[goal] Deprecate the JSON formatted policy file

As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to do two things: 1. Change the default value of '[oslo_policy] policy_file'' config option from 'policy.json' to 'policy.yaml' with upgrade checks. 2. Deprecate the JSON formatted policy file on the project side via warning in doc and releasenotes. Also replace policy.json to policy.yaml ref from doc and tests. [1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: Idaa65dac1c97324d671b9a07a2f3d51bb128e8c2
2020-12-06 14:19:06 -06:00 · 2020-12-06 14:19:06 -06:00 · d6c01bba59
commit d6c01bba59
parent 4b26965651
9 changed files with 63 additions and 12 deletions
--- a/barbican/cmd/status.py
+++ b/barbican/cmd/status.py
@ -13,6 +13,7 @@
 #    under the License.

 from oslo_config import cfg
+from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck

 from barbican.i18n import _
@ -26,11 +27,6 @@ class Checks(upgradecheck.UpgradeCommands):
    and added to _upgrade_checks tuple.
    """

-    def _check_placeholder(self):
-        # This is just a placeholder for upgrade checks, it should be
-        # removed when the actual checks are added
-        return upgradecheck.Result(upgradecheck.Code.SUCCESS)
-
    # The format of the check functions is to return an
    # oslo_upgradecheck.upgradecheck.Result
    # object with the appropriate
@ -39,8 +35,8 @@ class Checks(upgradecheck.UpgradeCommands):
    # in the returned Result's "details" attribute. The
    # summary will be rolled up at the end of the check() method.
    _upgrade_checks = (
-        # In the future there should be some real checks added here
-        (_('Placeholder'), _check_placeholder),
+        (_("Policy File JSON to YAML Migration"),
+         (common_checks.check_policy_json, {'conf': cfg.CONF})),
    )


--- a/barbican/common/config.py
+++ b/barbican/common/config.py
@ -23,6 +23,7 @@ import os
 from oslo_config import cfg
 from oslo_log import log
 from oslo_middleware import cors
+from oslo_policy import opts as policy_opts
 from oslo_service import _options

 from barbican import i18n as u
@ -322,6 +323,24 @@ def setup_remote_pydev_debug():
            raise


+def set_lib_defaults():
+    """Update default value for configuration options from other namespace.
+
+    Example, oslo lib config options. This is needed for
+    config generator tool to pick these default value changes.
+    https://docs.openstack.org/oslo.config/latest/cli/
+    generator.html#modifying-defaults-from-other-namespaces
+    """
+
+    set_middleware_defaults()
+
+    # TODO(gmann): Remove setting the default value of config policy_file
+    # once oslo_policy change the default value to 'policy.yaml'.
+    # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+    DEFAULT_POLICY_FILE = 'policy.yaml'
+    policy_opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+
+
 def set_middleware_defaults():
    """Update default configuration options for oslo.middleware."""
    cors.set_defaults(
--- a/barbican/common/policy.py
+++ b/barbican/common/policy.py
@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+from oslo_policy import opts
 from oslo_policy import policy

 from barbican.common import config
@ -22,6 +23,13 @@ CONF = config.CONF
 ENFORCER = None


+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+
+
 def reset():
    global ENFORCER
    if ENFORCER:
--- a/barbican/tests/api/test_resources_policy.py
+++ b/barbican/tests/api/test_resources_policy.py
@ -36,7 +36,7 @@ from barbican.model import models
 from barbican.tests import utils


-# Point to the policy.json file located in source control.
+# Point to the policy.yaml file located in source control.
 TEST_VAR_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__),
                                            '../../../etc', 'barbican'))

--- a/doc/source/admin/access_control.rst
+++ b/doc/source/admin/access_control.rst
@ -9,7 +9,7 @@ Like many other services, the Key Manager service supports the protection of its
 APIs by enforcing policy rules defined in a policy file.  The Key Manager
 service stores a reference to a policy JSON file in its configuration file,
 :file:`/etc/barbican/barbican.conf`.  Typically this file is named
-``policy.json`` and it is stored in :file:`/etc/barbican/policy.json`.
+``policy.yaml`` and it is stored in :file:`/etc/barbican/policy.yaml`.

 Each Key Manager API call has a line in the policy file that dictates which
 level of access applies:
@ -46,7 +46,7 @@ Default Policy

 The policy engine in OpenStack is very flexible and allows for customized
 policies that make sense for your particular cloud.  The Key Manager service
-comes with a sample ``policy.json`` file which can be used as the starting
+comes with a sample ``policy.yaml`` file which can be used as the starting
 point for a customized policy.  The sample policy defines 5 distinct roles:

 key-manager:service-admin
--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@ -4,6 +4,14 @@
 Policy configuration
 ====================

+.. warning::
+
+   JSON formatted policy file is deprecated since Barbican 12.0.0 (Wallaby).
+   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
+   JSON-formatted policy file to YAML in a backward-compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
 Configuration
 ~~~~~~~~~~~~~

--- a/releasenotes/notes/deprecate-json-formatted-policy-file-b135aa7551e81066.yaml
+++ b/releasenotes/notes/deprecate-json-formatted-policy-file-b135aa7551e81066.yaml
@ -0,0 +1,20 @@
+---
+upgrade:
+  - |
+    The default value of ``[oslo_policy] policy_file`` config option has
+    been changed from ``policy.json`` to ``policy.yaml``.
+    Operators who are utilizing customized or previously generated
+    static policy JSON files (which are not needed by default), should
+    generate new policy files or convert them in YAML format. Use the
+    `oslopolicy-convert-json-to-yaml
+    <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
+    tool to convert a JSON to YAML formatted policy file in
+    backward compatible way.
+deprecations:
+  - |
+    Use of JSON policy files was deprecated by the ``oslo.policy`` library
+    during the Victoria development cycle. As a result, this deprecation is
+    being noted in the Wallaby cycle with an anticipated future removal of support
+    by ``oslo.policy``. As such operators will need to convert to YAML policy
+    files. Please see the upgrade notes for details on migration of any
+    custom policy files.
--- a/requirements.txt
+++ b/requirements.txt
@ -16,7 +16,7 @@ oslo.log>=4.3.0 # Apache-2.0
 oslo.policy>=3.6.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
-oslo.upgradecheck>=0.1.1 # Apache-2.0
+oslo.upgradecheck>=1.3.0 # Apache-2.0
 oslo.utils>=3.33.0 # Apache-2.0
 oslo.versionedobjects>=1.31.2 # Apache-2.0
 Paste>=2.0.2 # MIT
--- a/setup.cfg
+++ b/setup.cfg
@ -82,7 +82,7 @@ oslo.config.opts =
    barbican.certificate.plugin = barbican.plugin.interface.certificate_manager:list_opts
    barbican.certificate.plugin.snakeoil = barbican.plugin.snakeoil_ca:list_opts
 oslo.config.opts.defaults =
-    barbican.common.config = barbican.common.config:set_middleware_defaults
+    barbican.common.config = barbican.common.config:set_lib_defaults

 # TBD: OpenStack stuff...
 # NOTE(jkoelker) To run the test suite under nose install the following