Merge "Add entry_point for oslo policy scripts"

2016-08-25 10:32:49 +00:00 · 2016-08-25 10:32:49 +00:00 · f6f75db5bc
commit f6f75db5bc
parent 1ce9613f87 3b609a52fb
3 changed files with 38 additions and 0 deletions
--- a/nova/policy.py
+++ b/nova/policy.py
@ -14,6 +14,7 @@
 #    under the License.

 """Policy Engine For Nova."""
+import sys

 from oslo_config import cfg
 from oslo_log import log as logging
@ -155,3 +156,23 @@ def get_rules():

 def register_rules(enforcer):
    enforcer.register_defaults(policies.list_rules())
+
+
+def get_enforcer():
+    # This method is for use by oslopolicy CLI scripts. Those scripts need the
+    # 'output-file' and 'namespace' options, but having those in sys.argv means
+    # loading the Nova config options will fail as those are not expected to
+    # be present. So we pass in an arg list with those stripped out.
+    conf_args = []
+    # Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
+    i = 1
+    while i < len(sys.argv):
+        if sys.argv[i].strip('-') in ['namespace', 'output-file']:
+            i += 2
+            continue
+        conf_args.append(sys.argv[i])
+        i += 1
+
+    cfg.CONF(conf_args, project='nova')
+    init()
+    return _ENFORCER
--- a/releasenotes/notes/oslopolicy-scripts-957b364b8ffd7c3f.yaml
+++ b/releasenotes/notes/oslopolicy-scripts-957b364b8ffd7c3f.yaml
@ -0,0 +1,14 @@
+---
+features:
+  - Nova is now configured to work with two oslo.policy CLI scripts that have
+    been added.
+
+    The first of these can be called like
+    "oslopolicy-list-redundant --namespace nova" and will output a list of
+    policy rules in policy.[json|yaml] that match the project defaults. These
+    rules can be removed from the policy file as they have no effect there.
+
+    The second script can be called like
+    "oslopolicy-policy-generator --namespace nova --output-file policy-merged.yaml"
+    and will populate the policy-merged.yaml file with the effective policy.
+    This is the merged results of project defaults and config file overrides.
--- a/setup.cfg
+++ b/setup.cfg
@ -31,6 +31,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
    nova.api = nova.common.config:set_middleware_defaults

+oslo.policy.enforcer =
+    nova = nova.policy:get_enforcer
+
 oslo.policy.policies =
    # The sample policies will be ordered by entry point and then by list
    # returned from that entry point. If more control is desired split out each