author | Zuul <zuul@review.openstack.org> | 2018-02-14 19:14:23 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2018-02-14 19:14:23 +0000 |
commit | e8953d03926b2a5594bbc3d5d8af6854b97cddb7 (patch) | |
tree | 747a03c137291e13b5546292104aafa904167f63 | |
parent | 9a0742964011ba0df02230f6961e19859fc7d279 (diff) | |
parent | 075b8ad41b990311f1bd14644adb078bf089e3b0 (diff) | |
download | keystone-e8953d03926b2a5594bbc3d5d8af6854b97cddb7.tar.gz |
Merge "Expose a get_enforcer method for oslo.policy scripts" into stable/pike
-rw-r--r-- | keystone/common/policy.py | 11 | ||||
-rw-r--r-- | keystone/tests/unit/test_policy.py | 16 | ||||
-rw-r--r-- | releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml | 8 | ||||
-rw-r--r-- | setup.cfg | 3 |
4 files changed, 38 insertions, 0 deletions
diff --git a/keystone/common/policy.py b/keystone/common/policy.py
index 4ec0a0f99..d5e8619e2 100644
--- a/keystone/common/policy.py
+++ b/keystone/common/policy.py
@@ -35,6 +35,17 @@ def init():
 register_rules(_ENFORCER)
+def get_enforcer():
+ # Here we pass an empty list of arguments because there aren't any
+ # arguments that oslo.config or oslo.policy shouldn't already understand
+ # from the CONF object. This makes things easier here because we don't have
+ # to parse arguments passed in from the command line and remove unexpected
+ # arguments before building a Config object.
+ CONF([], project='keystone')
+ init()
+ return _ENFORCER
+
+
 def enforce(credentials, action, target, do_raise=True):
 """Verify that the action is valid on the target in this context.
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 485198d11..54587f399 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -15,6 +15,7 @@
 import json
 import os
+import subprocess
 import uuid
 from oslo_policy import policy as common_policy
@@ -213,3 +214,18 @@ class PolicyJsonTestCase(unit.TestCase):
 doc_targets = list(read_doc_targets())
 self.assertItemsEqual(policy_keys, doc_targets + policy_rule_keys)
+
+
+class GeneratePolicyFileTestCase(unit.TestCase):
+
+ def test_policy_generator_from_command_line(self):
+ # This test ensures keystone.common.policy:get_enforcer ignores
+ # unexpected arguments before handing them off to oslo.config, which
+ # will fail and prevent users from generating policy files.
+ ret_val = subprocess.Popen(
+ ['oslopolicy-policy-generator', '--namespace', 'keystone'],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE
+ )
+ ret_val.communicate()
+ self.assertEqual(ret_val.returncode, 0)
diff --git a/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml b/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
new file mode 100644
index 000000000..5b7650346
--- /dev/null
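Review bot: `CONF([], project='keystone')` in `get_enforcer` discards every command-line option, so a `--config-file` or `--config-dir` given to the oslo.policy script never reaches keystone's configuration and the enforcer is built from the default keystone config search path only. If a deployment keeps its configuration or `policy_file` elsewhere, the generated policy may not match what the running service enforces, which matters when the output is used to audit access rules; this is inferred from the call, not shown in the hunk. The function also has no docstring; I would add `"""Return the enforcer for oslo.policy scripts; config is read from the default keystone locations only and command-line options are ignored."""` so the limitation is visible to whoever wires up the entry point.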
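Review bot: `test_policy_generator_from_command_line` throws away the child's stdout and stderr and asserts only on the return code, so a failure in CI gives no hint of why the generator exited non-zero. Keeping the output and passing it as the assertion message would fix that: `out, err = ret_val.communicate()` followed by `self.assertEqual(0, ret_val.returncode, err)`. The test also passes no unexpected arguments, so the comment's claim that it checks they are ignored is stronger than what the test exercises. Since `oslopolicy-policy-generator` is resolved through PATH, the run may pick up a copy outside the test virtualenv, which is worth confirming for the gate environment.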
+++ b/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ [`bug 1740951 <https://bugs.launchpad.net/keystone/+bug/1740951>`_]
+ A new method was added that made it so oslo.policy sample generation
+ scripts can be used with keystone. The ``oslopolicy-policy-generator``
+ script will now generate a policy file containing overrides and defaults
+ registered in code.
@@ -181,6 +181,9 @@ oslo.policy.policies =
 # the default defined polices.
 keystone = keystone.common.policies:list_rules
+oslo.policy.enforcer =
+ keystone = keystone.common.policy:get_enforcer
+
 paste.filter_factory =
 healthcheck = oslo_middleware:Healthcheck.factory
 cors = oslo_middleware:CORS.factory |