From 075b8ad41b990311f1bd14644adb078bf089e3b0 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 3 Jan 2018 02:18:13 +0000
Subject: [PATCH] Expose a get_enforcer method for oslo.policy scripts
Because we have policy in code, we should be able to use the oslo.policy CLI scripts to produce sample policy files and render complete policies based on overrides on disk. This was broken because keystone wasn't removing unexpected commandline arguments before passing them to oslo.config to parse. This prevented people from generating complete policy files like they would for horizon. This commit exposes a get_enforcer() that substitutes an empty list in place of arguments passed in through the system. This makes it so that oslo.config doesn't choke when processing configuration values.
Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
Closes-Bug: 1740951
(cherry picked from commit 85c957c50387ca47b68bc412879c753e7618f86b)
---
 keystone/common/policy.py | 11 +++++++++++
 keystone/tests/unit/test_policy.py | 16 ++++++++++++++++
 .../notes/bug-1740951-82b7e4bd608742ab.yaml | 8 ++++++++
 setup.cfg | 3 +++
 4 files changed, 38 insertions(+)
 create mode 100644 releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
diff --git a/keystone/common/policy.py b/keystone/common/policy.py
index 4ec0a0f996..d5e8619e21 100644
--- a/keystone/common/policy.py
+++ b/keystone/common/policy.py
@@ -35,6 +35,17 @@ def init():
 register_rules(_ENFORCER)
+def get_enforcer():
+ # Here we pass an empty list of arguments because there aren't any
+ # arguments that oslo.config or oslo.policy shouldn't already understand
+ # from the CONF object. This makes things easier here because we don't have
+ # to parse arguments passed in from the command line and remove unexpected
+ # arguments before building a Config object.
+ CONF([], project='keystone')
+ init()
+ return _ENFORCER
+
+
 def enforce(credentials, action, target, do_raise=True):
 """Verify that the action is valid on the target in this context.
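Review bot: get_enforcer() has no docstring, and its inline comment does not say that `CONF([], project='keystone')` re-parses the process-wide CONF object with no command-line arguments. That matters to anyone treating the rendered policy as a record of what is enforced: with an empty argument list oslo.config presumably falls back to its default config-file search for the project, so a deployment started with an explicit `--config-file` or `--config-dir` may enforce different overrides than the generator prints. It also means the function is only safe as a CLI entry point; called inside an already configured service it would likely discard the arguments that service was started with. I would add a docstring along the lines of `"""Return the enforcer for oslo.policy CLI scripts; re-parses CONF with an empty argument list, so do not call it from a running service."""`. init() begins outside the hunk, so whether it rebuilds _ENFORCER on a repeated call cannot be checked from here.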
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 485198d119..54587f399a 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -15,6 +15,7 @@
 import json
 import os
+import subprocess
 import uuid
 from oslo_policy import policy as common_policy
@@ -213,3 +214,18 @@ class PolicyJsonTestCase(unit.TestCase):
 doc_targets = list(read_doc_targets())
 self.assertItemsEqual(policy_keys, doc_targets + policy_rule_keys)
+
+
+class GeneratePolicyFileTestCase(unit.TestCase):
+
+ def test_policy_generator_from_command_line(self):
+ # This test ensures keystone.common.policy:get_enforcer ignores
+ # unexpected arguments before handing them off to oslo.config, which
+ # will fail and prevent users from generating policy files.
+ ret_val = subprocess.Popen(
+ ['oslopolicy-policy-generator', '--namespace', 'keystone'],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE
+ )
+ ret_val.communicate()
+ self.assertEqual(ret_val.returncode, 0)
diff --git a/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml b/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
new file mode 100644
index 0000000000..5b76503467
--- /dev/null
+++ b/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ [`bug 1740951 `_]
+ A new method was added that made it so oslo.policy sample generation
+ scripts can be used with keystone. The ``oslopolicy-policy-generator``
+ script will now generate a policy file containing overrides and defaults
+ registered in code.
diff --git a/setup.cfg b/setup.cfg
index f03acd1fc9..67ab508a81 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -181,6 +181,9 @@ oslo.policy.policies =
 # the default defined polices.
 keystone = keystone.common.policies:list_rules
+oslo.policy.enforcer =
+ keystone = keystone.common.policy:get_enforcer
+
 paste.filter_factory =
 healthcheck = oslo_middleware:Healthcheck.factory
 cors = oslo_middleware:CORS.factory
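Review bot: test_policy_generator_from_command_line in keystone/tests/unit/test_policy.py throws away the generator's stdout and stderr and asserts only on the exit status, so a failure gives no diagnostics and a run that exits 0 with an empty or defaults-only policy still passes. Keep the output and put it in the assertion, e.g. `out, err = ret_val.communicate()` followed by `self.assertEqual(ret_val.returncode, 0, err)`, and consider asserting that `out` contains at least one keystone rule name. The child process also resolves `oslopolicy-policy-generator` from PATH and, since get_enforcer parses CONF with no arguments, probably reads whatever keystone configuration the host has in its default locations, so the result can differ between a clean CI node and a machine with keystone installed.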