authorJulia Kreger <juliaashleykreger@gmail.com>2020-11-18 12:43:18 -0800
committerJulia Kreger <juliaashleykreger@gmail.com>2021-01-04 13:40:54 -0800
commit2404d486ac32fea5d1149211b49dc413605f658b (patch)
treed39b99a22a7569c25c89e83eccdd8479e5a01824
parent1e96ecbdbc186df81dcd2474651c2e02fedb31b7 (diff)
Policy json to yaml migration
Adds the status upgrade check for the JSON to YAML migration effort and updates the documentation where it seems appropriate to move from "policy.json" to "policy.yaml". Mostly shamelessly copied from https://review.opendev.org/#/c/748059/, however it is in line with ironic's configuration and patching methods. Related Blueprint: policy-json-to-yaml Change-Id: I1d5b3892451579ebfd4d75a0f7185e0ef3c984c8
-rw-r--r--doc/source/cli/ironic-status.rst5
-rw-r--r--doc/source/configuration/policy.rst10
-rw-r--r--doc/source/install/configure-identity.rst4
-rw-r--r--ironic/cmd/status.py8
-rw-r--r--ironic/common/policy.py17
-rw-r--r--releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml20
-rw-r--r--requirements.txt8
7 files changed, 62 insertions, 10 deletions
diff --git a/doc/source/cli/ironic-status.rst b/doc/source/cli/ironic-status.rst
index 877518492..c14cd376a 100644
--- a/doc/source/cli/ironic-status.rst
+++ b/doc/source/cli/ironic-status.rst
@@ -77,3 +77,8 @@ Upgrade
* Adds a check for compatibility of the object versions with the release
of ironic.
+
+ **Wallaby**
+
+ * Adds a check to validate the configured policy file is not JSON
+ based as JSON based policies have been deprecated.
diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst
index 251e45c22..1abb144cd 100644
--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@@ -2,6 +2,16 @@
Policies
========
+.. warning::
+ JSON formatted policy files were deprecated in the Wallaby development
+ cycle due to the Victoria deprecation by the ``olso.policy`` library.
+ Use the `oslopolicy-convert-json-to-yaml`__ tool
+ to convert the existing JSON to YAML formatted policy file in backward
+ compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
+
The following is an overview of all available policies in Ironic. For
a sample configuration file, refer to :doc:`sample-policy`.
diff --git a/doc/source/install/configure-identity.rst b/doc/source/install/configure-identity.rst
index b7ea19891..aa32a6e69 100644
--- a/doc/source/install/configure-identity.rst
+++ b/doc/source/install/configure-identity.rst
@@ -46,7 +46,7 @@ Configure the Identity service for the Bare Metal service
If you choose to customize the names of Roles used with the Bare Metal
service, do so by changing the "is_member", "is_observer", and "is_admin"
- policy settings in ``/etc/ironic/policy.json``.
+ policy settings in ``/etc/ironic/policy.yaml``.
More complete documentation on managing Users and Roles within your
OpenStack deployment are outside the scope of this document, but may be
@@ -75,6 +75,6 @@ Configure the Identity service for the Bare Metal service
#. Further documentation is available elsewhere for the ``openstack``
:python-openstackclient-doc:`command-line client <cli/authentication.html>`
and the :keystone-doc:`Identity <admin/cli-manage-projects-users-and-roles.html>`
- service. A :doc:`policy.json.sample </configuration/sample-policy>`
+ service. A :doc:`policy.yaml.sample </configuration/sample-policy>`
file, which enumerates the service's default policies, is provided for
your convenience with the Bare Metal Service.
diff --git a/ironic/cmd/status.py b/ironic/cmd/status.py
index e7f10fb72..f4ab69500 100644
--- a/ironic/cmd/status.py
+++ b/ironic/cmd/status.py
@@ -15,10 +15,15 @@
import sys
from oslo_config import cfg
+from oslo_upgradecheck import common_checks
from oslo_upgradecheck import upgradecheck
from ironic.cmd import dbsync
from ironic.common.i18n import _
+from ironic.common import policy # noqa importing to load policy config.
+import ironic.conf
+
+CONF = ironic.conf.CONF
class Checks(upgradecheck.UpgradeCommands):
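Review bot: The added `from ironic.common import policy` line exists only for its import-time side effect, yet the bare `# noqa` silences every lint on that line rather than just the unused-import warning. Per the policy.py hunk of this commit, importing that module runs `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)`, so the `policy_file` value the upgrade check sees depends on this import staying in place. I would narrow it to `from ironic.common import policy  # noqa: F401` and put a comment above it such as `# Imported for its side effect: sets the [oslo_policy] policy_file default before the checks run.`, so a later cleanup does not drop it as dead code.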
@@ -54,6 +59,9 @@ class Checks(upgradecheck.UpgradeCommands):
# summary will be rolled up at the end of the check() method.
_upgrade_checks = (
(_('Object versions'), _check_obj_versions),
+ # Victoria -> Wallaby migration
+ (_('Policy File JSON to YAML Migration'),
+ (common_checks.check_policy_json, {'conf': CONF})),
)
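Review bot: The new `check_policy_json` entry in `_upgrade_checks` comes with no test in this commit, and its outcome decides whether operators are told that their authorization policy file needs converting. Because the default `policy_file` is now `policy.yaml`, a deployment that never set the option but still keeps a customised `policy.json` on disk might pass the check if the helper only examines the configured file; the helper's body is not visible here, so this needs confirming. A unit test for both cases (explicit JSON `policy_file`, and default option with a leftover `policy.json`) would pin the behaviour. The `Checks` class body continues outside the hunk.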
diff --git a/ironic/common/policy.py b/ironic/common/policy.py
index 811198206..efb92c5a5 100644
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@@ -21,6 +21,7 @@ import sys
from oslo_concurrency import lockutils
from oslo_config import cfg
from oslo_log import log
+from oslo_policy import opts
from oslo_policy import policy
from ironic.common import exception
@@ -29,6 +30,13 @@ _ENFORCER = None
CONF = cfg.CONF
LOG = log.getLogger(__name__)
+
+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+
default_policies = [
# Legacy setting, don't remove. Likely to be overridden by operators who
# forget to update their policy.json configuration file.
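Review bot: The added `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)` changes which file carries operator authorization overrides, but nothing at service start tells an operator that an existing `policy.json` is no longer the default. Whether oslo.policy still falls back to that file is not visible in this diff; if it does not, customised rules would silently be replaced by the in-code defaults. A `LOG.warning` in `init_enforcer` when `policy_file` is unset and a `policy.json` is found in the config directory would make that state detectable. The call can also use the module alias, `opts.set_defaults(CONF, DEFAULT_POLICY_FILE)`. The context comment on `default_policies` still refers to "their policy.json configuration file", which is stale after this change.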
@@ -591,10 +599,11 @@ def init_enforcer(policy_file=None, rules=None,
# loaded exactly once - when this module-global is initialized.
# Defining these in the relevant API modules won't work
# because API classes lack singletons and don't use globals.
- _ENFORCER = policy.Enforcer(CONF, policy_file=policy_file,
- rules=rules,
- default_rule=default_rule,
- use_conf=use_conf)
+ _ENFORCER = policy.Enforcer(
+ CONF, policy_file=policy_file,
+ rules=rules,
+ default_rule=default_rule,
+ use_conf=use_conf)
_ENFORCER.register_defaults(list_policies())
diff --git a/releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml b/releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml
new file mode 100644
index 000000000..5e24b2a76
--- /dev/null
+++ b/releasenotes/notes/default-policy-file-change-474a342d6b5a041a.yaml
@@ -0,0 +1,20 @@
+---
+upgrade:
+ - |
+ The default value of ``[oslo_policy] policy_file`` config option has been
+ changed from ``policy.json`` to ``policy.yaml``.
+ Operators who are utilizing customized policy files or previously generated
+ static policy files (which are not needed by default), should generate
+ new policy files and modify them to meet their needs in the event of
+ any new policies or rules have been added.
+ Please consult the `oslopolicy-convert-json-to-yaml <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
+ tool to convert a JSON to YAML formatted policy file in
+ backward compatible way.
+deprecations:
+ - |
+ Use of legacy policy format was deprecated by the ``oslo.policy`` library
+ during the Victoria development cycle. As a result, this deprecation is
+ being noted in the Wallaby with an anticipated future removal of support
+ by ``oslo.policy``. As such operators will need to convert to YAML policy
+ files. Please see the upgrade notes for details on migration of any
+ custom policy files.
diff --git a/requirements.txt b/requirements.txt
index b36a38789..5dccb8abf 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,17 +16,17 @@ pytz>=2013.6 # MIT
stevedore>=1.20.0 # Apache-2.0
pysendfile>=2.0.0;sys_platform!='win32' # MIT
oslo.concurrency>=4.2.0 # Apache-2.0
-oslo.config>=5.2.0 # Apache-2.0
+oslo.config>=6.8.0 # Apache-2.0
oslo.context>=2.19.2 # Apache-2.0
oslo.db>=6.0.0 # Apache-2.0
oslo.rootwrap>=5.8.0 # Apache-2.0
oslo.log>=3.36.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=1.30.0 # Apache-2.0
+oslo.policy>=3.6.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
-oslo.upgradecheck>=0.1.0 # Apache-2.0
-oslo.utils>=3.38.0 # Apache-2.0
+oslo.upgradecheck>=1.3.0 # Apache-2.0
+oslo.utils>=4.5.0 # Apache-2.0
osprofiler>=1.5.0 # Apache-2.0
os-traits>=0.4.0 # Apache-2.0
pecan!=1.0.2,!=1.0.3,!=1.0.4,!=1.2,>=1.0.0 # BSD