Reviewed: https://review.opendev.org/690628
Committed:
https://git.openstack.org/cgit/openstack/oslo.policy/commit/?id=686aa238f921e8b6dff814d001690e15fa8ccea6
Submitter: Zuul
Branch: master
commit 686aa238f921e8b6dff814d001690e15fa8ccea6
Author: Ben Nemec <bne...@redhat.com>
Date: Wed Oct 23 15:36:42 2019 +0000
Initialize global config object in cli tools
Currently, passing --config-file to a tool like oslopolicy-list-redundant
is ineffective because the projects pass an empty cli arg list to the
conf object when they initialize it. By registering our cli args on the
global conf object, the projects can safely parse cli args in their
call to the conf object so things like --config-file won't be ignored.
This didn't work before because oslo.policy recognizes cli args like
--namespace that aren't recognized by the consuming projects.
This will require followup changes in each project to stop passing an
empty cli arg list to the conf object initialization. In the meantime,
everything should continue to work as it did before.
Change-Id: Iacd257fc6c351582de45476768e3fd1775317d3c
Closes-Bug: 1849518
** Changed in: oslo.policy
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1849518
Title:
oslopolicy-list-redundant loses cli args when used with keystone
Status in OpenStack Identity (keystone):
In Progress
Status in oslo.policy:
Fix Released
Bug description:
There is an issue with the configuration handling in oslo.policy and
keystone that causes cli args like --config-file to be ignored in the
keystone enforcer when running oslopolicy-list-redundant.
Specifically, because keystone re-initializes the global config object
when creating the enforcer[0], and doesn't pass any cli args to it,
those cli args get ignored. This can cause problems if, for example,
the policy file is not in the default location and is instead
specified in the config file passed via --config-file. Since --config-
file gets ignored by the enforcer, it just looks in the default
location and doesn't find a file.
One solution would be to have oslo.policy initialize the global config
object itself (switching [1] to use the global object instead of a
local one) and remove the initialization from the enforcer entirely.
One potential downside of this is that if a project's enforcer needs
project-specific config setup it wouldn't be possible for that to
happen (oslo.policy wouldn't know about it), but since that doesn't
apply to keystone and would only really be an issue if a project's
enforcer had a dependency on a cli arg (cli args are the only thing
that need to be registered before calling the conf object), I think
it's a worthwhile tradeoff.
0:
https://github.com/openstack/keystone/blob/1ef56e58ec63f19eff25a1044c8831ba8f97e26a/keystone/common/rbac_enforcer/policy.py#L43
1:
https://github.com/openstack/oslo.policy/blob/0f7e144d013155f27f74b0eb91b7ae0f1530a86b/oslo_policy/generator.py#L399
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1849518/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
