Use oslo.policy instead of incubated version
* pull in oslo.policy * account for changes to Enforcer initialization * account for changes to config options partially implements bp graduate-policy Change-Id: Ia23afda5acf92cdc4578ec4c85821603c56d3097
This commit is contained in:
parent
3bb0a2bec6
commit
3ec2418673
|
@ -4,9 +4,9 @@ wrap_width = 79
|
|||
namespace = keystone
|
||||
namespace = keystone.notifications
|
||||
namespace = keystone.openstack.common.eventlet_backdoor
|
||||
namespace = keystone.openstack.common.policy
|
||||
namespace = oslo.log
|
||||
namespace = oslo.messaging
|
||||
namespace = oslo.policy
|
||||
namespace = oslo.db
|
||||
namespace = oslo.middleware
|
||||
# We don't use oslo.concurrency config options in
|
||||
|
|
|
@ -15,14 +15,11 @@
|
|||
|
||||
"""Policy engine for keystone"""
|
||||
|
||||
import os.path
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log
|
||||
from oslo_policy import policy as common_policy
|
||||
|
||||
from keystone.common import utils
|
||||
from keystone import exception
|
||||
from keystone.openstack.common import policy as common_policy
|
||||
from keystone import policy
|
||||
|
||||
|
||||
|
@ -31,42 +28,17 @@ LOG = log.getLogger(__name__)
|
|||
|
||||
|
||||
_ENFORCER = None
|
||||
_POLICY_PATH = None
|
||||
_POLICY_CACHE = {}
|
||||
|
||||
|
||||
def reset():
|
||||
global _POLICY_PATH
|
||||
global _POLICY_CACHE
|
||||
global _ENFORCER
|
||||
_POLICY_PATH = None
|
||||
_POLICY_CACHE = {}
|
||||
_ENFORCER = None
|
||||
|
||||
|
||||
def init():
|
||||
global _POLICY_PATH
|
||||
global _POLICY_CACHE
|
||||
global _ENFORCER
|
||||
if not _POLICY_PATH:
|
||||
_POLICY_PATH = CONF.policy_file
|
||||
if not os.path.exists(_POLICY_PATH):
|
||||
_POLICY_PATH = CONF.find_file(_POLICY_PATH)
|
||||
if not _ENFORCER:
|
||||
_ENFORCER = common_policy.Enforcer(policy_file=_POLICY_PATH)
|
||||
utils.read_cached_file(_POLICY_PATH,
|
||||
_POLICY_CACHE,
|
||||
reload_func=_set_rules)
|
||||
|
||||
|
||||
def _set_rules(data):
|
||||
global _ENFORCER
|
||||
default_rule = CONF.policy_default_rule
|
||||
try:
|
||||
_ENFORCER.set_rules(common_policy.Rules.load_json(
|
||||
data, default_rule))
|
||||
except ValueError:
|
||||
raise exception.PolicyParsingError(policy_file=_POLICY_PATH)
|
||||
_ENFORCER = common_policy.Enforcer(CONF)
|
||||
|
||||
|
||||
def enforce(credentials, action, target, do_raise=True):
