
Add support for policy directories per service

This change introduces the POLICY_DIRS setting which adds the ability
to define multiple policy directories per service.

Blueprint: policy-dirs
Change-Id: Ie42f1aa68539b7388661ddfe2c265255cd574736
Mathieu Gagné 1 year ago
parent
commit
346c36d798
2 changed files with 29 additions and 5 deletions
  1. 17
    0
      doc/source/configuration/index.rst
  2. 12
    5
      openstack_auth/policy.py

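--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@@ -222,6 +222,23 @@ will deny the access and users must contact an admin to change their password.
 Setting this value to ``N`` days means the user will be alerted when the
 password expires in less than ``N+1`` days. ``-1`` disables the feature.
 
+``POLICY_DIRS``
+----------------
+
+Default: ``{}``
+
+Specifies a list of policy directories per service types. The directories
+are relative to ``POLICY_FILES_PATH``. Services whose additional policies
+are defined here must be defined in ``POLICY_FILES`` too. Otherwise,
+additional policies specified in ``POLICY_DIRS`` are not loaded.
+
+Example::
+
+    POLICY_DIRS = {
+        'identity': 'keystone_policy.d',
+        'compute': 'nova_policy.d'
+    }
+
 ``POLICY_FILES``
 ----------------
 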

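--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@@ -30,16 +30,22 @@ _ENFORCER = None
 _BASE_PATH = getattr(settings, 'POLICY_FILES_PATH', '')
 
 
-def _get_policy_conf():
+def _get_policy_conf(policy_file, policy_dirs=None):
     conf = cfg.ConfigOpts()
     # Passing [] is required. Otherwise oslo.config looks up sys.argv.
     conf([])
     policy_opts.set_defaults(conf)
+    policy_file = os.path.join(_BASE_PATH, policy_file)
+    conf.set_default('policy_file', policy_file, 'oslo_policy')
     # Policy Enforcer has been updated to take in a policy directory
     # as a config option. However, the default value in is set to
     # ['policy.d'] which causes the code to break. Set the default
     # value to empty list for now.
-    conf.set_default('policy_dirs', [], 'oslo_policy')
+    if policy_dirs is None:
+        policy_dirs = []
+    policy_dirs = [os.path.join(_BASE_PATH, policy_dir)
+                   for policy_dir in policy_dirs]
+    conf.set_default('policy_dirs', policy_dirs, 'oslo_policy')
     return conf
 
 
@@ -48,10 +54,11 @@ def _get_enforcer():
     if not _ENFORCER:
         _ENFORCER = {}
         policy_files = getattr(settings, 'POLICY_FILES', {})
-        conf = _get_policy_conf()
+        policy_dirs = getattr(settings, 'POLICY_DIRS', {})
         for service in policy_files.keys():
-            policy_file = os.path.join(_BASE_PATH, policy_files[service])
-            enforcer = policy.Enforcer(conf, policy_file)
+            conf = _get_policy_conf(policy_file=policy_files[service],
+                                    policy_dirs=policy_dirs.get(service, []))
+            enforcer = policy.Enforcer(conf)
             # Ensure enforcer.policy_path is populated.
             enforcer.load_rules()
             if os.path.isfile(enforcer.policy_path):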
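Review bot: The comprehension in `_get_policy_conf` (`for policy_dir in policy_dirs`) only works when each `POLICY_DIRS` value is a list, yet the example this commit adds to doc/source/configuration/index.rst gives a bare string (`'identity': 'keystone_policy.d'`). A string passed through `policy_dirs.get(service, [])` is iterated character by character, so the enforcer is configured with `_BASE_PATH/k`, `_BASE_PATH/e`, … and the operator's additional policy rules would presumably never be loaded, leaving the service on its base policy file with nothing in this code reporting it. Correct the example to `'identity': ['keystone_policy.d']`, and have `_get_policy_conf` raise on a non-list value (or wrap a bare string in a list) before the join so a misconfigured authorization policy fails loudly. `_get_enforcer` continues past the end of the second hunk, so whether a later step would surface the problem cannot be seen here.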
