* Update oslo.policy from branch 'master'
to f2627a8975f628516b07c3d496d37bf7fc2b0e4a
- Merge "reno: Update master for unmaintained/xena"
- reno: Update master for unmaintained/xena
Update the xena release notes configuration to build from
unmaintained/xena.
Change-Id: If8c376798c1864d9c1f45ef187069e7d9277f219
* Update oslo.policy from branch 'master'
to 1177bcaf5830c250bb7cd8b4346306659ee9f440
- Merge "reno: Update master for unmaintained/wallaby"
- reno: Update master for unmaintained/wallaby
Update the wallaby release notes configuration to build from
unmaintained/wallaby.
Change-Id: I3511720379057cea1e13dc0fae9ab5cced3cb6da
* Update oslo.policy from branch 'master'
to 66a0660313bfe1d950b0f481496323f331ae39b9
- Merge "reno: Update master for unmaintained/victoria"
- reno: Update master for unmaintained/victoria
Update the victoria release notes configuration to build from
unmaintained/victoria.
Change-Id: I538106930dbbf2df7fddabc02288cd5b9315abc1
* Update oslo.policy from branch 'master'
to 42d63af2488c0b7656844d3cd745f7a8ab27a4dc
- Update master for stable/2024.1
Add file to the reno documentation build to show release notes for
stable/2024.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2024.1.
Sem-Ver: feature
Change-Id: I843745a6763b314ea6a3e861f7fe955008c62b36
* Update oslo.policy from branch 'master'
to 4b7a6f7753e282a5059bdbbf10258de8016fbffb
- Merge "Use consistent commands for coverage"
- Use consistent commands for coverage
This updates the command executed in the cover target to make these
more consistent with the other repos. The main change is now we ensure
old data is erased before executing the steps.
Change-Id: I2c2b8a60ddfda9b8184e61113d11a7bdafe113c7
* Update oslo.policy from branch 'master'
to d1de2a437d17cd182e9a7e47eafa83d665045da5
- reno: Update master for unmaintained/yoga
Update the yoga release notes configuration to build from
unmaintained/yoga.
Change-Id: I3c551d7083cbdfbcea27dffd69649ccef8138e3a
* Update oslo.policy from branch 'master'
to 973498106f242849b294acb286a3ac88385820e0
- Add flag to skip undefined rule check
Some components like neutron-lib builds its own sub-enforcer which
enforces policy rules partially. However even these enforcer may load
the full policy rules in the file and this causes a lot of warnings
about "undefined rules".
This introduces a new flag so that users can disable undefined check,
when they know the undefined rules are "expected".
Note that the flag is not formally exposed, because we don't know if
this requirement is common. If we find similar problems with different
components then we may add an argument to __init__ .
Related-Bug: #2048198
Change-Id: Ibb4e8e877640e8488aaffb40560e930b0cbfcbce
* Update oslo.policy from branch 'master'
to 9b22cf5f8f07c06d1c06d4f1c6d8450e6817788e
- Update python classifier in setup.cfg
As per the current release tested runtime, we test
python version from 3.8 to 3.11 so updating the
same in python classifier in setup.cfg
Change-Id: I850407259de142c1022ab06c04c6b8c035feaac4
* Update oslo.policy from branch 'master'
to 518c1bce22869cd92fcd97a9674681a7c72fd52a
- coveragerc: Remove non-existent path
The oslo_policy/openstack directory does not exist.
Change-Id: I8368287b28bf6f8eb96ca5396d1dd6efb828dd82
* Update oslo.policy from branch 'master'
to a1e76258180002b288e64532676ba2bc2d1ec800
- Merge "Update master for stable/2023.2"
- Update master for stable/2023.2
Add file to the reno documentation build to show release notes for
stable/2023.2.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.
Sem-Ver: feature
Change-Id: Iaf095e2f590862385446bec03dc7a78d067b0237
* Update oslo.policy from branch 'master'
to 989f559d739e67b03ee0f8d324c5ac26266fbbb9
- Fix doc build error
This fixes the following error in the doc job.
