Merge "Expose a get_enforcer method for oslo.policy scripts" into stable/pike

2018-02-14 19:14:23 +00:00 · 2018-02-14 19:14:23 +00:00 · e8953d0392
parent 9a07429640 075b8ad41b
commit e8953d0392
4 changed files with 38 additions and 0 deletions
--- a/keystone/common/policy.py
+++ b/keystone/common/policy.py
@ -35,6 +35,17 @@ def init():
        register_rules(_ENFORCER)


+def get_enforcer():
+    # Here we pass an empty list of arguments because there aren't any
+    # arguments that oslo.config or oslo.policy shouldn't already understand
+    # from the CONF object. This makes things easier here because we don't have
+    # to parse arguments passed in from the command line and remove unexpected
+    # arguments before building a Config object.
+    CONF([], project='keystone')
+    init()
+    return _ENFORCER
+
+
 def enforce(credentials, action, target, do_raise=True):
    """Verify that the action is valid on the target in this context.

--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -15,6 +15,7 @@

 import json
 import os
+import subprocess
 import uuid

 from oslo_policy import policy as common_policy
@ -213,3 +214,18 @@ class PolicyJsonTestCase(unit.TestCase):

        doc_targets = list(read_doc_targets())
        self.assertItemsEqual(policy_keys, doc_targets + policy_rule_keys)
+
+
+class GeneratePolicyFileTestCase(unit.TestCase):
+
+    def test_policy_generator_from_command_line(self):
+        # This test ensures keystone.common.policy:get_enforcer ignores
+        # unexpected arguments before handing them off to oslo.config, which
+        # will fail and prevent users from generating policy files.
+        ret_val = subprocess.Popen(
+            ['oslopolicy-policy-generator', '--namespace', 'keystone'],
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE
+        )
+        ret_val.communicate()
+        self.assertEqual(ret_val.returncode, 0)
--- a/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
+++ b/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    [`bug 1740951 <https://bugs.launchpad.net/keystone/+bug/1740951>`_]
+    A new method was added that made it so oslo.policy sample generation
+    scripts can be used with keystone. The ``oslopolicy-policy-generator``
+    script will now generate a policy file containing overrides and defaults
+    registered in code.
--- a/setup.cfg
+++ b/setup.cfg
@ -181,6 +181,9 @@ oslo.policy.policies =
    # the default defined polices.
    keystone = keystone.common.policies:list_rules

+oslo.policy.enforcer =
+    keystone = keystone.common.policy:get_enforcer
+
 paste.filter_factory =
    healthcheck = oslo_middleware:Healthcheck.factory
    cors = oslo_middleware:CORS.factory