
oslo.policy has enabled the new RBAC config options enforce_scope and enforce_new_defaults by default[1][2]. Barbican's new RBAC was disabled by default. To give operators more time, let's continue with the same setting in this release as well. Also, many test modifications are needed for the new RBAC (using the new RBAC default role in tests) - https://ce83b06baa590a9f8123-eae5def07f653ed6fc0c0045180a6a87.ssl.cf2.rackcdn.com/925464/3/check/cross-barbican-py311/86af837/testr_results.html As oslo.policy enables them by default, we override the setting for Barbican. NOTE: there is no change in behaviour; Barbican continues with the old RBAC as default. ref: https://review.opendev.org/c/openstack/requirements/+/925464 [1] https://review.opendev.org/c/openstack/oslo.policy/+/924283 [2] https://review.opendev.org/c/openstack/releases/+/925032 Change-Id: I8514969e12851d03f3dbee93b040d6c8763ebc5c
# Copyright 2011-2012 OpenStack LLC.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import opts
from oslo_policy import policy
from barbican.common import config
from barbican.common import policies
# Barbican's shared oslo.config object; the policy option defaults below are
# applied to it.
CONF = config.CONF
# Module-level policy enforcer singleton. It stays None until init() builds
# it, and reset() sets it back to None.
ENFORCER = None


# TODO(gmann): Remove setting the default value of config:
# - policy_file once oslo_policy change the default value to 'policy.yaml'.
#   https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
# - 'enforce_scope', and 'enforce_new_defaults' once barbican is ready with the
#   new RBAC (oslo_policy enable them by default)
DEFAULT_POLICY_FILE = 'policy.yaml'
# Security-relevant defaults: oslo.policy now turns both options on by
# default, and this call turns them back off so Barbican keeps its legacy
# RBAC behaviour out of the box. With enforce_scope=False oslo.policy does
# not reject a request whose token scope does not match a rule's
# scope_types, and with enforce_new_defaults=False the deprecated default
# check strings stay valid alongside the new ones. These are defaults only:
# an operator who wants the stricter behaviour can set enforce_scope and
# enforce_new_defaults to True in the [oslo_policy] section of the service
# configuration.
opts.set_defaults(
    CONF,
    DEFAULT_POLICY_FILE,
    enforce_scope=False,
    enforce_new_defaults=False)
def reset():
    """Discard the module-level policy enforcer.

    If an enforcer exists, its ``clear()`` method is called and ``ENFORCER``
    is set back to ``None``, so the next ``init()`` builds a fresh enforcer.
    Nothing happens when no enforcer has been created yet.
    """
    global ENFORCER
    if not ENFORCER:
        return
    ENFORCER.clear()
    ENFORCER = None
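def init(suppress_deprecation_warnings=False):
    """Init an Enforcer class.

    The enforcer is a module-level singleton. When ``ENFORCER`` is already
    set this function returns without touching it, so the default rules are
    registered once per enforcer and ``suppress_deprecation_warnings`` only
    takes effect on the call that actually builds the enforcer.

    :param suppress_deprecation_warnings: Whether to suppress the deprecation
                                          warnings.
    """
    global ENFORCER

    if ENFORCER:
        return

    ENFORCER = policy.Enforcer(CONF)

    # NOTE(gmann): Explicitly disable the warnings for policies
    # changing their default check_str. During policy-defaults-refresh
    # work, all the policy defaults have been changed and warning for
    # each policy started filling the logs limit for various tool.
    # Once we move to new defaults only world then we can enable these
    # warning again.
    # These two flags only silence log warnings; they do not change how
    # rules are evaluated.
    ENFORCER.suppress_default_change_warnings = True
    if suppress_deprecation_warnings:
        ENFORCER.suppress_deprecation_warnings = True

    # Done only for a newly created enforcer: the in-code defaults must not
    # be registered a second time on the same Enforcer.
    register_rules(ENFORCER)
    ENFORCER.load_rules()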
def register_rules(enforcer):
    """Register Barbican's in-code default policy rules on ``enforcer``.

    :param enforcer: the enforcer object that receives the defaults returned
                     by ``policies.list_rules()``.
    """
    default_rules = policies.list_rules()
    enforcer.register_defaults(default_rules)
def get_enforcer():
    """Return the module-level policy enforcer, building it if needed.

    ``init()`` is called with its default arguments first, so deprecation
    warnings are not suppressed when this call is the one that creates the
    enforcer.
    """
    init()
    shared_enforcer = ENFORCER
    return shared_enforcer