These are detected as errors since the clean up was done[1] in
the requirements repository.
[1] 314734e938f107cbd5ebcc7af4d9167c11347406
Change-Id: Ib3b1ffea6b7f1609f2fa92fce598b5697a96de2c
Add file to the reno documentation build to show release notes for
stable/2024.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2024.1.
Sem-Ver: feature
Change-Id: I843745a6763b314ea6a3e861f7fe955008c62b36
This updates the command executed in the cover target to make these
more consistent with the other repos. The main change is now we ensure
old data is erased before executing the steps.
Change-Id: I2c2b8a60ddfda9b8184e61113d11a7bdafe113c7
Some components like neutron-lib builds its own sub-enforcer which
enforces policy rules partially. However even these enforcer may load
the full policy rules in the file and this causes a lot of warnings
about "undefined rules".
This introduces a new flag so that users can disable undefined check,
when they know the undefined rules are "expected".
Note that the flag is not formally exposed, because we don't know if
this requirement is common. If we find similar problems with different
components then we may add an argument to __init__ .
Related-Bug: #2048198
Change-Id: Ibb4e8e877640e8488aaffb40560e930b0cbfcbce
As per the current release tested runtime, we test
python version from 3.8 to 3.11 so updating the
same in python classifier in setup.cfg
Change-Id: I850407259de142c1022ab06c04c6b8c035feaac4
This fixes the following error in the doc job.
```
TypeError: not all arguments converted during string formatting
```
Change-Id: If67f629dfd6b07ed198155bec43a128369b7affa
Add file to the reno documentation build to show release notes for
stable/2023.2.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.
Sem-Ver: feature
Change-Id: Iaf095e2f590862385446bec03dc7a78d067b0237
The bug scenario:
- define deprecated rule in policy folder
- start a service
- enforce policies
- remove the rule in policy folder
- enforce policies
New default is applied to the rule,
but new and old defaults should be applied
(OR logic)
The patch fixes it.
Closes-Bug: 1977549
Change-Id: If11fe2da1163d6d3f16d133aeb207a055cf30de4
Add file to the reno documentation build to show release notes for
stable/2023.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.
Sem-Ver: feature
Change-Id: I279a3b56f331ad2dcafd624f0d8ea166713a58c5
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: Ib8774b60b82602c4a22c622ebe623e348d0f1f2d
Generation of sample policy files was broken when exclude_deprecated was
added as an extra argument to the generate_sample function in
I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04. It was passed as the fourth
argument, which is actually include_help. Because it defaults to False,
this turned sample policy files into actual policy files.
Fix by using keyword arguments instead.
Change-Id: I5478b1c8e7fd2f1b01f63602998194bab3683f7c
Closes-Bug: #1975682
In Zed cycle testing runtime, we are targetting to drop the
python 3.6/3.7 support, project started adding python 3.8 as minimum,
example nova:
- 56b5aed08c/setup.cfg (L13)
Change-Id: Icd143d8880666c1282e1e7821c108ab3e4de7813
The '--exclude-deprecated' parameter should only be passed to
oslo.config to parse when it is True.
The final generated sphinx syntax is[1] where [--exclude-deprecated]
doesn't require True/False value and only should be passed when True.
The change introducing this[2] causes parsing issue in oslo.config[3]
while checking <bool>.startswith (we pass True/False value) and even
after that while calling argparse[4] with following error[5].
[1] usage: sphinx-build [-h] [--config-dir DIR] [--config-file PATH] [--exclude-deprecated] [--format FORMAT] [--namespace NAMESPACE]
[--noexclude-deprecated] [--output-file OUTPUT_FILE]
[2] https://review.opendev.org/c/openstack/oslo.policy/+/830514
[3] https://opendev.org/openstack/oslo.config/src/branch/master/oslo_config/cfg.py#L2937
[4] https://opendev.org/openstack/oslo.config/src/branch/master/oslo_config/cfg.py#L2960
[5] > /usr/lib/python3.8/argparse.py(1781)parse_args()
-> if argv:
(Pdb)
> /usr/lib/python3.8/argparse.py(1782)parse_args()
-> msg = _('unrecognized arguments: %s')
(Pdb)
> /usr/lib/python3.8/argparse.py(1783)parse_args()
-> self.error(msg % ' '.join(argv))
(Pdb)
TypeError: sequence item 0: expected str instance, bool found
> /usr/lib/python3.8/argparse.py(1783)parse_args()
-> self.error(msg % ' '.join(argv))
Handler <function generate_sample at 0x7fc0d6697d30> for event 'builder-inited' threw an exception (exception: sequence item 0: expected str instance, bool found)
Closes-Bug: #1970725
Change-Id: I95745b8d1cbdb6a7cf442d431a998b7e3ff600e4
In the Enforcer.enforce() method there is boolean parameter do_raise.
