Expose a get_enforcer method for oslo.policy scripts
Because we have policy in code, we should be able to use the oslo.policy CLI scripts to produce sample policy files and render complete policies based on overrides on disk. This was broken because keystone wasn't removing unexpected commandline arguments before passing them to oslo.config to parse. This prevented people from generating complete policy files like they would for horizon. This commit exposes a get_enforcer() that substitutes an empty list in place of arguments passed in through the system. This makes it so that oslo.config doesn't choke when processing configuration values. Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d Closes-Bug: 1740951
parent
1e21c52f3b
commit
85c957c503
@ -35,6 +35,17 @@ def init():
|
|||||||
register_rules(_ENFORCER)
|
register_rules(_ENFORCER)
|
||||||
|
|
||||||
|
|
||||||
|
def get_enforcer():
|
||||||
|
# Here we pass an empty list of arguments because there aren't any
|
||||||
|
# arguments that oslo.config or oslo.policy shouldn't already understand
|
||||||
|
# from the CONF object. This makes things easier here because we don't have
|
||||||
|
# to parse arguments passed in from the command line and remove unexpected
|
||||||
|
# arguments before building a Config object.
|
||||||
|
CONF([], project='keystone')
|
||||||
|
init()
|
||||||
|
return _ENFORCER
|
||||||
|
|
||||||
|
|
||||||
def enforce(credentials, action, target, do_raise=True):
|
def enforce(credentials, action, target, do_raise=True):
|
||||||
"""Verify that the action is valid on the target in this context.
|
"""Verify that the action is valid on the target in this context.
|
||||||
|
|
||||||
|
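Review bot: get_enforcer() has no docstring, and the behaviour a caller most needs to know is only implied by the inline comment: `CONF([], project='keystone')` discards every command-line argument. The configuration, and any policy override file it names, therefore presumably come from oslo.config's default search path for keystone rather than from options given to the oslopolicy-* script. Someone using the generated output to audit effective policy on a deployment with a non-default config location could be reading a different policy than the running service enforces. I would add a docstring such as `"""Entry point for oslo.policy scripts; ignores CLI arguments and loads keystone config from the default search path only."""`. The call also re-parses CONF each time it runs, so the docstring should say it is meant for the CLI entry point and not for service code.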
@ -15,6 +15,7 @@
|
|||||||
|
|
||||||
import json
|
import json
|
||||||
import os
|
import os
|
||||||
|
import subprocess
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from oslo_policy import policy as common_policy
|
from oslo_policy import policy as common_policy
|
||||||
@ -213,3 +214,18 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||||||
|
|
||||||
doc_targets = list(read_doc_targets())
|
doc_targets = list(read_doc_targets())
|
||||||
self.assertItemsEqual(policy_keys, doc_targets + policy_rule_keys)
|
self.assertItemsEqual(policy_keys, doc_targets + policy_rule_keys)
|
||||||
|
|
||||||
|
|
||||||
|
class GeneratePolicyFileTestCase(unit.TestCase):
|
||||||
|
|
||||||
|
def test_policy_generator_from_command_line(self):
|
||||||
|
# This test ensures keystone.common.policy:get_enforcer ignores
|
||||||
|
# unexpected arguments before handing them off to oslo.config, which
|
||||||
|
# will fail and prevent users from generating policy files.
|
||||||
|
ret_val = subprocess.Popen(
|
||||||
|
['oslopolicy-policy-generator', '--namespace', 'keystone'],
|
||||||
|
stdout=subprocess.PIPE,
|
||||||
|
stderr=subprocess.PIPE
|
||||||
|
)
|
||||||
|
ret_val.communicate()
|
||||||
|
self.assertEqual(ret_val.returncode, 0)
|
||||||
|
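Review bot: test_policy_generator_from_command_line discards the child's stdout and stderr, so a non-zero return code fails the test with no indication of what oslo.config or oslo.policy rejected. Keeping the output and passing it as the assertion message would fix that: `_, err = ret_val.communicate()` followed by `self.assertEqual(0, ret_val.returncode, err)`. The executable is also resolved through PATH, and get_enforcer reads whatever keystone configuration sits on the test host's default search path, so the result may vary between machines (inferred, since the fixture setup is outside the hunk). Launching with a list argv and no shell is the right form and should stay.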
8
releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
Normal file
8
releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1740951 <https://bugs.launchpad.net/keystone/+bug/1740951>`_]
|
||||||
|
A new method was added that made it so oslo.policy sample generation
|
||||||
|
scripts can be used with keystone. The ``oslopolicy-policy-generator``
|
||||||
|
script will now generate a policy file containing overrides and defaults
|
||||||
|
registered in code.
|
@ -185,6 +185,9 @@ oslo.policy.policies =
|
|||||||
# the default defined polices.
|
# the default defined polices.
|
||||||
keystone = keystone.common.policies:list_rules
|
keystone = keystone.common.policies:list_rules
|
||||||
|
|
||||||
|
oslo.policy.enforcer =
|
||||||
|
keystone = keystone.common.policy:get_enforcer
|
||||||
|
|
||||||
paste.filter_factory =
|
paste.filter_factory =
|
||||||
healthcheck = oslo_middleware:Healthcheck.factory
|
healthcheck = oslo_middleware:Healthcheck.factory
|
||||||
cors = oslo_middleware:CORS.factory
|
cors = oslo_middleware:CORS.factory
|
||||||
|