Previously if a non-existent namespace was specified, we just got
a generic KeyError from stevedore that didn't say a whole lot about
what went wrong. You pretty much had to go read the code to figure
out what happened.
This change adds an explicit check for a missing namespace and raises
a KeyError with a more specific error message that explains what is
wrong.
Change-Id: Ia56d4655d70cee78661567188a977f67b7c3ee78
Closes-Bug: 1817953
Reading configurations will enable us to be able to use the
oslopolicy-checker to do external checks (which require the
configuration in the enforcer).
Change-Id: If2e697f9ac0317046f5a872ad668b42c1b32eb1e
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
By calling set_default[1] on a conf object it only applies to opts
registered to that object. This causes an incorrect value to appear in
the generated sample config because it deals with a list of raw opts,
not a conf object.
To fix this, we can call the global set_defaults[2] on the cfg module
which alters the opts directly. This is the method used in the cors
middleware[3] and works as expected there.
This does complicate the unit tests, however. Because we're altering
global state we need to save the original opts and restore them after
the test. Furthermore, the conf.reset() call in the config fixture
doesn't sufficiently reset the conf object to allow it to recognize
the replaced opts. For the purposes of this test we can just create
a standalone conf object though, which gets past that problem.
It's possible that we should fix reset() so it actually removes opts
in groups completely, but I'm unsure what implications that might
have for other users of the function.
1: b5df53543f/oslo_config/cfg.py (L2433)
2: b5df53543f/oslo_config/cfg.py (L391)
3: 8c7fa5bb10/oslo_middleware/cors.py (L88)
Change-Id: I3af9de1b39b6360ecfcb448d8c37b463e1a42ca7
Closes-Bug: 1807184
oslo.config already has a proper type to deal with boolean options.
Change-Id: I675c1dbfa13ca68506042f7907082b0e3d51672a
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
Small cleanups:
* Use openstack-lower-constraints-jobs template, remove individual
jobs.
* Sort list of templates
Change-Id: If1babd86d4695fe216ff703ed862c3f06d448e15
Needed-By: https://review.openstack.org/623229
Changing arg consumption from argparse to oslo.config in
order to also provide behavior control using config files.
Change-Id: Iec4dab763b973b70c98077cb29708acd9cbbcec4
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
Add a new "oslopolicy-policy-upgrade" commnd. Using this command,
operator can upgrade their self-defined policy files to follow
the new format in the new release when upgrading OpenStack services.
Change-Id: Iad9740bd8a5e4fdf1d1e64d61bc93f2483c531f3
A previous commit made some changes to allow for more robust logging
of RBAC enforcement data:
I4642c57990b145c0e691140970574412682e66a5
This also included logging of the target data, which is provided by
the service calling policy enforcement.
This commit makes it so that target data is protected from exposing
sensitive information. A good example is doing operations on users
in keystone since keystone would populate the target dictionary
with user information, and possibly passwords.
This issue was found in keystone unit testing while trying to consume
oslo.policy 1.43.0.
Change-Id: I2702df8f3d7c040312eb863f7772b129e0e2c45c
Data passed to the RBAC enforce function consistes of 3 items:
* rule name or rule object
* credential data
* target data
Both the credential and target are dicts. When policy enforcement
does not work as expected it's essential to capture the input to
the enforcement engine as to ascertain why the rule did not work
as expected. It would also be highly advantageous if the logging
were in a format that could be digested by other tools
(e.g. oslopolicy-checker).
This patch does two things:
1) It logs the policy relevant input to Enforcer.enforce()
2) It eschews the use of Python's string formatting which may not
fully dump the contents of the dicts and is not easily parsed in favor
of using JSON format which does fully capture the object's content and
can be used in data exchange (and can be read by oslopolicy-checker).
Contents of the credentials dict are filtered to scrub security
sensitive data.
Closes-Bug: #1804073
Change-Id: I4642c57990b145c0e691140970574412682e66a5
Signed-off-by: John Dennis <jdennis@redhat.com>
This commit makes it easier for services to protect APIs meant for
domain-only operations. It does this by making "domain-scope" an
official scope type to check for during policy enforcement.
A good example of where this would be useful is protecting the user
API in keystone, since user's are technically owned by domains.
This commit bumps the version of oslo.context to 2.22.0, which also
has domain support.
Depends-On: https://review.openstack.org/#/c/613635/
Change-Id: Ifc83a5f261bc823060eca5c4d0a4bf07966794c4
Previously, we'd notify operators of changing or deprecated policies
by logging a warning while loading rules. However, this doesn't
prevent unintended access if an operator is overriding a policy
by its old policy name. In this case, let's make sure we check if the
old policy is being overridden and use that override for the new
policy's check value.
