| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Blacklist:
W503 line break before binary operator
W504 line break after binary operator
Fix:
E123 closing bracket does not match indentation of opening bracket's line
E126 continuation line over-indented for hanging indent
Change-Id: I39003496a3f4be5a4cb05cdbae53a9c097e34e14
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sphinxpolicygen is calling the generate_sample cli entrypoint when
we aren't actually the command being run. This can cause problems
if the consuming project has cli args that get registered on import
of their modules because we may have parsed args before those modules
get imported. This results in an exception because oslo.config won't
allow cli args to be registered after they've been parsed once.
This change makes use of the existing parameter to generate_sample
that allows us to pass in a local config object on which to register
the cli args. This way we can parse them without affecting the
global config object.
This was the only place I could find that we were doing something
like this so I believe it should eliminate the problem.
Change-Id: I8e9f28b0a15d1ed092d72b983be74fe281708fbe
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to fix the referenced bug, we need to register cli args on
the global config object. Unfortunately, that causes issues because
our consumers are re-calling the conf object in their enforcers due
to the way we used to handle cli args. Specifically, the conf call
in the consumer fails because the namespace arg from oslo.policy is
registered as required, but they don't pass it to the conf call.
Long-term we want to stop having consumers call the conf object at
all, but in the meantime we need to provide a migration path that
doesn't break them. This change registers the namespace arg as
optional on the conf object and temporarily moves the required check
to oslo.policy. This will allow us to maintain the existing behavior
for our cli tools while not breaking consumers who haven't migrated
to the new cli arg behavior.
Note that we do have unit test coverage of this behavior[0], so we
can be reasonably confident the explicit check is maintaining
compatibility.
Change-Id: I34ce1dd15c464bec319e51d3e217e26554f1a944
Closes-Bug: 1863637
Related-Bug: 1849518
0: https://github.com/openstack/oslo.policy/blob/6e2fe3857367eb2b3e2d2e92121a408e1ff89ea4/oslo_policy/tests/test_generator.py#L500
|
| |
|
|
| |
Change-Id: I085654bfac96462538f44621222ff97faa637ccf
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenStack is dropping the py2.7 support in Ussuri cycle.
Complete discussion & schedule can be found in
-
http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010142.html
- https://etherpad.openstack.org/p/drop-python2-support
Ussuri Communtiy-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html
Change-Id: If6a07eee86a2aaf65bdf9fbb338809ad47e02a46
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently, passing --config-file to a tool like oslopolicy-list-redundant
is ineffective because the projects pass an empty cli arg list to the
conf object when they initialize it. By registering our cli args on the
global conf object, the projects can safely parse cli args in their
call to the conf object so things like --config-file won't be ignored.
This didn't work before because oslo.policy recognizes cli args like
--namespace that aren't recognized by the consuming projects.
This will require followup changes in each project to stop passing an
empty cli arg list to the conf object initialization. In the meantime,
everything should continue to work as it did before.
Change-Id: Iacd257fc6c351582de45476768e3fd1775317d3c
Closes-Bug: 1849518
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
The oslo.policy docs on writing custom policy checks use things like
the admin role without explaining where it comes from. This change
adds a link to the Keystone docs that explain which roles are created
by default and what they provide access to.
Change-Id: I70c01ad88344edd2db384da8b24ba0238764a8ec
|
| | |
| |
| |
| |
| |
| |
| |
| | |
It was confusing that this was titled "Writing custom check rules"
when it only discussed HTTP check rules. This makes it more clear
what the document deals with.
Change-Id: If23d817ab1392b97f1e2d8cfc3ddef2be9d9619c
|
| | |
| |
| |
| |
| |
| | |
https://docs.openstack.org/pbr/latest/user/features.html#test
Change-Id: Ie5f7cf0d8eefed2ee756114ef5a145fe151b11b2
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Move 'basepython' to the top-level 'testenv'.
Use the default 'install_command'
https://tox.readthedocs.io/en/latest/config.html#conf-install_command
Change-Id: Ie53c073d62d0adf3627b165f1ad11c02b1927904
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
For compliance with the Project Testing Interface as described in:
https://governance.openstack.org/tc/reference/project-testing-interface.html
For more detials information, please refer to:
http://lists.openstack.org/pipermail/openstack-dev/2017-December/125710.html
Change-Id: I1c10b87297a23e010613e951f65913bb54baf6b9
Co-Authored-By: Stephen Finucane <sfinucan@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Constructing a policy string by sticking ' or ' between the new and
deprecated check_str values is error-prone. Construct the policy
programmatically instead by parsing the check_str values separately and
combining them into an OrCheck.
Change-Id: Ia2ee05aa08326c6daa214a7b1156baa6efe43dc0
Closes-Bug: #1856207
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Some options are now automatically configured by the version 1.20:
- project
- html_last_updated_fmt
- latex_engine
- latex_elements
- version
- release.
Change-Id: I2c9f7b72a52edde7b18dc66bcc8c655630b3bbc2
|
| |\ \ \
| |/ /
|/| | |
|
| | |/
| |
| |
| | |
Change-Id: Ide0ce0642f30d3f5f6880d43cd5937ca63129065
|
| |\ \ |
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Sphinx 1.8 introduced [1] the '--keep-going' argument which, as its name
suggests, keeps the build running when it encounters non-fatal errors.
