Add enforcer logic for neutron policy
The oslopolicy-policy-generator command line tool does not run
currently, throwing a KeyError. This is because a policy enforcer needs
to be added to Neutron for the command to run.
This change is a limited backport of "Convert policy.json into
policy-in-code" [1]. The feature of policy-in-code is not backported;
all that is backported is the changes needed for the
oslopolicy-policy-generator command line tool to function properly,
which were bundled in with the rest of the policy-in-code feature.
For reference, an analogous change was merged in keystone to solve the
same problem [2].
[1] https://review.openstack.org/585037
[2] https://review.openstack.org/530828
Change-Id: I912f23e9c6800b71672507c548cfab3f094de9c7
Closes-Bug: #1817953
(cherry picked from commit 96b0b90b89)
This commit is contained in:
parent
0701df157f
commit
44d34170cc
@ -15,6 +15,7 @@
|
|||||||
|
|
||||||
import collections
|
import collections
|
||||||
import re
|
import re
|
||||||
|
import sys
|
||||||
|
|
||||||
from neutron_lib import constants
|
from neutron_lib import constants
|
||||||
from neutron_lib import context
|
from neutron_lib import context
|
||||||
@ -404,3 +405,24 @@ def enforce(context, action, target, plugin=None, pluralized=None):
|
|||||||
log_rule_list(rule)
|
log_rule_list(rule)
|
||||||
LOG.debug("Failed policy check for '%s'", action)
|
LOG.debug("Failed policy check for '%s'", action)
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
|
||||||
|
def get_enforcer():
|
||||||
|
# NOTE(amotoki): This was borrowed from nova/policy.py.
|
||||||
|
# This method is for use by oslo.policy CLI scripts. Those scripts need the
|
||||||
|
# 'output-file' and 'namespace' options, but having those in sys.argv means
|
||||||
|
# loading the neutron config options will fail as those are not expected to
|
||||||
|
# be present. So we pass in an arg list with those stripped out.
|
||||||
|
conf_args = []
|
||||||
|
# Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
|
||||||
|
i = 1
|
||||||
|
while i < len(sys.argv):
|
||||||
|
if sys.argv[i].strip('-') in ['namespace', 'output-file']:
|
||||||
|
i += 2
|
||||||
|
continue
|
||||||
|
conf_args.append(sys.argv[i])
|
||||||
|
i += 1
|
||||||
|
|
||||||
|
cfg.CONF(conf_args, project='neutron')
|
||||||
|
init()
|
||||||
|
return _ENFORCER
|
||||||
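Review bot: The argv filter in get_enforcer only recognises the two-token form `--namespace neutron`; the single-token form `--namespace=neutron` (which oslo.config-style CLI options normally accept) survives `strip('-')` as `namespace=neutron`, is appended to conf_args, and is then handed to `cfg.CONF(...)`, which presumably rejects it as an unknown argument. A small fix is to split on `=` before matching and skip one token instead of two in that case: `opt, sep, _ = sys.argv[i].partition('=')` / `if opt.strip('-') in ['namespace', 'output-file']:` / `i += 1 if sep else 2`, with the `continue` unchanged. Separately, because `cfg.CONF(conf_args, project='neutron')` picks up whatever neutron.conf the default search path yields, the enforcer this returns describes the effective policy of the API server only when the tool is run with the same `--config-file`/`--config-dir` as that server; that is worth stating in the comment block, e.g. `# Run with the same --config-file/--config-dir as neutron-server, otherwise the generated policy will not match what the API actually enforces.` Note that `init()` and `_ENFORCER` are defined outside this hunk, so their behaviour is not reviewable here.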
|
@ -59,6 +59,7 @@ from neutron.db import standard_attr
|
|||||||
from neutron.ipam.drivers.neutrondb_ipam import driver as ipam_driver
|
from neutron.ipam.drivers.neutrondb_ipam import driver as ipam_driver
|
||||||
from neutron.ipam import exceptions as ipam_exc
|
from neutron.ipam import exceptions as ipam_exc
|
||||||
from neutron.objects import router as l3_obj
|
from neutron.objects import router as l3_obj
|
||||||
|
from neutron import policy
|
||||||
from neutron.tests import base
|
from neutron.tests import base
|
||||||
from neutron.tests import tools
|
from neutron.tests import tools
|
||||||
from neutron.tests.unit.api import test_extensions
|
from neutron.tests.unit.api import test_extensions
|
||||||
@ -169,6 +170,17 @@ class NeutronDbPluginV2TestCase(testlib_api.WebTestCase):
|
|||||||
self._skip_native_sorting = not _is_native_sorting_support()
|
self._skip_native_sorting = not _is_native_sorting_support()
|
||||||
if ext_mgr:
|
if ext_mgr:
|
||||||
self.ext_api = test_extensions.setup_extensions_middleware(ext_mgr)
|
self.ext_api = test_extensions.setup_extensions_middleware(ext_mgr)
|
||||||
|
# NOTE(amotoki): policy._ENFORCER is initialized in
|
||||||
|
# neutron.tests.base.BaseTestCase.setUp() but this is too early
|
||||||
|
# and neutron.policy.FieldCheck conv_func does not work
|
||||||
|
# because extended resources are not populated to
|
||||||
|
# attributes.RESOURCES yet.
|
||||||
|
# Thus we need to refresh the default policy rules after loading
|
||||||
|
# extensions. Especially it is important to re-instantiate
|
||||||
|
# DefaultRule() under neutron.conf.policies. To do this,
|
||||||
|
# we need to reload the default policy modules.
|
||||||
|
policy.reset()
|
||||||
|
policy.init()
|
||||||
|
|
||||||
def setup_config(self):
|
def setup_config(self):
|
||||||
# Create the default configurations
|
# Create the default configurations
|
||||||
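Review bot: The comment added before `policy.reset()` says it is "important to re-instantiate DefaultRule() under neutron.conf.policies", but the commit message states that the policy-in-code feature this module belongs to is not being backported, so on this branch the comment appears to describe a mechanism that does not exist and will mislead the next reader. Suggest trimming it to what the visible code supports: `# Re-initialize the enforcer after extensions are loaded: BaseTestCase.setUp()` / `# does this too early, before extended resources are in attributes.RESOURCES,` / `# so neutron.policy.FieldCheck's conv_func would not see them.` If `neutron.conf.policies` does exist on this branch after all, the reference can stay, but that should be confirmed rather than inherited from the master commit. `policy.reset()` and `policy.init()` are defined outside this section, and `NeutronDbPluginV2TestCase.setUp` continues past the hunk.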
|
@ -137,6 +137,8 @@ oslo.config.opts =
|
|||||||
nova.auth = neutron.opts:list_auth_opts
|
nova.auth = neutron.opts:list_auth_opts
|
||||||
oslo.config.opts.defaults =
|
oslo.config.opts.defaults =
|
||||||
neutron = neutron.common.config:set_cors_middleware_defaults
|
neutron = neutron.common.config:set_cors_middleware_defaults
|
||||||
|
oslo.policy.enforcer =
|
||||||
|
neutron = neutron.policy:get_enforcer
|
||||||
neutron.db.alembic_migrations =
|
neutron.db.alembic_migrations =
|
||||||
neutron = neutron.db.migration:alembic_migrations
|
neutron = neutron.db.migration:alembic_migrations
|
||||||
neutron.interface_drivers =
|
neutron.interface_drivers =
|
||||||
|