authorMathieu Gagné <mgagne@iweb.com>2017-07-24 18:42:09 -0400
committerMathieu Gagné <mgagne@iweb.com>2017-08-17 12:23:31 -0400
commit346c36d7985296dedcbcfa8a52248dd9f9d21f35 (patch)
treeb65d32767fee4254f40964c6ef910caffaa965a3
parent3688a8243f81ade78cb1d28400e8c9ae5a6e124e (diff)
downloaddjango_openstack_auth-346c36d7985296dedcbcfa8a52248dd9f9d21f35.tar.gz
Add support for policy directories per service
This change introduces the POLICY_DIRS setting which adds the ability to define multiple policy directories per service. Blueprint: policy-dirs Change-Id: Ie42f1aa68539b7388661ddfe2c265255cd574736
-rw-r--r--doc/source/configuration/index.rst17
-rw-r--r--openstack_auth/policy.py17
2 files changed, 29 insertions, 5 deletions
diff --git a/doc/source/configuration/index.rst b/doc/source/configuration/index.rst
index 5b581b0..06c300b 100644
--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@@ -222,6 +222,23 @@ will deny the access and users must contact an admin to change their password.
Setting this value to ``N`` days means the user will be alerted when the
password expires in less than ``N+1`` days. ``-1`` disables the feature.
+``POLICY_DIRS``
+----------------
+
+Default: ``{}``
+
+Specifies a list of policy directories per service types. The directories
+are relative to ``POLICY_FILES_PATH``. Services whose additional policies
+are defined here must be defined in ``POLICY_FILES`` too. Otherwise,
+additional policies specified in ``POLICY_DIRS`` are not loaded.
+
+Example::
+
+ POLICY_DIRS = {
+ 'identity': 'keystone_policy.d',
+ 'compute': 'nova_policy.d'
+ }
+
``POLICY_FILES``
----------------
diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py
index 81fc7c2..e0a3ab0 100644
--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@@ -30,16 +30,22 @@ _ENFORCER = None
_BASE_PATH = getattr(settings, 'POLICY_FILES_PATH', '')
-def _get_policy_conf():
+def _get_policy_conf(policy_file, policy_dirs=None):
conf = cfg.ConfigOpts()
# Passing [] is required. Otherwise oslo.config looks up sys.argv.
conf([])
policy_opts.set_defaults(conf)
+ policy_file = os.path.join(_BASE_PATH, policy_file)
+ conf.set_default('policy_file', policy_file, 'oslo_policy')
# Policy Enforcer has been updated to take in a policy directory
# as a config option. However, the default value in is set to
# ['policy.d'] which causes the code to break. Set the default
# value to empty list for now.
- conf.set_default('policy_dirs', [], 'oslo_policy')
+ if policy_dirs is None:
+ policy_dirs = []
+ policy_dirs = [os.path.join(_BASE_PATH, policy_dir)
+ for policy_dir in policy_dirs]
+ conf.set_default('policy_dirs', policy_dirs, 'oslo_policy')
return conf
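Review bot: The list comprehension over `policy_dirs` will iterate a plain string character by character, and the `POLICY_DIRS` example this same commit adds to index.rst gives each service a bare string (`'identity': 'keystone_policy.d'`) even though the text calls the value a list. An operator who copies that example would end up with `policy_dirs` holding one path per character under `_BASE_PATH`, so the intended override directory is never read. As far as I know, oslo.policy skips policy directories it cannot find instead of failing, so the dashboard would quietly enforce only the base policy file. Either change the documented example to lists (`'identity': ['keystone_policy.d']`) or reject a non-list value here, for example `if isinstance(policy_dirs, str): raise TypeError('POLICY_DIRS values must be lists of directories')`, using whichever string type check the codebase already relies on if Python 2 is still supported.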
@@ -48,10 +54,11 @@ def _get_enforcer():
if not _ENFORCER:
_ENFORCER = {}
policy_files = getattr(settings, 'POLICY_FILES', {})
- conf = _get_policy_conf()
+ policy_dirs = getattr(settings, 'POLICY_DIRS', {})
for service in policy_files.keys():
- policy_file = os.path.join(_BASE_PATH, policy_files[service])
- enforcer = policy.Enforcer(conf, policy_file)
+ conf = _get_policy_conf(policy_file=policy_files[service],
+ policy_dirs=policy_dirs.get(service, []))
+ enforcer = policy.Enforcer(conf)
# Ensure enforcer.policy_path is populated.
enforcer.load_rules()
if os.path.isfile(enforcer.policy_path):
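Review bot: `policy_dirs.get(service, [])` is only reached for keys of `POLICY_FILES`, so a `POLICY_DIRS` entry whose service key is misspelled or absent from `POLICY_FILES` is dropped without any signal. Because these directories carry authorization rules, a one-time warning would let operators notice that their overrides are not in force, for example by logging the keys in `set(policy_dirs) - set(policy_files)` before the loop, assuming the module has a logger available. `_get_enforcer` begins before this hunk and continues after it, so the placement relative to the `_ENFORCER` cache check should be confirmed against the full function.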