Add entry_point for oslo policy scripts

There are two helper scripts in oslo.policy to help deployers understand their policy configuration better. With the setup.cfg entry these can be called directly from oslo.policy. Change-Id: I08dc33367401ec1f98e1795a52d4e981f09a07de Implements: bp policy-in-code
2016-06-29 16:59:20 -04:00 · 2016-06-29 16:59:20 -04:00 · 3b609a52fb
commit 3b609a52fb
parent d23fb5ff9f
3 changed files with 38 additions and 0 deletions
--- a/nova/policy.py
+++ b/nova/policy.py
@ -14,6 +14,7 @@
 #    under the License.

 """Policy Engine For Nova."""
+import sys

 from oslo_config import cfg
 from oslo_log import log as logging
@ -155,3 +156,23 @@ def get_rules():

 def register_rules(enforcer):
    enforcer.register_defaults(policies.list_rules())
+
+
+def get_enforcer():
+    # This method is for use by oslopolicy CLI scripts. Those scripts need the
+    # 'output-file' and 'namespace' options, but having those in sys.argv means
+    # loading the Nova config options will fail as those are not expected to
+    # be present. So we pass in an arg list with those stripped out.
+    conf_args = []
+    # Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
+    i = 1
+    while i < len(sys.argv):
+        if sys.argv[i].strip('-') in ['namespace', 'output-file']:
+            i += 2
+            continue
+        conf_args.append(sys.argv[i])
+        i += 1
+
+    cfg.CONF(conf_args, project='nova')
+    init()
+    return _ENFORCER
--- a/releasenotes/notes/oslopolicy-scripts-957b364b8ffd7c3f.yaml
+++ b/releasenotes/notes/oslopolicy-scripts-957b364b8ffd7c3f.yaml
@ -0,0 +1,14 @@
+---
+features:
+  - Nova is now configured to work with two oslo.policy CLI scripts that have
+    been added.
+
+    The first of these can be called like
+    "oslopolicy-list-redundant --namespace nova" and will output a list of
+    policy rules in policy.[json|yaml] that match the project defaults. These
+    rules can be removed from the policy file as they have no effect there.
+
+    The second script can be called like
+    "oslopolicy-policy-generator --namespace nova --output-file policy-merged.yaml"
+    and will populate the policy-merged.yaml file with the effective policy.
+    This is the merged results of project defaults and config file overrides.
--- a/setup.cfg
+++ b/setup.cfg
@ -31,6 +31,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
    nova.api = nova.common.config:set_middleware_defaults

+oslo.policy.enforcer =
+    nova = nova.policy:get_enforcer
+
 oslo.policy.policies =
    # The sample policies will be ordered by entry point and then by list
    # returned from that entry point. If more control is desired split out each