Commit message    Author    Age    Files    Lines
* Reload files in policy_dirs on primary file change [stein-em, 2.1.3, stable/stein] (Dmitrii Shcherbakov, 2020-06-17; 3 files, -7/+85)

    It was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change. This change introduces additional behavior to make sure the rules from policy_dirs are reapplied if there is a change to the primary policy file.

    Change-Id: I8a6f8e971d881365c41ea409966723319d5b239a
    Closes-Bug: #1880959
    Related-Bug: #1880847
    (cherry picked from commit 75677a31108243e0adddc89f1fbf669053f9573b)
    (cherry picked from commit 5904564bf13bbac7d66e00ec6312487c507f09c4)
* Merge "Fix reference cycle caused by deprecated sample override" into stable/stein [2.1.2] (Zuul, 2019-09-25; 2 files, -1/+40)

* Fix reference cycle caused by deprecated sample override (Ben Nemec, 2019-09-24; 2 files, -1/+40)

    In the sample policy generator, we create a rule that maps the deprecated name of a policy to the new rule name. For example:

        identity:old_rule: rule:identity:new_rule

    However, in the policy code, if we see an override of a deprecated name and no override for the new name, we apply the value of the deprecated name to the new name. In the above case, this results in us creating a rule that looks like:

        identity:new_rule: rule:identity:new_rule

    which is a circular reference and nonsense.

    To fix this, I added a check to the deprecated rule logic that looks for instances where the old override is just a reference to the new rule. If that's the case, then we don't need to do anything because it's already doing the right thing.

    Change-Id: Ifd14993bc84e83c13abab3456fbf670c06e5806f
    Closes-Bug: 1843931
    (cherry picked from commit 82a2c8d8b71896b1f8b7f33c560681367ae76755)
* Merge "Only alias when policy names change" into stable/stein (Zuul, 2019-09-25; 2 files, -6/+56)

* Only alias when policy names change (Lance Bragstad, 2019-09-24; 2 files, -6/+56)

    Previously, oslo.policy would generate policy files with aliased names in the event the name was changing for backwards compatibility. This isn't needed if the name isn't changing and only the check string is changing.

    This patch adds a conditional to the generator logic that only aliases the old name to the new name if the name is changing. Otherwise, it only outputs comments about the deprecation.

    Co-Authored-By: Ben Nemec <bnemec@redhat.com>
    Closes-Bug: 1845209
    Change-Id: I89ff60354e4751a5096832023441d2e6166db92a
    (cherry picked from commit 9641e5ca0d758376fb7f7f5156056d5206d71046)
* Cap Bandit below 1.6.0 and update Sphinx requirement (Ben Nemec, 2019-09-24; 1 file, -2/+3)

    Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem.

    Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well.

    Change-Id: Idead9b4198c6b05d72bae60dee06e5aebc223822
    Reference: https://github.com/PyCQA/bandit/pull/489
    (cherry picked from commit 1d7ca8a198419896346369311fccedea5a559f66)
* OpenDev Migration Patch (OpenDev Sysadmins, 2019-04-19; 1 file, -1/+1)

    This commit was bulk generated and pushed by the OpenDev sysadmins as a part of the Git hosting and code review systems migration detailed in these mailing list posts:

    http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
    http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

    Attempts have been made to correct repository namespaces and hostnames based on simple pattern matching, but it's possible some were updated incorrectly or missed entirely. Please reach out to us via the contact information listed at https://opendev.org/ with any questions you may have.
* Update UPPER_CONSTRAINTS_FILE for stable/stein (OpenStack Release Bot, 2019-03-18; 1 file, -1/+1)

    Update the URL to the upper-constraints file to point to the redirect rule on releases.openstack.org so that anyone working on this branch will switch to the correct upper-constraints list automatically when the requirements repository branches.

    Until the requirements repository has a stable/stein branch, tests will continue to use the upper-constraints list on master.

    Change-Id: I4abffcc44eb91685491bf04555662904c0f09965
* Update .gitreview for stable/stein (OpenStack Release Bot, 2019-03-18; 1 file, -0/+1)

    Change-Id: I39ce760eaf7fbe5f4b0e0811b7bc3df7c2ba6e9a
* add python 3.7 unit test job [2.1.1] (ZhongShengping, 2019-02-19; 1 file, -0/+1)

    This is a mechanically generated patch to add a unit test job running under Python 3.7. See ML discussion here [1] for context.

    [1] http://lists.openstack.org/pipermail/openstack-dev/2018-October/135626.html

    Story: #2004073
    Task: #27440
    Change-Id: I52a1172779d901ce9f8525b87d7d15b0200b8674
* Update hacking version (ZhijunWei, 2019-02-13; 3 files, -8/+7)

    Change-Id: I7009b639743c22f885cebd532a3d6c1b0f9f1226
* Merge "Add policy-upgrade tool" [2.1.0] (Zuul, 2019-01-23; 4 files, -0/+160)

* Add policy-upgrade tool (wangxiyuan, 2018-12-11; 4 files, -0/+160)

    Add a new "oslopolicy-policy-upgrade" command. Using this command, operators can upgrade their self-defined policy files to follow the new format in the new release when upgrading OpenStack services.

