Reviewed:  https://review.openstack.org/530828
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=85c957c50387ca47b68bc412879c753e7618f86b
Submitter: Zuul
Branch:    master

commit 85c957c50387ca47b68bc412879c753e7618f86b
Author: Lance Bragstad <lbrags...@gmail.com>
Date:   Wed Jan 3 02:18:13 2018 +0000

    Expose a get_enforcer method for oslo.policy scripts

    Because we have policy in code, we should be able to use the
    oslo.policy CLI scripts to produce sample policy files and render
    complete policies based on overrides on disk. This was broken because
    keystone wasn't removing unexpected commandline arguments before
    passing them to oslo.config to parse. This prevented people from
    generating complete policy files like they would for horizon.

    This commit exposes a get_enforcer() that substitutes an empty list
    in place of arguments passed in through the system. This makes it so
    that oslo.config doesn't choke when processing configuration values.

    Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
    Closes-Bug: 1740951

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1740951

Title:
  Unable to dump policy

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  I'm having issues dumping policy from Keystone in Pike

  root@aio1-keystone-container-398c6a0f:~# /openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator --namespace keystone
  WARNING:stevedore.named:Could not load keystone
  Traceback (most recent call last):
    File "/openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator", line 11, in <module>
      sys.exit(generate_policy())
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 233, in generate_policy
      _generate_policy(conf.namespace, conf.output_file)
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 178, in _generate_policy
      enforcer = _get_enforcer(namespace)
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 74, in _get_enforcer
      enforcer = mgr[namespace].obj
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/stevedore/extension.py", line 314, in __getitem__
      return self._extensions_by_name[name]
  KeyError: 'keystone'

  Normally it works like this with Nova:

  root@aio1-nova-api-os-compute-container-3589c25e:~# /openstack/venvs/nova-16.0.6/bin/oslopolicy-policy-generator --namespace nova
  "os_compute_api:os-evacuate": "rule:admin_api"
  "os_compute_api:servers:create": "rule:admin_or_owner"
  "os_compute_api:os-extended-volumes": "rule:admin_or_owner"
  "os_compute_api:servers:create:forced_host": "rule:admin_api"
  "os_compute_api:os-aggregates:remove_host": "rule:admin_api"
  ...

  IRC convo regarding this bug:

  [04:00:26PM] logan- hello. I'm trying to use oslopolicy-policy-generator to dump the base RBAC so it can be combined with my policy overrides and provided to horizon. with nova i'm able to dump RBAC using "/path/to/nova/venv/bin/oslopolicy-policy-generator --namespace nova", but doing the same with keystone using "keystone" or "identity" as the namespace does not work.
  [04:01:39PM] @lbragstad logan-: do you have keystone installed?
  [04:01:57PM] @lbragstad let me see if i can recreate
  [04:03:30PM] logan- o/ @lbragstad. yep keystone's installed. here's the venv and output for the oslopolicy command at the bottom: http://paste.openstack.org/raw/636624/
  [04:03:53PM] @lbragstad huh - weird
  [04:03:56PM] @lbragstad i can recreate
  [04:04:48PM] ayoung @lbragstad, logan- I bet it is a dependency issue
  [04:05:25PM] ayoung trying to load Keystone fails cuz some other library is missing, and I bet that is pulled in from oslopolicy polgen
  [04:07:05PM] ayoung oslo.policy.policies =
  [04:07:05PM] ayoung # With the move of default policy in code list_rules returns a list of
  [04:07:05PM] ayoung # the default defined polices.
  [04:07:05PM] ayoung keystone = keystone.common.policies:list_rules
  [04:07:12PM] ayoung that is from setup.cfg
  [04:07:21PM] ayoung is that what it is trying to load?
  [04:07:36PM] @lbragstad well - it should be an entrypoint in oslo.policy
  [04:07:47PM] @lbragstad keystone is just responsible for exposing the namespace
  [04:07:59PM] @lbragstad https://github.com/openstack/keystone/blob/master/config-generator/keystone-policy-generator.conf
  [04:08:26PM] @lbragstad which is the same as what nova defines
  [04:08:28PM] @lbragstad https://github.com/openstack/nova/blob/master/etc/nova/nova-policy-generator.conf
  [04:09:31PM] ayoung seems like it is not registered
  [04:12:16PM] ayoung yep, reproduced it here, too
  [04:15:32PM] @lbragstad i think we're missing this entrypoint
  [04:15:33PM] @lbragstad https://docs.openstack.org/oslo.policy/latest/user/usage.html#merged-file-generation
  [04:15:45PM] @lbragstad which just needs something to return the _ENFORCER
  [04:15:55PM] @lbragstad so keystone.common.policy:get_enforcer
  [04:15:59PM] @lbragstad or something like that
  [04:16:24PM] @lbragstad logan-: certainly a bug
  [04:16:35PM] @lbragstad logan-: would you be able to open up something in launchpad?
  [04:16:53PM] @lbragstad we can get a patch up shortly, i think we're missing something with how we wire up the entry points
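
Added example, not keystone's or oslo.policy's own code: a stand-in model of the two failures in this report (the namespace missing from the enforcer lookup, then a config parser fed another tool's command line) and of the empty-argument-list fix the commit message describes. argparse stands in for oslo.config and a dict for the entry-point group; every function name, the rule and the argv are constructed for illustration.

```python
import argparse
import sys

# Constructed sample data: one default rule and the generator's command line.
DEFAULT_RULES = {"identity:get_user": "rule:admin_or_owner"}
ARGV = ["oslopolicy-policy-generator", "--namespace", "keystone"]


def service_parser():
    # Stand-in for the service's config parser; it knows only its own options.
    parser = argparse.ArgumentParser(prog="service-config")
    parser.add_argument("--config-file", default="service.conf")
    return parser


def get_enforcer_from_argv():
    # Parses sys.argv[1:], so the generator's --namespace flag reaches a
    # parser that does not define it and argparse exits with status 2.
    service_parser().parse_args()
    return dict(DEFAULT_RULES)


def get_enforcer():
    # Parses an explicit empty list: the process's command line belongs to
    # the tool that loaded this hook, not to the service.
    service_parser().parse_args([])
    return dict(DEFAULT_RULES)


def run_generator(enforcer_group, argv):
    """Simulate one generator run; return (status, detail)."""
    saved, sys.argv = sys.argv, list(argv)
    try:
        namespace = argv[argv.index("--namespace") + 1]
        # A namespace missing from the group raises KeyError, as in the report.
        return "ok", enforcer_group[namespace]()
    except KeyError as exc:
        return "not-registered", str(exc)
    except SystemExit as exc:
        return "argument-error", exc.code
    finally:
        sys.argv = saved


if __name__ == "__main__":
    for group in ({}, {"keystone": get_enforcer_from_argv},
                  {"keystone": get_enforcer}):
        print(run_generator(group, ARGV))
```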