Public bug reported:

I'm having issues dumping policy from Keystone in Pike

  root@aio1-keystone-container-398c6a0f:~# /openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator --namespace keystone
  WARNING:stevedore.named:Could not load keystone
  Traceback (most recent call last):
    File "/openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator", line 11, in <module>
      sys.exit(generate_policy())
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 233, in generate_policy
      _generate_policy(conf.namespace, conf.output_file)
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 178, in _generate_policy
      enforcer = _get_enforcer(namespace)
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 74, in _get_enforcer
      enforcer = mgr[namespace].obj
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/stevedore/extension.py", line 314, in __getitem__
      return self._extensions_by_name[name]
  KeyError: 'keystone'

Normally it works like this with Nova:

  root@aio1-nova-api-os-compute-container-3589c25e:~# /openstack/venvs/nova-16.0.6/bin/oslopolicy-policy-generator --namespace nova
  "os_compute_api:os-evacuate": "rule:admin_api"
  "os_compute_api:servers:create": "rule:admin_or_owner"
  "os_compute_api:os-extended-volumes": "rule:admin_or_owner"
  "os_compute_api:servers:create:forced_host": "rule:admin_api"
  "os_compute_api:os-aggregates:remove_host": "rule:admin_api"
  ...

IRC convo regarding this bug:

[04:00:26PM] logan- hello. I'm trying to use oslopolicy-policy-generator to dump the base RBAC so it can be combined with my policy overrides and provided to horizon. with nova i'm able to dump RBAC using "/path/to/nova/venv/bin/oslopolicy-policy-generator --namespace nova", but doing the same with keystone using "keystone" or "identity" as the namespace does not work.
[04:01:39PM] @lbragstad logan-: do you have keystone installed?
[04:01:57PM] @lbragstad let me see if i can recreate
[04:03:30PM] logan- o/ @lbragstad. yep keystone's installed. here's the venv and output for the oslopolicy command at the bottom: http://paste.openstack.org/raw/636624/
[04:03:53PM] @lbragstad huh - weird
[04:03:56PM] @lbragstad i can recreate
[04:04:48PM] ayoung @lbragstad, logan- I bet it is a dependency issue
[04:05:25PM] ayoung trying to load Keystone fails cuz some other library is missing, and I bet that is pulled in from oslopolicy polgen
[04:07:05PM] ayoung oslo.policy.policies =
[04:07:05PM] ayoung # With the move of default policy in code list_rules returns a list of
[04:07:05PM] ayoung # the default defined polices.
[04:07:05PM] ayoung keystone = keystone.common.policies:list_rules
[04:07:12PM] ayoung that is from setup.cfg
[04:07:21PM] ayoung is that what it is trying to load?
[04:07:36PM] @lbragstad well - it should be an entrypoint in oslo.policy
[04:07:47PM] @lbragstad keystone is just responsible for exposing the namespace
[04:07:59PM] @lbragstad https://github.com/openstack/keystone/blob/master/config-generator/keystone-policy-generator.conf
[04:08:26PM] @lbragstad which is the same as what nova defines
[04:08:28PM] @lbragstad https://github.com/openstack/nova/blob/master/etc/nova/nova-policy-generator.conf
[04:09:31PM] ayoung seems like it is not registered
[04:12:16PM] ayoung yep, reproduced it here, too
[04:15:32PM] @lbragstad i think we're missing this entrypoint
[04:15:33PM] @lbragstad https://docs.openstack.org/oslo.policy/latest/user/usage.html#merged-file-generation
[04:15:45PM] @lbragstad which just needs something to return the _ENFORCER
[04:15:55PM] @lbragstad so keystone.common.policy:get_enforcer
[04:15:59PM] @lbragstad or something like that
[04:16:24PM] @lbragstad logan-: certainly a bug
[04:16:35PM] @lbragstad logan-: would you be able to open up something in launchpad?
[04:16:53PM] @lbragstad we can get a patch up shortly, i think we're missing something with how we wire up the entry points

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1740951

Title:
  Unable to dump policy

Status in OpenStack Identity (keystone):
  New
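
A diagnostic for the gap discussed in the report, as an added example that is not part of the original bug or of keystone or oslo.policy: it compares the `oslo.policy.policies` and `oslo.policy.enforcer` entry-point groups and lists namespaces that publish default rules but no enforcer, which is the lookup that raises the KeyError above. The helper names are hypothetical and the sample metadata is constructed; only the keystone `list_rules` line comes from the report.

```python
import configparser

POLICIES_GROUP = "oslo.policy.policies"  # default rules (list_rules)
ENFORCER_GROUP = "oslo.policy.enforcer"  # looked up by oslopolicy-policy-generator

# Constructed entry_points.txt content. The keystone line is the one quoted
# from setup.cfg in the report; the nova lines are assumed for contrast.
SAMPLE_ENTRY_POINTS = """\
[oslo.policy.policies]
keystone = keystone.common.policies:list_rules
nova = nova.policies:list_rules

[oslo.policy.enforcer]
nova = nova.policy:get_enforcer
"""


def parse_groups(text):
    """Parse entry_points.txt-style text into {group: {name: target}}."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # entry-point names are case-sensitive
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def missing_enforcers(groups):
    """Namespaces that expose policies but cannot be dumped by the generator."""
    policies = groups.get(POLICIES_GROUP, {})
    enforcers = groups.get(ENFORCER_GROUP, {})
    return sorted(set(policies) - set(enforcers))


def installed_groups():
    """Same structure, read from the packages installed in this interpreter."""
    from importlib import metadata

    eps = metadata.entry_points()
    found = {}
    for group in (POLICIES_GROUP, ENFORCER_GROUP):
        # Python 3.10+ offers select(); 3.8/3.9 return a plain dict.
        selected = eps.select(group=group) if hasattr(eps, "select") else eps.get(group, [])
        found[group] = {ep.name: ep.value for ep in selected}
    return found


if __name__ == "__main__":
    print("sample:", missing_enforcers(parse_groups(SAMPLE_ENTRY_POINTS)))
    print("installed:", missing_enforcers(installed_groups()))
```

Run inside the service's virtualenv, the `installed:` line names any namespace for which `--namespace` will fail before a policy dump is attempted.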