author | Zuul <zuul@review.opendev.org> | 2020-04-09 23:52:41 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2020-04-09 23:52:41 +0000 |
commit | bbb76769fde5bfaee86539ec94ac10175de20697 (patch) | |
tree | 6c06df879a0078196dc77c60421d15d595dfc934 | |
parent | e17cfc1b6d8697333030ed08ebcb6086213c9329 (diff) | |
parent | 99012db14bd0e6f87aa2b79c272c7f5951972d41 (diff) | |
download | oslo-policy-bbb76769fde5bfaee86539ec94ac10175de20697.tar.gz |
Merge "Add new config to enforce the new defaults"
-rw-r--r-- | oslo_policy/opts.py | 11 | ||||
-rw-r--r-- | oslo_policy/policy.py | 5 | ||||
-rw-r--r-- | oslo_policy/tests/test_policy.py | 33 | ||||
-rw-r--r-- | releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml | 11 |
4 files changed, 59 insertions, 1 deletions
diff --git a/oslo_policy/opts.py b/oslo_policy/opts.py
index e0e1dd6..16e3696 100644
--- a/oslo_policy/opts.py
+++ b/oslo_policy/opts.py
@@ -34,6 +34,17 @@ _options = [
 'will be raised. If ``False``, a message will be '
 'logged informing operators that policies are being '
 'invoked with mismatching scope.')),
+ cfg.BoolOpt('enforce_new_defaults',
+ default=False,
+ help=_('This option controls whether or not to use old '
+ 'deprecated defaults when evaluating policies. If '
+ '``True``, the old deprecated defaults are not going '
+ 'to be evaluated which mean if any existing token '
+ 'allowed for old defaults but disallowed for new '
+ 'defaults will be disallowed. It is encouraged to '
+ 'enable this flag along with ``enforce_scope`` flag '
+ 'so that you can get benefits of new defaults and '
+ '``scope_type`` together')),
 cfg.StrOpt('policy_file',
 default='policy.json',
 help=_('The relative or absolute path of a file that maps '
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index dbb9443..a1a6f85 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -703,7 +703,10 @@ class Enforcer(object):
 # messages telling them stuff is going to change if they don't maintain
 # the policy manually or add infrastructure to their deployment to
 # support the new policy.
- if (deprecated_rule.check_str != default.check_str
+ # If flag enforce_new_defaults is true then do not add OrCheck
+ # the old check_str and enforce only new defaults.
+ if (not self.conf.oslo_policy.enforce_new_defaults
+ and deprecated_rule.check_str != default.check_str
 and default.name not in self.file_rules):
 default.check = OrCheck([_parser.parse_rule(cs) for cs in
diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py
index 1053de7..b67504b 100644
--- a/oslo_policy/tests/test_policy.py
+++ b/oslo_policy/tests/test_policy.py
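Review bot: The help string added for `enforce_new_defaults` is the text operators see in generated sample configs, and its middle sentence is hard to parse ("which mean if any existing token allowed for old defaults but disallowed for new defaults will be disallowed") while the last sentence has no terminating period. Suggest rewording those fragments to `'``True``, the deprecated check strings are ignored, so a request that was only permitted by an old default is now denied. '` and closing with `'``scope_type`` together.'`. It would also help operators to state that the option has no effect on a rule that is already overridden in the policy file, which is what the `default.name not in self.file_rules` condition in the policy.py hunk below implies, and that the default `False` keeps the permissive OR-ed behaviour. The `_options` list continues outside the hunk.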
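Review bot: When `enforce_new_defaults` is set the deprecated `check_str` is dropped silently: the new condition only skips the `OrCheck`, and nothing in the hunk records which rule lost its fallback, so an operator who enables the flag and then sees unexpected denials has no log line to correlate them with. Consider logging the skipped fallback when the flag is on and the two check strings differ, e.g. `if self.conf.oslo_policy.enforce_new_defaults and deprecated_rule.check_str != default.check_str:` / `LOG.debug('enforce_new_defaults set: ignoring deprecated check_str %s for rule %s', deprecated_rule.check_str, default.name)` (the module already has a `LOG` elsewhere — confirm). The added comment also reads awkwardly; suggest `# When enforce_new_defaults is set, skip the OrCheck with the deprecated check_str and enforce only the new default.`. The enclosing method starts and ends outside the hunk, and the trailing context line implied by the header's line counts is not shown here.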
@@ -1648,6 +1648,39 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
 # Verify that we didn't overwrite the new rule.
 self.assertEqual('bang', self.enforcer.rules['new_rule'].match)
+ def test_enforce_new_defaults_no_old_check_string(self):
+ self.conf.set_override('enforce_new_defaults', True,
+ group='oslo_policy')
+ deprecated_rule = policy.DeprecatedRule(
+ name='foo:create_bar',
+ check_str='role:fizz'
+ )
+
+ rule_list = [policy.DocumentedRuleDefault(
+ name='foo:create_bar',
+ check_str='role:bang',
+ description='Create a bar.',
+ operations=[{'path': '/v1/bars', 'method': 'POST'}],
+ deprecated_rule=deprecated_rule,
+ deprecated_reason='"role:bang" is a better default',
+ deprecated_since='N'
+ )]
+ enforcer = policy.Enforcer(self.conf)
+ enforcer.register_defaults(rule_list)
+
+ with mock.patch('warnings.warn') as mock_warn:
+ enforcer.load_rules()
+ mock_warn.assert_not_called()
+ self.assertTrue(
+ enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']})
+ )
+ self.assertFalse(
+ enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']})
+ )
+ self.assertFalse(
+ enforcer.enforce('foo:create_bar', {}, {'roles': ['baz']})
+ )
+
 class DocumentedRuleDefaultTestCase(base.PolicyBaseTestCase):
diff --git a/releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml b/releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml
new file mode 100644
index 0000000..8ff851f
--- /dev/null
+++ b/releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml
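Review bot: The new test pins more than its name says — `mock_warn.assert_not_called()` asserts that no deprecation warning is emitted at all when the flag is on, yet the warning call itself is outside the policy.py hunk, so a reader cannot tell from the test whether silence is the intended contract or a side effect of skipping the whole `if` block. A docstring would make that explicit, e.g. `"""enforce_new_defaults=True drops the deprecated check_str: only the new default grants access and no deprecation warning is raised."""`. The one case the flag does not change — a rule overridden in the policy file (`default.name in self.file_rules`) — has no test here, and a companion case asserting the file rule still wins with the flag on would pin that boundary. The enclosing test class starts before the hunk.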
@@ -0,0 +1,11 @@
+features:
+ - |
+ A new configuration option ``enforce_new_defaults`` has been
+ added to the ``[oslo_policy]`` group to control whether or not to
+ use the old deprecated defaults. If ``True``, the old deprecated
+ defaults are not going to be evaluated which mean if any existing
+ token allowed for old defaults but disallowed for new defaults
+ will be disallowed. It is encouraged to enable this flag along
+ with ``enforce_scope`` flag so that you can get benefits of new
+ defaults and ``scope_type`` together. This way operators can switch
+ to new defaults without overwriting the rule in policy file. |