diff --git a/doc/source/admin/arch.rst b/doc/source/admin/arch.rst index 2590b497f0..047b44ef2f 100644 --- a/doc/source/admin/arch.rst +++ b/doc/source/admin/arch.rst @@ -112,7 +112,7 @@ For projects, you can use quota controls to limit the: Roles control the actions a user is allowed to perform. By default, most actions do not require a particular role, but you can configure them by editing -the ``policy.json`` file for user roles. For example, a rule can be defined so +the ``policy.yaml`` file for user roles. For example, a rule can be defined so that a user must have the ``admin`` role in order to be able to allocate a public IP address. @@ -237,7 +237,7 @@ The displayed image attributes are: Virtual hardware templates are called ``flavors``. By default, these are configurable by admin users, however that behavior can be changed by redefining the access controls for ``compute_extension:flavormanage`` in -``/etc/nova/policy.json`` on the ``compute-api`` server. +``/etc/nova/policy.yaml`` on the ``compute-api`` server. For more information, refer to :doc:`/configuration/policy`. For a list of flavors that are available on your system: diff --git a/doc/source/admin/availability-zones.rst b/doc/source/admin/availability-zones.rst index 224242da09..9ab9c58b3a 100644 --- a/doc/source/admin/availability-zones.rst +++ b/doc/source/admin/availability-zones.rst @@ -211,7 +211,7 @@ where an instance is launched. For example: This is an admin-only operation by default, though you can modify this behavior using the ``os_compute_api:servers:create:forced_host`` rule in - ``policy.json``. + ``policy.yaml``. However, as discussed `previously `_, when launching instances in this manner the scheduler filters are not run. For this @@ -228,7 +228,7 @@ example: This is an admin-only operation by default, though you can modify this behavior using the ``compute:servers:create:requested_destination`` rule in - ``policy.json``. + ``policy.yaml``. This avoids the need to explicitly select an availability zone and ensures the scheduler filters are not bypassed. diff --git a/doc/source/admin/configuration/hypervisor-hyper-v.rst b/doc/source/admin/configuration/hypervisor-hyper-v.rst index 06065aa2a1..b85a32a6e0 100644 --- a/doc/source/admin/configuration/hypervisor-hyper-v.rst +++ b/doc/source/admin/configuration/hypervisor-hyper-v.rst @@ -348,7 +348,7 @@ on Hyper-V. Below is a sample ``nova.conf`` for Windows: use_cow_images = true force_config_drive = false injected_network_template = C:\Program Files (x86)\OpenStack\Nova\etc\interfaces.template - policy_file = C:\Program Files (x86)\OpenStack\Nova\etc\policy.json + policy_file = C:\Program Files (x86)\OpenStack\Nova\etc\policy.yaml mkisofs_cmd = C:\Program Files (x86)\OpenStack\Nova\bin\mkisofs.exe allow_resize_to_same_host = true running_deleted_instance_action = reap diff --git a/doc/source/admin/flavors.rst b/doc/source/admin/flavors.rst index 2b8043f730..abf939d111 100644 --- a/doc/source/admin/flavors.rst +++ b/doc/source/admin/flavors.rst @@ -21,7 +21,7 @@ manage flavors. To see information for this command, run: Configuration rights can be delegated to additional users by redefining the access controls for ``os_compute_api:os-flavor-manage:create``, ``os_compute_api:os-flavor-manage:update`` and - ``os_compute_api:os-flavor-manage:delete`` in ``/etc/nova/policy.json`` + ``os_compute_api:os-flavor-manage:delete`` in ``/etc/nova/policy.yaml`` on the ``nova-api`` server. .. note:: diff --git a/doc/source/admin/migration.rst