Expose a get_enforcer method for oslo.policy scripts

Because we have policy in code, we should be able to use the oslo.policy CLI scripts to produce sample policy files and render complete policies based on overrides on disk. This was broken because keystone wasn't removing unexpected commandline arguments before passing them to oslo.config to parse. This prevented people from generating complete policy files like they would for horizon. This commit exposes a get_enforcer() that substitutes an empty list in place of arguments passed in through the system. This makes it so that oslo.config doesn't choke when processing configuration values. Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d Closes-Bug: 1740951
2018-01-03 02:18:13 +00:00 · 2018-01-03 02:18:13 +00:00 · 85c957c503
commit 85c957c503
parent 1e21c52f3b
4 changed files with 38 additions and 0 deletions
--- a/keystone/common/policy.py
+++ b/keystone/common/policy.py
@ -35,6 +35,17 @@ def init():
        register_rules(_ENFORCER)


+def get_enforcer():
+    # Here we pass an empty list of arguments because there aren't any
+    # arguments that oslo.config or oslo.policy shouldn't already understand
+    # from the CONF object. This makes things easier here because we don't have
+    # to parse arguments passed in from the command line and remove unexpected
+    # arguments before building a Config object.
+    CONF([], project='keystone')
+    init()
+    return _ENFORCER
+
+
 def enforce(credentials, action, target, do_raise=True):
    """Verify that the action is valid on the target in this context.

--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -15,6 +15,7 @@

 import json
 import os
+import subprocess
 import uuid

 from oslo_policy import policy as common_policy
@ -213,3 +214,18 @@ class PolicyJsonTestCase(unit.TestCase):

        doc_targets = list(read_doc_targets())
        self.assertItemsEqual(policy_keys, doc_targets + policy_rule_keys)
+
+
+class GeneratePolicyFileTestCase(unit.TestCase):
+
+    def test_policy_generator_from_command_line(self):
+        # This test ensures keystone.common.policy:get_enforcer ignores
+        # unexpected arguments before handing them off to oslo.config, which
+        # will fail and prevent users from generating policy files.
+        ret_val = subprocess.Popen(
+            ['oslopolicy-policy-generator', '--namespace', 'keystone'],
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE
+        )
+        ret_val.communicate()
+        self.assertEqual(ret_val.returncode, 0)
--- a/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
+++ b/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    [`bug 1740951 <https://bugs.launchpad.net/keystone/+bug/1740951>`_]
+    A new method was added that made it so oslo.policy sample generation
+    scripts can be used with keystone. The ``oslopolicy-policy-generator``
+    script will now generate a policy file containing overrides and defaults
+    registered in code.
--- a/setup.cfg
+++ b/setup.cfg
@ -185,6 +185,9 @@ oslo.policy.policies =
    # the default defined polices.
    keystone = keystone.common.policies:list_rules

+oslo.policy.enforcer =
+    keystone = keystone.common.policy:get_enforcer
+
 paste.filter_factory =
    healthcheck = oslo_middleware:Healthcheck.factory
    cors = oslo_middleware:CORS.factory