remove default rule

The default rule no longer applies with the move of policy into code
so this change removes it.

In previous releases, the default rule was used by operators
customizing policy and not wanting to specify every rule in their
policy.json. But with the move of policy into code, all checks that
the code is going to make are defined in code, so there should never
be an occasion for the default rule to be checked. Leaving it defined
would confuse operators since it can no longer be used the way it was
used before.

Change-Id: Idafe1c906f1eb188200eab7af3eae8eb86c8154a
Closes-Bug: #1703392
Matthew Edmonds 2017-07-10 10:42:29 -04:00
parent fa88f68448
commit fbec857384
3 changed files with 18 additions and 58 deletions


@ -56,9 +56,6 @@ rules = [
policy.RuleDefault(
name='service_admin_or_token_subject',
check_str='rule:service_or_admin or rule:token_subject'),
policy.RuleDefault(
name='default',
check_str='rule:admin_required')
]
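Review bot: The rules list now registers no `default` entry, but nothing in the module records that this is deliberate, and a reader who sees every other base rule (`admin_required`, `service_admin_or_token_subject`, ...) defined here will reasonably ask whether `default` was dropped by mistake. I would add, where the removed `RuleDefault` stood, `# No 'default' rule is registered on purpose: every check keystone makes is defined in code, so an action missing from the registered rules is unexpected and must not silently resolve to admin_required.` What oslo.policy then does for an unregistered action with no default rule (deny, or raise) is not visible in this hunk; once confirmed it belongs in that comment too. The `rules = [` list starts before this hunk.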


@ -126,51 +126,6 @@ class PolicyTestCase(unit.TestCase):
policy.enforce(admin_credentials, uppercase_action, self.target)
class DefaultPolicyTestCase(unit.TestCase):
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
self.rules = {
"default": [],
"example:exist": [["false:false"]]
}
self._set_rules('default')
self.credentials = {}
# FIXME(gyee): latest Oslo policy Enforcer class reloads the rules in
# its enforce() method even though rules has been initialized via
# set_rules(). To make it easier to do our tests, we're going to
# monkeypatch load_roles() so it does nothing. This seem like a bug in
# Oslo policy as we shouldn't have to reload the rules if they have
# already been set using set_rules().
self._old_load_rules = policy._ENFORCER.load_rules
self.addCleanup(setattr, policy._ENFORCER, 'load_rules',
self._old_load_rules)
policy._ENFORCER.load_rules = lambda *args, **kwargs: None
def _set_rules(self, default_rule):
these_rules = common_policy.Rules.from_dict(self.rules, default_rule)
policy._ENFORCER.set_rules(these_rules)
def test_policy_called(self):
self.assertRaises(exception.ForbiddenAction, policy.enforce,
self.credentials, "example:exist", {})
def test_not_found_policy_calls_default(self):
policy.enforce(self.credentials, "example:noexist", {})
def test_default_not_found(self):
new_default_rule = "default_noexist"
# FIXME(gyee): need to overwrite the Enforcer's default_rule first
# as it is recreating the rules with its own default_rule instead
# of the default_rule passed in from set_rules(). I think this is a
# bug in Oslo policy.
policy._ENFORCER.default_rule = new_default_rule
self._set_rules(new_default_rule)
self.assertRaises(exception.ForbiddenAction, policy.enforce,
self.credentials, "example:noexist", {})
class PolicyJsonTestCase(unit.TestCase):
def _get_default_policy_rules(self):
@ -229,8 +184,8 @@ class PolicyJsonTestCase(unit.TestCase):
# These keys are in the policy.json but aren't targets.
policy_rule_keys = [
'admin_or_owner', 'admin_or_token_subject', 'admin_required',
'default', 'owner', 'service_admin_or_token_subject',
'service_or_admin', 'service_role', 'token_subject', ]
'owner', 'service_admin_or_token_subject', 'service_or_admin',
'service_role', 'token_subject', ]
def read_doc_targets():
# Parse the doc/source/policy_mapping.rst file and return the
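Review bot: Deleting DefaultPolicyTestCase wholesale leaves no test for what `policy.enforce` does with an action that is not registered in code, which is precisely the path this commit changes; the removed `test_default_not_found` was the one check that an unresolvable rule ends in `exception.ForbiddenAction`, and a version of it that drops the `_set_rules`/`default_rule` monkeypatching should be kept as a regression test for the fail-closed behaviour. Presumably the same outcome still holds with no default rule at all, but the hunk gives no evidence either way, which is the reason to keep the test. The second hunk's `policy_rule_keys` change is consistent with the rule removal and needs nothing further. The class such a test would live in (`PolicyTestCase`) starts and ends outside the hunk, so its fixtures are not visible here.
```python
    def test_unregistered_action_is_denied(self):
        # With no 'default' rule registered, an action that is not defined
        # in code must fail closed rather than resolve through another rule.
        self.assertRaises(exception.ForbiddenAction, policy.enforce,
                          {}, "example:noexist", {})
```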


@ -5,10 +5,14 @@ features:
Keystone now supports the ability to register default policies in code.
This makes policy file maintenance easier by allowing duplicated default
policies to be removed from the policy file. The only policies that should
exist within a deployments policy file after Pike should be policy
overrides. To generate sample policy files from default values, prune
default policies from existing policy files, or familiarize yourself with
general policy usage, please see the `usage documentation
exist within a deployment's policy file after Pike should be policy
overrides. Note that there is no longer a default value for the default
rule. That rule is only checked when the more specific rule cannot be
found, and with policy in code all rules should be found in code even if
they are not in the policy file. To generate sample policy files from
default values, prune default policies from existing policy files, or
familiarize yourself with general policy usage, please see the
`usage documentation
<https://docs.openstack.org/developer/oslo.policy/usage.html>`_
provided in oslo.policy.
@ -18,9 +22,13 @@ upgrade:
Keystone now supports the ability to register default policies in code.
This makes policy file maintenance easier by allowing duplicated default
policies to be removed from the policy file. The only policies that should
exist within a deployments policy file after Pike should be policy
overrides. To generate sample policy files from default values, prune
default policies from existing policy files, or familiarize yourself with
general policy usage, please see the `usage documentation
exist within a deployment's policy file after Pike should be policy
overrides. Note that there is no longer a default value for the default
rule. That rule is only checked when the more specific rule cannot be
found, and with policy in code all rules should be found in code even if
they are not in the policy file. To generate sample policy files from
default values, prune default policies from existing policy files, or
familiarize yourself with general policy usage, please see the
`usage documentation
<https://docs.openstack.org/developer/oslo.policy/usage.html>`_
provided in oslo.policy.