Merge "Add a permissive mode for access rules config"

This commit is contained in:
Zuul 2019-03-11 05:39:50 +00:00 committed by Gerrit Code Review
commit 30e6a7f1f1
4 changed files with 58 additions and 1 deletions


@ -94,6 +94,8 @@ class AccessRulesConfig(base.AccessRulesConfigDriverBase):
def __init__(self):
super(AccessRulesConfig, self).__init__()
if CONF.access_rules_config.permissive:
return
access_rules_file = CONF.access_rules_config.rules_file
self.access_rules = dict()
self.access_rules_json = dict()
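Review bot: The early `return` in `__init__` leaves `self.access_rules` and `self.access_rules_json` unset when permissive mode is on, so any driver method that still reads them would raise AttributeError rather than behave as "no configured rules". Moving the two assignments above the check — `self.access_rules = dict()` and `self.access_rules_json = dict()` before `if CONF.access_rules_config.permissive:` — keeps the driver object well-formed in both modes at no cost. `__init__` continues past the end of this hunk, so I cannot tell whether anything else is skipped by the return.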


@ -12,15 +12,18 @@
# License for the specific language governing permissions and limitations
# under the License.
"""List access rules."""
"""List access rules config."""
from keystone.common import cache
from keystone.common import driver_hints
from keystone.common import manager
from keystone.common import provider_api
import keystone.conf
CONF = keystone.conf.CONF
MEMOIZE = cache.get_memoization_decorator(group='access_rules_config')
PROVIDERS = provider_api.ProviderAPIs
class Manager(manager.Manager):
@ -41,6 +44,22 @@ class Manager(manager.Manager):
HTTP method.
"""
if CONF.access_rules_config.permissive:
hints = driver_hints.Hints()
if service:
hints.add_filter('service', service)
rules = {}
services = PROVIDERS.catalog_api.list_services(hints=hints)
if service:
services = [svc for svc in services if svc['type'] == service]
for svc in services:
rules[svc['type']] = []
for method in ['HEAD', 'GET', 'POST', 'PUT', 'PATCH', 'DELETE']:
rules[svc['type']].append({
"path": "**",
"method": method
})
return rules
return self.driver.list_access_rules_config(service)
@MEMOIZE
@ -55,5 +74,7 @@ class Manager(manager.Manager):
configured access rules
"""
if CONF.access_rules_config.permissive:
return True
return self.driver.check_access_rule(service, request_path,
request_method)
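Review bot: In the permissive branch of `list_access_rules_config` the hint filter is added under the key `'service'` while the comprehension right after it filters on `svc['type']`; unless the catalog driver treats `'service'` as a filter attribute, the hint is a no-op and the comprehension does all the work, so one of the two should go — presumably `hints.add_filter('type', service)` with the comprehension dropped, or the hints removed entirely. Neither docstring mentions the new mode; a closing sentence such as `In permissive mode the rules are synthesised from the service catalog ("**" for every HTTP method) and the configured rules are not consulted.` for the first method and `In permissive mode every request is allowed.` for the second would keep callers informed. The hard-coded HTTP method list would also read better as a module-level constant. Both methods begin before their hunks.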


@ -51,12 +51,22 @@ configuration will be loaded and application credential access rules will be
unavailable.
"""))
permissive = cfg.BoolOpt(
'permissive',
default=False,
help=utils.fmt("""
Toggles permissive mode for access rules. When enabled, application
credentials can be created with any access rules regardless of operator's
configuration.
"""))
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
driver,
caching,
cache_time,
rules_file,
permissive,
]
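Review bot: The `permissive` help text says what application credentials may do but not that, when enabled, the configured `rules_file` is never loaded (the driver's `__init__` returns before reading it), which is what someone debugging an apparently ignored rules file needs to know. A second sentence such as `When enabled, the rules file is not loaded and any path and method is allowed for every service type in the catalog.` would make the trade-off explicit in `keystone-manage`/sample-config output.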


@ -12,9 +12,12 @@
# License for the specific language governing permissions and limitations
# under the License.
import uuid
from keystone.common import provider_api
from keystone.tests import unit
from keystone.tests.unit.ksfixtures import access_rules_config
from keystone.tests.unit.ksfixtures import database
PROVIDERS = provider_api.ProviderAPIs
@ -43,3 +46,24 @@ class AccessRulesConfigTest(unit.TestCase):
result = PROVIDERS.access_rules_config_api.check_access_rule(
'identity', '/v3/users', 'GET')
self.assertTrue(result)
class AccessRulesConfigPermissiveTest(AccessRulesConfigTest):
def setUp(self):
super(AccessRulesConfigPermissiveTest, self).setUp()
self.config_fixture.config(group='access_rules_config',
permissive=True)
self.useFixture(database.Database())
services = [
'identity',
'image',
'block-storage',
'network',
'compute',
'object'
]
for service in services:
ref = unit.new_service_ref(type=service)
PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, ref)
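Review bot: `AccessRulesConfigPermissiveTest` only re-runs the inherited cases with `permissive=True`, and those cases (for example `check_access_rule('identity', '/v3/users', 'GET')` being true) already pass against the rules file, so nothing visible here would fail if the permissive short-circuit were broken. A test that a path absent from the fixture's rules file is accepted, and that `list_access_rules_config()` returns a `"**"` entry per HTTP method for each service type created in `setUp`, would pin the new behaviour; if such methods follow this hunk, disregard. The class body may continue past the end of the hunk.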