[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file format from JSON to YAML[1], we need to do two things:

1. Change the default value of the '[oslo_policy] policy_file' config option from 'policy.json' to 'policy.yaml' with upgrade checks.
2. Deprecate the JSON formatted policy file on the project side via warnings in doc and releasenotes.

Also convert the ./glance/tests/etc/policy.json to a policy.yaml file. Replace policy.json with policy.yaml refs in doc and tests.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Depends-On: https://review.opendev.org/c/openstack/nova/+/773192
Change-Id: I17d0374dd4223688e5f95253802a4ae87377953a
parent cbc8519554
commit c107629f90

Changed paths: doc/source/admin, doc/source/contributor, glance/api, glance/cmd, glance/common, glance/tests, releasenotes/notes, requirements.txt, setup.cfg

@ -437,7 +437,7 @@ this plugin to inject the properties automatically upon image import.

You can guarantee that your end users must use interoperable image import by
restricting the ``upload_image`` policy appropriately in the Glance
``policy.json`` file. By default, this policy is unrestricted (that is,
``policy.yaml`` file. By default, this policy is unrestricted (that is,
any authorized user may make the image upload call).

For example, to allow only admin or service users to make the image upload
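Review bot: the paragraph relies on a restrictive ``upload_image`` rule for a security property, but only renames the file; now that the default ``[oslo_policy] policy_file`` is ``policy.yaml``, a restriction an operator previously placed in ``policy.json`` is no longer read unless ``policy_file`` still names that file. Add a sentence here (or a pointer to the warning added to the Policies page) saying the restriction must live in the file that ``policy_file`` points to. The same five-line paragraph is repeated in the hunks at 534 and 612; a shared include would keep the three in sync.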
@ -534,7 +534,7 @@ converting the images to their end users.

You can guarantee that your end users must use interoperable image import by
restricting the ``upload_image`` policy appropriately in the Glance
``policy.json`` file. By default, this policy is unrestricted (that is,
``policy.yaml`` file. By default, this policy is unrestricted (that is,
any authorized user may make the image upload call).

For example, to allow only admin or service users to make the image upload
@ -612,7 +612,7 @@ only compressed images.

You can guarantee that your end users must use interoperable image import by
restricting the ``upload_image`` policy appropriately in the Glance
``policy.json`` file. By default, this policy is unrestricted (that is,
``policy.yaml`` file. By default, this policy is unrestricted (that is,
any authorized user may make the image upload call).

For example, to allow only admin or service users to make the image upload
@ -17,6 +17,14 @@
Policies
========

.. warning::

JSON formatted policy file is deprecated since Glance 22.0.0 (Wallaby).
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
JSON-formatted policy file to YAML in a backward-compatible way.

.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html

Glance's public API calls may be restricted to certain sets of users using a
policy configuration file. This document explains exactly how policies are
configured and what they apply to.
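Review bot: the warning says how to convert but not what to do with the result. After running the converter the operator has to either place the YAML file where the new default (``policy.yaml`` in the config directory) is looked up or set ``[oslo_policy] policy_file`` to it, and remove the old JSON file so the new upgrade check stops reporting it; say that here, because a converted file that is never pointed to leaves the deployment on the in-code defaults. Wording: "This `oslopolicy-convert-json-to-yaml`__ tool" should read "The `oslopolicy-convert-json-to-yaml`__ tool".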
@ -142,10 +142,10 @@ core properties and the image owner can manage additional properties.

**To configure property protection**

To configure property protection, edit the ``policy.json`` file. This file
To configure property protection, edit the ``policy.yaml`` file. This file
can also be used to set policies for Image service actions.

#. Define roles or policies in the ``policy.json`` file:
#. Define roles or policies in the ``policy.yaml`` file:

.. code-block:: json

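Review bot: the directive that closes this hunk is still ``.. code-block:: json`` while the step now tells the reader to edit ``policy.yaml``, so the page instructs users to paste a JSON example into a .yaml file. YAML accepts the JSON syntax, so it will still load, but the sample that follows the directive should be converted to YAML (and the directive changed) so the doc shows the format it now recommends.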
@ -376,7 +376,7 @@ For a list of flavors that are available on your system, run:

By default, administrative users can configure the flavors. You can
change this behavior by redefining the access controls for
``compute_extension:flavormanage`` in ``/etc/nova/policy.json`` on the
``compute_extension:flavormanage`` in ``/etc/nova/policy.yaml`` on the
``compute-api`` server.


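Review bot: this line documents another project's policy rule and only the file name is updated; the ``compute_extension:`` rule-name prefix is nova's old naming scheme, so while the line is being touched it is worth checking the current nova rule name against nova's own policy documentation (the Depends-On in the commit message is the nova side of this goal) rather than carrying a stale rule name forward in Glance's docs.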
@ -107,7 +107,7 @@ Policy
The fourth layer of the domain model is responsible for:

#. Defining access rules to perform actions with an image. The rules are
defined in the :file:`etc/policy.json` file.
defined in the :file:`etc/policy.yaml` file.
#. Monitoring of the rules implementation.

.. _quota:
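Review bot: ``:file:`etc/policy.yaml``` reads as though the rules are shipped in a file, but the release note in this change says static policy files "are not needed by default"; the rules are defined in code and the file only overrides them. Suggest "defined in code and optionally overridden in the :file:`policy.yaml` file named by ``[oslo_policy] policy_file``".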
@ -21,6 +21,7 @@ import copy

from oslo_config import cfg
from oslo_log import log as logging
from oslo_policy import opts
from oslo_policy import policy

from glance.common import exception
@ -34,6 +35,13 @@ CONF = cfg.CONF
_ENFORCER = None


# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)


class Enforcer(policy.Enforcer):
"""Responsible for loading and enforcing rules"""

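Review bot: ``opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)`` runs as an import-time side effect here and is the same three lines added to ``set_config_defaults()`` in the config hunk below, so the default is now set in two places that can drift. Keep one: ``set_config_defaults`` is the ``oslo.config.opts.defaults`` entry point registered in setup.cfg, so the config generator already picks it up; if the import-time call is required because ``glance.api.policy`` can be imported by a process that never calls ``set_config_defaults()``, say so in the comment and import ``DEFAULT_POLICY_FILE`` from one module instead of defining it twice.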
@ -16,6 +16,7 @@ import sys

import glance_store
from oslo_config import cfg
from oslo_upgradecheck import common_checks
from oslo_upgradecheck import upgradecheck

from glance.common import wsgi # noqa
@ -50,6 +51,9 @@ class Checks(upgradecheck.UpgradeCommands):
_upgrade_checks = (
# Added in Ussuri
('Sheepdog Driver Removal', _check_sheepdog_store),
# Added in Wallaby
('Policy File JSON to YAML Migration',
(common_checks.check_policy_json, {'conf': CONF})),
)


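Review bot: ``check_policy_json`` is handed ``CONF`` and needs ``[oslo_policy] policy_file`` to locate the file, so the check is only meaningful if the ``oslo_policy`` option group is registered on ``CONF`` by the time ``_upgrade_checks`` runs; nothing in this hunk imports the module that sets the policy default, and it is not obvious that the ``glance.common.wsgi`` import at the top covers it. Either import ``glance.api.policy`` (or register the opts explicitly) in this module, and add a unit test for the new check: a ``policy.json`` in the config dir should produce a warning, a ``policy.yaml`` only should pass. No such test is part of this change.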
@ -23,6 +23,7 @@ import sys

from oslo_config import cfg
from oslo_middleware import cors
from oslo_policy import opts
from oslo_policy import policy
from paste import deploy

@ -349,7 +350,7 @@ Related options:
* location_strategy

""")),
# NOTE(flaper87): The policy.json file should be updated and the locaiton
# NOTE(flaper87): The policy.yaml file should be updated and the locaiton
# related rules set to admin only once this option is finally removed.
# NOTE(rosmaita): Unfortunately, this option is used to gate some code
# paths; if the location related policies are set admin-only, then no
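Review bot: the typo ``locaiton`` survives on the line being rewritten; fix it while the line is touched ("the location related rules").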
@ -698,6 +699,12 @@ def set_config_defaults():
"""This method updates all configuration default values."""
set_cors_middleware_defaults()

# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)


def set_cors_middleware_defaults():
"""Update default configuration options for oslo.middleware."""
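Review bot: the TODO condition ("once oslo_policy change the default value") points at a pinned oslo.policy commit, which shows what the default is today but gives nobody a way to notice when it flips; reference the oslo.policy bug or release that will change the default so the removal can be tracked, and fix the grammar ("once oslo_policy changes the default value"). The identical TODO in the policy module above should get the same treatment.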
@ -72,7 +72,7 @@ If the value is ``roles``, the property protection file must
contain a comma separated list of user roles indicating
permissions for each of the CRUD operations on each property
being protected. If set to ``policies``, a policy defined in
policy.json is used to express property protections for each
policy.yaml is used to express property protections for each
of the CRUD operations. Examples of how property protections
are enforced based on ``roles`` or ``policies`` can be found at:
https://docs.openstack.org/glance/latest/admin/property-protections.html#examples
@ -196,7 +196,7 @@ class PropertyRules(object):
create = glance_creator
then the corresponding policy rule would be:
"prop_a:create": "rule:glance_creator"
where glance_creator is defined in policy.json. For example:
where glance_creator is defined in policy.yaml. For example:
"glance_creator": "role:admin or role:glance_create_user"
"""
rule = "rule:%s" % rule
@ -1,67 +0,0 @@
{
"context_is_admin": "role:admin",
"default": "",
"glance_creator": "role:admin or role:spl_role",

"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "",
"communitize_image": "",

"download_image": "",
"upload_image": "",

"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",

"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",

"manage_image_cache": "",

"get_task": "role:admin",
"get_tasks": "role:admin",
"add_task": "role:admin",
"modify_task": "role:admin",

"get_metadef_namespace": "",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"",
"add_metadef_namespace":"",
"delete_metadef_namespace": "",

"get_metadef_object":"",
"get_metadef_objects":"",
"modify_metadef_object":"",
"add_metadef_object":"",
"delete_metadef_object": "",

"list_metadef_resource_types":"",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"",
"remove_metadef_resource_type_association": "",

"get_metadef_property":"",
"get_metadef_properties":"",
"modify_metadef_property":"",
"add_metadef_property":"",
"remove_metadef_property": "",

"get_metadef_tag":"",
"get_metadef_tags":"",
"modify_metadef_tag":"",
"add_metadef_tag":"",
"add_metadef_tags":"",
"delete_metadef_tag": "",
"delete_metadef_tags": "",

"deactivate": "",
"reactivate": ""
}
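Review bot: the deleted fixture set ``"context_is_admin": "role:admin"`` and ``"default": ""`` explicitly, while the replacement YAML emits them commented out (``#"default": ""`` and ``#"context_is_admin": "role:admin"``), so the tests now rely on the in-code defaults for these two rules instead of the file. That is only a no-op if the in-code values match the deleted ones; either state that in the commit message or keep the two rules uncommented in the fixture so the test intent stays explicit.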
glance/tests/etc/policy.yaml (new file, 161 lines)
@ -0,0 +1,161 @@
# Defines the default rule used for policies that historically had an
# empty policy in the supplied policy.yaml file.
#"default": ""

# Defines the rule for the is_admin:True check.
#"context_is_admin": "role:admin"

# add_image
"add_image": ""

# delete_image
"delete_image": ""

# get_image
"get_image": ""

# get_images
"get_images": ""

# modify_image
"modify_image": ""

# publicize_image
"publicize_image": ""

# communitize_image
"communitize_image": ""

# download_image
"download_image": ""

# upload_image
"upload_image": ""

# delete_image_location
"delete_image_location": ""

# get_image_location
"get_image_location": ""

# set_image_location
"set_image_location": ""

# add_member
"add_member": ""

# delete_member
"delete_member": ""

# get_member
"get_member": ""

# get_members
"get_members": ""

# modify_member
"modify_member": ""

# manage_image_cache
"manage_image_cache": ""

# deactivate
"deactivate": ""

# reactivate
"reactivate": ""

# get_task
"get_task": "role:admin"

# get_tasks
"get_tasks": "role:admin"

# add_task
"add_task": "role:admin"

# modify_task
"modify_task": "role:admin"

# get_metadef_namespace
"get_metadef_namespace": ""

# get_metadef_namespaces
"get_metadef_namespaces": ""

# modify_metadef_namespace
"modify_metadef_namespace": ""

# add_metadef_namespace
"add_metadef_namespace": ""

# delete_metadef_namespace
"delete_metadef_namespace": ""

# get_metadef_object
"get_metadef_object": ""

# get_metadef_objects
"get_metadef_objects": ""

# modify_metadef_object
"modify_metadef_object": ""

# add_metadef_object
"add_metadef_object": ""

# delete_metadef_object
"delete_metadef_object": ""

# list_metadef_resource_types
"list_metadef_resource_types": ""

# get_metadef_resource_type
"get_metadef_resource_type": ""

# add_metadef_resource_type_association
"add_metadef_resource_type_association": ""

# remove_metadef_resource_type_association
"remove_metadef_resource_type_association": ""

# get_metadef_property
"get_metadef_property": ""

# get_metadef_properties
"get_metadef_properties": ""

# modify_metadef_property
"modify_metadef_property": ""

# add_metadef_property
"add_metadef_property": ""

# remove_metadef_property
"remove_metadef_property": ""

# get_metadef_tag
"get_metadef_tag": ""

# get_metadef_tags
"get_metadef_tags": ""

# modify_metadef_tag
"modify_metadef_tag": ""

# add_metadef_tag
"add_metadef_tag": ""

# add_metadef_tags
"add_metadef_tags": ""

# delete_metadef_tag
"delete_metadef_tag": ""

# delete_metadef_tags
"delete_metadef_tags": ""

# WARNING: Below rules are either deprecated rules
# or extra rules in policy file, it is strongly
# recommended to switch to new rules.
"glance_creator": "role:admin or role:spl_role"
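Review bot: the trailing ``# WARNING: Below rules are either deprecated rules / or extra rules in policy file, it is strongly / recommended to switch to new rules.`` block is converter boilerplate that is misleading in a test fixture: ``glance_creator`` is not deprecated, it is the test-only rule that the ``property-protections-policies.conf`` fixture (copied next to this file in the functional test setup) refers to. Replace the converter's warning with a comment saying what the rule exists for, so nobody "cleans it up" and silently breaks the property-protection tests.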
@ -804,7 +804,7 @@ class FunctionalTest(test_utils.BaseTestCase):
conf_dir = os.path.join(self.test_dir, 'etc')
utils.safe_mkdirs(conf_dir)
self.copy_data_file('schema-image.json', conf_dir)
self.copy_data_file('policy.json', conf_dir)
self.copy_data_file('policy.yaml', conf_dir)
self.copy_data_file('property-protections.conf', conf_dir)
self.copy_data_file('property-protections-policies.conf', conf_dir)
self.property_file_roles = os.path.join(conf_dir,
@ -812,7 +812,7 @@ class FunctionalTest(test_utils.BaseTestCase):
property_policies = 'property-protections-policies.conf'
self.property_file_policies = os.path.join(conf_dir,
property_policies)
self.policy_file = os.path.join(conf_dir, 'policy.json')
self.policy_file = os.path.join(conf_dir, 'policy.yaml')

self.api_server = ApiServer(self.test_dir,
self.api_port,
@ -1153,7 +1153,7 @@ class MultipleBackendFunctionalTest(test_utils.BaseTestCase):
conf_dir = os.path.join(self.test_dir, 'etc')
utils.safe_mkdirs(conf_dir)
self.copy_data_file('schema-image.json', conf_dir)
self.copy_data_file('policy.json', conf_dir)
self.copy_data_file('policy.yaml', conf_dir)
self.copy_data_file('property-protections.conf', conf_dir)
self.copy_data_file('property-protections-policies.conf', conf_dir)
self.property_file_roles = os.path.join(conf_dir,
@ -1161,7 +1161,7 @@ class MultipleBackendFunctionalTest(test_utils.BaseTestCase):
property_policies = 'property-protections-policies.conf'
self.property_file_policies = os.path.join(conf_dir,
property_policies)
self.policy_file = os.path.join(conf_dir, 'policy.json')
self.policy_file = os.path.join(conf_dir, 'policy.yaml')

self.api_server_multiple_backend = ApiServerForMultipleBackend(
self.test_dir, self.api_port, self.policy_file, sock=api_sock)
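Review bot: every test fixture still passes the policy file explicitly (``self.policy_file`` to ``ApiServerForMultipleBackend(...)`` here, and ``self.config(policy_file=..., group='oslo_policy')`` in the unit-test base class), so nothing in the suite exercises the changed default of ``[oslo_policy] policy_file``, which is the behavioural change this commit makes. Add a test that leaves ``policy_file`` unset, drops a ``policy.yaml`` (and a stray ``policy.json``) into the config dir, and asserts the enforcer loads the YAML file and ignores the JSON one.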
@ -95,7 +95,7 @@ class BaseTestCase(testtools.TestCase):
self.useFixture(glance_fixtures.StandardLogging())

def set_policy(self):
conf_file = "policy.json"
conf_file = "policy.yaml"
self.policy_file = self._copy_data_file(conf_file, self.conf_dir)
self.config(policy_file=self.policy_file, group='oslo_policy')

@ -57,18 +57,18 @@ networkx==2.2
os-client-config==1.29.0
os-win==4.0.1
oslo.concurrency==3.26.0
oslo.config==5.2.0
oslo.config==6.0.0
oslo.context==2.22.0
oslo.db==5.0.0
oslo.i18n==3.15.3
oslo.log==3.36.0
oslo.messaging==5.29.0
oslo.middleware==3.31.0
oslo.policy==2.4.1
oslo.policy==3.6.0
oslo.reports==1.18.0
oslo.serialization==2.25.0
oslo.service==1.41.1
oslo.upgradecheck==0.1.0
oslo.upgradecheck==1.3.0
oslo.utils==4.7.0
oslotest==3.2.0
osprofiler==1.4.0
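Review bot: the ``oslo.policy==3.6.0`` and ``oslo.upgradecheck==1.3.0`` bumps follow from the converter and ``common_checks`` usage in this change, but the ``oslo.config==5.2.0`` to ``6.0.0`` bump has no justification in the commit message; say which oslo.config API this change needs, or leave the minimum where it was.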
@ -98,7 +98,7 @@ python-mimeparse==1.6.0
python-subunit==1.2.0
python-swiftclient==3.2.0
pytz==2018.3
PyYAML==3.12
PyYAML==5.1
repoze.lru==0.7
requests==2.14.2
requestsexceptions==1.4.0
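Review bot: ``PyYAML==3.12`` to ``5.1`` is likewise unexplained; if it is only there because oslo.policy 3.6.0 carries that minimum, note it in the commit message, since lower-constraints is meant to record this project's own minimum and reviewers can't otherwise tell whether Glance itself depends on a 5.x behaviour.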
@ -0,0 +1,20 @@
---
upgrade:
- |
The default value of ``[oslo_policy] policy_file`` config option has
been changed from ``policy.json`` to ``policy.yaml``.
Operators who are utilizing customized or previously generated
static policy JSON files (which are not needed by default), should
generate new policy files or convert them in YAML format. Use the
`oslopolicy-convert-json-to-yaml
<https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
tool to convert a JSON to YAML formatted policy file in
backward compatible way.
deprecations:
- |
Use of JSON policy files was deprecated by the ``oslo.policy`` library
during the Victoria development cycle. As a result, this deprecation is
being noted in the Wallaby cycle with an anticipated future removal of support
by ``oslo.policy``. As such operators will need to convert to YAML policy
files. Please see the upgrade notes for details on migration of any
custom policy files.
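Review bot: the upgrade note should spell out the failure mode that actually matters: once the default is ``policy.yaml``, a customized ``policy.json`` that is neither converted nor named by ``[oslo_policy] policy_file`` is simply not loaded, Glance falls back to its in-code defaults, and any operator restriction (a tightened ``upload_image``, for instance) stops being enforced without an error at startup. Say that explicitly, and mention that the upgrade check added in this change reports a leftover JSON file so operators can catch it before the service is restarted. Wording: "convert them in YAML format" should be "convert them to YAML format", "in backward compatible way" should be "in a backward-compatible way", and "As such operators" needs a comma after "such".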
@ -15,10 +15,10 @@ sqlalchemy-migrate>=0.11.0 # Apache-2.0
sqlparse>=0.2.2 # BSD
alembic>=0.9.6 # MIT
httplib2>=0.9.1 # MIT
oslo.config>=5.2.0 # Apache-2.0
oslo.config>=6.0.0 # Apache-2.0
oslo.concurrency>=3.26.0 # Apache-2.0
oslo.context>=2.22.0 # Apache-2.0
oslo.upgradecheck>=0.1.0 # Apache-2.0
oslo.upgradecheck>=1.3.0 # Apache-2.0
oslo.utils>=4.7.0 # Apache-2.0
stevedore!=3.0.0,>=1.20.0 # Apache-2.0
futurist>=1.2.0 # Apache-2.0
@ -42,7 +42,7 @@ oslo.log>=3.36.0 # Apache-2.0
oslo.messaging>=5.29.0,!=9.0.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0
oslo.reports>=1.18.0 # Apache-2.0
oslo.policy>=2.4.1 # Apache-2.0
oslo.policy>=3.6.0 # Apache-2.0

retrying!=1.3.0,>=1.2.3 # Apache-2.0
osprofiler>=1.4.0 # Apache-2.0
@ -55,7 +55,7 @@ oslo.config.opts =
glance.manage = glance.opts:list_manage_opts
glance = glance.opts:list_image_import_opts
oslo.config.opts.defaults =
glance.api = glance.common.config:set_cors_middleware_defaults
glance.api = glance.common.config:set_config_defaults
glance.database.migration_backend =
sqlalchemy = oslo_db.sqlalchemy.migration
glance.database.metadata_backend =