[all][tc][goals] Migrate RBAC Policy Format from JSON to YAML: Week R-16 Update

Ben Nemec openstack at nemebean.com
Tue Jan 19 20:04:07 UTC 2021

On 1/19/21 12:39 PM, Ghanshyam Mann wrote:
> ---- On Tue, 19 Jan 2021 11:02:44 -0600 Dmitriy Rabotyagov <noonedeadpunk at ya.ru> wrote ----
>> Hi! I have some follow up questions. On oslo.policy side it looks like it's better to explicitly set policy.yaml path
>> in config and not rely if services have already moved to using yaml files. Or in case policy.json does not exist, oslo
>> will try to load yaml instead?
> This was first thought but we can not do that as this will break the existing deployment relying on policy.json.
> That is why we need to wait for all services to do 1. change the default value of CONF.policy_file to policy.yaml
> 2. officially deprecate the JSON format policy file support. And once that is done in all openstack services and
> the operator has moved to policy.yaml then we can change it in oslo.policy safely.  Overall what we are trying to
> achieve is "Convey the JSON->YAML policy file migration properly to the operator and then switch the flag" so
> that we do not introduce any breaking change and migrate it smoothly.

There was also a security concern with potentially having multiple 
policy files and it not being clear which was in use. If someone 
converted their JSON policy to YAML, but left the JSON one in place, it 
could result in oslo.policy using the wrong one (or not the one they 
expect). We decided it was better for each project to make a clean 
switchover, which allows for things like upgrade checks that oslo.policy 
couldn't have itself, than to try to handle it all in oslo.policy.
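
A sketch of the kind of per-project upgrade check described above, added here as an illustration; it is not code from this message, from oslo.policy, or from any OpenStack project. The names `check_policy_files` and `Result` are hypothetical, and the check assumes the service's policy files live in one config directory under the names policy.json and policy.yaml.

```python
import json
import os
import tempfile
from enum import Enum


class Result(Enum):  # hypothetical result codes for this example
    SUCCESS = 0
    WARNING = 1
    FAILURE = 2


def _is_json(path):
    """True if the file parses as a JSON object (the legacy policy format)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return isinstance(json.load(fh), dict)
    except (OSError, ValueError):  # unreadable, or YAML that is not JSON
        return False


def check_policy_files(config_dir, policy_file="policy.yaml"):
    """Flag layouts where it is unclear which policy file is in use."""
    configured = os.path.abspath(os.path.join(config_dir, policy_file))
    json_path = os.path.abspath(os.path.join(config_dir, "policy.json"))
    yaml_path = os.path.abspath(os.path.join(config_dir, "policy.yaml"))
    if os.path.isfile(json_path) and os.path.isfile(yaml_path):
        return Result.FAILURE, "policy.json and policy.yaml both exist"
    if os.path.isfile(json_path) and configured != json_path:
        return Result.FAILURE, "policy.json exists but policy_file is " + configured
    if os.path.isfile(configured) and _is_json(configured):
        return Result.WARNING, configured + " is JSON-formatted; convert it to YAML"
    return Result.SUCCESS, "no ambiguous policy file layout found"


if __name__ == "__main__":
    # Constructed sample: a converted YAML file with the old JSON left behind.
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("policy.json", '{"example:rule": "role:admin"}'),
                           ("policy.yaml", '"example:rule": "role:member"\n')):
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        print(check_policy_files(d))
```

The constructed sample reproduces the leftover-JSON case: the two files carry different rules for the same policy name, and the check fails rather than guessing which one applies.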