```
TypeError: not all arguments converted during string formatting
```
Change-Id: If67f629dfd6b07ed198155bec43a128369b7affa
* Update oslo.policy from branch 'master'
to 37de6f3ef08c6521031e8c7f54737d331bf57f22
- Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I1d4337f9120cd39cfdd144ceee78c5d5e6a3ec95
* Update oslo.policy from branch 'master'
to 67a3d3b0db462949ebcc07f9b7c45559a29fde1f
- Moves supported python runtimes from version 3.8 to 3.10
Within 2023.2 python version 3.9 and 3.10 are the
supported python runtimes [1].
[1] https://review.opendev.org/c/openstack/governance/+/872232
Change-Id: I82682282703def588ce95b9b0067651ccf5ce924
* Update oslo.policy from branch 'master'
to d80573c61254a2f8f371746bc678bd3b60f8a6a4
- Fix deprecated rule logic if the rule was deleted in policy directory.
The bug scenario:
- define deprecated rule in policy folder
- start a service
- enforce policies
- remove the rule in policy folder
- enforce policies
New default is applied to the rule,
but new and old defaults should be applied
(OR logic)
The patch fixes it.
Closes-Bug: 1977549
Change-Id: If11fe2da1163d6d3f16d133aeb207a055cf30de4
* Update oslo.policy from branch 'master'
to e7b9dd1f5ab10b447faba291ca0f89089aa46bcc
- Update master for stable/2023.1
Add file to the reno documentation build to show release notes for
stable/2023.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.
Sem-Ver: feature
Change-Id: I279a3b56f331ad2dcafd624f0d8ea166713a58c5
* Update oslo.policy from branch 'master'
to 25fe203f1da7fd917cbe8e0a2ced98756d772283
- Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: Ib11f5c8095c075170575ecaf635e6ce30bd3d789
* Update oslo.policy from branch 'master'
to 3977a9a82ba91288298d7cfafd1458de64ab5eda
- Add Python3 antelope unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for antelope.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: Ied1dbd4a6751b8a9bded9569eb5ea76e72d0b3f4
* Update oslo.policy from branch 'master'
to cd966bc170b5e795d76caa9d1ab5fe78d938ad67
- Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: Ib8774b60b82602c4a22c622ebe623e348d0f1f2d
* Update oslo.policy from branch 'master'
to 5bd767be790f21d6ec0af0589f50137b207d94e8
- Fix generation of sample policy files
Generation of sample policy files was broken when exclude_deprecated was
added as an extra argument to the generate_sample function in
I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04. It was passed as the fourth
argument, which is actually include_help. Because it defaults to False,
this turned sample policy files into actual policy files.
Fix by using keyword arguments instead.
Change-Id: I5478b1c8e7fd2f1b01f63602998194bab3683f7c
Closes-Bug: #1975682
* Update oslo.policy from branch 'master'
to 6471443811c300a8a9c99d2785258765b4461148
- Drop python3.6/3.7 support in testing runtime
In Zed cycle testing runtime, we are targetting to drop the
python 3.6/3.7 support, project started adding python 3.8 as minimum,
example nova:
- 56b5aed08c/setup.cfg (L13)
Change-Id: Icd143d8880666c1282e1e7821c108ab3e4de7813
* Update oslo.policy from branch 'master'
to 9673a74b600cd387aa3d13a6ff923c06c304c55a
- Only pass exclude-deprecated when True
The '--exclude-deprecated' parameter should only be passed to
oslo.config to parse when it is True.
The final generated sphinx syntax is[1] where [--exclude-deprecated]
doesn't require True/False value and only should be passed when True.
The change introducing this[2] causes parsing issue in oslo.config[3]
while checking <bool>.startswith (we pass True/False value) and even
after that while calling argparse[4] with following error[5].
