Merge "Policy json to yaml migration"

doc/source/cli/ironic-status.rst

@@ -77,3 +77,8 @@ Upgrade
 
   * Adds a check for compatibility of the object versions with the release
     of ironic.
+
+  **Wallaby**
+
+  * Adds a check to validate the configured policy file is not JSON
+    based as JSON based policies have been deprecated.

doc/source/configuration/policy.rst

@@ -2,6 +2,16 @@
 Policies
 ========
 
+.. warning::
+   JSON formatted policy files were deprecated in the Wallaby development
+   cycle due to the Victoria deprecation by the ``olso.policy`` library.
+   Use the `oslopolicy-convert-json-to-yaml`__ tool
+   to convert the existing JSON to YAML formatted policy file in backward
+   compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
+
 The following is an overview of all available policies in Ironic.  For
 a sample configuration file, refer to :doc:`sample-policy`.
 

doc/source/install/configure-identity.rst

@@ -46,7 +46,7 @@ Configure the Identity service for the Bare Metal service
 
    If you choose to customize the names of Roles used with the Bare Metal
    service, do so by changing the "is_member", "is_observer", and "is_admin"
-   policy settings in ``/etc/ironic/policy.json``.
+   policy settings in ``/etc/ironic/policy.yaml``.
 
    More complete documentation on managing Users and Roles within your
    OpenStack deployment are outside the scope of this document, but may be
@@ -75,6 +75,6 @@ Configure the Identity service for the Bare Metal service
 #. Further documentation is available elsewhere for the ``openstack``
    :python-openstackclient-doc:`command-line client <cli/authentication.html>`
    and the :keystone-doc:`Identity <admin/cli-manage-projects-users-and-roles.html>`
-   service. A :doc:`policy.json.sample </configuration/sample-policy>`
+   service. A :doc:`policy.yaml.sample </configuration/sample-policy>`
    file, which enumerates the service's default policies, is provided for
    your convenience with the Bare Metal Service.

ironic/cmd/status.py

@@ -15,10 +15,15 @@
 import sys
 
 from oslo_config import cfg
+from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck
 
 from ironic.cmd import dbsync
 from ironic.common.i18n import _
+from ironic.common import policy  # noqa importing to load policy config.
+import ironic.conf
+
+CONF = ironic.conf.CONF
 
 
 class Checks(upgradecheck.UpgradeCommands):
@@ -54,6 +59,9 @@ class Checks(upgradecheck.UpgradeCommands):
     # summary will be rolled up at the end of the check() method.
     _upgrade_checks = (
         (_('Object versions'), _check_obj_versions),
+        # Victoria -> Wallaby migration
+        (_('Policy File JSON to YAML Migration'),
+         (common_checks.check_policy_json, {'conf': CONF})),
     )
 
 

ironic/common/policy.py

@@ -21,6 +21,7 @@ import sys
 from oslo_concurrency import lockutils
 from oslo_config import cfg
 from oslo_log import log
+from oslo_policy import opts
 from oslo_policy import policy
 
 from ironic.common import exception
@@ -29,6 +30,13 @@ _ENFORCER = None
 CONF = cfg.CONF
 LOG = log.getLogger(__name__)
 
+
+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+
 default_policies = [
     # Legacy setting, don't remove. Likely to be overridden by operators who
     # forget to update their policy.json configuration file.
@@ -591,10 +599,11 @@ def init_enforcer(policy_file=None, rules=None,
     # loaded exactly once - when this module-global is initialized.
     # Defining these in the relevant API modules won't work
     # because API classes lack singletons and don't use globals.
-    _ENFORCER = policy.Enforcer(CONF, policy_file=policy_file,
-                                rules=rules,
-                                default_rule=default_rule,
-                                use_conf=use_conf)
+    _ENFORCER = policy.Enforcer(
+        CONF, policy_file=policy_file,
+        rules=rules,
+        default_rule=default_rule,
+        use_conf=use_conf)
     _ENFORCER.register_defaults(list_policies())
 
 

releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml

@@ -0,0 +1,20 @@
+---
+upgrade:
+  - |
+    The default value of ``[oslo_policy] policy_file`` config option has been
+    changed from ``policy.json`` to ``policy.yaml``.
+    Operators who are utilizing customized policy files or previously generated
+    static policy files (which are not needed by default), should generate
+    new policy files and modify them to meet their needs in the event of
+    any new policies or rules have been added.
+    Please consult the `oslopolicy-convert-json-to-yaml <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
+    tool to convert a JSON to YAML formatted policy file in
+    backward compatible way.
+deprecations:
+  - |
+    Use of legacy policy format was deprecated by the ``oslo.policy`` library
+    during the Victoria development cycle. As a result, this deprecation is
+    being noted in the Wallaby with an anticipated future removal of support
+    by ``oslo.policy``. As such operators will need to convert to YAML policy
+    files. Please see the upgrade notes for details on migration of any
+    custom policy files.

requirements.txt

@@ -16,17 +16,17 @@ pytz>=2013.6 # MIT
 stevedore>=1.20.0 # Apache-2.0
 pysendfile>=2.0.0;sys_platform!='win32' # MIT
 oslo.concurrency>=4.2.0 # Apache-2.0
-oslo.config>=5.2.0 # Apache-2.0
+oslo.config>=6.8.0 # Apache-2.0
 oslo.context>=2.19.2 # Apache-2.0
 oslo.db>=6.0.0 # Apache-2.0
 oslo.rootwrap>=5.8.0 # Apache-2.0
 oslo.log>=3.36.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=1.30.0 # Apache-2.0
+oslo.policy>=3.6.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
-oslo.upgradecheck>=0.1.0 # Apache-2.0
-oslo.utils>=3.38.0 # Apache-2.0
+oslo.upgradecheck>=1.3.0 # Apache-2.0
+oslo.utils>=4.5.0 # Apache-2.0
 osprofiler>=1.5.0 # Apache-2.0
 os-traits>=0.4.0 # Apache-2.0
 pecan!=1.0.2,!=1.0.3,!=1.0.4,!=1.2,>=1.0.0 # BSD