    Change-Id: Iad9740bd8a5e4fdf1d1e64d61bc93f2483c531f3
* Add ability for policy-checker to read configuration (Juan Antonio Osorio Robles, 2019-01-21; 1 file, -8/+27)

    Reading configurations will enable us to be able to use the oslopolicy-checker to do external checks (which require the configuration in the enforcer).

    Change-Id: If2e697f9ac0317046f5a872ad668b42c1b32eb1e
    Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
* Merge "Fixes is_admin type from StrOpt to BoolOpt." [2.0.0] (Zuul, 2019-01-18; 1 file, -9/+7)

* Fixes is_admin type from StrOpt to BoolOpt. (Moisés Guimarães de Medeiros, 2019-01-03; 1 file, -9/+7)

    oslo.config already has a proper type to deal with boolean options.

    Change-Id: I675c1dbfa13ca68506042f7907082b0e3d51672a
    Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
* Merge "Fixes file access using with statements." [1.44.1] (Zuul, 2019-01-11; 2 files, -16/+20)

* Fixes file access using with statements. (Moisés Guimarães de Medeiros, 2019-01-03; 2 files, -16/+20)

    Change-Id: If29fcf542c48a931edfebb7763d80f045c2fa0d7
    Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
* Fix sample config value when set_defaults is used (Ben Nemec, 2019-01-07; 2 files, -3/+11)

    By calling set_default[1] on a conf object it only applies to opts registered to that object. This causes an incorrect value to appear in the generated sample config because it deals with a list of raw opts, not a conf object.

    To fix this, we can call the global set_defaults[2] on the cfg module which alters the opts directly. This is the method used in the cors middleware[3] and works as expected there.

    This does complicate the unit tests, however. Because we're altering global state we need to save the original opts and restore them after the test. Furthermore, the conf.reset() call in the config fixture doesn't sufficiently reset the conf object to allow it to recognize the replaced opts. For the purposes of this test we can just create a standalone conf object though, which gets past that problem. It's possible that we should fix reset() so it actually removes opts in groups completely, but I'm unsure what implications that might have for other users of the function.

    1: https://github.com/openstack/oslo.config/blob/b5df53543fd3edbc369cacbdd1c3038bdce9085e/oslo_config/cfg.py#L2433
    2: https://github.com/openstack/oslo.config/blob/b5df53543fd3edbc369cacbdd1c3038bdce9085e/oslo_config/cfg.py#L391
    3: https://github.com/openstack/oslo.middleware/blob/8c7fa5bb105cdfd15376c6b1f42ef1383b7cb3eb/oslo_middleware/cors.py#L88

    Change-Id: I3af9de1b39b6360ecfcb448d8c37b463e1a42ca7
    Closes-Bug: 1807184
* Merge "Use oslo.config instead of argparse." [1.44.0] (Zuul, 2018-12-24; 1 file, -30/+34)

* Use oslo.config instead of argparse. (Moisés Guimarães de Medeiros, 2018-12-20; 1 file, -30/+34)

    Changing arg consumption from argparse to oslo.config in order to also provide behavior control using config files.

    Change-Id: Iec4dab763b973b70c98077cb29708acd9cbbcec4
    Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
* Use template for lower-constraints (Andreas Jaeger, 2018-12-20; 1 file, -11/+6)

    Small cleanups:
    * Use openstack-lower-constraints-jobs template, remove individual jobs.
    * Sort list of templates

    Change-Id: If1babd86d4695fe216ff703ed862c3f06d448e15
    Needed-By: https://review.openstack.org/623229
* Prevent sensitive target data from being logged [1.43.1] (Lance Bragstad, 2018-12-05; 1 file, -2/+7)

    A previous commit made some changes to allow for more robust logging of RBAC enforcement data:

    I4642c57990b145c0e691140970574412682e66a5

    This also included logging of the target data, which is provided by the service calling policy enforcement. This commit makes it so that target data is protected from exposing sensitive information. A good example is doing operations on users in keystone since keystone would populate the target dictionary with user information, and possibly passwords.

    This issue was found in keystone unit testing while trying to consume oslo.policy 1.43.0.

    Change-Id: I2702df8f3d7c040312eb863f7772b129e0e2c45c
* Merge "Change openstack-dev to openstack-discuss" (Zuul, 2018-12-04; 1 file, -1/+1)

* Change openstack-dev to openstack-discuss (ZhongShengping, 2018-12-04; 1 file, -1/+1)

    Mailing lists have been updated. Openstack-discuss replaces openstack-dev.