b/doc/source/admin/migration.rst index d156218d48..978a91a51f 100644 --- a/doc/source/admin/migration.rst +++ b/doc/source/admin/migration.rst @@ -94,7 +94,7 @@ To migrate an instance and watch the status, use this example script: .. note:: If you see the following error, it means you are either running the command - with the wrong credentials, such as a non-admin user, or the ``policy.json`` + with the wrong credentials, such as a non-admin user, or the ``policy.yaml`` file prevents migration for your user:: Policy doesn't allow os_compute_api:os-migrate-server:migrate to be performed. (HTTP 403) diff --git a/doc/source/cli/nova-api-metadata.rst b/doc/source/cli/nova-api-metadata.rst index d4e3c2fa1c..2845ab09c6 100644 --- a/doc/source/cli/nova-api-metadata.rst +++ b/doc/source/cli/nova-api-metadata.rst @@ -29,7 +29,7 @@ Files * ``/etc/nova/nova.conf`` * ``/etc/nova/api-paste.ini`` -* ``/etc/nova/policy.json`` +* ``/etc/nova/policy.yaml`` * ``/etc/nova/rootwrap.conf`` * ``/etc/nova/rootwrap.d/`` diff --git a/doc/source/cli/nova-api-os-compute.rst b/doc/source/cli/nova-api-os-compute.rst index 5323e844cc..2127a97389 100644 --- a/doc/source/cli/nova-api-os-compute.rst +++ b/doc/source/cli/nova-api-os-compute.rst @@ -27,7 +27,7 @@ Files * ``/etc/nova/nova.conf`` * ``/etc/nova/api-paste.ini`` -* ``/etc/nova/policy.json`` +* ``/etc/nova/policy.yaml`` * ``/etc/nova/rootwrap.conf`` * ``/etc/nova/rootwrap.d/`` diff --git a/doc/source/cli/nova-api.rst b/doc/source/cli/nova-api.rst index d6ab828270..cc61124217 100644 --- a/doc/source/cli/nova-api.rst +++ b/doc/source/cli/nova-api.rst @@ -27,7 +27,7 @@ Files * ``/etc/nova/nova.conf`` * ``/etc/nova/api-paste.ini`` -* ``/etc/nova/policy.json`` +* ``/etc/nova/policy.yaml`` * ``/etc/nova/rootwrap.conf`` * ``/etc/nova/rootwrap.d/`` diff --git a/doc/source/cli/nova-compute.rst b/doc/source/cli/nova-compute.rst index 67776f2e93..a2d8967498 100644 --- a/doc/source/cli/nova-compute.rst +++ b/doc/source/cli/nova-compute.rst @@ -28,7 +28,7 @@ Files ===== * ``/etc/nova/nova.conf`` -* ``/etc/nova/policy.json`` +* ``/etc/nova/policy.yaml`` * ``/etc/nova/rootwrap.conf`` * ``/etc/nova/rootwrap.d/`` diff --git a/doc/source/cli/nova-novncproxy.rst b/doc/source/cli/nova-novncproxy.rst index 8066d45a77..306b42ad2d 100644 --- a/doc/source/cli/nova-novncproxy.rst +++ b/doc/source/cli/nova-novncproxy.rst @@ -27,7 +27,7 @@ Files ===== * ``/etc/nova/nova.conf`` -* ``/etc/nova/policy.json`` +* ``/etc/nova/policy.yaml`` * ``/etc/nova/rootwrap.conf`` * ``/etc/nova/rootwrap.d/`` diff --git a/doc/source/cli/nova-scheduler.rst b/doc/source/cli/nova-scheduler.rst index 6128d7960a..59b0519acb 100644 --- a/doc/source/cli/nova-scheduler.rst +++ b/doc/source/cli/nova-scheduler.rst @@ -27,7 +27,7 @@ Files ===== * ``/etc/nova/nova.conf`` -* ``/etc/nova/policy.json`` +* ``/etc/nova/policy.yaml`` * ``/etc/nova/rootwrap.conf`` * ``/etc/nova/rootwrap.d/`` diff --git a/doc/source/cli/nova-serialproxy.rst b/doc/source/cli/nova-serialproxy.rst index 7efdc2a153..dff32f2c84 100644 --- a/doc/source/cli/nova-serialproxy.rst +++ b/doc/source/cli/nova-serialproxy.rst @@ -27,7 +27,7 @@ Files ===== * ``/etc/nova/nova.conf`` -* ``/etc/nova/policy.json`` +* ``/etc/nova/policy.yaml`` * ``/etc/nova/rootwrap.conf`` * ``/etc/nova/rootwrap.d/`` diff --git a/doc/source/cli/nova-spicehtml5proxy.rst b/doc/source/cli/nova-spicehtml5proxy.rst index 34716aedd5..e7779e2715 100644 --- a/doc/source/cli/nova-spicehtml5proxy.rst +++ b/doc/source/cli/nova-spicehtml5proxy.rst @@ -27,7 +27,7 @@ Files ===== * ``/etc/nova/nova.conf`` -* ``/etc/nova/policy.json`` +* ``/etc/nova/policy.yaml`` * ``/etc/nova/rootwrap.conf`` * ``/etc/nova/rootwrap.d/`` diff --git a/doc/source/configuration/index.rst b/doc/source/configuration/index.rst index de3bdba1dd..7fd6a43810 100644 --- a/doc/source/configuration/index.rst +++ b/doc/source/configuration/index.rst @@ -3,7 +3,7 @@ Configuration Guide =================== The static configuration for nova lives in two main files: ``nova.conf`` and -``policy.json``. These are described below. For a bigger picture view on +``policy.yaml``. These are described below. For a bigger picture view on configuring nova to solve specific problems, refer to the :doc:`Nova Admin Guide `. diff --git a/nova/tests/unit/policies/test_agents.py b/nova/tests/unit/policies/test_agents.py index 79b8c1f56b..d4c5f28b31 100644 --- a/nova/tests/unit/policies/test_agents.py +++ b/nova/tests/unit/policies/test_agents.py @@ -167,7 +167,7 @@ class AgentsScopeTypePolicyTest(AgentsPolicyTest): class AgentsDeprecatedPolicyTest(base.BasePolicyTest): """Test os-agents APIs Deprecated policies. This class checks if deprecated policy rules are - overridden by user on policy.json file then they + overridden by user on policy.yaml file then they still work because oslo.policy add deprecated rules in logical OR condition and enforce them for policy checks if overridden. @@ -196,7 +196,7 @@ class AgentsDeprecatedPolicyTest(base.BasePolicyTest): # Test to verify if deprecatd overridden policy is working. # check for success as admin role. Deprecated rule - # has been overridden with admin checks in policy.json + # has been overridden with admin checks in policy.yaml # If admin role pass it means overridden rule is enforced by # olso.policy because new default is system reader and the old # default is admin. diff --git a/nova/tests/unit/policies/test_attach_interfaces.py b/nova/tests/unit/policies/test_attach_interfaces.py index afe38e998f..87da6d3fe0 100644 --- a/nova/tests/unit/policies/test_attach_interfaces.py +++ b/nova/tests/unit/policies/test_attach_interfaces.py @@ -143,7 +143,7 @@ class AttachInterfacesScopeTypePolicyTest(AttachInterfacesPolicyTest): class AttachInterfacesDeprecatedPolicyTest(base.BasePolicyTest): """Test Attach Interfaces APIs Deprecated policies. This class checks if deprecated policy rules are - overridden by user on policy.json file then they + overridden by user on policy.yaml file then they still work because oslo.policy add deprecated rules in logical OR condition and enforce them for policy checks if overridden. @@ -176,7 +176,7 @@ class AttachInterfacesDeprecatedPolicyTest(base.BasePolicyTest): # Test to verify if deprecatd overridden policy is working. # check for success as admin role. Deprecated rule - # has been overridden with admin checks in policy.json + # has been overridden with admin checks in policy.yaml # If admin role pass it means overridden rule is enforced by # olso.policy because new default is system or project reader and the # old default is admin. diff --git a/nova/tests/unit/policies/test_instance_actions.py b/nova/tests/unit/policies/test_instance_actions.py index e94d66a2e6..7f84c02178 100644 --- a/nova/tests/unit/policies/test_instance_actions.py +++ b/nova/tests/unit/policies/test_instance_actions.py @@ -153,7 +153,7 @@ class InstanceActionsDeprecatedPolicyTest(base.BasePolicyTest): """Test os-instance-actions APIs Deprecated policies. This class