diff --git a/aodh/api/hooks.py b/aodh/api/hooks.py index 0965ebca2..dfc813b7a 100644 --- a/aodh/api/hooks.py +++ b/aodh/api/hooks.py @@ -13,11 +13,19 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_config import cfg +from oslo_policy import opts from oslo_policy import policy from pecan import hooks from aodh.api import policies +# TODO(gmann): Remove setting the default value of config policy_file +# once oslo_policy change the default value to 'policy.yaml'. +# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 +DEFAULT_POLICY_FILE = 'policy.yaml' +opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE) + class ConfigHook(hooks.PecanHook): """Attach the configuration and policy enforcer object to the request. diff --git a/aodh/cmd/status.py b/aodh/cmd/status.py index cefe168b3..db7762a32 100644 --- a/aodh/cmd/status.py +++ b/aodh/cmd/status.py @@ -15,6 +15,7 @@ import sys from oslo_config import cfg +from oslo_upgradecheck import common_checks from oslo_upgradecheck import upgradecheck from aodh.i18n import _ @@ -30,17 +31,9 @@ class Checks(upgradecheck.UpgradeCommands): and added to _upgrade_checks tuple. """ - def _sample_check(self): - """This is sample check added to test the upgrade check framework - - It needs to be removed after adding any real upgrade check - """ - return upgradecheck.Result(upgradecheck.Code.SUCCESS, 'Sample detail') - _upgrade_checks = ( - # Sample check added for now. - # Whereas in future real checks must be added here in tuple - (_('Sample Check'), _sample_check), + (_('policy File JSON to YAML Migration'), + (common_checks.check_policy_json, {'conf': CONF})), ) diff --git a/aodh/conf/defaults.py b/aodh/conf/defaults.py index 8750c9c1d..e6ace8550 100644 --- a/aodh/conf/defaults.py +++ b/aodh/conf/defaults.py 
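Review bot: In aodh/api/hooks.py the new module-level `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)` changes the `policy_file` default as a side effect of importing the module. The same default is set again in `set_lib_defaults()` (aodh/conf/defaults.py), while `prepare_service()` (aodh/service.py) sets an absolute packaged path on its own `conf`. If oslo.policy applies these defaults to shared option definitions, which should be confirmed, the policy file the enforcer loads depends on which call ran last. I would keep one source for the value, for example define `DEFAULT_POLICY_FILE` once in aodh/conf/defaults.py and reference it here, and add a comment saying which of the three defaults is meant to win.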
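Review bot: In aodh/cmd/status.py the check is registered with `{'conf': CONF}`, the global config object (defined outside this hunk), whereas the services enforce the `policy_file` resolved on the `conf` built by `prepare_service()`, whose default is an absolute path inside the package. The upgrade check may therefore inspect a different file than the one the API enforces, so a SUCCESS result would not necessarily mean that no JSON policy is in effect. A comment above the tuple would make the scope explicit, e.g. `# Inspects [oslo_policy] policy_file as resolved on the global CONF.` As a matter of style, the check title starts with a lowercase `policy`; `_('Policy File JSON to YAML Migration')` reads better in the command output.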
@@ -12,7 +12,23 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_config import cfg from oslo_middleware import cors +from oslo_policy import opts as policy_opts + + +def set_lib_defaults(): + """Update default value for configuration options from other namespace. + + Example, oslo lib config options. This is needed for + config generator tool to pick these default value changes. + https://docs.openstack.org/oslo.config/latest/cli/ + generator.html#modifying-defaults-from-other-namespaces + """ + set_cors_middleware_defaults() + + # Update default value of oslo.policy policy_file config option. + policy_opts.set_defaults(cfg.CONF, 'policy.yaml') def set_cors_middleware_defaults(): diff --git a/aodh/service.py b/aodh/service.py index e83198791..6e747709e 100644 --- a/aodh/service.py +++ b/aodh/service.py @@ -87,7 +87,7 @@ def prepare_service(argv=None, config_files=None): if profiler_opts: profiler_opts.set_defaults(conf) policy_opts.set_defaults(conf, policy_file=os.path.abspath( - os.path.join(os.path.dirname(__file__), "api", "policy.json"))) + os.path.join(os.path.dirname(__file__), "api", "policy.yaml"))) from aodh import opts # Register our own Aodh options for group, options in opts.list_opts(): diff --git a/aodh/tests/functional/api/v2/policy.json-test b/aodh/tests/functional/api/v2/policy.json-test deleted file mode 100644 index 58a01a7ab..000000000 --- a/aodh/tests/functional/api/v2/policy.json-test +++ /dev/null @@ -1,7 +0,0 @@ -{ - "context_is_admin": "role:admin", - "segregation": "rule:context_is_admin", - "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s", - "default": "rule:admin_or_owner", - "telemetry:get_alarms": "role:admin" -} diff --git a/aodh/tests/functional/api/v2/policy.yaml-test b/aodh/tests/functional/api/v2/policy.yaml-test new file mode 100644 index 000000000..7a09cb594 --- /dev/null +++ b/aodh/tests/functional/api/v2/policy.yaml-test 
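Review bot: The docstring of `set_lib_defaults()` in aodh/conf/defaults.py does not say that the function is the `oslo.config.opts.defaults` entry point (setup.cfg is switched to it in this commit), which is why it has to call `set_cors_middleware_defaults()` itself. I would open it with `"""Entry point for oslo.config.opts.defaults: apply Aodh's overrides of library option defaults."""` and keep the explanation about the config generator below that summary line. The reference URL is split across two docstring lines and cannot be followed as written; it is better kept on one line even if that exceeds the usual line length.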
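Review bot: In `prepare_service()` (aodh/service.py) the default `policy_file` now points at `api/policy.yaml` inside the package, but nothing in this diff adds or renames a file at that path. A deployment that had customised the packaged `api/policy.json` in place would stop having those rules loaded, without any error. If oslo.policy treats a missing policy file as "use the registered in-code defaults" (to be confirmed for the minimum version in requirements.txt), access rules an operator had tightened could silently revert on upgrade. If falling back to in-code policies is the intent, a comment on this call such as `# Operator overrides only; in-code policies apply when this file is absent.` and a sentence in the upgrade release note would make that visible. The function body continues outside the hunk.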
@@ -0,0 +1,8 @@ +# WARNING: Below rules are either deprecated rules +# or extra rules in policy file, it is strongly +# recommended to switch to new rules. +"context_is_admin": "role:admin" +"segregation": "rule:context_is_admin" +"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s" +"default": "rule:admin_or_owner" +"telemetry:get_alarms": "role:admin" diff --git a/aodh/tests/functional/api/v2/test_alarm_scenarios.py b/aodh/tests/functional/api/v2/test_alarm_scenarios.py index a6e380f62..3d2e55de3 100644 --- a/aodh/tests/functional/api/v2/test_alarm_scenarios.py +++ b/aodh/tests/functional/api/v2/test_alarm_scenarios.py @@ -414,7 +414,7 @@ class TestAlarms(TestAlarmsBase): _test('project_id') def test_get_alarm_forbiden(self): - pf = os.path.abspath('aodh/tests/functional/api/v2/policy.json-test') + pf = os.path.abspath('aodh/tests/functional/api/v2/policy.yaml-test') self.CONF.set_override('policy_file', pf, group='oslo_policy') self.CONF.set_override('auth_mode', None, group='api') self.app = webtest.TestApp(app.load_app(self.CONF)) diff --git a/aodh/tests/unit/cmd/test_status.py b/aodh/tests/unit/cmd/test_status.py index b5dc275ff..f479b2cde 100644 --- a/aodh/tests/unit/cmd/test_status.py +++ b/aodh/tests/unit/cmd/test_status.py @@ -12,6 +12,7 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_config import cfg from oslo_upgradecheck.upgradecheck import Code from aodh.cmd import status 
@@ -23,8 +24,13 @@ class TestUpgradeChecks(base.BaseTestCase): def setUp(self): super(TestUpgradeChecks, self).setUp() self.cmd = status.Checks() + cfg.CONF(args=[], project='aodh') - def test__sample_check(self): - check_result = self.cmd._sample_check() - self.assertEqual( - Code.SUCCESS, check_result.code) + def test_checks(self): + for name, func in self.cmd._upgrade_checks: + if isinstance(func, tuple): + func_name, kwargs = func + result = func_name(self, **kwargs) + else: + result = func(self) + self.assertEqual(Code.SUCCESS, result.code) diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst index 1593f24cc..f47f8bdcb 100644 --- a/doc/source/configuration/policy.rst +++ b/doc/source/configuration/policy.rst @@ -2,6 +2,14 @@ Aodh Sample Policy Configuration File ===================================== +.. warning:: + + JSON formatted policy file is deprecated since Aodh 12.0.0 (Wallaby). + This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing + JSON-formatted policy file to YAML in a backward-compatible way. + +.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html + The following is an overview of all available policies in Aodh. For a sample configuration file, refer to :doc:`sample-policy-yaml`. diff --git a/doc/source/configuration/sample-policy-yaml.rst b/doc/source/configuration/sample-policy-yaml.rst index 90e1e1183..01b29fd44 100644 --- a/doc/source/configuration/sample-policy-yaml.rst +++ b/doc/source/configuration/sample-policy-yaml.rst 
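Review bot: In `TestUpgradeChecks.setUp` (aodh/tests/unit/cmd/test_status.py), `cfg.CONF(args=[], project='aodh')` lets oslo.config search the default config locations for the project, so the outcome of `check_policy_json` can depend on files present on the machine running the tests. `cfg.CONF(args=[], project='aodh', default_config_files=[])` would keep the test hermetic. In `test_checks` the test case itself is passed as the first argument (`func_name(self, **kwargs)` and `func(self)`); passing `self.cmd` matches what the command object would hand to its own checks. The loop variable `name` is unused and would serve well as the failure message: `self.assertEqual(Code.SUCCESS, result.code, name)`.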
@@ -2,6 +2,14 @@ policy.yaml =========== +.. warning:: + + JSON formatted policy file is deprecated since Aodh 12.0.0 (Wallaby). + This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing + JSON-formatted policy file to YAML in a backward-compatible way. + +.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html + Use the ``policy.yaml`` file to define additional access controls that will be applied to Aodh: diff --git a/releasenotes/notes/deprecate-json-formatted-policy-file-fgb26387a9bdb3b9.yaml b/releasenotes/notes/deprecate-json-formatted-policy-file-fgb26387a9bdb3b9.yaml new file mode 100644 index 000000000..c9c530004 --- /dev/null +++ b/releasenotes/notes/deprecate-json-formatted-policy-file-fgb26387a9bdb3b9.yaml @@ -0,0 +1,20 @@ +--- +upgrade: + - | + The default value of ``[oslo_policy] policy_file`` config option has + been changed from ``policy.json`` to ``policy.yaml``. + Operators who are utilizing customized or previously generated + static policy JSON files (which are not needed by default), should + generate new policy files or convert them in YAML format. Use the + `oslopolicy-convert-json-to-yaml + `_ + tool to convert a JSON to YAML formatted policy file in + backward compatible way. +deprecations: + - | + Use of JSON policy files was deprecated by the ``oslo.policy`` library + during the Victoria development cycle. As a result, this deprecation is + being noted in the Wallaby cycle with an anticipated future removal of support + by ``oslo.policy``. As such operators will need to convert to YAML policy + files. Please see the upgrade notes for details on migration of any + custom policy files. diff --git a/requirements.txt b/requirements.txt index 435b8f900..54dabb670 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -10,12 +10,12 @@ keystonemiddleware>=5.1.0 # Apache-2.0 gnocchiclient>=3.1.0 # Apache-2.0 lxml>=2.3 oslo.db>=4.8.0,!=4.13.1,!=4.13.2,!=4.15.0 # Apache-2.0 -oslo.config>=2.6.0 # Apache-2.0 +oslo.config>=6.8.0 # Apache-2.0 oslo.context>=2.22.0 # Apache-2.0 oslo.i18n>=1.5.0 # Apache-2.0 oslo.log>=4.3.0 # Apache-2.0 oslo.policy>=3.6.0 # Apache-2.0 -oslo.upgradecheck>=0.1.1 # Apache-2.0 +oslo.upgradecheck>=1.3.0 # Apache-2.0 PasteDeploy>=1.5.0 pbr>=2.0.0 # Apache-2.0 pecan>=0.8.0 diff --git a/setup.cfg b/setup.cfg index d88c8faaf..539661748 100644 --- a/setup.cfg +++ b/setup.cfg @@ -110,7 +110,7 @@ oslo.config.opts = aodh-auth = aodh.opts:list_keystoneauth_opts oslo.config.opts.defaults = - aodh = aodh.conf.defaults:set_cors_middleware_defaults + aodh = aodh.conf.defaults:set_lib_defaults oslo.policy.policies = aodh = aodh.api.policies:list_rules