[all][tc][goals] Migrate RBAC Policy Format from JSON to YAML: Week R-16 Update
zigo at debian.org
Tue Jan 19 23:25:46 UTC 2021
On 1/19/21 9:04 PM, Ben Nemec wrote:
> There was also a security concern with potentially having multiple
> policy files and it not being clear which was in use. If someone
> converted their JSON policy to YAML, but left the JSON one in place, it
> could result in oslo.policy using the wrong one (or not the one they
> expect). We decided it was better for each project to make a clean
> switchover, which allows for things like upgrade checks that oslo.policy
> couldn't have itself, than to try to handle it all in oslo.policy.
IMO, that's a downstream distro thing.
What I did in Debian (and for Victoria already) was having the postinst
of each package to rename any existing policy.json into a disabled
version. Here's an example with Cinder:
if [ -r /etc/cinder/policy.json ] ; then
mv /etc/cinder/policy.json /etc/cinder/disabled.policy.json.old
and then package the yaml file as (example from Nova):
and then setting-up this:
policy_dirs = /etc/nova/policy.d
The reason I'm doing this way, is that I'm expecting upstream to
generate a commented-only yaml file, and final users to drop non-default
supplementary files without touching the package default file.
So, someone upgrading to Victoria with a non-default policy.json will
see its manual tweaks go away, but not completely gone (ie: recoverable
Does this seem to be a correct approach?
Thomas Goirand (zigo)
More information about the openstack-discuss