This commit introduces this change along with a few tests. It also
refactors the deprecated rule logic in load_rules() to separate
methods so that it's a little easier to understand where that logic
happens within the load_rules() method without cluttering it.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Closes-Bug: 1800259
Change-Id: Ice27cdb44241da94693625776037ea6164bbb913
This makes it easier for folks checking their policies to just
execute their rule checks and compare them with the original output.
Instead of having to manually pipe the result and sort it.
Change-Id: I8d45173578d3b309b97caaa7d4e87cb2aec0e8f2
Change I43782d245d7652ba69613b26fe598ac79ec19929 added a policy
file parsing optimization that had the affect of allowing some
strictly speaking invalid JSON policy files to be accepted.
Enhance the test for bad JSON to look for this to prevent
formerly acceptable policy files from becoming invalid if
the code is refactored at some point.
Also updates two related comments that had gotten out of sync
with the code.
Change-Id: I6a269b91436cac29bd72e11dbdc51ee74feca028
In the "special checks" section, 'role' and 'rule' are keywords
and should not be enclosed in '< >'.
Change-Id: Ia3c1b47f1c8452bcca62961de4414d21d7ebf481
The way we were using the token fixture in the shell tests was modifying
the structure. If the test would get run by the same process, it would
then use the modified structure and the test would fail.
This uses deepcopy instead, so this way, we never modify that fixture.
Change-Id: Ib88feee7d7fe72c66b4e8af510f9f28411ac47df
This allows us to test the policy for other services which might have
different or unusual target data formats (such as Barbican). It would be
possible to pass it as a nested dictionary, e.g.:
{
"target": {
"secret": {
"project_id": "my project id"
}
}
}
or as a key pair (as oslo.policy would expect):
{
"target.secret.project_id": "my project id"
}
Both will work (note that this logic was taken from barbican).
This fixes around the limitation that the target is hardcoded to be
"project_id", and thus allows to test more scenarios (such as the
project ID not matching).
Change-Id: Ia9f7462072a8cb142251c8bb5ef19d9a25a98119
We were not passing the policy name, which made it quite hard to test
out external checks given that this is information that is passed in
there. This passes that parameter.
Change-Id: I217a6545bdf753470e08b39de2c0df08ffa1f82f
This adds unit tests for the shell.py file, which is what we use for the
oslopolicy-checker command.
Change-Id: I52d8669b30e868a4fbdb33316f4db31947b08fa2
Sphinx 1.6 deprecated using the application object to perform logging
and it will be removed in the upcoming 2.0 release. This updates our
extensions to use the recommended sphinx.util.logging instead.
Change-Id: Ia9edbfd551d260b798818940e4d156957f382324
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Developers run all sorts of different tools within Git repositories,
any of which can leave their own special trashfiles all over the
place. We can't every hope to catalog them all, so better to
recommend developers simply configure a global core.excludesfile to
filter the irrelevant files which tend to get created by their
personal choice of tools.
To this end, remove the long-standing sections for "Mr Developer"
and "Editors" since their mere existence here sends the signal that
we welcome (and have time to review) additions for any old tool
someone ever might happen to try. Also add a comment block
explaining this, for clarity.
We can, and should of course, continue to list files created by the
tools recommended by our workflow (test frameworks called from tox,
documentation and packaging builds, et cetera).
This change is a port of I1b41efac219fca44e2548fc36633724d0ecfc0cb
from the openstack-dev/oslo-cookiecutter repository.
Change-Id: I3eeb6157ed79e2b75e14e8e94fcfe40c4bf7ff42
Inconsistent policy names across OpenStack services has been a pain
point for operators and users for a long time. This is an attempt at
documenting a set of conventions for developers to work towards to
provide a more uniform experience. These conventions were discussed
publicly on the mailing list:
http://lists.openstack.org/pipermail/openstack-dev/2018-September/134597.html
Change-Id: I8831c44a3544d11c0bb1c0ce58d1a140f861e22b
Users expect this to be parsed as rST and write their docstrings accordingly.
This has the potential to introduce warnings for users with improperly
formatted rST and these warnings can be promoted to errors if 'sphinx-build' is
used with the '-W' option. As a result, we disable the 'warning-is-error'
logger for these options. We may wish to change this behavior in the future.
It is not really possible to test this yet as the output wouldn't look much
different. In addition, the error messages generated are rather unhelpful. Both
of these can be changed in a future modification.
Change-Id: I4572eef31a8675eabb791c14279490348e949cd0
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
The Syntax section of this is supposed to be describing the YAML
format, but references the JSON format.
This commit updates the documentation to remove this reference.
Change-Id: I7bfc11a3f1ecc57e3865d308b7a9bffd8453bce2
This is a mechanically generated patch to add a functional test job
running under Python 3 as part of the python3-first goal.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: I6cb066225c88f174b90eb21e8a0d26974641c41b
Story: #2002586
Task: #24322
Ben Nemec