As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:
1. Change the default value of '[oslo_policy] policy_file''
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.
2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.
Also replace policy.json to policy.yaml ref from doc and tests.
CONF object needs to be initialized before policy enforcer(). That
need to remove cfg.CONF.unregister_opts from TestAuthUtils cleanup
as this is taken care by cfg.clear() with proper workflow otherwise
it end up with error
"oslo_config.cfg.ArgsAlreadyParsedError: arguments
already parsed: reset before unregistering options"
- https://b132754ee7062a9ab187-9add4719a9922a9385555a8552fc2366.ssl.cf5.rackcdn.com/768520/5/check/openstack-tox-py38/7964354/testr_results.html
[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: I1b6c6485bc651fd0b87244a68204036dd4aa37f4
This commit removes the murano default policy.json file from
etc/murano and references to it in murano's devstack plugin.
(References to the policy.json in muranodashboard remain
the same).
This commit specifically:
- removes the default policy.json
- removes references to it in devstack plugin
- adds base rules to murano.common.policies.__init__ because
they are the last rules to be included
- updates base admin_api rule to is_admin:True from
is_admin:1 (because the latter was causing issues)
- updates Murano policy documentation
Partially Implements: blueprint policy-in-code
Depends-On: Ia372983d2bd1010cd19f04061f3276ed16e9c1c9
Change-Id: I1a8581a559e4333a74d56a5bdce7e6d1f117907d
This patch introduces the beginning implementation for registering
default policy rules in code. Default rules are defined under
murano.common.policies. Each API's policies are defined in a
sub-folder under that path and __init__.py contains all the
default policies in code which are registered in the ``init``
enforcer function in murano/common/policy.py.
The default rules for the environments API was removed from the
policy.json and moved into code under
murano.common.policies.environment. This can be gradually done
for the rest of the APIs in follow-up patches.
This commit does the following:
- Creates the ``policies`` module that contains all the default
policies in code.
- Adds the base policy rules into code (the admin_api,
context_is_admin, and default rules).
- Adds the environment default policy module with default
policy rules for the environments API.
Partially Implements: blueprint policy-in-code
Change-Id: Iebf2c60d1d31b73829fad189ada7ceee28e714bd
To follow latest community practices we need to use oslo_log in
murano instead of handcrafted libs.
Unsupported log level 'audit' was changed to 'info'.
Change-Id: I40c0f3790e34bf80d0b63554e86b3cbc019eefca
Corresponding changes were made in murano common policy file
and in requirements.
Change-Id: Ic7c4f61db0bb2655c4c0041500bd74e8890ea038
Closes-Bug: #1458945
The Oslo libraries have moved all of their code out of the 'oslo'
namespace package into per-library packages. The namespace package was
retained during kilo for backwards compatibility, but will be removed by
the liberty-2 milestone. This change removes the use of the namespace
package, replacing it with the new package names.
The patches in the libraries will be put on hold until application
patches have landed, or L2, whichever comes first. At that point, new
versions of the libraries without namespace packages will be released as
a major version update.
Please merge this patch, or an equivalent, before L2 to avoid problems
with those library releases.
Blueprint: remove-namespace-packages
https://blueprints.launchpad.net/oslo-incubator/+spec/remove-namespace-packages
Change-Id: I975592f3694be42d52685ebf606f6d3012caf1a8
* Set admin rule for a several API calls and remove direct check in code
* Now admin can configure policy.json and enable package management for regular users
* Update common policy module
Closes-Bug: #1412868
Change-Id: I8d0725b613564529d32a5acef289f4822f32915c
Remove gettextutils in favor of oslo.i18n suite for
internationalization purposes. Wrap murano.common.i18n around
oslo.i18n. Mark all logs messages of levels higher than
DEBUG for translation with _/_LI/_LW/_LE/_LC to conform with
oslo.i18n guidelines.
Change-Id: I09a2e2fc802e404f5c59fa4edd2a2124ad24101a
Implements: blueprint organize-translation
* Change to policy check signature to default to an empty target
* Tests for policy checks were very inflexible. Changed now so that
for each API test policy rules must be explicitly provided, and
tests must record which, how many, and in what order policy checks
should be expected
* Test requests look more like actual requests; rather than calling the
controller functions directly, tests go through the WSGI mapper/router
infrastructure and all input/output must be valid as far as the wsgi
is concerned.
Change-Id: I1dbf35249b4efd6ae9c85b08139e3a627fff6fc5
Adds ability for deploy-time auth checks to allow/disallow
functionality, in line with other openstack projects.
Includes update of code in openstack/common, which is why the
patchset is so large. oslo-incubator changeset is May 27th
caed79d8239679cb74476bb0d9e5011b4fcc39da.
Implements blueprint policy-checks-in-api
Change-Id: I67a431dcc74f0a77ed48b7a489136d5008773cea