| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Change-Id: I5edd645d8ae4201e8efe55cba9fb5675e93d53e4
|
|
|
|
| |
Change-Id: I86b39d9eedd3be8adda6bf09e3268ca764dc451f
|
|
|
|
| |
Change-Id: I26a85a190b8111fd24b605171db31cf1d0a4457c
|
|
|
|
| |
Change-Id: I32df320b311d0ef5c9e3e8db8bc7beb544c0fd2a
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If overwrite, which is the option to control whether current rules are
either overwritten or updated with new rules, was False, then policy
files would be reloaded even if they had not changed and rules already
existed.
Closes-Bug: 1487661
Change-Id: I3c0d84ce3ba3d4b41cbb08b824cbdd4ee6dd664b
|
|/
|
|
|
|
|
|
|
| |
The method check_loaded_files() receives a list of reference filenames
and asserts that is equal to the actual list of
enforcer._loaded_files, but passes them to assertEqual() in reverse
order of what assertEqual expects and prints if the assertion fails.
Change-Id: I0b42c2489185904ddeba555237e3c96bb1bb1090
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Instead of having a library have a global (and not garbage
collectable) file cache that is only used by enforcers and
no other code have the file cache be per-enforcer so that it
can be garbage collected when the enforcer drops from the
scope its used in.
This also removes one more usage of global state with instance
specific state, which makes things easier to test and easier
to isolate problems in (the less things that can be 'touched
at a distance' the better).
Change-Id: I208b08ae00e0337b594ece0f2b335d4de9f7392b
|
| |
| |
| |
| | |
Change-Id: I69787bfb1f32534b46672cc1be503c1e38e9f96f
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To start translation, we need to initially import the
translation file - and place it at the proper place so that
the usual CI scripts can handle it.
The proper place is for all python projects
$PROJECT/locale/$PROJECT.pot - see setup.cfg.
Further imports will be done by the OpenStack Proposal bot.
This patch is needed by https://review.openstack.org/210774 .
Change-Id: I2aa56455a15dee0beb4da2b733e172d235a0d02a
|
|
|
|
| |
Change-Id: I00e47063a5eaff9352a03cd3985981538ac9b0f5
|
|
|
|
| |
Change-Id: I2a9b613a0cafeee3d972eb017537f37fdd4c6e23
|
|
|
|
| |
Change-Id: Ie699eaf8afc2d64a559b1b07e342436db8555713
|
|
|
|
| |
Change-Id: I8eb33ecedadc59144a067d92b04850ea100a1613
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
- Automatically generate the API docs
- Makes the index on the modules index page useful
Change-Id: I4eafe2c64a0733f6fb81b20e85cd943355860f9a
|
| |
| |
| |
| |
| |
| |
| | |
We're no longer using oslo-incubator specific code, so we can
remove the directory and the config file.
Change-Id: I73049e0dff6f29a719cc9d9c194c24e552095ab1
|
|/
|
|
|
|
|
|
| |
read_cached_file and delete_cached_file are only used in
oslo.policy. isolate the functions there so we can depreate
fileutils.
Change-Id: Ibbcda87eba6e21ace8904e1fb4c700e0790fb477
|
|
|
|
|
|
|
|
| |
Running "pip-missing-reqs" tox target showed these references
in our code. Since we refer to them directly, we should add
them to our requirements.
Change-Id: I3fdd8fa2ac7d5c1a6316874b179ef7a638540451
|
|
|
| |
Change-Id: If9ce04ac555ffd10221739e1582e01ac3d924d2a
|
|
|
|
| |
Change-Id: Ic58778ba5c28c3b5e139ef12bbfa37cb4c10da03
|
|
|
|
| |
Change-Id: Ie60ebf35cdaa4fd869d1654c988be9339d800a5a
|
|
|
|
|
|
|
| |
The docstring for the policy_file argument is incorrect. This patch
updates the default value to the correct one.
Change-Id: I0240da41bf5e4525671bd9a3cf913a60c4d605e2
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Those classes are used in neutron to implement custom attribute
and sub-attribute checks (get_network:attr:subattr syntax).
Those checks do not belong to oslo.policy since they would be
backwards incompatible with existing behaviour, introducing new
semantics and potentially breaking other projects, like nova.
So the alternative is to expose those symbols as part of public
API for the oslo library and allow other projects to reuse them.
