Expose a get_enforcer method for oslo.policy scripts

Because we have policy in code, we should be able to use the
oslo.policy CLI scripts to produce sample policy files and render
complete policies based on overrides on disk. This was broken
because keystone wasn't removing unexpected commandline arguments
before passing them to oslo.config to parse. This prevented
people from generating complete policy files like they would for
horizon.

This commit exposes a get_enforcer() that substitutes an empty list
in place of arguments passed in through the system. This makes it
so that oslo.config doesn't choke when processing configuration
values.

Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
Closes-Bug: 1740951
This commit is contained in:
Lance Bragstad 2018-01-03 02:18:13 +00:00
parent 1e21c52f3b
commit 85c957c503
4 changed files with 38 additions and 0 deletions

View File

@ -35,6 +35,17 @@ def init():
register_rules(_ENFORCER)
def get_enforcer():
# Here we pass an empty list of arguments because there aren't any
# arguments that oslo.config or oslo.policy shouldn't already understand
# from the CONF object. This makes things easier here because we don't have
# to parse arguments passed in from the command line and remove unexpected
# arguments before building a Config object.
CONF([], project='keystone')
init()
return _ENFORCER
def enforce(credentials, action, target, do_raise=True):
"""Verify that the action is valid on the target in this context.

View File

@ -15,6 +15,7 @@
import json
import os
import subprocess
import uuid
from oslo_policy import policy as common_policy
@ -213,3 +214,18 @@ class PolicyJsonTestCase(unit.TestCase):
doc_targets = list(read_doc_targets())
self.assertItemsEqual(policy_keys, doc_targets + policy_rule_keys)
class GeneratePolicyFileTestCase(unit.TestCase):
def test_policy_generator_from_command_line(self):
# This test ensures keystone.common.policy:get_enforcer ignores
# unexpected arguments before handing them off to oslo.config, which
# will fail and prevent users from generating policy files.
ret_val = subprocess.Popen(
['oslopolicy-policy-generator', '--namespace', 'keystone'],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
)
ret_val.communicate()
self.assertEqual(ret_val.returncode, 0)

View File

@ -0,0 +1,8 @@
---
fixes:
- |
[`bug 1740951 <https://bugs.launchpad.net/keystone/+bug/1740951>`_]
A new method was added that made it so oslo.policy sample generation
scripts can be used with keystone. The ``oslopolicy-policy-generator``
script will now generate a policy file containing overrides and defaults
registered in code.

View File

@ -185,6 +185,9 @@ oslo.policy.policies =
# the default defined polices.
keystone = keystone.common.policies:list_rules
oslo.policy.enforcer =
keystone = keystone.common.policy:get_enforcer
paste.filter_factory =
healthcheck = oslo_middleware:Healthcheck.factory
cors = oslo_middleware:CORS.factory