[1] usage: sphinx-build [-h] [--config-dir DIR] [--config-file PATH] [--exclude-deprecated] [--format FORMAT] [--namespace NAMESPACE]
[--noexclude-deprecated] [--output-file OUTPUT_FILE]
[2] https://review.opendev.org/c/openstack/oslo.policy/+/830514
[3] https://opendev.org/openstack/oslo.config/src/branch/master/oslo_config/cfg.py#L2937
[4] https://opendev.org/openstack/oslo.config/src/branch/master/oslo_config/cfg.py#L2960
[5] > /usr/lib/python3.8/argparse.py(1781)parse_args()
-> if argv:
(Pdb)
> /usr/lib/python3.8/argparse.py(1782)parse_args()
-> msg = _('unrecognized arguments: %s')
(Pdb)
> /usr/lib/python3.8/argparse.py(1783)parse_args()
-> self.error(msg % ' '.join(argv))
(Pdb)
TypeError: sequence item 0: expected str instance, bool found
> /usr/lib/python3.8/argparse.py(1783)parse_args()
-> self.error(msg % ' '.join(argv))
Handler <function generate_sample at 0x7fc0d6697d30> for event 'builder-inited' threw an exception (exception: sequence item 0: expected str instance, bool found)
Closes-Bug: #1970725
Change-Id: I95745b8d1cbdb6a7cf442d431a998b7e3ff600e4
* Update oslo.policy from branch 'master'
to d89cdda6b13ad664443051a53b084781f255b048
- Merge "make deprecated rule examples explicit"
- make deprecated rule examples explicit
Deprecated rules can be confusing and downright unfriendly when
evaluating a generated sample output and seeing legacy rules being
aliased to new rules. Technically this is also invalid and results
in a broken sample file with overriding behavior.
Under normal circumstances, this wouldn't be a big deal, but with
the Secure RBAC effort, projects also performed some further
delineation of RBAC policies instead of performing a 1:1 mapping.
As a result of the policy enforcement model, a prior deprecated
rule was required, which meant the prior deprecated rule would
be reported multiple times in the output.
Since we don't have an extra flag in the policy-in-code definitions
of policies, all we can *really* do is both clarify the purpose
and meaning of the entry, not enable the alias by default in
sample output (as it is a sample! not an override of code!),
and provide projects as well as operators with a knob to
exclude deprecated policy inclusion into examples and sample
output.
Closes-Bug: #1945336
Change-Id: I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04
* Update oslo.policy from branch 'master'
to 9bc1783400f9960b7132bf631c690a98fbfc8066
- Don't raise InvalidScope exception when do_raise=False
In the Enforcer.enforce() method there is boolean parameter do_raise.
When it is set to False, enforce() method should return True/False as an
enforcement result and not raise exception. It works like that with
PolicyNotAuthorized exception but since some time this method can also
raise InvalidScope exception and in such case behaviour was different.
This patch changes that behaviour so InvalidScope exception will also
not be raised when do_raise=False.
Closes-bug: #1965315
Change-Id: I37fd682ffa9d6f4c69698e1be42adac28bbfe72a
* Update oslo.policy from branch 'master'
to 9eef147fc334b254974b634b4411cbb8875a8c5a
- Add Python3 zed unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for zed.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: I9819bed88617605d40649bb5bdcf27723d48ea3a
* Update oslo.policy from branch 'master'
to cdec2c13212f65ff57832348d2282db2fa481e56
- Update master for stable/yoga
Add file to the reno documentation build to show release notes for
stable/yoga.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/yoga.
Sem-Ver: feature
Change-Id: I35de33c2f540ceb76b0b12da5373545c15306f6d
* Update oslo.policy from branch 'master'
to b48b711b090dcb769c642a50988a774d5737eb1a
- Merge "Fix formatting of release list"
- Fix formatting of release list
Change-Id: I09de011b77b49801da2a70eebacfab1d10de32d3
* Update oslo.policy from branch 'master'
to eae3dc0032106ac8b3a33c7ced0444810abb311c
- Expand set_defaults() to set other config default value
Currently set_defaults() is only able to set the default
value of policy_file config option. In future, for example
scope config option like enforce_scope also needs to be override
the default value per service (service ready with scope enable
can set it to True and for other services it will be False as default
in oslo.policy).
To allow override the other config option, let's expand the existing
set_defaults() method to do so.
Change-Id: I72120efb7c55aab82b765237904c9ae6e91f6b6f
* Update oslo.policy from branch 'master'
to 919c3280aa79762df8475f131a65d12b78ac436e
- Enforce scope check always when rule has scope_types set
Previously it was checked only for registered rules but not for
rules which are subclasses of the BaseCheck class.
Now it's checked for all rules which have scope_types set.
It's required for e.g. Neutron as it is creating Check objects based
on the defined policy rules to e.g. include in the check attributes
like network's provider parameters, etc.