When it is set to False, enforce() method should return True/False as an
enforcement result and not raise exception. It works like that with
PolicyNotAuthorized exception but since some time this method can also
raise InvalidScope exception and in such case behaviour was different.
This patch changes that behaviour so InvalidScope exception will also
not be raised when do_raise=False.
Closes-bug: #1965315
Change-Id: I37fd682ffa9d6f4c69698e1be42adac28bbfe72a
Add file to the reno documentation build to show release notes for
stable/yoga.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/yoga.
Sem-Ver: feature
Change-Id: I35de33c2f540ceb76b0b12da5373545c15306f6d
Deprecated rules can be confusing and downright unfriendly when
evaluating a generated sample output and seeing legacy rules being
aliased to new rules. Technically this is also invalid and results
in a broken sample file with overriding behavior.
Under normal circumstances, this wouldn't be a big deal, but with
the Secure RBAC effort, projects also performed some further
delineation of RBAC policies instead of performing a 1:1 mapping.
As a result of the policy enforcement model, a prior deprecated
rule was required, which meant the prior deprecated rule would
be reported multiple times in the output.
Since we don't have an extra flag in the policy-in-code definitions
of policies, all we can *really* do is both clarify the purpose
and meaning of the entry, not enable the alias by default in
sample output (as it is a sample! not an override of code!),
and provide projects as well as operators with a knob to
exclude deprecated policy inclusion into examples and sample
output.
Closes-Bug: #1945336
Change-Id: I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04
Currently set_defaults() is only able to set the default
value of policy_file config option. In future, for example
scope config option like enforce_scope also needs to be override
the default value per service (service ready with scope enable
can set it to True and for other services it will be False as default
in oslo.policy).
To allow override the other config option, let's expand the existing
set_defaults() method to do so.
Change-Id: I72120efb7c55aab82b765237904c9ae6e91f6b6f
Previously it was checked only for registered rules but not for
rules which are subclasses of the BaseCheck class.
Now it's checked for all rules which have scope_types set.
It's required for e.g. Neutron as it is creating Check objects based
on the defined policy rules to e.g. include in the check attributes
like network's provider parameters, etc.
Depends-On: https://review.opendev.org/c/openstack/neutron/+/815838
Depends-On: https://review.opendev.org/c/openstack/neutron/+/818725
Closes-Bug: #1923503
Change-Id: I55258c1f999c84220518d1fbbf5e1e514361cebe
It seems that since some time that job is timing out. To fix that,
this patch sets timeout for the cross-neutron-tox-py38 job to
3600 seconds which is the same value as configured for unit tests
jobs in Neutron.
Change-Id: If360a366b7299e36c80adaefe5baf559a5c16bdd
If an user uses Enforcer without overwriting (Enforcer(overwrite=False))
we should not reset rules and only update loaded rules.
Enforcer without overwriting is a weird behavior, but it is supported at this moment.
Maybe it will be eliminated in future because it's misleading.
Operator cannot conclude what rules are loaded by simply looking in config files.
Change-Id: I2871407f8c7417a016415ccc166c1f37a9e17908
Closes-Bug: 1943584
Policy directory files can only add new rules or
update existing rules in cache, but cannot return back
loaded rules in memory to their default value.
This incorrect behavior was fixed in the patch.
Member "_loaded_files" of class Enforcer should keep
list of loaded policy config files paths.
In fact if the same file is changed many times
then the same file path is added many times.
If a file is deleted it's path not deleted from "_loaded_files".
The member is very misleading and is not used in code.
So this member was deleted in the patch because of
above mentioned resons.
Change-Id: I9ede38d8cf2ae968d3d8c0b1240bd6a51e6aa931
Closes-Bug: 1943584
This patch moves code responsible for scope types enforcement
to the separate method which can be reused in different places,
like e.g. to enforce scope for instances of the BaseCheck class.
Related-Bug: #1923503
Change-Id: I6fd671728582b2f60939764075a8e2a977e78b58
Neutron, based on the defined policy rules is creating check
objects "in flight" to e.g. include check some object's attributes,
like e.g. network's provider parameters.
That use case requires that BaseCheck class and classes which inherits
from it needs to have scope_types defined thus Neutron can set it for
the Check based on the defined policy rule.
This patch adds scope_types attribute to the BaseCheck class to make it
available for use cases like described above.
Related-Bug: #1923503
Change-Id: Ibf30d0ffa5e9b125742089705d3557c02a03bc43