|
||||
|
|
|
@ -52,18 +52,13 @@ from keystone import controllers
|
|||
from keystone import exception
|
||||
from keystone.i18n import _LW
|
||||
from keystone import notifications
|
||||
from keystone.policy.backends import rules
|
||||
from keystone.server import common
|
||||
from keystone import service
|
||||
from keystone.tests.unit import ksfixtures
|
||||
from keystone.tests.unit import utils
|
||||
|
||||
|
||||
# NOTE(dstanek): Tests inheriting from TestCase depend on having the
|
||||
# policy_file command-line option declared before setUp runs. Importing the
|
||||
# oslo policy module automatically declares the option.
|
||||
from keystone.openstack.common import policy as common_policy # noqa
|
||||
|
||||
|
||||
config.configure()
|
||||
|
||||
LOG = log.getLogger(__name__)
|
||||
|
@ -86,6 +81,7 @@ TMPDIR = _calc_tmpdir()
|
|||
|
||||
CONF = cfg.CONF
|
||||
log.register_options(CONF)
|
||||
rules.init()
|
||||
|
||||
IN_MEM_DB_CONN_STRING = 'sqlite://'
|
||||
|
||||
|
@ -307,7 +303,8 @@ class TestCase(BaseTestCase):
|
|||
def config_overrides(self):
|
||||
signing_certfile = 'examples/pki/certs/signing_cert.pem'
|
||||
signing_keyfile = 'examples/pki/private/signing_key.pem'
|
||||
self.config_fixture.config(policy_file=dirs.etc('policy.json'))
|
||||
self.config_fixture.config(group='oslo_policy',
|
||||
policy_file=dirs.etc('policy.json'))
|
||||
self.config_fixture.config(
|
||||
# TODO(morganfainberg): Make Cache Testing a separate test case
|
||||
# in tempest, and move it out of the base unit tests.
|
||||
|
|
|
@ -16,12 +16,12 @@
|
|||
import json
|
||||
|
||||
import mock
|
||||
from oslo_policy import policy as common_policy
|
||||
import six
|
||||
from six.moves.urllib import request as urlrequest
|
||||
from testtools import matchers
|
||||
|
||||
from keystone import exception
|
||||
from keystone.openstack.common import policy as common_policy
|
||||
from keystone.policy.backends import rules
|
||||
from keystone.tests import unit as tests
|
||||
from keystone.tests.unit.ksfixtures import temporaryfile
|
||||
|
@ -42,7 +42,8 @@ class PolicyFileTestCase(tests.TestCase):
|
|||
|
||||
def config_overrides(self):
|
||||
super(PolicyFileTestCase, self).config_overrides()
|
||||
self.config_fixture.config(policy_file=self.tmpfilename)
|
||||
self.config_fixture.config(group='oslo_policy',
|
||||
policy_file=self.tmpfilename)
|
||||
|
||||
def test_modified_policy_reloads(self):
|
||||
action = "example:test"
|
||||
|
@ -52,8 +53,7 @@ class PolicyFileTestCase(tests.TestCase):
|
|||
rules.enforce(empty_credentials, action, self.target)
|
||||
with open(self.tmpfilename, "w") as policyfile:
|
||||
policyfile.write("""{"example:test": ["false:false"]}""")
|
||||
# NOTE(vish): reset stored policy cache so we don't have to sleep(1)
|
||||
rules._POLICY_CACHE = {}
|
||||
rules._ENFORCER.clear()
|
||||
self.assertRaises(exception.ForbiddenAction, rules.enforce,
|
||||
empty_credentials, action, self.target)
|
||||
|
||||
|
@ -63,7 +63,7 @@ class PolicyFileTestCase(tests.TestCase):
|
|||
invalid_json = '{"example:test": [],}'
|
||||
with open(self.tmpfilename, "w") as policyfile:
|
||||
policyfile.write(invalid_json)
|
||||
self.assertRaises(exception.PolicyParsingError, rules.enforce,
|
||||
self.assertRaises(ValueError, rules.enforce,
|
||||
empty_credentials, action, self.target)
|
||||
|
||||
|
||||
|
@ -93,8 +93,7 @@ class PolicyTestCase(tests.TestCase):
|
|||
self.target = {}
|
||||
|
||||
def _set_rules(self):
|
||||
these_rules = common_policy.Rules(
|
||||
{k: common_policy.parse_rule(v)for k, v in self.rules.items()})
|
||||
these_rules = common_policy.Rules.from_dict(self.rules)
|
||||
rules._ENFORCER.set_rules(these_rules)
|
||||
|
||||
def test_enforce_nonexistent_action_throws(self):
|
||||
|
@ -187,9 +186,7 @@ class DefaultPolicyTestCase(tests.TestCase):
|
|||
setattr(rules._ENFORCER, 'load_rules', lambda *args, **kwargs: None)
|
||||
|
||||
def _set_rules(self, default_rule):