Depends-On: https://review.opendev.org/c/openstack/neutron/+/815838
Depends-On: https://review.opendev.org/c/openstack/neutron/+/818725
Closes-Bug: #1923503
Change-Id: I55258c1f999c84220518d1fbbf5e1e514361cebe
* Update oslo.policy from branch 'master'
to 1e89f032b7b47cc2a3567da40fc6d5ace10ee768
- Increase timeout of the cross-neutron-tox-py38 job
It seems that since some time that job is timing out. To fix that,
this patch sets timeout for the cross-neutron-tox-py38 job to
3600 seconds which is the same value as configured for unit tests
jobs in Neutron.
Change-Id: If360a366b7299e36c80adaefe5baf559a5c16bdd
* Update oslo.policy from branch 'master'
to 4ecbcf280ad008f17ab4a72bc56a9793c32f7dc7
- Merge "Refactor scope enforcement in the Enforcer class"
- Refactor scope enforcement in the Enforcer class
This patch moves code responsible for scope types enforcement
to the separate method which can be reused in different places,
like e.g. to enforce scope for instances of the BaseCheck class.
Related-Bug: #1923503
Change-Id: I6fd671728582b2f60939764075a8e2a977e78b58
* Update oslo.policy from branch 'master'
to cce180d37237f275be7ffb7179893ee475c8a561
- Merge "Add scope_types attribute to the BaseCheck class"
- Add scope_types attribute to the BaseCheck class
Neutron, based on the defined policy rules is creating check
objects "in flight" to e.g. include check some object's attributes,
like e.g. network's provider parameters.
That use case requires that BaseCheck class and classes which inherits
from it needs to have scope_types defined thus Neutron can set it for
the Check based on the defined policy rule.
This patch adds scope_types attribute to the BaseCheck class to make it
available for use cases like described above.
Related-Bug: #1923503
Change-Id: Ibf30d0ffa5e9b125742089705d3557c02a03bc43
* Update oslo.policy from branch 'master'
to 4757688ecf5585f5e87795a3efe3c8ea48df0c7b
- Merge "Don't reset rules without overwriting"
- Don't reset rules without overwriting
If an user uses Enforcer without overwriting (Enforcer(overwrite=False))
we should not reset rules and only update loaded rules.
Enforcer without overwriting is a weird behavior, but it is supported at this moment.
Maybe it will be eliminated in future because it's misleading.
Operator cannot conclude what rules are loaded by simply looking in config files.
Change-Id: I2871407f8c7417a016415ccc166c1f37a9e17908
Closes-Bug: 1943584
* Update oslo.policy from branch 'master'
to 8a3998af18e1e86dc98005947c06eff593ae2229
- Merge "Rules in policy directory files can be deleted."
- Rules in policy directory files can be deleted.
Policy directory files can only add new rules or
update existing rules in cache, but cannot return back
loaded rules in memory to their default value.
This incorrect behavior was fixed in the patch.
Member "_loaded_files" of class Enforcer should keep
list of loaded policy config files paths.
In fact if the same file is changed many times
then the same file path is added many times.
If a file is deleted it's path not deleted from "_loaded_files".
The member is very misleading and is not used in code.
So this member was deleted in the patch because of
above mentioned resons.
Change-Id: I9ede38d8cf2ae968d3d8c0b1240bd6a51e6aa931
Closes-Bug: 1943584
* Update oslo.policy from branch 'master'
to 4f0e206a12040a0643816c3a14585160408a9f5d
- Merge "Add Python3 yoga unit tests"
- Add Python3 yoga unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for yoga.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: I8b701dc843a96178cf3028d10c36af977b38739b
* Update oslo.policy from branch 'master'
to 7cec2bb4bd6a9931689fd0920c22799b9c979458
- Merge "Update master for stable/xena"
- Update master for stable/xena
Add file to the reno documentation build to show release notes for
stable/xena.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.
Sem-Ver: feature
Change-Id: I90013a56029ff70d0112b56efd32c1d0a5a6f0e0
* Update oslo.policy from branch 'master'
to d768f6b3930dd607f1db213c2c30219607d912bd
- Merge "Map system_scope in creds dictionary"
- Map system_scope in creds dictionary
An earlier patch[1] added a mapping for context 'system_scope'
to 'system' when enforce was called with a RequestContext
object. However, enforce can also be called with a creds dictionary
that may contain the context 'system_scope' element. When this
occured, 'system_scope' was not mapped to 'system' and the enforce
would fail with an InvalidScope exception.
This patch moves the 'system_scope' mapping from only occuring
with RequestContext objects to also map it when a creds dictonary
is passed to enforce.
