
As per the community goal of migrating the policy file format from JSON to YAML[1], we need to do two things:

1. Change the default value of the '[oslo_policy] policy_file' config option from 'policy.json' to 'policy.yaml' with upgrade checks.
2. Deprecate the JSON formatted policy file on project side via warning in doc and format releasenotes.

1st item is already done by cinder in Stein so this commit only covers the 2nd item.

Since oslo.policy 3.6.0, by default oslo policy will fall back to existing policy.json file to give operator some time to migrate it to new default policy.yaml. But cinder already changed the default value to policy.yaml long back since Stein so no need to fall back to default JSON file. To do that it disables this fallback via flag to oslo.policy.

Also convert the tests/unit/policy.json to policy.yaml file.

Additionally, made some corrections to outdated documentation when removing references to a "policy.json" file.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Co-Authored-By: Brian Rosmaita <rosmaita.fossdev@gmail.com>
Change-Id: Iaf8a454e60d1e4b66981b61175f89203cc15e439
55 lines
2.3 KiB
ReStructuredText
.. _policy-file:

===========
policy.yaml
===========

The ``policy.yaml`` file defines additional access controls that apply
to the Block Storage service.

Prior to Cinder 12.0.0 (the Queens release), a JSON policy file was required to
run Cinder. From the Queens release onward, the following hold:

* It is possible to run Cinder safely without a policy file, as sensible
  default values are defined in the code.

* If you wish to run Cinder with policies different from the default, you may
  write a policy file.

* Given that JSON does not allow comments, we recommend using YAML to write
  a custom policy file. (Also, see next item.)

* OpenStack has deprecated the use of a JSON policy file since the Wallaby
  release (Cinder 18.0.0). If you are still using the JSON format, there
  is an `oslopolicy-convert-json-to-yaml`__ tool that will migrate your
  existing JSON-formatted policy file to YAML in a backward-compatible way.

  .. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html

* If you supply a custom policy file, you only need to supply entries for the
  policies you wish to change from their default values. For instance, if you
  want to change the default value of "volume:create", you only need to keep
  this single rule in your policy config file.

* The default policy file location is ``/etc/cinder/policy.yaml``. You may
  override this by specifying a different file location as the value of the
  ``policy_file`` configuration option in the ``[oslo_policy]`` section of
  the Cinder configuration file.

* Instructions for generating a sample ``policy.yaml`` file directly from the
  Cinder source code can be found in the file ``README-policy.generate.md``
  in the ``etc/cinder`` directory in the Cinder `source code repository
  <https://opendev.org/openstack/cinder>`_ (or its `GitHub mirror
  <https://github.com/openstack/cinder>`_).

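The override-only and file-location items above, shown as an added example that is not taken from the Cinder documentation or source code. The file name ``policy-overrides.yaml`` and the check string ``role:admin`` are constructed for illustration.

```yaml
# /etc/cinder/policy-overrides.yaml
# (hypothetical path; the default location is /etc/cinder/policy.yaml)
#
# Selected in the Cinder configuration file with:
#   [oslo_policy]
#   policy_file = /etc/cinder/policy-overrides.yaml
#
# Only the rule being changed is listed. Every policy not named here
# keeps the default value defined in the Cinder code.
#
# Comments such as these are the reason YAML is recommended: the same
# override in the deprecated JSON format would be
#   {"volume:create": "role:admin"}
# with no place to record why the default was changed.
#
# Constructed check string: only users holding the admin role may
# create volumes.
"volume:create": "role:admin"
```
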
The following provides a listing of the default policies. It is not recommended
to copy this file into ``/etc/cinder`` unless you are planning on providing a
different policy for an operation that is not the default.

.. only:: html

   The sample policy file can also be viewed in `file form
   <../../../_static/cinder.policy.yaml.sample>`_.

.. literalinclude:: ../../../_static/cinder.policy.yaml.sample