Add support for policy directories per service
This change introduces the POLICY_DIRS setting which adds the ability to define multiple policy directories per service. Blueprint: policy-dirs Change-Id: Ie42f1aa68539b7388661ddfe2c265255cd574736
This commit is contained in:
parent
3688a8243f
commit
346c36d798
|
@ -222,6 +222,23 @@ will deny the access and users must contact an admin to change their password.
|
|||
Setting this value to ``N`` days means the user will be alerted when the
|
||||
password expires in less than ``N+1`` days. ``-1`` disables the feature.
|
||||
|
||||
``POLICY_DIRS``
|
||||
----------------
|
||||
|
||||
Default: ``{}``
|
||||
|
||||
Specifies a list of policy directories per service types. The directories
|
||||
are relative to ``POLICY_FILES_PATH``. Services whose additional policies
|
||||
are defined here must be defined in ``POLICY_FILES`` too. Otherwise,
|
||||
additional policies specified in ``POLICY_DIRS`` are not loaded.
|
||||
|
||||
Example::
|
||||
|
||||
POLICY_DIRS = {
|
||||
'identity': 'keystone_policy.d',
|
||||
'compute': 'nova_policy.d'
|
||||
}
|
||||
|
||||
``POLICY_FILES``
|
||||
----------------
|
||||
|
||||
|
|
|
@ -30,16 +30,22 @@ _ENFORCER = None
|
|||
_BASE_PATH = getattr(settings, 'POLICY_FILES_PATH', '')
|
||||
|
||||
|
||||
def _get_policy_conf():
|
||||
def _get_policy_conf(policy_file, policy_dirs=None):
|
||||
conf = cfg.ConfigOpts()
|
||||
# Passing [] is required. Otherwise oslo.config looks up sys.argv.
|
||||
conf([])
|
||||
policy_opts.set_defaults(conf)
|
||||
policy_file = os.path.join(_BASE_PATH, policy_file)
|
||||
conf.set_default('policy_file', policy_file, 'oslo_policy')
|
||||
# Policy Enforcer has been updated to take in a policy directory
|
||||
# as a config option. However, the default value in is set to
|
||||
# ['policy.d'] which causes the code to break. Set the default
|
||||
# value to empty list for now.
|
||||
conf.set_default('policy_dirs', [], 'oslo_policy')
|
||||
if policy_dirs is None:
|
||||
policy_dirs = []
|
||||
policy_dirs = [os.path.join(_BASE_PATH, policy_dir)
|
||||
for policy_dir in policy_dirs]
|
||||
conf.set_default('policy_dirs', policy_dirs, 'oslo_policy')
|
||||
return conf
|
||||
|
||||
|
||||
|
@ -48,10 +54,11 @@ def _get_enforcer():
|
|||
if not _ENFORCER:
|
||||
_ENFORCER = {}
|
||||
policy_files = getattr(settings, 'POLICY_FILES', {})
|
||||
conf = _get_policy_conf()
|
||||
policy_dirs = getattr(settings, 'POLICY_DIRS', {})
|
||||
for service in policy_files.keys():
|
||||
policy_file = os.path.join(_BASE_PATH, policy_files[service])
|
||||
enforcer = policy.Enforcer(conf, policy_file)
|
||||
conf = _get_policy_conf(policy_file=policy_files[service],
|
||||
policy_dirs=policy_dirs.get(service, []))
|
||||
enforcer = policy.Enforcer(conf)
|
||||
# Ensure enforcer.policy_path is populated.
|
||||
enforcer.load_rules()
|
||||
if os.path.isfile(enforcer.policy_path):
|
||||
|
|
Loading…
Reference in New Issue