic/common/policy.py b/ironic/common/policy.py index 811198206d..efb92c5a55 100644 --- a/ironic/common/policy.py +++ b/ironic/common/policy.py @@ -21,6 +21,7 @@ import sys from oslo_concurrency import lockutils from oslo_config import cfg from oslo_log import log +from oslo_policy import opts from oslo_policy import policy from ironic.common import exception @@ -29,6 +30,13 @@ _ENFORCER = None CONF = cfg.CONF LOG = log.getLogger(__name__) + +# TODO(gmann): Remove setting the default value of config policy_file +# once oslo_policy change the default value to 'policy.yaml'. +# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 +DEFAULT_POLICY_FILE = 'policy.yaml' +opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE) + default_policies = [ # Legacy setting, don't remove. Likely to be overridden by operators who # forget to update their policy.json configuration file. 
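Review bot: The added `from ironic.common import policy # noqa importing to load policy config.` line exists only for its import-time side effect, and the bare `# noqa` suppresses every lint on that line, not just the unused-import warning. Narrow it and name the side effect, e.g. `from ironic.common import policy  # noqa: F401 - sets the [oslo_policy] policy_file default on import`. The policy check registered further down in this file appears to rely on that default being in place, so the comment is what stops a later cleanup from dropping the import as unused.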
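Review bot: The new `Policy File JSON to YAML Migration` entry in `_upgrade_checks` has no test; the diffstat for this change lists no test file. The result tells operators whether their authorization policy file still needs converting, so a unit test that points `[oslo_policy] policy_file` at a JSON file and asserts the check does not report success would guard the wiring of `{'conf': CONF}`. A one-line comment would help too, e.g. `# Flags a JSON policy file; presumably needs ironic.common.policy imported first so the policy_file default is set.` The `Checks` class starts before and continues after this hunk.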
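Review bot: `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)` changes which file the enforcer loads for every deployment that never set `[oslo_policy] policy_file`, and the added comment does not say what happens to an existing customized `policy.json`. Whether that file is still honoured depends on oslo.policy behaviour that is not visible in this diff. If it is not honoured, custom restrictions would silently revert to the in-code defaults, so the comment should state the expectation, e.g. `# NOTE: deployments with only a policy.json and no explicit policy_file rely on oslo.policy falling back to it; confirm before relying on this default.` The call could also use the module's existing `CONF` alias instead of `cfg.CONF`, and the context comment just below still says `policy.json configuration file`, which is stale once the default changes.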
@@ -591,10 +599,11 @@ def init_enforcer(policy_file=None, rules=None, # loaded exactly once - when this module-global is initialized. # Defining these in the relevant API modules won't work # because API classes lack singletons and don't use globals. - _ENFORCER = policy.Enforcer(CONF, policy_file=policy_file, - rules=rules, - default_rule=default_rule, - use_conf=use_conf) + _ENFORCER = policy.Enforcer( + CONF, policy_file=policy_file, + rules=rules, + default_rule=default_rule, + use_conf=use_conf) _ENFORCER.register_defaults(list_policies()) diff --git a/releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml b/releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml new file mode 100644 index 0000000000..5e24b2a761 --- /dev/null +++ b/releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml @@ -0,0 +1,20 @@ +--- +upgrade: + - | + The default value of ``[oslo_policy] policy_file`` config option has been + changed from ``policy.json`` to ``policy.yaml``. + Operators who are utilizing customized policy files or previously generated + static policy files (which are not needed by default), should generate + new policy files and modify them to meet their needs in the event of + any new policies or rules have been added. + Please consult the `oslopolicy-convert-json-to-yaml `_ + tool to convert a JSON to YAML formatted policy file in + backward compatible way. +deprecations: + - | + Use of legacy policy format was deprecated by the ``oslo.policy`` library + during the Victoria development cycle. As a result, this deprecation is + being noted in the Wallaby with an anticipated future removal of support + by ``oslo.policy``. As such operators will need to convert to YAML policy + files. Please see the upgrade notes for details on migration of any + custom policy files. diff --git a/requirements.txt b/requirements.txt index b36a38789d..5dccb8abfd 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -16,17 +16,17 @@ pytz>=2013.6 # MIT stevedore>=1.20.0 # Apache-2.0 pysendfile>=2.0.0;sys_platform!='win32' # MIT oslo.concurrency>=4.2.0 # Apache-2.0 -oslo.config>=5.2.0 # Apache-2.0 +oslo.config>=6.8.0 # Apache-2.0 oslo.context>=2.19.2 # Apache-2.0 oslo.db>=6.0.0 # Apache-2.0 oslo.rootwrap>=5.8.0 # Apache-2.0 oslo.log>=3.36.0 # Apache-2.0 oslo.middleware>=3.31.0 # Apache-2.0 -oslo.policy>=1.30.0 # Apache-2.0 +oslo.policy>=3.6.0 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0 -oslo.upgradecheck>=0.1.0 # Apache-2.0 -oslo.utils>=3.38.0 # Apache-2.0 +oslo.upgradecheck>=1.3.0 # Apache-2.0 +oslo.utils>=4.5.0 # Apache-2.0 osprofiler>=1.5.0 # Apache-2.0 os-traits>=0.4.0 # Apache-2.0 pecan!=1.0.2,!=1.0.3,!=1.0.4,!=1.2,>=1.0.0 # BSD