From fafabad0422462e713da84b2467ba791b6af83dc Mon Sep 17 00:00:00 2001
From: Michael Johnson <johnsomor@gmail.com>
Date: Mon, 1 Jun 2020 14:28:38 -0700
Subject: [PATCH] Switch oslo.policy over to yaml

Oslo.policy is moving away from using json format policy files[1].

This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.

Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.

[1] https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html

Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c
---
 devstack/plugin.sh                       |  2 +-
 doc/source/configuration/policy.rst      |  9 ++++++---
 etc/policy/README.rst                    |  6 +++---
 etc/policy/admin_or_owner-policy.json    | 11 -----------
 etc/policy/admin_or_owner-policy.yaml    | 18 ++++++++++++++++++
 etc/policy/octavia-policy-generator.conf |  4 ++--
 specs/template.rst                       |  2 +-
 tools/misc-sanity-checks.sh              |  6 +++---
 8 files changed, 34 insertions(+), 24 deletions(-)
 delete mode 100644 etc/policy/admin_or_owner-policy.json
 create mode 100644 etc/policy/admin_or_owner-policy.yaml

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index bafac8c395..e6bd7c8331 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -407,7 +407,7 @@ function octavia_configure {
     iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key
 
     if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then
-        cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.json $OCTAVIA_CONF_DIR/policy.json
+        cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
     fi
 
     # create dhclient.conf file for dhclient
diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst
index fc8217b1d7..f257345ef3 100644
--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@@ -36,19 +36,22 @@ the load-balancer API:
     It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
     if that would be valid syntax.
 
+Legacy Admin or Owner Policy
+----------------------------
+
 An alternate policy file has been provided in octavia/etc/policy called
-admin_or_owner-policy.json that removes the load-balancer RBAC role
+admin_or_owner-policy.yaml that removes the load-balancer RBAC role
 requirement. Please see the README.rst in that directory for more information.
 
 Sample File Generation
 ----------------------
 
-To generate a sample policy.json file from the Octavia defaults, run the
+To generate a sample policy.yaml file from the Octavia defaults, run the
 oslo policy generation script::
 
     oslopolicy-sample-generator
     --config-file etc/policy/octavia-policy-generator.conf
-    --output-file policy.json.sample
+    --output-file policy.yaml.sample
 
 Merged File Generation
 ----------------------
diff --git a/etc/policy/README.rst b/etc/policy/README.rst
index af7af02ba4..17b3318365 100644
--- a/etc/policy/README.rst
+++ b/etc/policy/README.rst
@@ -2,10 +2,10 @@
 Octavia Sample Policy Files
 ===========================
 
-The sample policy.json files described here can be copied into
-/etc/octavia/policy.json to override the default RBAC policy for Octavia.
+The sample policy.yaml files described here can be copied into
+/etc/octavia/policy.yaml to override the default RBAC policy for Octavia.
 
-admin_or_owner-policy.json
+admin_or_owner-policy.yaml
 --------------------------
 This policy file disables the requirement for load-balancer service users to
 have one of the load-balancer:* roles.  It provides a similar policy to
diff --git a/etc/policy/admin_or_owner-policy.json b/etc/policy/admin_or_owner-policy.json
deleted file mode 100644
index 190516b3b0..0000000000
--- a/etc/policy/admin_or_owner-policy.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
-    "context_is_admin": "role:admin or role:load-balancer_admin",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-
-    "load-balancer:read": "rule:admin_or_owner",
-    "load-balancer:read-global": "is_admin:True",
-    "load-balancer:write": "rule:admin_or_owner",
-    "load-balancer:read-quota": "rule:admin_or_owner",
-    "load-balancer:read-quota-global": "is_admin:True",
-    "load-balancer:write-quota": "is_admin:True"
-}
diff --git a/etc/policy/admin_or_owner-policy.yaml b/etc/policy/admin_or_owner-policy.yaml
new file mode 100644
index 0000000000..d81d7a203f
--- /dev/null
+++ b/etc/policy/admin_or_owner-policy.yaml
@@ -0,0 +1,18 @@
+# This policy.yaml will revert the Octavia API to follow the legacy
+# admin-or-owner RBAC policies.
+# It provides a similar policy to legacy OpenStack policies where any
+# user or admin has access to load-balancer resources that they own.
+# Users with the admin role has access to all load-balancer resources,
+# whether they own them or not.
+
+# Role Rules
+"context_is_admin": "role:admin or role:load-balancer_admin"
+"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
+
+# Rules
+"load-balancer:read": "rule:admin_or_owner"
+"load-balancer:read-global": "is_admin:True"
+"load-balancer:write": "rule:admin_or_owner"
+"load-balancer:read-quota": "rule:admin_or_owner"
+"load-balancer:read-quota-global": "is_admin:True"
+"load-balancer:write-quota": "is_admin:True"
diff --git a/etc/policy/octavia-policy-generator.conf b/etc/policy/octavia-policy-generator.conf
index 5bb27c1f96..0364582bb0 100644
--- a/etc/policy/octavia-policy-generator.conf
+++ b/etc/policy/octavia-policy-generator.conf
@@ -1,4 +1,4 @@
 [DEFAULT]
-format = json
-output_file = etc/octavia/policy.json.sample
+format = yaml
+output_file = etc/octavia/policy.yaml.sample
 namespace = octavia
diff --git a/specs/template.rst b/specs/template.rst
index 2680c9c739..bb27668c13 100644
--- a/specs/template.rst
+++ b/specs/template.rst
@@ -277,7 +277,7 @@ Neutron's attribute map facility should have the following:
 
 * Discuss any API policy changes, and discuss what things a deployer needs to
   think about when defining their API policy. This is in reference to the
-  policy.json file.
+  policy.yaml file.
 
 Note that the schema should be defined as restrictively as
 possible. Parameters which are required should be marked as such and
diff --git a/tools/misc-sanity-checks.sh b/tools/misc-sanity-checks.sh
index 83f1e1e1ff..bb3d2e211c 100755
--- a/tools/misc-sanity-checks.sh
+++ b/tools/misc-sanity-checks.sh
@@ -33,13 +33,13 @@ check_pot_files_errors () {
 }
 
 check_identical_policy_files () {
-    # For unit tests, we maintain their own policy.json file to make test suite
+    # For unit tests, we maintain their own policy.yaml file to make test suite
     # independent of whether it's executed from the octavia source tree or from
     # site-packages installation path. We don't want two copies of the same
     # file to diverge, so checking that they are identical
-    diff etc/policy.json octavia/tests/etc/policy.json 2>&1 > /dev/null
+    diff etc/policy.yaml octavia/tests/etc/policy.yaml 2>&1 > /dev/null
     if [ "$?" -ne 0 ]; then
-        echo "policy.json files must be identical!" >>$FAILURES
+        echo "policy.yaml files must be identical!" >>$FAILURES
     fi
 }