[all][tc][goals] Migrate RBAC Policy Format from JSON to YAML: Week R-16 Update

Ghanshyam Mann gmann at ghanshyammann.com
Tue Jan 19 18:39:39 UTC 2021 

 ---- On Tue, 19 Jan 2021 11:02:44 -0600 Dmitriy Rabotyagov <noonedeadpunk at ya.ru> wrote ----
 > Hi! I have some follow up questions. On oslo.policy side it looks like it's better to explicitly set policy.yaml path
> in config and not rely if services have already moved to using yaml files. Or in case policy.json does not exist, oslo
> will try to load yaml instead? 

This was first thought but we can not do that as this will break the existing deployment relying on policy.json.
That is why we need to wait for all services to do 1. change the default value of CONF.policy_file to policy.yaml
2. officially deprecate the JSON format policy file support. And once that is done in all openstack services and
the operator has moved to policy.yaml then we can change it in oslo.policy safely.  Overall what we are trying to
achieve is "Convey the JSON->YAML policy file migration properly to the operator and then switch the flag" so
that we do not introduce any breaking change and migrate it smoothly. 


>Another question is more general one and very basic :( I have a feeling that policies are applied without
>related service reload which means that they're loaded from disk for each incoming request? Is that
>assumption right? I'm just thinking about the best way to do upgrade and at what point we should be 
>dropping old policy.json and if we can do this before placing policy.yaml or not. 

My plan is 1. finish the service side deprecation and default file change in Wallaby 2. give Xena cycle as a buffer
for the operator to notice these changes 3. In the Y cycle, we remove the JSON format and file support completly. 

-gmann


29.12.2020, 20:37, "Ghanshyam Mann" <gmann at ghanshyammann.com>: ---- On Tue, 29 Dec 2020 01:56:22 -0600 Dmitriy Rabotyagov <noonedeadpunk at ya.ru> wrote ----
 >  > Hi! Regarding OpenStack-Ansible I was planning to land patches early January. We eventually need to patch every role to change "dest" and "config_type" for placing template, ie. [1] Also we will need to think through removal of old json file for ppl that will perform upgrade, to avoid any possible conflicts and confusions because of the prescence of both files. [1] https://opendev.org/openstack/openstack-ansible-os_glance/src/branch/master/tasks/glance_post_install.yml#L78-L82
 > 
 > Thanks, Dmitriy, do let me know if you need help this is a large number of changes. I will be able to push changes for this.
 > 
 > On point of the presence of both files, yes this is a good point. From the service side default value change, I am taking care of
 > this on oslo.policy side[1]. If both files exist and deployment rely on the default value (config option is not overridden ) then
 > oslo policy will pick up the 'policy.json'. With this, we make sure we do not break any upgrade for deployment relying on this
 > default value. In the future, when we decide to remove the support of policy.json then we can remove this fallback logic.
 > 
 > -gmann
 > 
 > [1] https://github.com/openstack/oslo.policy/blob/0a228dea2ee96ec3eabed3361ca22502d0bbd4a1/oslo_policy/policy.py#L363
 > 
 > 
 >  > 26.12.2020, 00:41, "Ghanshyam Mann" <gmann at ghanshyammann.com>:Hello Everyone,
 >  >
 >  > Please find the week's R-16 updates on 'Migrate RBAC Policy Format from JSON to YAML' community-wide goals.
 >  >
 >  > Tracking: https://etherpad.opendev.org/p/migrate-policy-format-from-json-to-yaml
 >  >
 >  > Gerrit Topic: https://review.opendev.org/q/topic:%22policy-json-to-yaml%22+(status:open%20OR%20status:merged)
 >  >
 >  > Progress:
 >  > =======
 >  > * Projects completed: 5
 >  > * Projects left to merge the patches: 25
 >  > * Projects left to push the patches: 2 (horizon and Openstackansible)
 >  > * Projects do not need any work: 17
 >  >
 >  > Updates:
 >  > =======
 >  > * I have pushed the patches for all the required service projects.
 >  >
 >  > ** Because of many services gate is already broken for lower constraints job, these patches might not be green in the
 >  > test results. I request projects to fix the gate so that we can merge this goal work before m-2.
 >  >
 >  > ** There are many project tests where CONF object was not fully initialized before the policy is init. This was working till now
 >  > as policy init did not use the CONF object but oslo_policy 3.6.0 onwards it needs fully initialized CONF object during init only.
 >  >
 >  > ** Aodh work for this goal is blocked because it needs oslo_policy 3.6.0 but gnocchi is capped for oslo_policy 3.4.0 [1]
 >  > - https://review.opendev.org/c/openstack/aodh/+/768499
 >  >
 >  > * Horizon and Openstackansible work is pending to use/deploy the YAML formatted policy file. I will start exploring this
 >  > next week or so.
 >  >
 >  > [1] https://github.com/gnocchixyz/gnocchi/blob/e19fda590c7f7f07f1df0ba93177df07d9802300/setup.cfg#L33
 >  >
 >  > Merry Christmas and Happy Holidays!
 >  >
 >  > -gmann
 >  >
 >  > --
 >  > Kind Regards,Dmitriy Rabotyagov
 >   -- 
 > Kind Regards,Dmitriy Rabotyagov

More information about the openstack-discuss mailing list