Change-Id: Iffc7cea49b9d759ab307108cd8f73b1cfbde0bc8
Change-Id: I4a909961c5eb5d0a7b212cd0650b5481a0c05e20
We added policy files in policy.d. Currently, the code will
reload the policy in policy.d every time enforce is called.
This patch caches the file mtime of the newest file in
the directory (or the directory itself if it is empty) and uses
that to detect if we need to reload files in the policy.d
directory.
Change-Id: I3ab1ce1f2132ea8672bf0765ee4b30ad126d4559
Closes-Bug: 1437992
Co-Authored-By: Eli Qiao <liyong.qiao@intel.com>
Cherry-pick: Ia8c273c8566a4b472cb8807b1576ef1dee8ef054
Change-Id: I71ca555c621e06ceb136d8b9cefdf6290023ec87
Change-Id: If88e06eb52934d7cbf10a84f47776b2e89b568c1
It is not clear why this is a configurable option. The original
blueprint just wanted the ability to specify a policy.d infrastructure
to make complex policies easier to enforce. There was no requirement
on it being configurable.
Being configurable just exposes another way in which incompatibilities
in OpenStack projects might be able to emerge. As this merged late in
the incubator lifecycle for the policy code, there are likely few/no
existing users of the option so it should be safe to deprecate it
for the library. That way we won't break anyone currently using it,
and don't have to commit to supporting it going forward.
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Change-Id: I40bcbfbd4ab626fa9bfa050792e9ed3cfb587225
Change-Id: I0a7d0e7e5f9a6ee9952ebeb30f27fb29c029f7b8
Those symbols are used by Neutron for legitimate cases (defining a
custom check).
Change-Id: I96e9838068194b7b0903a738a94eb8f1b01ecdbe
Closes-Bug: #1426005
When policy disallows an action, the existing exception doesn't
contain anything except the rule. That means finding out why becomes
somewhat difficult. We should provide the matrix of information that
was used in the decision in the exception.
Change-Id: I99c46fcc9f16f2b13a1b5527a3754da26dacf248
Change-Id: I1c14ac1b423d1408e8dde06af79163baa6d38877
Many services currently construct a Rules instance from a dictionary in
their tests. It would be beneficial to them if they didn't have to
import oslo_policy._parser in order to parse a rule before passing it to
Rules.__init__. Adding a Rules.from_dict classmethod should satisfy the
need to create a Rules instance from a dictionary in tests.
Change-Id: I3d73059277c45d4852f842474c6f1d61daa349b8
Previously we were using assertEqual(True, expected) or
assertEqual(False, expected) instead of assertTrue or assertFalse
respectively. This simply updates the existing tests to follow the
common practice in oslo and OpenStack.
Change-Id: I05747a13533be00f7adc827276b833ae6aefd725
The order of parameters needs to be (expected, actual) and many of the
tests in test_checks, test_parser, and test_policy were not following
that convention.
Closes-bug: 1277104
Change-Id: I2259972de4961bf9d5f9c6742d81eb083b770fba
Move the option definitions into the opts module with the other
functions related to options.
Add set_defaults() to override the default settings for options and make
it part of the public API of the library by including it in the
documentation.
Add opts._register() so the options can be registered consistently from
multiple places.
Change-Id: Ib74beac58a07bf5ee0f92c2b7eda8281ef7d7c33
Explain the real reason for not using skipdist and develop in this
library, which does not have the namespace package.
Change-Id: Iaa91ab87ccacae8c26efc473e17b378eec50c31a
Import the symbols needed from _i18n directly, relying on the import
exception to avoid pep8 errors. Remove the imports that aren't being
used.
Change-Id: I8baef5ab859f005ff515b97adb9952f2ef1003e1
Remove py33, since we don't test on 3.3 any more.
Remove pypy, since we don't need to test that locally by default (it may
still be tested in the gate).
Change-Id: If714935c975de73000b5b94f9fdb1f62c3e05c55
Rather than keeping test input files in git, create them on the fly as
needed. This allows us to streamline one or two tests that modify the
files and then try to restore their old contents, and it also ensures
that looking at a given test it is clear which files are really being
used.
This change also updates the implementation of some tests that were
counting log calls to see how many files were loaded by making the
Enforcer track the files it loads so we can look at the list explicitly.
This gives us verification that the files we care about are the ones
being loaded, and is less brittle in case we change the logging
structure within the policy module.
Change-Id: I109b3d5afc622df7e5e7a12d06c4fb1baad18b1a
Change-Id: I351ab4f335d3bbb642e9e9bc225dd8725559989b
Throughout the project both single and double quotes are used;
let's just stick to one consistent format. Also removed a
few contractions in messages.