    Change-Id: I84f738109f098415496619df423db7778b2fdcf2
* Merge "Add domain scope support for scope types" [1.43.0] (Zuul, 2018-12-04; 5 files, -10/+108)

* Add domain scope support for scope types (Lance Bragstad, 2018-11-30; 5 files, -10/+108)

    This commit makes it easier for services to protect APIs meant for domain-only operations. It does this by making "domain-scope" an official scope type to check for during policy enforcement. A good example of where this would be useful is protecting the user API in keystone, since users are technically owned by domains.

    This commit bumps the version of oslo.context to 2.22.0, which also has domain support.

    Depends-On: https://review.openstack.org/#/c/613635/
    Change-Id: Ifc83a5f261bc823060eca5c4d0a4bf07966794c4
* Merge "Make upgrades more robust with policy overrides" (Zuul, 2018-12-04; 2 files, -60/+204)

* Make upgrades more robust with policy overrides (Lance Bragstad, 2018-11-29; 2 files, -60/+204)

    Previously, we'd notify operators of changing or deprecated policies by logging a warning while loading rules. However, this doesn't prevent unintended access if an operator is overriding a policy by its old policy name. In this case, let's make sure we check if the old policy is being overridden and use that override for the new policy's check value.

    This commit introduces this change along with a few tests. It also refactors the deprecated rule logic in load_rules() to separate methods so that it's a little easier to understand where that logic happens within the load_rules() method without cluttering it.

    Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
    Closes-Bug: 1800259
    Change-Id: Ice27cdb44241da94693625776037ea6164bbb913
* Merge "Fully log RBAC enforcement data" (Zuul, 2018-12-03; 2 files, -0/+33)

* Fully log RBAC enforcement data (John Dennis, 2018-11-30; 2 files, -0/+33)

    Data passed to the RBAC enforce function consists of 3 items:

    * rule name or rule object
    * credential data
    * target data

    Both the credential and target are dicts. When policy enforcement does not work as expected it's essential to capture the input to the enforcement engine so as to ascertain why the rule did not work as expected. It would also be highly advantageous if the logging were in a format that could be digested by other tools (e.g. oslopolicy-checker).

    This patch does two things:

    1) It logs the policy relevant input to Enforcer.enforce()
    2) It eschews the use of Python's string formatting which may not fully dump the contents of the dicts and is not easily parsed in favor of using JSON format which does fully capture the object's content and can be used in data exchange (and can be read by oslopolicy-checker).

    Contents of the credentials dict are filtered to scrub security sensitive data.

    Closes-Bug: #1804073
    Change-Id: I4642c57990b145c0e691140970574412682e66a5
    Signed-off-by: John Dennis <jdennis@redhat.com>
* Merge "oslopolicy-checker: iterate through rules in sorted order" [1.42.0] (Zuul, 2018-12-03; 2 files, -1/+32)

* oslopolicy-checker: iterate through rules in sorted order (Juan Antonio Osorio Robles, 2018-11-27; 2 files, -1/+32)

    This makes it easier for folks checking their policies to just execute their rule checks and compare them with the original output, instead of having to manually pipe the result and sort it.

    Change-Id: I8d45173578d3b309b97caaa7d4e87cb2aec0e8f2
* Merge "Enhance test to prevent JSON parsing regression" (Zuul, 2018-11-29; 1 file, -4/+35)

* Enhance test to prevent JSON parsing regression (Brian Rosmaita, 2018-11-26; 1 file, -4/+35)

    Change I43782d245d7652ba69613b26fe598ac79ec19929 added a policy file parsing optimization that had the effect of allowing some strictly speaking invalid JSON policy files to be accepted. Enhance the test for bad JSON to look for this to prevent formerly acceptable policy files from becoming invalid if the code is refactored at some point.

    Also updates two related comments that had gotten out of sync with the code.

    Change-Id: I6a269b91436cac29bd72e11dbdc51ee74feca028
* Correct typo in docs (Brian Rosmaita, 2018-11-26; 2 files, -4/+4)

    In the "special checks" section, 'role' and 'rule' are keywords and should not be enclosed in '< >'.

    Change-Id: Ia3c1b47f1c8452bcca62961de4414d21d7ebf481
* Fix usage of token fixture in shell tests [1.41.1] (Juan Antonio Osorio Robles, 2018-11-22; 1 file, -2/+5)

    The way we were using the token fixture in the shell tests was modifying the structure. If the test would get run by the same process, it would then use the modified structure and the test would fail. This uses deepcopy instead, so this way, we never modify that fixture.