checks if deprecated policy rules are overridden - by user on policy.json file then they still work because + by user on policy.yaml file then they still work because oslo.policy add deprecated rules in logical OR condition and enforces them for policy checks if overridden. """ @@ -191,7 +191,7 @@ class InstanceActionsDeprecatedPolicyTest(base.BasePolicyTest): self.admin_or_owner_req.environ['nova.context']) # Check for success as admin_or_owner role. Deprecated rule - # has been overridden with admin checks in policy.json + # has been overridden with admin checks in policy.yaml # If admin role pass it means overridden rule is enforced by # olso.policy because new default is system reader and the old # default is admin. diff --git a/nova/tests/unit/policies/test_services.py b/nova/tests/unit/policies/test_services.py index 76dbd3b97d..7975ee19dd 100644 --- a/nova/tests/unit/policies/test_services.py +++ b/nova/tests/unit/policies/test_services.py @@ -155,7 +155,7 @@ class ServicesDeprecatedPolicyTest(base.BasePolicyTest): """Test os-services APIs Deprecated policies. This class checks if deprecated policy rules are - overridden by user on policy.json file then they + overridden by user on policy.yaml file then they still work because oslo.policy add deprecated rules in logical OR condition and enforce them for policy checks if overridden. @@ -185,7 +185,7 @@ class ServicesDeprecatedPolicyTest(base.BasePolicyTest): # Test to verify if deprecatd overridden policy is working. # check for success as member role. Deprecated rule - # has been overridden with member checks in policy.json + # has been overridden with member checks in policy.yaml # If member role pass it means overridden rule is enforced by # olso.policy because new default is system admin and the old # default is admin. diff --git a/nova/tests/unit/policy_fixture.py b/nova/tests/unit/policy_fixture.py index fee3d61641..70da6ac5d8 100644 --- a/nova/tests/unit/policy_fixture.py +++ b/nova/tests/unit/policy_fixture.py @@ -46,7 +46,7 @@ class RealPolicyFixture(fixtures.Fixture): def setUp(self): super(RealPolicyFixture, self).setUp() # policy_file can be overridden by subclasses - self.policy_file = paths.state_path_def('etc/nova/policy.json') + self.policy_file = paths.state_path_def('etc/nova/policy.yaml') self._prepare_policy() CONF.set_override('policy_file', self.policy_file, group='oslo_policy') nova.policy.reset() @@ -95,7 +95,7 @@ class PolicyFixture(RealPolicyFixture): def _prepare_policy(self): self.policy_dir = self.useFixture(fixtures.TempDir()) self.policy_file = os.path.join(self.policy_dir.path, - 'policy.json') + 'policy.yaml') # load the fake_policy data and add the missing default rules. policy_rules = jsonutils.loads(fake_policy.policy_data) @@ -126,7 +126,7 @@ class RoleBasedPolicyFixture(RealPolicyFixture): policy[rule.name] = 'role:%s' % self.role self.policy_dir = self.useFixture(fixtures.TempDir()) - self.policy_file = os.path.join(self.policy_dir.path, 'policy.json') + self.policy_file = os.path.join(self.policy_dir.path, 'policy.yaml') with open(self.policy_file, 'w') as f: jsonutils.dump(policy, f) @@ -164,7 +164,7 @@ class OverridePolicyFixture(RealPolicyFixture): def _prepare_policy(self): self.policy_dir = self.useFixture(fixtures.TempDir()) self.policy_file = os.path.join(self.policy_dir.path, - 'policy.json') + 'policy.yaml') with open(self.policy_file, 'w') as f: jsonutils.dump(self.rules_in_file, f) CONF.set_override('policy_dirs', [], group='oslo_policy')