Change-Id: I6636830bef53fadbab8616abdce9b731d39a1d10
The "missing directory" message for the default policy-directory is
being hit constantly and requiring work-arounds
(e.g. I335a661d307a330e8b59883ef60c787c6590eb42)
It was turned down from a warning in
I183597f23b3a5eb44debd73f7a4a4444ca0d22fd. As it says there, the
directory missing is considered a normal condition.
Previous revisions of this change have modified this log to only fire
if policy_dirs is set to something other than the default and to
deprecate the default value of policy_dirs so the directory is not
searched.
The policy_dirs option as written (and exposed, hence limiting change)
is analogous to a PATH setting; we attempt to search each entry but a
missing or empty directory does not indicate a problem.
In a theoretical sense this actually seems quite sound; some setup
might have some specific host policy files in /etc/policy.d and global
ones in /usr/share/policy.d; the non-existence of /etc/policy.d would
not be an error but just mean that on this host only the
/usr/share/policy.d ones are wanted.
However, the existing debug level message about a file being should be
expanded to show the actual file that was loaded. This allows
investigators insight into what policies have actually been loaded and
from where.
Debugging test-cases are updated to verify that we get debug-level
messages about the loaded files. Additionally, the documentation for
policy_dirs is expanded to make it clear the directories may be
missing or empty.
Related-Bug: #1421863
Change-Id: Ib749b2a019c89bec811d3da5a369ffcdd27bc76f
After https://review.openstack.org/#/c/154615/ merged, when attempting
to pull down oslo.policy the following error came up:
error: can't copy 'oslo_policy/tests/var/policy.d/fake_link': doesn't
exist or not a regular file
Change-Id: I306c99530bacb7944979e2e47ed057b85cde9898
stylize the docs, and document the migration process, specifically
calling out the changes to the Enforcer class, which now required
an oslo.config config object to be passed in.
implements bp graduate-policy
Change-Id: Ief4395f3312b90adea1f05903b9498b730663a74
Oslo libraries should not depend on oslo.log, we should use
standard logging, as noted in the graduation guidelines.
partially implements bp graduate-policy
Change-Id: I9d3973ad4b5b32922fa56881b679ad9e403289ea
Change-Id: Iafb2554d37db033914193aaf32ae4d7b2072577a
The current version of hacking is very old; upgrade hacking
and fix any minor errors that were uncovered.
Change-Id: Iabf38881b6030dce903c8e74670bfd6e5eabbc20
Looks like only Rules and Enforcer are ever consumed, so there
is no need to have globals for backwards compatibility for
Check/BaseCheck/register.
Change-Id: Ifc482beb2bb9d9dd25102730d6d21792f23be3af
This was only being used in a test, which has since been refactored
to not need lockutils, as such we can remove oslo.concurrency
from this requirements list. Also remove a reference of it from
tox.ini
Change-Id: I3da48a5a99db126637d78a5eadfa44da594b82c2
Change the instance attribute name CONF to conf because it's not a
global.
Change-Id: Ibfe19e0159b40952dbe28fb47b6940a13000dffc
Have each test instantiate its own enforcer object with a private
configuration.
Change-Id: I5eb354f0149be4bd4ec3eeb46ce9274b04781c9a
Move the parser and checks logic into oslo_policy._parser and
oslo_policy._checks respectively. As a consequence, this allows us to
create separate test files for those modules so we now also have
oslo_policy.tests.test_parser and oslo_policy.tests.test_checks. Since
those modules needed some common classes and fixtures it was also
necessary to add oslo_policy.tests.base to service the three test
modules.
Change-Id: I656dcb8fda7b953f5def8ddfaa4d119a8c881965
A first hack at attempting to privatize certain classes and
functions.
Change-Id: I520767731e510ca2edf46511a54687a5a45919df
Closes-Bug: #1415633
Create entry points for oslo.policy, and make the necessary
changes to grouping the options into a new 'oslo_policy' group.
Change-Id: I32fd78c8a90fd2d49824db145362069b81fcaec5
Closes-Bug: #1415631
Change-Id: Ifd692642e5994f80edbc9d02041105176e756fa6
Remove the copied over version from oslo-incubator and use
the library oslo.i18n
Change-Id: I0511c63b9c65c6585cc999c4fae0fd0b21b19d48
Removed run_cross_tests from openstack-common.conf
Removed all of oslo_policy/openstack/common
Performed sync from latest master of oslo-incubator
Undid the delete to oslo_policy/openstack/common/_i18n.py since
it is still required, until we move to oslo.i18n.
oslo-incubator was at commit level:
9a1970b3708114cc52f89a7b4d048eeae9140fef
Change-Id: I55288e618b268b73012784481c00285195edbf3b
For example, instead of oslo.config, we should use oslo_config.
Related-blueprint: drop-namespace-packages
Change-Id: Iee1bc653196ba699fae0fb844638bd745286ee85
The docstrings weren't pretty.
Change-Id: I76d17ee3f6dfca8e79b25b9d5ec81ec5194b571c