openstack
/
keystone
Code Issues Proposed changes

Use oslo.policy instead of incubated version 

* pull in oslo.policy
* account for changes to Enforcer initialization
* account for changes to config options

partially implements bp graduate-policy

Change-Id: Ia23afda5acf92cdc4578ec4c85821603c56d3097
This commit is contained in:
Steve Martinelli 2015-01-20 11:38:20 -05:00
parent 3bb0a2bec6
commit 3ec2418673
11 changed files with 26 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config-generator/keystone.conf
View File

@ -4,9 +4,9 @@ wrap_width = 79
namespace = keystone namespace = keystone
namespace = keystone.notifications namespace = keystone.notifications
namespace = keystone.openstack.common.eventlet_backdoor namespace = keystone.openstack.common.eventlet_backdoor
namespace = keystone.openstack.common.policy
namespace = oslo.log namespace = oslo.log
namespace = oslo.messaging namespace = oslo.messaging
namespace = oslo.policy
namespace = oslo.db namespace = oslo.db
namespace = oslo.middleware namespace = oslo.middleware
# We don't use oslo.concurrency config options in # We don't use oslo.concurrency config options in

32
keystone/policy/backends/rules.py
View File

@ -15,14 +15,11 @@
"""Policy engine for keystone""" """Policy engine for keystone"""
import os.path
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log from oslo_log import log
from oslo_policy import policy as common_policy
from keystone.common import utils
from keystone import exception from keystone import exception
from keystone.openstack.common import policy as common_policy
from keystone import policy from keystone import policy
@ -31,42 +28,17 @@ LOG = log.getLogger(__name__)
_ENFORCER = None _ENFORCER = None
_POLICY_PATH = None
_POLICY_CACHE = {}
def reset(): def reset():
global _POLICY_PATH
global _POLICY_CACHE
global _ENFORCER global _ENFORCER
_POLICY_PATH = None
_POLICY_CACHE = {}
_ENFORCER = None _ENFORCER = None
def init(): def init():
global _POLICY_PATH
global _POLICY_CACHE
global _ENFORCER global _ENFORCER
if not _POLICY_PATH:
_POLICY_PATH = CONF.policy_file
if not os.path.exists(_POLICY_PATH):
_POLICY_PATH = CONF.find_file(_POLICY_PATH)
if not _ENFORCER: if not _ENFORCER:
_ENFORCER = common_policy.Enforcer(policy_file=_POLICY_PATH) _ENFORCER = common_policy.Enforcer(CONF)
utils.read_cached_file(_POLICY_PATH,
_POLICY_CACHE,
reload_func=_set_rules)
def _set_rules(data):
global _ENFORCER
default_rule = CONF.policy_default_rule
try:
_ENFORCER.set_rules(common_policy.Rules.load_json(
data, default_rule))
except ValueError:
raise exception.PolicyParsingError(policy_file=_POLICY_PATH)
def enforce(credentials, action, target, do_raise=True): def enforce(credentials, action, target, do_raise=True):

11
keystone/tests/unit/core.py
View File

@ -52,18 +52,13 @@ from keystone import controllers
from keystone import exception from keystone import exception
from keystone.i18n import _LW from keystone.i18n import _LW
from keystone import notifications from keystone import notifications
from keystone.policy.backends import rules
from keystone.server import common from keystone.server import common
from keystone import service from keystone import service
from keystone.tests.unit import ksfixtures from keystone.tests.unit import ksfixtures
from keystone.tests.unit import utils from keystone.tests.unit import utils
# NOTE(dstanek): Tests inheriting from TestCase depend on having the
# policy_file command-line option declared before setUp runs. Importing the
# oslo policy module automatically declares the option.
from keystone.openstack.common import policy as common_policy # noqa
config.configure() config.configure()
LOG = log.getLogger(__name__) LOG = log.getLogger(__name__)
@ -86,6 +81,7 @@ TMPDIR = _calc_tmpdir()
CONF = cfg.CONF CONF = cfg.CONF
log.register_options(CONF) log.register_options(CONF)
rules.init()
IN_MEM_DB_CONN_STRING = 'sqlite://' IN_MEM_DB_CONN_STRING = 'sqlite://'
@ -307,7 +303,8 @@ class TestCase(BaseTestCase):
def config_overrides(self): def config_overrides(self):
signing_certfile = 'examples/pki/certs/signing_cert.pem' signing_certfile = 'examples/pki/certs/signing_cert.pem'
signing_keyfile = 'examples/pki/private/signing_key.pem' signing_keyfile = 'examples/pki/private/signing_key.pem'
self.config_fixture.config(policy_file=dirs.etc('policy.json')) self.config_fixture.config(group='oslo_policy',
policy_file=dirs.etc('policy.json'))
self.config_fixture.config( self.config_fixture.config(
# TODO(morganfainberg): Make Cache Testing a separate test case # TODO(morganfainberg): Make Cache Testing a separate test case
# in tempest, and move it out of the base unit tests. # in tempest, and move it out of the base unit tests.