    Change-Id: Ib88feee7d7fe72c66b4e8af510f9f28411ac47df
* Add ability to pass in target data for the oslopolicy-checker [1.41.0] (Juan Antonio Osorio Robles, 2018-11-02; 3 files, -5/+99)

    This allows us to test the policy for other services which might have different or unusual target data formats (such as Barbican). It would be possible to pass it as a nested dictionary, e.g.:

        { "target": { "secret": { "project_id": "my project id" } } }

    or as a key pair (as oslo.policy would expect):

        { "target.secret.project_id": "my project id" }

    Both will work (note that this logic was taken from barbican).

    This works around the limitation that the target is hardcoded to be "project_id", and thus allows testing more scenarios (such as the project ID not matching).

    Change-Id: Ia9f7462072a8cb142251c8bb5ef19d9a25a98119
* Pass in policy name as part of the oslopolicy-check check call (Juan Antonio Osorio Robles, 2018-11-01; 2 files, -1/+29)

    We were not passing the policy name, which made it quite hard to test out external checks given that this is information that is passed in there. This passes that parameter.

    Change-Id: I217a6545bdf753470e08b39de2c0df08ffa1f82f
* Unit test for CLI (Adam Young, 2018-10-31; 1 file, -0/+49)

    This adds unit tests for the shell.py file, which is what we use for the oslopolicy-checker command.

    Change-Id: I52d8669b30e868a4fbdb33316f4db31947b08fa2
* Merge "Update sphinx extension logging" [1.40.1] (Zuul, 2018-10-19; 1 file, -3/+7)

* Update sphinx extension logging (Sean McGinnis, 2018-10-16; 1 file, -3/+7)

    Sphinx 1.6 deprecated using the application object to perform logging and it will be removed in the upcoming 2.0 release. This updates our extensions to use the recommended sphinx.util.logging instead.

    Change-Id: Ia9edbfd551d260b798818940e4d156957f382324
    Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
* Add minor nits in testing documentation (Lance Bragstad, 2018-10-16; 1 file, -4/+4)

    This commit addresses nits from https://review.openstack.org/#/c/604192/1

    Change-Id: I2ca0cd67eca4d1b2d0320f7ecb40c9ff55229b12
* Merge "Add docs for developers testing APIs" (Zuul, 2018-10-16; 1 file, -0/+150)

* Add docs for developers testing APIs (Lance Bragstad, 2018-09-20; 1 file, -0/+150)

    Change-Id: Ie752d7e9d40be33ba29f6c14d6a6f16e1fcc66f1
* Merge "Add guidelines for naming policies" (Zuul, 2018-10-16; 1 file, -0/+104)

* Add guidelines for naming policies (Lance Bragstad, 2018-10-12; 1 file, -0/+104)

    Inconsistent policy names across OpenStack services have been a pain point for operators and users for a long time. This is an attempt at documenting a set of conventions for developers to work towards to provide a more uniform experience.

    These conventions were discussed publicly on the mailing list:

    http://lists.openstack.org/pipermail/openstack-dev/2018-September/134597.html

    Change-Id: I8831c44a3544d11c0bb1c0ce58d1a140f861e22b
* Clean up .gitignore references to personal tools (ZhongShengping, 2018-10-15; 1 file, -4/+11)

    Developers run all sorts of different tools within Git repositories, any of which can leave their own special trashfiles all over the place. We can't ever hope to catalog them all, so better to recommend developers simply configure a global core.excludesfile to filter the irrelevant files which tend to get created by their personal choice of tools. To this end, remove the long-standing sections for "Mr Developer" and "Editors" since their mere existence here sends the signal that we welcome (and have time to review) additions for any old tool someone ever might happen to try. Also add a comment block explaining this, for clarity.

    We can, and should of course, continue to list files created by the tools recommended by our workflow (test frameworks called from tox, documentation and packaging builds, et cetera).

    This change is a port of I1b41efac219fca44e2548fc36633724d0ecfc0cb from the openstack-dev/oslo-cookiecutter repository.

    Change-Id: I3eeb6157ed79e2b75e14e8e94fcfe40c4bf7ff42
* Merge "sphinxext: Start parsing 'DocumentedRuleDefault.description' as rST" [1.40.0] (Zuul, 2018-10-08; 1 file, -6/+13)

* sphinxext: Start parsing 'DocumentedRuleDefault.description' as rST (Stephen Finucane, 2018-08-22; 1 file, -6/+13)

    Users expect this to be parsed as rST and write their docstrings accordingly. This has the potential to introduce warnings for users with improperly formatted rST and these warnings can be promoted to errors if 'sphinx-build' is used with the '-W' option. As a result, we disable the 'warning-is-error' logger for these options. We may wish to change this behavior in the future.

    It is not really possible to test this yet as the output wouldn't look much different. In addition, the error messages generated are rather unhelpful. Both of these can be changed in a future modification.

    Change-Id: I4572eef31a8675eabb791c14279490348e949cd0
    Signed-off-by: Stephen Finucane <sfinucan@redhat.com>