|
||||
these_rules = common_policy.Rules(
|
||||
{k: common_policy.parse_rule(v) for k, v in self.rules.items()},
|
||||
default_rule)
|
||||
these_rules = common_policy.Rules.from_dict(self.rules, default_rule)
|
||||
rules._ENFORCER.set_rules(these_rules)
|
||||
|
||||
def test_policy_called(self):
|
||||
|
|
|
@ -567,13 +567,14 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
|
|||
domain_id=self.domainA['id'])
|
||||
|
||||
# Finally, switch to the v3 sample policy file
|
||||
self.orig_policy_file = CONF.policy_file
|
||||
self.orig_policy_file = CONF.oslo_policy.policy_file
|
||||
from keystone.policy.backends import rules
|
||||
rules.reset()
|
||||
|
||||
def config_overrides(self):
|
||||
super(TestTokenRevokeSelfAndAdmin, self).config_overrides()
|
||||
self.config_fixture.config(
|
||||
group='oslo_policy',
|
||||
policy_file=tests.dirs.etc('policy.v3cloudsample.json'))
|
||||
|
||||
def test_user_revokes_own_token(self):
|
||||
|
|
|
@ -38,11 +38,12 @@ class IdentityTestFilteredCase(filtering.FilterTests,
|
|||
|
||||
# Initialize the policy engine and allow us to write to a temp
|
||||
# file in each test to create the policies
|
||||
self.orig_policy_file = CONF.policy_file
|
||||
self.orig_policy_file = CONF.oslo_policy.policy_file
|
||||
rules.reset()
|
||||
self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
|
||||
self.tmpfilename = self.tempfile.file_name
|
||||
self.config_fixture.config(policy_file=self.tmpfilename)
|
||||
self.config_fixture.config(group='oslo_policy',
|
||||
policy_file=self.tmpfilename)
|
||||
|
||||
# drop the policy rules
|
||||
self.addCleanup(rules.reset)
|
||||
|
|
|
@ -574,7 +574,8 @@ class AuthTokenTests(OAuthFlowTests):
|
|||
def _set_policy(self, new_policy):
|
||||
self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
|
||||
self.tmpfilename = self.tempfile.file_name
|
||||
self.config_fixture.config(policy_file=self.tmpfilename)
|
||||
self.config_fixture.config(group='oslo_policy',
|
||||
policy_file=self.tmpfilename)
|
||||
with open(self.tmpfilename, "w") as policyfile:
|
||||
policyfile.write(jsonutils.dumps(new_policy))
|
||||
|
||||
|
|
|
@ -59,7 +59,8 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase):
|
|||
rules.reset()
|
||||
self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
|
||||
self.tmpfilename = self.tempfile.file_name
|
||||
self.config_fixture.config(policy_file=self.tmpfilename)
|
||||
self.config_fixture.config(group='oslo_policy',
|
||||
policy_file=self.tmpfilename)
|
||||
|
||||
# A default auth request we can use - un-scoped user token
|
||||
self.auth = self.build_authentication_request(
|
||||
|
@ -377,6 +378,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
|
|||
self.addCleanup(rules.reset)
|
||||
rules.reset()
|
||||
self.config_fixture.config(
|
||||
group='oslo_policy',
|
||||
policy_file=tests.dirs.etc('policy.v3cloudsample.json'))
|
||||
|
||||
def load_sample_data(self):
|
||||
|
|
|
@ -27,6 +27,7 @@ oslo.db>=1.5.0 # Apache-2.0
|
|||
oslo.i18n>=1.3.0 # Apache-2.0
|
||||
oslo.log>=0.4.0 # Apache-2.0
|
||||
oslo.middleware>=0.3.0 # Apache-2.0
|
||||
oslo.policy>=0.3.0 # Apache-2.0
|
||||
oslo.serialization>=1.2.0 # Apache-2.0
|
||||
oslo.utils>=1.2.0 # Apache-2.0
|
||||
oauthlib>=0.6
|
||||
|
|
|
@ -26,6 +26,7 @@ oslo.db>=1.5.0 # Apache-2.0
|
|||
oslo.i18n>=1.3.0 # Apache-2.0
|
||||
oslo.log>=0.4.0 # Apache-2.0
|
||||
oslo.middleware>=0.3.0 # Apache-2.0
|
||||
oslo.policy>=0.3.0 # Apache-2.0
|
||||
oslo.serialization>=1.2.0 # Apache-2.0
|
||||
oslo.utils>=1.2.0 # Apache-2.0
|
||||
oauthlib>=0.6
|
||||
|
|
|
@ -67,4 +67,3 @@ oslo.config.opts =
|
|||
keystone = keystone.common.config:list_opts
|
||||
keystone.notifications = keystone.notifications:list_opts
|
||||
keystone.openstack.common.eventlet_backdoor = keystone.openstack.common.eventlet_backdoor:list_opts
|
||||
keystone.openstack.common.policy = keystone.openstack.common.policy:list_opts
|
||||
|
|
Loading…
Reference in New Issue