17
keystone/tests/unit/test_policy.py
View File

@ -16,12 +16,12 @@
import json import json
import mock import mock
from oslo_policy import policy as common_policy
import six import six
from six.moves.urllib import request as urlrequest from six.moves.urllib import request as urlrequest
from testtools import matchers from testtools import matchers
from keystone import exception from keystone import exception
from keystone.openstack.common import policy as common_policy
from keystone.policy.backends import rules from keystone.policy.backends import rules
from keystone.tests import unit as tests from keystone.tests import unit as tests
from keystone.tests.unit.ksfixtures import temporaryfile from keystone.tests.unit.ksfixtures import temporaryfile
@ -42,7 +42,8 @@ class PolicyFileTestCase(tests.TestCase):
def config_overrides(self): def config_overrides(self):
super(PolicyFileTestCase, self).config_overrides() super(PolicyFileTestCase, self).config_overrides()
self.config_fixture.config(policy_file=self.tmpfilename) self.config_fixture.config(group='oslo_policy',
policy_file=self.tmpfilename)
def test_modified_policy_reloads(self): def test_modified_policy_reloads(self):
action = "example:test" action = "example:test"
@ -52,8 +53,7 @@ class PolicyFileTestCase(tests.TestCase):
rules.enforce(empty_credentials, action, self.target) rules.enforce(empty_credentials, action, self.target)
with open(self.tmpfilename, "w") as policyfile: with open(self.tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": ["false:false"]}""") policyfile.write("""{"example:test": ["false:false"]}""")
# NOTE(vish): reset stored policy cache so we don't have to sleep(1) rules._ENFORCER.clear()
rules._POLICY_CACHE = {}
self.assertRaises(exception.ForbiddenAction, rules.enforce, self.assertRaises(exception.ForbiddenAction, rules.enforce,
empty_credentials, action, self.target) empty_credentials, action, self.target)
@ -63,7 +63,7 @@ class PolicyFileTestCase(tests.TestCase):
invalid_json = '{"example:test": [],}' invalid_json = '{"example:test": [],}'
with open(self.tmpfilename, "w") as policyfile: with open(self.tmpfilename, "w") as policyfile:
policyfile.write(invalid_json) policyfile.write(invalid_json)
self.assertRaises(exception.PolicyParsingError, rules.enforce, self.assertRaises(ValueError, rules.enforce,
empty_credentials, action, self.target) empty_credentials, action, self.target)
@ -93,8 +93,7 @@ class PolicyTestCase(tests.TestCase):
self.target = {} self.target = {}
def _set_rules(self): def _set_rules(self):
these_rules = common_policy.Rules( these_rules = common_policy.Rules.from_dict(self.rules)
{k: common_policy.parse_rule(v)for k, v in self.rules.items()})
rules._ENFORCER.set_rules(these_rules) rules._ENFORCER.set_rules(these_rules)
def test_enforce_nonexistent_action_throws(self): def test_enforce_nonexistent_action_throws(self):
@ -187,9 +186,7 @@ class DefaultPolicyTestCase(tests.TestCase):
setattr(rules._ENFORCER, 'load_rules', lambda *args, **kwargs: None) setattr(rules._ENFORCER, 'load_rules', lambda *args, **kwargs: None)
def _set_rules(self, default_rule): def _set_rules(self, default_rule):
these_rules = common_policy.Rules( these_rules = common_policy.Rules.from_dict(self.rules, default_rule)
{k: common_policy.parse_rule(v) for k, v in self.rules.items()},
default_rule)
rules._ENFORCER.set_rules(these_rules) rules._ENFORCER.set_rules(these_rules)
def test_policy_called(self): def test_policy_called(self):

3
keystone/tests/unit/test_v3_auth.py
View File

@ -567,13 +567,14 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
domain_id=self.domainA['id']) domain_id=self.domainA['id'])
# Finally, switch to the v3 sample policy file # Finally, switch to the v3 sample policy file
self.orig_policy_file = CONF.policy_file self.orig_policy_file = CONF.oslo_policy.policy_file
from keystone.policy.backends import rules from keystone.policy.backends import rules
rules.reset() rules.reset()
def config_overrides(self): def config_overrides(self):
super(TestTokenRevokeSelfAndAdmin, self).config_overrides() super(TestTokenRevokeSelfAndAdmin, self).config_overrides()
self.config_fixture.config( self.config_fixture.config(
group='oslo_policy',
policy_file=tests.dirs.etc('policy.v3cloudsample.json')) policy_file=tests.dirs.etc('policy.v3cloudsample.json'))
def test_user_revokes_own_token(self): def test_user_revokes_own_token(self):

