diff --git a/barbican/cmd/status.py b/barbican/cmd/status.py
index daab75589..e5f3e4d6d 100644
--- a/barbican/cmd/status.py
+++ b/barbican/cmd/status.py
@@ -13,6 +13,7 @@
 # under the License.
 from oslo_config import cfg
+from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck
 from barbican.i18n import _
@@ -26,11 +27,6 @@ class Checks(upgradecheck.UpgradeCommands):
 and added to _upgrade_checks tuple.
 """
- def _check_placeholder(self):
- # This is just a placeholder for upgrade checks, it should be
- # removed when the actual checks are added
- return upgradecheck.Result(upgradecheck.Code.SUCCESS)
-
 # The format of the check functions is to return an
 # oslo_upgradecheck.upgradecheck.Result
 # object with the appropriate
@@ -39,8 +35,8 @@ class Checks(upgradecheck.UpgradeCommands):
 # in the returned Result's "details" attribute. The
 # summary will be rolled up at the end of the check() method.
 _upgrade_checks = (
- # In the future there should be some real checks added here
- (_('Placeholder'), _check_placeholder),
+ (_("Policy File JSON to YAML Migration"),
+ (common_checks.check_policy_json, {'conf': cfg.CONF})),
 )
diff --git a/barbican/common/config.py b/barbican/common/config.py
index 766f0feb8..7abd83f15 100644
--- a/barbican/common/config.py
+++ b/barbican/common/config.py
@@ -23,6 +23,7 @@ import os
 from oslo_config import cfg
 from oslo_log import log
 from oslo_middleware import cors
+from oslo_policy import opts as policy_opts
 from oslo_service import _options
 from barbican import i18n as u
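Review bot: In `_upgrade_checks` (barbican/cmd/status.py, the `@@ -39,8 +35,8 @@` hunk) the policy check is bound to the global `cfg.CONF`, while the other files in this commit set the `policy.yaml` default on the `CONF` object taken from `barbican.common.config`. If those are different ConfigOpts instances, which this diff does not show, the upgrade check may evaluate a different `[oslo_policy] policy_file` value than the one the API service enforces, and an operator could get a passing check while a JSON policy file is still in effect. I would pass the service's own object, `(common_checks.check_policy_json, {'conf': config.CONF})` with `from barbican.common import config`, or add a comment above the tuple entry stating why `cfg.CONF` is the right object here. The `Checks` class body starts and ends outside the hunk.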
@@ -322,6 +323,24 @@ def setup_remote_pydev_debug():
 raise
+def set_lib_defaults():
+ """Update default value for configuration options from other namespace.
+
+ Example, oslo lib config options. This is needed for
+ config generator tool to pick these default value changes.
+ https://docs.openstack.org/oslo.config/latest/cli/
+ generator.html#modifying-defaults-from-other-namespaces
+ """
+
+ set_middleware_defaults()
+
+ # TODO(gmann): Remove setting the default value of config policy_file
+ # once oslo_policy change the default value to 'policy.yaml'.
+ # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+ DEFAULT_POLICY_FILE = 'policy.yaml'
+ policy_opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+
+
 def set_middleware_defaults():
 """Update default configuration options for oslo.middleware."""
 cors.set_defaults(
diff --git a/barbican/common/policy.py b/barbican/common/policy.py
index 42f7c3ed9..06bdd8d96 100644
--- a/barbican/common/policy.py
+++ b/barbican/common/policy.py
@@ -13,6 +13,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+from oslo_policy import opts
 from oslo_policy import policy
 from barbican.common import config
@@ -22,6 +23,13 @@ CONF = config.CONF
 ENFORCER = None
+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+
+
 def reset():
 global ENFORCER
 if ENFORCER:
diff --git a/barbican/tests/api/test_resources_policy.py b/barbican/tests/api/test_resources_policy.py
index 64fa25fe7..a892aa562 100644
--- a/barbican/tests/api/test_resources_policy.py
+++ b/barbican/tests/api/test_resources_policy.py
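Review bot: The `policy.yaml` default is set in two places: inside `set_lib_defaults()` in barbican/common/config.py (the `@@ -322,6 +323,24 @@` hunk) and again at import time in barbican/common/policy.py (the `@@ -22,6 +23,13 @@` hunk), each with its own `DEFAULT_POLICY_FILE` and a copy of the same TODO. Two copies of an access-control default can drift apart when one is later edited or removed, so I would keep a single module-level `DEFAULT_POLICY_FILE = 'policy.yaml'` in config.py and have policy.py call `opts.set_defaults(CONF, config.DEFAULT_POLICY_FILE)`. Inside `set_lib_defaults()` the upper-case name is only a function local, which reads like a constant but cannot be imported. The function's docstring could also state in one line that it chains `set_middleware_defaults()` and then applies the policy-file default.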
@@ -36,7 +36,7 @@ from barbican.model import models from barbican.tests import utils -# Point to the policy.json file located in source control. +# Point to the policy.yaml file located in source control. TEST_VAR_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), '../../../etc', 'barbican')) diff --git a/doc/source/admin/access_control.rst b/doc/source/admin/access_control.rst index e1fe38a13..8f5eae6d8 100644 --- a/doc/source/admin/access_control.rst +++ b/doc/source/admin/access_control.rst @@ -9,7 +9,7 @@ Like many other services, the Key Manager service supports the protection of its APIs by enforcing policy rules defined in a policy file. The Key Manager service stores a reference to a policy JSON file in its configuration file, :file:`/etc/barbican/barbican.conf`. Typically this file is named -``policy.json`` and it is stored in :file:`/etc/barbican/policy.json`. +``policy.yaml`` and it is stored in :file:`/etc/barbican/policy.yaml`. Each Key Manager API call has a line in the policy file that dictates which level of access applies: @@ -46,7 +46,7 @@ Default Policy The policy engine in OpenStack is very flexible and allows for customized policies that make sense for your particular cloud. The Key Manager service -comes with a sample ``policy.json`` file which can be used as the starting +comes with a sample ``policy.yaml`` file which can be used as the starting point for a customized policy. The sample policy defines 5 distinct roles: key-manager:service-admin diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst index 6c6f80b9a..246308cb5 100644 --- a/doc/source/configuration/policy.rst +++ b/doc/source/configuration/policy.rst 
@@ -4,6 +4,14 @@ Policy configuration ==================== +.. warning:: + + JSON formatted policy file is deprecated since Barbican 12.0.0 (Wallaby). + This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing + JSON-formatted policy file to YAML in a backward-compatible way. + +.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html + Configuration ~~~~~~~~~~~~~ diff --git a/releasenotes/notes/deprecate-json-formatted-policy-file-b135aa7551e81066.yaml b/releasenotes/notes/deprecate-json-formatted-policy-file-b135aa7551e81066.yaml new file mode 100644 index 000000000..c9c530004 --- /dev/null +++ b/releasenotes/notes/deprecate-json-formatted-policy-file-b135aa7551e81066.yaml @@ -0,0 +1,20 @@ +--- +upgrade: + - | + The default value of ``[oslo_policy] policy_file`` config option has + been changed from ``policy.json`` to ``policy.yaml``. + Operators who are utilizing customized or previously generated + static policy JSON files (which are not needed by default), should + generate new policy files or convert them in YAML format. Use the + `oslopolicy-convert-json-to-yaml + `_ + tool to convert a JSON to YAML formatted policy file in + backward compatible way. +deprecations: + - | + Use of JSON policy files was deprecated by the ``oslo.policy`` library + during the Victoria development cycle. As a result, this deprecation is + being noted in the Wallaby cycle with an anticipated future removal of support + by ``oslo.policy``. As such operators will need to convert to YAML policy + files. Please see the upgrade notes for details on migration of any + custom policy files. diff --git a/requirements.txt b/requirements.txt index 3d6174dfb..61a1ed727 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -16,7 +16,7 @@ oslo.log>=4.3.0 # Apache-2.0
 oslo.policy>=3.6.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
-oslo.upgradecheck>=0.1.1 # Apache-2.0
+oslo.upgradecheck>=1.3.0 # Apache-2.0
 oslo.utils>=3.33.0 # Apache-2.0
 oslo.versionedobjects>=1.31.2 # Apache-2.0
 Paste>=2.0.2 # MIT
diff --git a/setup.cfg b/setup.cfg
index ad01a3f9f..c73d5a19e 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -82,7 +82,7 @@ oslo.config.opts =
 barbican.certificate.plugin = barbican.plugin.interface.certificate_manager:list_opts
 barbican.certificate.plugin.snakeoil = barbican.plugin.snakeoil_ca:list_opts
 oslo.config.opts.defaults =
- barbican.common.config = barbican.common.config:set_middleware_defaults
+ barbican.common.config = barbican.common.config:set_lib_defaults
 # TBD: OpenStack stuff...
 # NOTE(jkoelker) To run the test suite under nose install the following