[1] https://review.opendev.org/c/openstack/oslo.policy/+/578995
Change-Id: I83a22c3f825bad0c88018118f8630a20a445965e
* Update oslo.policy from branch 'master'
to a0e407e6929bd07a8c97919ae63c9a2fea00d2c2
- Clarify enforce_new_defaults help text
The help text isn't clear what happens when enforce_new_defaults is
False, which is the default behavior. Explicity call that out in the
help text since it's important for users to understand that behavior.
Change-Id: Iaed5682bc72f4c66adb9a40c6510b399314574df
* Update oslo.policy from branch 'master'
to c7fd9f4fcd43fb78534921530d981634ec516344
- Fix a typo in the document
This patch changes 'oslopolicy-policy-generator' to
'oslopolicy-checker' in oslopolicy-checker.rst.
Change-Id: I73621ced00404d164fdb23f077ee36fbb6faf717
* Update oslo.policy from branch 'master'
to fa5f76e55910040f9132bd19940ceee1307ff303
- Changed minversion in tox to 3.18.0
The patch bumps min version of tox to 3.18.0 in order to
replace tox's whitelist_externals by allowlist_externals option:
https://github.com/tox-dev/tox/blob/master/docs/changelog.rst#v3180-2020-07-23
Change-Id: I28abab34878d3c62a88be8894107f994d02c1c4f
* Update oslo.policy from branch 'master'
to 0bc8a2e70faaf8600a44c6e7e366d2296adc128b
- Merge "Replace getargspec with getfullargspec"
- Replace getargspec with getfullargspec
inspect.getargspec() is deprecated since py3
[1] https://docs.python.org/3/library/inspect.html#inspect.getargspec
Change-Id: If7492d7f755c80687f867428d80e4efb1e1a5d57
* Update oslo.policy from branch 'master'
to 5713170c3e2efd2d66a03533bfd7a82b3c401f7e
- setup.cfg: Replace dashes with underscores
Setuptools v54.1.0 introduces a warning that the use of dash-separated
options in 'setup.cfg' will not be supported in a future version [1].
Get ahead of the issue by replacing the dashes with underscores. Without
this, we see 'UserWarning' messages like the following on new enough
versions of setuptools:
UserWarning: Usage of dash-separated 'description-file' will not be
supported in future versions. Please use the underscore name
'description_file' instead
[1] https://github.com/pypa/setuptools/commit/a2e9ae4cb
Change-Id: I58b9521882d81ab508bb7ce28308d88771daf1fe
* Update oslo.policy from branch 'master'
to 4eb58a81cbecfed3ed7c8c28ff50c1e7eb877d51
- Ussuri+ is python3 only and update python to python3
Change-Id: I8162d5c413de6a73614443fdcd30ee472cb81035
* Update oslo.policy from branch 'master'
to a42841c25b47ea17a3c1fa49aaf9bbaed67f4210
- Merge "Dropping lower constraints testing"
- Dropping lower constraints testing
We facing errors related to the new pip resolver, this
topic was discussed on the ML and QA team proposed to
to test lower-constraints [1].
I propose to drop this test because the complexity and recurring pain needed
to maintain that now exceeds the benefits provided by this mechanismes.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-December/019390.html
Change-Id: Ifcaf6993517d02bf54cd144efd247832947a009f
* Update oslo.policy from branch 'master'
to 92eae81048b392f140e35e060e4c66195a08613e
- Merge "Add debug log in pick_default_policy_file"
- Add debug log in pick_default_policy_file
We have many if else condition to pick the
right policy filebut there is no debugging log
to have useful info to know if expected policy file
is not picked.
Change-Id: I507c58a6dca06d0cc6f306bcd063c700c18cc5f7
* Update oslo.policy from branch 'master'
to d0a37fd1af6d015c1ce20f7f007e0b1c152a033a
- Merge "Add Python3 xena unit tests"
- Add Python3 xena unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for xena.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: Ifb43d051c91501f870233f107e4d9e14c7473b6b
* Update oslo.policy from branch 'master'
to 6d8db9e2e2fc9e0b638230607ab7b607bda89556
- Merge "Update master for stable/wallaby"
- Update master for stable/wallaby
Add file to the reno documentation build to show release notes for
stable/wallaby.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.
Sem-Ver: feature
Change-Id: Ic4f96634aa7fe3080c46ef411b7d47778676af1b