[all][tc][goals] Migrate RBAC Policy Format from JSON to YAML: Week R-16 Update

Thomas Goirand zigo at debian.org
Tue Jan 19 23:25:46 UTC 2021


On 1/19/21 9:04 PM, Ben Nemec wrote:
> There was also a security concern with potentially having multiple
> policy files and it not being clear which was in use. If someone
> converted their JSON policy to YAML, but left the JSON one in place, it
> could result in oslo.policy using the wrong one (or not the one they
> expect). We decided it was better for each project to make a clean
> switchover, which allows for things like upgrade checks that oslo.policy
> couldn't have itself, than to try to handle it all in oslo.policy.

IMO, that's a downstream distro thing.

What I did in Debian (and for Victoria already) was to have the postinst
of each package rename any existing policy.json to a disabled
version. Here's an example with Cinder:

if [ -r /etc/cinder/policy.json ] ; then
    mv /etc/cinder/policy.json /etc/cinder/disabled.policy.json.old
fi

and then package the yaml file as (example from Nova):
/etc/nova/policy.d/00_default_policy.yaml

and then setting up this:
policy_dirs = /etc/nova/policy.d

The reason I'm doing it this way is that I'm expecting upstream to
generate a comments-only yaml file, and final users to drop in non-default
supplementary files without touching the package default file.

So, someone upgrading to Victoria with a non-default policy.json will
see their manual tweaks go away, but not completely gone (i.e. recoverable
from disabled.policy.json.old).

Does this seem to be a correct approach?

Cheers,

Thomas Goirand (zigo)
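As an added example that is not part of the thread or of Debian's actual packaging, here is the procedure described above written as reusable POSIX sh helpers: disable a leftover policy.json (keeping it recoverable), install the packaged YAML default into policy.d, and run the kind of upgrade check the quoted reply asks for. The function names, the directory argument, the numbered backup suffix and the placeholder YAML content are assumptions; setting policy_dirs in the service config is left as in the message.

```shell
#!/bin/sh
# Added example, not from the thread: postinst-style helpers for the
# JSON -> YAML policy switch described above. The service directory is
# passed as an argument (e.g. /etc/cinder) so the helpers can run anywhere.

# Move a leftover policy.json out of oslo.policy's way without deleting it,
# so a site's manual tweaks stay recoverable. Returns 0 either way.
disable_json_policy() {
    dir="$1"
    if [ -r "$dir/policy.json" ]; then
        target="$dir/disabled.policy.json.old"
        n=1
        # Assumption: never clobber an earlier backup; add a counter instead.
        while [ -e "$target" ]; do
            target="$dir/disabled.policy.json.old.$n"
            n=$((n + 1))
        done
        mv "$dir/policy.json" "$target"
    fi
    return 0
}

# Ship the packaged default as a comments-only YAML file in policy.d;
# operators add their own override files next to it. The content is a
# constructed placeholder standing in for upstream's generated sample.
install_default_yaml() {
    dir="$1"
    mkdir -p "$dir/policy.d"
    printf '# Default policy; every rule below is commented out.\n' \
        > "$dir/policy.d/00_default_policy.yaml"
}

# Upgrade check for the ambiguity raised in the quoted reply: fail (1) if an
# enabled JSON policy file still sits beside the YAML layout, or if policy.d
# is missing; succeed (0) when only the YAML layout is present.
check_policy_layout() {
    dir="$1"
    if [ -r "$dir/policy.json" ]; then
        echo "WARNING: $dir/policy.json still present; rules in $dir/policy.d may not be the ones enforced" >&2
        return 1
    fi
    if [ ! -d "$dir/policy.d" ]; then
        echo "WARNING: $dir/policy.d missing" >&2
        return 1
    fi
    return 0
}
```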
