From 3b609a52fb4ac030eef95dd8588e7d54abcc0615 Mon Sep 17 00:00:00 2001 From: Andrew Laski Date: Wed, 29 Jun 2016 16:59:20 -0400 Subject: [PATCH] Add entry_point for oslo policy scripts There are two helper scripts in oslo.policy to help deployers understand their policy configuration better. With the setup.cfg entry these can be called directly from oslo.policy. Change-Id: I08dc33367401ec1f98e1795a52d4e981f09a07de Implements: bp policy-in-code --- nova/policy.py | 21 +++++++++++++++++++ .../oslopolicy-scripts-957b364b8ffd7c3f.yaml | 14 +++++++++++++ setup.cfg | 3 +++ 3 files changed, 38 insertions(+) create mode 100644 releasenotes/notes/oslopolicy-scripts-957b364b8ffd7c3f.yaml diff --git a/nova/policy.py b/nova/policy.py index 6a2bc8192da5..f494b323ede2 100644 --- a/nova/policy.py +++ b/nova/policy.py @@ -14,6 +14,7 @@ # under the License. """Policy Engine For Nova.""" +import sys from oslo_config import cfg from oslo_log import log as logging @@ -155,3 +156,23 @@ def get_rules(): def register_rules(enforcer): enforcer.register_defaults(policies.list_rules()) + + +def get_enforcer(): + # This method is for use by oslopolicy CLI scripts. Those scripts need the + # 'output-file' and 'namespace' options, but having those in sys.argv means + # loading the Nova config options will fail as those are not expected to + # be present. So we pass in an arg list with those stripped out. + conf_args = [] + # Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:] + i = 1 + while i < len(sys.argv): + if sys.argv[i].strip('-') in ['namespace', 'output-file']: + i += 2 + continue + conf_args.append(sys.argv[i]) + i += 1 + + cfg.CONF(conf_args, project='nova') + init() + return _ENFORCER diff --git a/releasenotes/notes/oslopolicy-scripts-957b364b8ffd7c3f.yaml b/releasenotes/notes/oslopolicy-scripts-957b364b8ffd7c3f.yaml new file mode 100644 index 000000000000..f386765abefa --- /dev/null +++ b/releasenotes/notes/oslopolicy-scripts-957b364b8ffd7c3f.yaml 
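Review bot: In `get_enforcer` (nova/policy.py, second hunk) the argument filter only recognises the two oslo.policy options when the value is a separate token: `--namespace=nova` becomes `namespace=nova` after `strip('-')`, is not in the list, and is passed on to `cfg.CONF(conf_args, project='nova')`, which the comment above says will fail on these options. `strip('-')` also trims trailing dashes and matches a bare `namespace` word, so an unrelated token and the one after it can be dropped silently. Assuming the scripts accept the `=` spelling (their parser is not visible in this patch), I would split the name off first: `name, eq, _ = sys.argv[i].partition('=')`, then `if name.startswith('--') and name[2:] in ('namespace', 'output-file'):`, then `i += 1 if eq else 2`. The leading comment would also read better as the function's docstring, stating that the function parses `sys.argv`, loads the Nova configuration and returns the module-level `_ENFORCER`, since this is the entry point that setup.cfg exposes to the deployer-facing policy tools.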
@@ -0,0 +1,14 @@ +--- +features: + - Nova is now configured to work with two oslo.policy CLI scripts that have + been added. + + The first of these can be called like + "oslopolicy-list-redundant --namespace nova" and will output a list of + policy rules in policy.[json|yaml] that match the project defaults. These + rules can be removed from the policy file as they have no effect there. + + The second script can be called like + "oslopolicy-policy-generator --namespace nova --output-file policy-merged.yaml" + and will populate the policy-merged.yaml file with the effective policy. + This is the merged results of project defaults and config file overrides. diff --git a/setup.cfg b/setup.cfg index af43ef9c26e4..17c1304faf90 100644 --- a/setup.cfg +++ b/setup.cfg @@ -31,6 +31,9 @@ oslo.config.opts = oslo.config.opts.defaults = nova.api = nova.common.config:set_middleware_defaults +oslo.policy.enforcer = + nova = nova.policy:get_enforcer + oslo.policy.policies = # The sample policies will be ordered by entry point and then by list # returned from that entry point. If more control is desired split out each