[Yahoo-eng-team] [Bug 1849518] Re: oslopolicy-list-redundant loses cli args when used with keystone
Reviewed: https://review.opendev.org/690630 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ba8dd06e123adb353c5bb71d75c345cf3e463ba8 Submitter: Zuul Branch:master commit ba8dd06e123adb353c5bb71d75c345cf3e463ba8 Author: Ben Nemec Date: Wed Oct 23 16:11:35 2019 + Parse cli args in get_enforcer Previously this call to the conf object couldn't parse cli args because the oslo.policy tool was registering its cli opts on a private conf object, so attempting to parse them on the global object would fail. The dependency makes oslo.policy use the global object instead so cli arg parsing works correctly. This is important because ignoring cli args as this was previously doing caused things like --config-file to be dropped, which meant that running the tool with that option specified did not work as expected. Depends-On: https://review.opendev.org/690628 Change-Id: Id553743277a35660a40d6b3b02847d7a35abbfb9 Closes-Bug: 1849518 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1849518 Title: oslopolicy-list-redundant loses cli args when used with keystone Status in OpenStack Identity (keystone): Fix Released Status in oslo.policy: Fix Released Bug description: There is an issue with the configuration handling in oslo.policy and keystone that causes cli args like --config-file to be ignored in the keystone enforcer when running oslopolicy-list-redundant. Specifically, because keystone re-initializes the global config object when creating the enforcer[0], and doesn't pass any cli args to it, those cli args get ignored. This can cause problems if, for example, the policy file is not in the default location and is instead specified in the config file passed via --config-file. Since --config- file gets ignored by the enforcer, it just looks in the default location and doesn't find a file. One solution would be to have oslo.policy initialize the global config object itself (switching [1] to use the global object instead of a local one) and remove the initialization from the enforcer entirely. One potential downside of this is that if a project's enforcer needs project-specific config setup it wouldn't be possible for that to happen (oslo.policy wouldn't know about it), but since that doesn't apply to keystone and would only really be an issue if a project's enforcer had a dependency on a cli arg (cli args are the only thing that need to be registered before calling the conf object), I think it's a worthwhile tradeoff. 0: https://github.com/openstack/keystone/blob/1ef56e58ec63f19eff25a1044c8831ba8f97e26a/keystone/common/rbac_enforcer/policy.py#L43 1: https://github.com/openstack/oslo.policy/blob/0f7e144d013155f27f74b0eb91b7ae0f1530a86b/oslo_policy/generator.py#L399 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1849518/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1849518] Re: oslopolicy-list-redundant loses cli args when used with keystone
Reviewed: https://review.opendev.org/690628 Committed: https://git.openstack.org/cgit/openstack/oslo.policy/commit/?id=686aa238f921e8b6dff814d001690e15fa8ccea6 Submitter: Zuul Branch:master commit 686aa238f921e8b6dff814d001690e15fa8ccea6 Author: Ben Nemec Date: Wed Oct 23 15:36:42 2019 + Initialize global config object in cli tools Currently, passing --config-file to a tool like oslopolicy-list-redundant is ineffective because the projects pass an empty cli arg list to the conf object when they initialize it. By registering our cli args on the global conf object, the projects can safely parse cli args in their call to the conf object so things like --config-file won't be ignored. This didn't work before because oslo.policy recognizes cli args like --namespace that aren't recognized by the consuming projects. This will require followup changes in each project to stop passing an empty cli arg list to the conf object initialization. In the meantime, everything should continue to work as it did before. Change-Id: Iacd257fc6c351582de45476768e3fd1775317d3c Closes-Bug: 1849518 ** Changed in: oslo.policy Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1849518 Title: oslopolicy-list-redundant loses cli args when used with keystone Status in OpenStack Identity (keystone): In Progress Status in oslo.policy: Fix Released Bug description: There is an issue with the configuration handling in oslo.policy and keystone that causes cli args like --config-file to be ignored in the keystone enforcer when running oslopolicy-list-redundant. Specifically, because keystone re-initializes the global config object when creating the enforcer[0], and doesn't pass any cli args to it, those cli args get ignored. This can cause problems if, for example, the policy file is not in the default location and is instead specified in the config file passed via --config-file. Since --config- file gets ignored by the enforcer, it just looks in the default location and doesn't find a file. One solution would be to have oslo.policy initialize the global config object itself (switching [1] to use the global object instead of a local one) and remove the initialization from the enforcer entirely. One potential downside of this is that if a project's enforcer needs project-specific config setup it wouldn't be possible for that to happen (oslo.policy wouldn't know about it), but since that doesn't apply to keystone and would only really be an issue if a project's enforcer had a dependency on a cli arg (cli args are the only thing that need to be registered before calling the conf object), I think it's a worthwhile tradeoff. 0: https://github.com/openstack/keystone/blob/1ef56e58ec63f19eff25a1044c8831ba8f97e26a/keystone/common/rbac_enforcer/policy.py#L43 1: https://github.com/openstack/oslo.policy/blob/0f7e144d013155f27f74b0eb91b7ae0f1530a86b/oslo_policy/generator.py#L399 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1849518/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
