Add support for policy directories per service

This change introduces the POLICY_DIRS setting which adds the ability to define multiple policy directories per service. Blueprint: policy-dirs Change-Id: Ie42f1aa68539b7388661ddfe2c265255cd574736
2017-07-24 18:42:09 -04:00 · 2017-07-24 18:42:09 -04:00 · 346c36d798
parent 3688a8243f
commit 346c36d798
2 changed files with 29 additions and 5 deletions
--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@ -222,6 +222,23 @@ will deny the access and users must contact an admin to change their password.
 Setting this value to ``N`` days means the user will be alerted when the
 password expires in less than ``N+1`` days. ``-1`` disables the feature.

+``POLICY_DIRS``
+----------------
+
+Default: ``{}``
+
+Specifies a list of policy directories per service types. The directories
+are relative to ``POLICY_FILES_PATH``. Services whose additional policies
+are defined here must be defined in ``POLICY_FILES`` too. Otherwise,
+additional policies specified in ``POLICY_DIRS`` are not loaded.
+
+Example::
+
+    POLICY_DIRS = {
+        'identity': 'keystone_policy.d',
+        'compute': 'nova_policy.d'
+    }
+
 ``POLICY_FILES``
 ----------------

--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@ -30,16 +30,22 @@ _ENFORCER = None
 _BASE_PATH = getattr(settings, 'POLICY_FILES_PATH', '')


-def _get_policy_conf():
+def _get_policy_conf(policy_file, policy_dirs=None):
    conf = cfg.ConfigOpts()
    # Passing [] is required. Otherwise oslo.config looks up sys.argv.
    conf([])
    policy_opts.set_defaults(conf)
+    policy_file = os.path.join(_BASE_PATH, policy_file)
+    conf.set_default('policy_file', policy_file, 'oslo_policy')
    # Policy Enforcer has been updated to take in a policy directory
    # as a config option. However, the default value in is set to
    # ['policy.d'] which causes the code to break. Set the default
    # value to empty list for now.
-    conf.set_default('policy_dirs', [], 'oslo_policy')
+    if policy_dirs is None:
+        policy_dirs = []
+    policy_dirs = [os.path.join(_BASE_PATH, policy_dir)
+                   for policy_dir in policy_dirs]
+    conf.set_default('policy_dirs', policy_dirs, 'oslo_policy')
    return conf


@ -48,10 +54,11 @@ def _get_enforcer():
    if not _ENFORCER:
        _ENFORCER = {}
        policy_files = getattr(settings, 'POLICY_FILES', {})
-        conf = _get_policy_conf()
+        policy_dirs = getattr(settings, 'POLICY_DIRS', {})
        for service in policy_files.keys():
-            policy_file = os.path.join(_BASE_PATH, policy_files[service])
-            enforcer = policy.Enforcer(conf, policy_file)
+            conf = _get_policy_conf(policy_file=policy_files[service],
+                                    policy_dirs=policy_dirs.get(service, []))
+            enforcer = policy.Enforcer(conf)
            # Ensure enforcer.policy_path is populated.
            enforcer.load_rules()
            if os.path.isfile(enforcer.policy_path):