Fix default policy rules registration

The constants used for configuring default policy rules were initialized
before the configuration file was parsed. As a result, the configuration
options in the 'roles_middleware' group had no effect on the registered
policy rules. The behavior can be reproduced in the devstack plugin, where
monasca-log-agent using the 'monasca-agent' role is not authorized to send
logs to the API.

The change postpones the initialization of these constants. Additionally,
the obsolete 'roles' filter was removed from the paste pipelines.

Change-Id: I0ca38f2cc7d63b9b47eedb304ba7b00a94816f9a
Story: 2001233
Task: 24250
Witold Bedyk 2018-08-03 10:29:06 +02:00
parent 8b6582d8d4
commit 7d40e5d5c2
5 changed files with 19 additions and 16 deletions


@ -32,10 +32,10 @@ pipeline = error_trap versionapp
pipeline = error_trap healthcheckapp
[pipeline:la_api_v2]
pipeline = error_trap request_id auth roles api_v2_app
pipeline = error_trap request_id auth api_v2_app
[pipeline:la_api_v3]
pipeline = error_trap request_id auth roles api_v3_app
pipeline = error_trap request_id auth api_v3_app
[app:versionapp]
paste.app_factory = monasca_log_api.app.api:create_version_app
@ -54,9 +54,6 @@ set api_version=v3.0
[filter:auth]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
[filter:roles]
paste.filter_factory = monasca_log_api.middleware.role_middleware:RoleMiddleware.factory
[filter:request_id]
paste.filter_factory = oslo_middleware.request_id:RequestId.factory
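Review bot: With `roles` dropped from the `la_api_v2` and `la_api_v3` pipelines, `auth` is the only filter in front of the apps, so every role decision now depends on the handlers calling the policy enforcer. The handlers are not visible on this page, so it is worth confirming that each v2 and v3 endpoint performs a policy check, and that nothing downstream still reads state the old filter may have set on the request. A short comment above the pipelines would record the intent, for example `# Role checks are done by oslo.policy rules in the API handlers; no 'roles' filter is needed here.` Operators with a customised paste file that still lists `roles` would also benefit from a release note stating whether that filter remains loadable.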


@ -16,7 +16,6 @@
import os
import pkgutil
from oslo_config import cfg
from oslo_log import log
from oslo_utils import importutils
@ -38,11 +37,6 @@ def roles_list_to_check_str(roles_list):
role_middleware.register_opts(CONF)
DEFAULT_AUTHORIZED_ROLES = roles_list_to_check_str(cfg.CONF.roles_middleware.default_roles)
AGENT_AUTHORIZED_ROLES = roles_list_to_check_str(cfg.CONF.roles_middleware.agent_roles)
DELEGATE_AUTHORIZED_ROLES = roles_list_to_check_str(cfg.CONF.roles_middleware.delegate_roles)
CHECK_AUTHORIZED_ROLES = roles_list_to_check_str(cfg.CONF.roles_middleware.check_roles)
def load_policy_modules():
"""Load all modules that contain policies.


@ -12,9 +12,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_policy import policy
from monasca_log_api.policies import CHECK_AUTHORIZED_ROLES
from monasca_log_api import policies
CHECK_AUTHORIZED_ROLES = policies.roles_list_to_check_str(
cfg.CONF.roles_middleware.check_roles)
rules = [
policy.DocumentedRuleDefault(
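Review bot: `CHECK_AUTHORIZED_ROLES` is still computed at module import, because `cfg.CONF.roles_middleware.check_roles` is read the first time this file is imported, so the fix holds only while nothing imports the module before the configuration file is parsed. If that ordering slips, the rules are built from the option defaults again and the operator's role settings are silently ignored, which is the failure this commit sets out to remove. Consider reading the option inside the function that returns `rules` (not visible in this hunk), or at least add a comment above the assignment such as `# Evaluated at import: this module must not be imported before the config file is parsed.` The same applies to the three constants in the next file section and to the identical `CHECK_AUTHORIZED_ROLES` definition in the last one. Those two copies could share a single helper in `policies`.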


@ -12,12 +12,17 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_policy import policy
from monasca_log_api.policies import AGENT_AUTHORIZED_ROLES
from monasca_log_api.policies import DEFAULT_AUTHORIZED_ROLES
from monasca_log_api.policies import DELEGATE_AUTHORIZED_ROLES
from monasca_log_api import policies
DEFAULT_AUTHORIZED_ROLES = policies.roles_list_to_check_str(
cfg.CONF.roles_middleware.default_roles)
AGENT_AUTHORIZED_ROLES = policies.roles_list_to_check_str(
cfg.CONF.roles_middleware.agent_roles)
DELEGATE_AUTHORIZED_ROLES = policies.roles_list_to_check_str(
cfg.CONF.roles_middleware.delegate_roles)
rules = [
policy.DocumentedRuleDefault(


@ -12,10 +12,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_policy import policy
from monasca_log_api.policies import CHECK_AUTHORIZED_ROLES
from monasca_log_api import policies
CHECK_AUTHORIZED_ROLES = policies.roles_list_to_check_str(
cfg.CONF.roles_middleware.check_roles)
rules = [
policy.DocumentedRuleDefault(