authorMathieu Gagné <mgagne@iweb.com>2017-07-24 18:42:09 -0400
committerMathieu Gagné <mgagne@iweb.com>2017-08-17 12:23:31 -0400
commit346c36d7985296dedcbcfa8a52248dd9f9d21f35 (patch)
treeb65d32767fee4254f40964c6ef910caffaa965a3
parent3688a8243f81ade78cb1d28400e8c9ae5a6e124e (diff)
Add support for policy directories per service
This change introduces the POLICY_DIRS setting which adds the ability to define multiple policy directories per service. Blueprint: policy-dirs Change-Id: Ie42f1aa68539b7388661ddfe2c265255cd574736
Notes
Notes (review): Code-Review+2: Akihiro Motoki <amotoki@gmail.com> Workflow+1: Akihiro Motoki <amotoki@gmail.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Fri, 18 Aug 2017 10:40:33 +0000 Reviewed-on: https://review.openstack.org/487153 Project: openstack/django_openstack_auth Branch: refs/heads/master
-rw-r--r--doc/source/configuration/index.rst17
-rw-r--r--openstack_auth/policy.py17
2 files changed, 29 insertions, 5 deletions
diff --git a/doc/source/configuration/index.rst b/doc/source/configuration/index.rst
index 5b581b0..06c300b 100644
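--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@@ -222,6 +222,23 @@ will deny the access and users must contact an admin to change their password.
 Setting this value to ``N`` days means the user will be alerted when the
 password expires in less than ``N+1`` days. ``-1`` disables the feature.
 
+``POLICY_DIRS``
+----------------
+
+Default: ``{}``
+
+Specifies a list of policy directories per service types. The directories
+are relative to ``POLICY_FILES_PATH``. Services whose additional policies
+are defined here must be defined in ``POLICY_FILES`` too. Otherwise,
+additional policies specified in ``POLICY_DIRS`` are not loaded.
+
+Example::
+
+ POLICY_DIRS = {
+ 'identity': 'keystone_policy.d',
+ 'compute': 'nova_policy.d'
+ }
+
 ``POLICY_FILES``
 ----------------
 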
diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py
index 81fc7c2..e0a3ab0 100644
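--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@@ -30,16 +30,22 @@ _ENFORCER = None
 _BASE_PATH = getattr(settings, 'POLICY_FILES_PATH', '')
 
 
-def _get_policy_conf():
+def _get_policy_conf(policy_file, policy_dirs=None):
  conf = cfg.ConfigOpts()
  # Passing [] is required. Otherwise oslo.config looks up sys.argv.
  conf([])
  policy_opts.set_defaults(conf)
+ policy_file = os.path.join(_BASE_PATH, policy_file)
+ conf.set_default('policy_file', policy_file, 'oslo_policy')
  # Policy Enforcer has been updated to take in a policy directory
  # as a config option. However, the default value in is set to
  # ['policy.d'] which causes the code to break. Set the default
  # value to empty list for now.
- conf.set_default('policy_dirs', [], 'oslo_policy')
+ if policy_dirs is None:
+ policy_dirs = []
+ policy_dirs = [os.path.join(_BASE_PATH, policy_dir)
+ for policy_dir in policy_dirs]
+ conf.set_default('policy_dirs', policy_dirs, 'oslo_policy')
  return conf
 
 
@@ -48,10 +54,11 @@ def _get_enforcer():
  if not _ENFORCER:
  _ENFORCER = {}
  policy_files = getattr(settings, 'POLICY_FILES', {})
- conf = _get_policy_conf()
+ policy_dirs = getattr(settings, 'POLICY_DIRS', {})
  for service in policy_files.keys():
- policy_file = os.path.join(_BASE_PATH, policy_files[service])
- enforcer = policy.Enforcer(conf, policy_file)
+ conf = _get_policy_conf(policy_file=policy_files[service],
+ policy_dirs=policy_dirs.get(service, []))
+ enforcer = policy.Enforcer(conf)
  # Ensure enforcer.policy_path is populated.
  enforcer.load_rules()
  if os.path.isfile(enforcer.policy_path):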
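Review bot: In `_get_policy_conf`, the comprehension `for policy_dir in policy_dirs` assumes each `POLICY_DIRS` value is a list, yet the example this commit adds to the docs uses bare strings (`'identity': 'keystone_policy.d'`), which would be iterated one character at a time and joined into paths that do not exist. Because this setting decides which access rules the dashboard enforces, a misconfigured value should fail loudly; whether oslo.policy skips missing directories silently is not visible here and is worth checking. Normalise or reject the value before the join, for example `if isinstance(policy_dirs, str): policy_dirs = [policy_dirs]` (using the string type check appropriate to the supported Python versions), and change the doc example to lists. Separately, `os.path.join` discards `_BASE_PATH` when an entry is absolute, which the "relative to ``POLICY_FILES_PATH``" wording does not mention. `_get_enforcer` continues past the end of the second hunk.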