More details on neutron issues consuming the library can be
found at:
http://lists.openstack.org/pipermail/openstack-dev/2015-April/061783.html
Related-Bug: #1426082
Change-Id: I6ee9f8f7fcea3ddb2c52b5d58dfce3dd328c9131
|
| |
| |
| |
| |
| |
| |
| | |
Syncing change from oslo-incubator change id:
I7decb7bf5f3185f7d26ad99b0cb3475a88d3ec99
Change-Id: Ib03a947cce5b68d4693c93d740ffa1adecf61c46
|
| |
| |
| |
| |
| |
| |
| | |
Syncing change from oslo-incubator change id:
I7decb7bf5f3185f7d26ad99b0cb3475a88d3ec99
Change-Id: I9604220ae1a3b9d18304e23d9d93bd416ba2eb8d
|
| |
| |
| |
| | |
Change-Id: Ibaac655357e822344661b32a33124a87351ccd2c
|
|/
|
|
| |
Change-Id: Iaefd1a9078f054ecd63afcb1f6d1802c80cbc090
|
|
|
|
|
| |
Change-Id: Ic40b70b488873bf3679b9187d315b3088737e5a3
Depends-On: Ib948b756b8e6ca47a4c9c44c48031e54b7386a06
|
|
|
|
|
|
|
| |
The _load_policy_file method is using double indentation. Fix it by
removing redundant indentation.
Change-Id: Ib31557be298df59b2f4ea05c3f0a8a2b41fe5f36
|
|
|
|
|
|
|
|
|
| |
Provide a more complete description in README.rst, which is used
when viewing the library on pypi.
Also standardize the short-description used in setup.cfg.
Change-Id: Ia3b56ba2abfc0c2826bff8e10f31e196d5c4031b
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The Generic check had no way to identify
a value inside a list. Since Lists are inherantly unstable in
indexing, requiring an index to match is not practical.
Lists now follow the same approach as the OrCheck:
When specifying a value inside a list, each element
of the lsit is checked for a match. If any of the sub lists match,
the check succeeds. Only if the entry is not in the list does the
check fail.
If the value is nested in a dictionary under the list, all of
the subordinate dictionaries are checked in a recursive manner.
Change-Id: Ia286dbd3757703779d7044b3003381eab6c5c919
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
| |
We added policy files in policy.d, currently, the code will
reload the policy in policy.d every enforce been called.
This patch caches the file mtime of the most newest file in
the directory (or the directory itself if it is empty) and uses
that to detect if we need to reload files in the policy.d
directory.
Closes-Bug: 1437992
Co-Authored-By: Eli Qiao <liyong.qiao@intel.com>
Change-Id: Ia8c273c8566a4b472cb8807b1576ef1dee8ef054
|
|
|
|
| |
Change-Id: Ia416f8945ecc9073fbf303be37c411b6f20bbb92
|
|
|
|
| |
Change-Id: If88e06eb52934d7cbf10a84f47776b2e89b568c1
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It is not clear why this is a configurable option. The original
blueprint just wanted the ability to specify a policy.d infrastructure
to make complex policies easier to enforce. There was no requirement
on it being configurable.
Being configurable just exposes another way in which incompatibilities
in OpenStack projects might be able to emerge. As this merged late in
the incubator lifecycle for the policy code, there are likely few/no
existing users of the option so it should be safe to deprecate it
for the library. That way we won't break anyone currently using it,
and don't have to commit to supporting it going forward.
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Change-Id: I40bcbfbd4ab626fa9bfa050792e9ed3cfb587225
|
|/
|
|
| |
Change-Id: I0a7d0e7e5f9a6ee9952ebeb30f27fb29c029f7b8
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Those symbols are used by Neutron for legitimate cases (defining a
custom check).
Change-Id: I96e9838068194b7b0903a738a94eb8f1b01ecdbe
Closes-Bug: #1426005
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When policy disallows an action, the existing exception doesn't
contain anything except the rule. That means finding out why becomes
somewhat difficult. We should provide the matrix of information that
was used in the decision in the exception.
Change-Id: I99c46fcc9f16f2b13a1b5527a3754da26dacf248
|
|/
|
|
| |
Change-Id: I1c14ac1b423d1408e8dde06af79163baa6d38877
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Many services currently construct a Rules instance from a dictionary in
their tests. It would be beneficial to them if they didn't have to
import oslo_policy._parser in order to parse a rule before passing it to
Rules.__init__. Adding a Rules.from_dict classmethod should satisfy the
need to create a Rules instance from a dictionary in tests.
Change-Id: I3d73059277c45d4852f842474c6f1d61daa349b8
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously we were using assertEqual(True, expected) or
assertEqual(False, exepected) instead of assertTrue or assertFalse
respectively. This simply updates the existing tests to follow the
common practice in oslo and OpenStack.
Change-Id: I05747a13533be00f7adc827276b833ae6aefd725
|
|/
|
|
|
|
|
|
|
| |
The order of parameters needs to be (expected, actual) and many of the
tests in test_checks, test_parser, and test_policy were not following
that convention.
Closes-bug: 1277104
Change-Id: I2259972de4961bf9d5f9c6742d81eb083b770fba
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the option definitions into the opts module with the other
functions related to options.
Add set_defaults() to override the default settings for options and make
it part of the public API of the library by including it in the
documentation.
Add opts._register() so the options can be registered consistently from
multiple places.
Change-Id: Ib74beac58a07bf5ee0f92c2b7eda8281ef7d7c33
|