11 Commits

Author SHA1 Message Date
Zuul
c756724cda Merge "Support policy-in-code and deprecated policy" 2021-03-04 22:01:52 +00:00
Takashi Kajinami
82900d727f Try loading all policy files even if some files are invalid
This change ensures that horizon tries to load all policy files even
if an invalid policy file is found, so that horizon can use as many
policy rules as it can parse.

Closes-Bug: #1917483
Change-Id: I24f8da71460129ee7162af5f307a7e405addb15d
2021-03-04 00:42:59 +00:00
Akihiro Motoki
b7bb76eb20 Support policy-in-code and deprecated policy
This commit allows horizon to handle deprecated policy rules.
The approach is explained in the document updated by this change.

oslo.policy requirement is updated. oslo.policy 3.2.0 is chosen
just because it is the first release in Victoria cycle.
requirements.txt and lower-constraints.txt are updated accordingly
including oslo.policy dependencies.

Change-Id: If5059d03f6bd7e94796065aa1b51c0c23ac85f5e
2021-01-27 14:02:27 +00:00
Zuul
e1d2a8dfb3 Merge "Handle Permission Denied for policy files" 2019-09-26 18:39:54 +00:00
Ivan Kolodyazhny
f57b6ead57 Handle Permission Denied for policy files
oslo.policy doesn't handle Permission Denied error during file
parsing. This patch just ignores IOError exceptions to fallback to
the default behaviour.

Closes-Bug: #1845523
Change-Id: I87c2862e6e3a3f42d231552b00dc02364d6fa14f
2019-09-26 18:46:03 +03:00
Akihiro Motoki
e56e076ea8 Define default settings explicitly (openstack_auth)
This commit also moves descriptions of settings defined in openstack_auth
from openstack_dashboard/settings.py and local_settings.py(.example)
to openstack_auth/settings.py.

Note that if openstack_dashboard has different default settings
from openstack_auth defaults, they are now moved to
openstack_dashboard/defaults.py.

Part of blueprint ini-based-configuration
Change-Id: I59eebc388de0bcbd4d1fe35c6138efbd3e04c5b8
2019-09-12 15:05:56 +09:00
George Melikov
eca9c91494 Remove token object from credentials
Token is not used in policies,
and json.dumps can't dump it when http rules are used.

Closes-Bug: 1823977

Change-Id: Id1b0b94d27d24d7dfdd2f1542973088947d83ada
Signed-off-by: George Melikov <mail@gmelikov.ru>
2019-04-09 18:00:41 +03:00
Sumit Jamgade
96912aea91 fix checking if enforcer was loaded
enforcer for policy can be loaded from a single file or from multiple
files (policy_dir). so checking for policy_file is not good enough.

If a policy is loaded it will have some rules, if not loaded then,
oslo_policy rejects all acccess, but it is not saved to the
_ENFORCER object, which is holds the objects used for enforcing
policies. So checking for existance of rules is a better check.

Some refactoring for better logging
added tests: test_nonexisting_policy_file_load

Change-Id: Id1f65058014ef5b14449b502d6741da9d34767b3
Closes-Bug: 1804174
2018-12-22 22:42:54 +09:00
manchandavishal
c02b9fc2dd Get rid of keys() usage
for x in some_dict.keys() can be written as for x in some_dict

Change-Id: If5436647a30c02d0dab7daa23b2290456c66d654
2018-11-30 11:15:27 +00:00
Radomir Dopieralski
54365d7ef1 Fix api.keystone.is_cloud_admin/is_domain_admin handling with new policies
Allow an action if no policy exists for it and there is no default
policy.

Change-Id: Ief6dc5ff15a83c70ee171774d1bfc6470c0863d1
Closes-bug: 1739108
2018-01-17 15:14:33 +01:00
Rob Cresswell
e3e5812b19 Add Django OpenStack Auth to Horizon
Moves Django OpenStack Auth content to Horizon, since they are so
tightly coupled. This cleans up the development workflow and should
make keystone / auth related contributions easier.

Implements: blueprint merge-openstack-auth
Change-Id: Ia1cdc47bad1ca6e633073a9f9445b0c7f70d05bc
2017-09-27 12:06:57 +01:00