5
keystone/tests/unit/test_v3_filters.py
View File

@ -38,11 +38,12 @@ class IdentityTestFilteredCase(filtering.FilterTests,
# Initialize the policy engine and allow us to write to a temp # Initialize the policy engine and allow us to write to a temp
# file in each test to create the policies # file in each test to create the policies
self.orig_policy_file = CONF.policy_file self.orig_policy_file = CONF.oslo_policy.policy_file
rules.reset() rules.reset()
self.tempfile = self.useFixture(temporaryfile.SecureTempFile()) self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
self.tmpfilename = self.tempfile.file_name self.tmpfilename = self.tempfile.file_name
self.config_fixture.config(policy_file=self.tmpfilename) self.config_fixture.config(group='oslo_policy',
policy_file=self.tmpfilename)
# drop the policy rules # drop the policy rules
self.addCleanup(rules.reset) self.addCleanup(rules.reset)

3
keystone/tests/unit/test_v3_oauth1.py
View File

@ -574,7 +574,8 @@ class AuthTokenTests(OAuthFlowTests):
def _set_policy(self, new_policy): def _set_policy(self, new_policy):
self.tempfile = self.useFixture(temporaryfile.SecureTempFile()) self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
self.tmpfilename = self.tempfile.file_name self.tmpfilename = self.tempfile.file_name
self.config_fixture.config(policy_file=self.tmpfilename) self.config_fixture.config(group='oslo_policy',
policy_file=self.tmpfilename)
with open(self.tmpfilename, "w") as policyfile: with open(self.tmpfilename, "w") as policyfile:
policyfile.write(jsonutils.dumps(new_policy)) policyfile.write(jsonutils.dumps(new_policy))

4
keystone/tests/unit/test_v3_protection.py
View File

@ -59,7 +59,8 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase):
rules.reset() rules.reset()
self.tempfile = self.useFixture(temporaryfile.SecureTempFile()) self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
self.tmpfilename = self.tempfile.file_name self.tmpfilename = self.tempfile.file_name
self.config_fixture.config(policy_file=self.tmpfilename) self.config_fixture.config(group='oslo_policy',
policy_file=self.tmpfilename)
# A default auth request we can use - un-scoped user token # A default auth request we can use - un-scoped user token
self.auth = self.build_authentication_request( self.auth = self.build_authentication_request(
@ -377,6 +378,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
self.addCleanup(rules.reset) self.addCleanup(rules.reset)
rules.reset() rules.reset()
self.config_fixture.config( self.config_fixture.config(
group='oslo_policy',
policy_file=tests.dirs.etc('policy.v3cloudsample.json')) policy_file=tests.dirs.etc('policy.v3cloudsample.json'))
def load_sample_data(self): def load_sample_data(self):

1
requirements-py3.txt
View File

@ -27,6 +27,7 @@ oslo.db>=1.5.0 # Apache-2.0
oslo.i18n>=1.3.0 # Apache-2.0 oslo.i18n>=1.3.0 # Apache-2.0
oslo.log>=0.4.0 # Apache-2.0 oslo.log>=0.4.0 # Apache-2.0
oslo.middleware>=0.3.0 # Apache-2.0 oslo.middleware>=0.3.0 # Apache-2.0
oslo.policy>=0.3.0 # Apache-2.0
oslo.serialization>=1.2.0 # Apache-2.0 oslo.serialization>=1.2.0 # Apache-2.0
oslo.utils>=1.2.0 # Apache-2.0 oslo.utils>=1.2.0 # Apache-2.0
oauthlib>=0.6 oauthlib>=0.6

1
requirements.txt
View File

@ -26,6 +26,7 @@ oslo.db>=1.5.0 # Apache-2.0
oslo.i18n>=1.3.0 # Apache-2.0 oslo.i18n>=1.3.0 # Apache-2.0
oslo.log>=0.4.0 # Apache-2.0 oslo.log>=0.4.0 # Apache-2.0
oslo.middleware>=0.3.0 # Apache-2.0 oslo.middleware>=0.3.0 # Apache-2.0
oslo.policy>=0.3.0 # Apache-2.0
oslo.serialization>=1.2.0 # Apache-2.0 oslo.serialization>=1.2.0 # Apache-2.0
oslo.utils>=1.2.0 # Apache-2.0 oslo.utils>=1.2.0 # Apache-2.0
oauthlib>=0.6 oauthlib>=0.6

1
setup.cfg
View File

@ -67,4 +67,3 @@ oslo.config.opts =
keystone = keystone.common.config:list_opts keystone = keystone.common.config:list_opts
keystone.notifications = keystone.notifications:list_opts keystone.notifications = keystone.notifications:list_opts
keystone.openstack.common.eventlet_backdoor = keystone.openstack.common.eventlet_backdoor:list_opts keystone.openstack.common.eventlet_backdoor = keystone.openstack.common.eventlet_backdoor:list_opts
keystone.openstack.common.policy = keystone.openstack.common.policy:list_opts