Add enforcer logic for neutron policy

The oslopolicy-policy-generator command line tool does not run
currently, throwing a KeyError.  This is because a policy enforcer needs
to be added to Neutron for the command to run.

This change is a limited backport of "Convert policy.json into
policy-in-code" [1]. The feature of policy-in-code is not backported;
all that is backported is the changes needed for the
oslopolicy-policy-generator command line tool to function properly,
which were bundled in with the rest of the policy-in-code feature.

For reference, an analogous change was merged in keystone to solve the
same problem [2].

[1] https://review.openstack.org/585037
[2] https://review.openstack.org/530828

Change-Id: I912f23e9c6800b71672507c548cfab3f094de9c7
Closes-Bug: #1817953
(cherry picked from commit 96b0b90b89)
This commit is contained in:
Nate Johnston 2019-03-25 16:04:22 -04:00
parent 0701df157f
commit 44d34170cc
3 changed files with 36 additions and 0 deletions

View File

@ -15,6 +15,7 @@
import collections import collections
import re import re
import sys
from neutron_lib import constants from neutron_lib import constants
from neutron_lib import context from neutron_lib import context
@ -404,3 +405,24 @@ def enforce(context, action, target, plugin=None, pluralized=None):
log_rule_list(rule) log_rule_list(rule)
LOG.debug("Failed policy check for '%s'", action) LOG.debug("Failed policy check for '%s'", action)
return result return result
def get_enforcer():
# NOTE(amotoki): This was borrowed from nova/policy.py.
# This method is for use by oslo.policy CLI scripts. Those scripts need the
# 'output-file' and 'namespace' options, but having those in sys.argv means
# loading the neutron config options will fail as those are not expected to
# be present. So we pass in an arg list with those stripped out.
conf_args = []
# Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
i = 1
while i < len(sys.argv):
if sys.argv[i].strip('-') in ['namespace', 'output-file']:
i += 2
continue
conf_args.append(sys.argv[i])
i += 1
cfg.CONF(conf_args, project='neutron')
init()
return _ENFORCER

View File

@ -59,6 +59,7 @@ from neutron.db import standard_attr
from neutron.ipam.drivers.neutrondb_ipam import driver as ipam_driver from neutron.ipam.drivers.neutrondb_ipam import driver as ipam_driver
from neutron.ipam import exceptions as ipam_exc from neutron.ipam import exceptions as ipam_exc
from neutron.objects import router as l3_obj from neutron.objects import router as l3_obj
from neutron import policy
from neutron.tests import base from neutron.tests import base
from neutron.tests import tools from neutron.tests import tools
from neutron.tests.unit.api import test_extensions from neutron.tests.unit.api import test_extensions
@ -169,6 +170,17 @@ class NeutronDbPluginV2TestCase(testlib_api.WebTestCase):
self._skip_native_sorting = not _is_native_sorting_support() self._skip_native_sorting = not _is_native_sorting_support()
if ext_mgr: if ext_mgr:
self.ext_api = test_extensions.setup_extensions_middleware(ext_mgr) self.ext_api = test_extensions.setup_extensions_middleware(ext_mgr)
# NOTE(amotoki): policy._ENFORCER is initialized in
# neutron.tests.base.BaseTestCase.setUp() but this is too early
# and neutron.policy.FieldCheck conv_func does not work
# because extended resources are not populated to
# attributes.RESOURCES yet.
# Thus we need to refresh the default policy rules after loading
# extensions. Especially it is important to re-instantiate
# DefaultRule() under neutron.conf.policies. To do this,
# we need to reload the default policy modules.
policy.reset()
policy.init()
def setup_config(self): def setup_config(self):
# Create the default configurations # Create the default configurations

View File

@ -137,6 +137,8 @@ oslo.config.opts =
nova.auth = neutron.opts:list_auth_opts nova.auth = neutron.opts:list_auth_opts
oslo.config.opts.defaults = oslo.config.opts.defaults =
neutron = neutron.common.config:set_cors_middleware_defaults neutron = neutron.common.config:set_cors_middleware_defaults
oslo.policy.enforcer =
neutron = neutron.policy:get_enforcer
neutron.db.alembic_migrations = neutron.db.alembic_migrations =
neutron = neutron.db.migration:alembic_migrations neutron = neutron.db.migration:alembic_migrations
neutron.interface_drivers = neutron.interface_drivers =