This is exceptionally useful in avoiding a continuous edit-build loop
when undertaking large doc reworks where multiple errors may be
introduced.
[1] https://github.com/sphinx-doc/sphinx/commit/e3483e9b045
Change-Id: I9af0e8323b85d47983274b4d45b27f6c036ea5a8
|
| |\ \
| |/
|/| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Without this patch, the policy checker issues a 'failed' result when
checking a system-scoped sample token against a policy string like
"role:admin and system_scope:all", because the policy checker does not
understand the 'system_scope' attribute that is now in oslo.context[1]
and wasn't parsing the "system" scope object from the sample token.
Similarly, it fails on a string like "user_id:%(user_id)s" because it
never looked up the user_id from the sample token. This change updates
the policy checker to understand token contexts and policies like these
so that more of the policy defaults in keystone, and soon other
projects, will pass. This also adds a new system-scoped sample token to
check against.
[1] https://review.opendev.org/530509
Change-Id: I02fbbc99d28aa5c787133f530f6e968341107bf7
|
| |\ \ |
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When running the tool against a project with a lot of deprecated
policies, the deprecation warnings overwhelm the important output
from the tool. Since checking for deprecations isn't the purpose of
this tool, let's just suppress warnings and limit the output to the
list of redundant policy rules that the user cares about.
I will note that the suppress_deprecation_warnings member is marked
as test only, but that was targeted at consumers of oslo.policy
rather than oslo.policy itself. I could also argue that we're
"testing" for redundant policies here, but that feels like semantic
hair splitting. :-)
Change-Id: I194af14ebd341366dbb1dd033654739a7f3d085c
Partial-Bug: 1836568
|
| |\ \ |
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add file to the reno documentation build to show release notes for
stable/train.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.
Change-Id: I8cb1d87c0a6ab7da1918e69cd52fd40276717d5b
Sem-Ver: feature
|
| | |
| |
| |
| |
| |
| | |
For more detail, see http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006478.html
Change-Id: Ic8a10192e3971bbda6be45518ffe9c472369d353
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the sample policy generator, we create a rule that maps the
deprecated name of a policy to the new rule name. For example:
identity:old_rule: rule:identity:new_rule
However, in the policy code, if we see an override of a deprecated
name and no override for the new name, we apply the value of the
deprecated name to the new name. In the above case, this results
in us creating a rule that looks like:
identity:new_rule: rule:identity:new_rule
which is a circular reference and nonsense.
To fix this, I added a check to the deprecated rule logic that looks
for instances where the old override is just a reference to the new
rule. If that's the case, then we don't need to do anything because
it's already doing the right thing.
Change-Id: Ifd14993bc84e83c13abab3456fbf670c06e5806f
Closes-Bug: 1843931
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, oslo.policy would generate policy files with aliased names
in the event the name was changing for backwards compatibility. This
isn't needed if the name isn't changing and only the check string is
changing.
This patch adds a conditional to the generator logic that only aliases
the old name to the new name if the name is changing. Otherwise, it
only outputs comments about the deprecation.
Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Change-Id: I89ff60354e4751a5096832023441d2e6166db92a
|
| |\ \ |
|
| | | |
| | |
| | |
| | | |
Change-Id: I2f12fb5058984c1fc6beda4d13f934dd9b218218
|
| |\ \ \ |
|
| | | |/
| |/|
| | |
| | | |
Change-Id: I7c761710e88d144fef4736295e8d9dd85bf72396
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Without this patch, if a project is going through a heavy policy
refactor, significant numbers of deprecation warnings are emitted. When
the enforcer is repeated reinitialized, as is the case when unit
testing, the vast amount of logs resulting from the warnings is both
unnecessary and harmful as it impedes log readability and explodes the
size of the logs, thereby causing CI instability as the infrastructure
struggles to process the logs.
This change adds a public attribute to the enforcer object to allow
callers to suppress these logs. This is not exposed as a configuration
option because we do not want to allow operators to suppress these logs,
and the warnings that occur when the enforcer is only reinitialized when
the process is reloaded are not nearly so debilitating as they are
during, e.g., a unit test run when the enforcer is generally
reinitialized for every test.
The Python warnings module allows for setting global attributes to
filter logs, and it might have been useful for the consuming project to
filter these logs at that level rather than modifying the policy
enforcer to turn log emissions on and off. The problem with this
approach is that if the number of deprecations is extreme, as may be the
case during a heavy refactor, the warnings filter can become so
inefficient that the test run can take much longer, causing even further
CI stability as test runs reach timeout limits.
Needed-by: https://review.opendev.org/673933
Change-Id: Ibfc7d4fca02b896953f80ddf1a9a8b9a19444f72
Related-bug: #1836568
|
| |/
|
|
|
|
|
|
|
|
|
|
| |
This is a mechanically generated patch to ensure unit testing is in place
for all of the Tested Runtimes for Train.
See the Train python3-updates goal document for details:
https://governance.openstack.org/tc/goals/train/python3-updates.html
Change-Id: I64676b14b8a69d07e1b5fdc85e2a29523d4cf31d
Story: #2005924
Task: #34234
|
| |
|
|
| |
Change-Id: Iafa01298a49342ce8b0a1405d2d8ea2b61b3e198
|
| |\ |
|
| | |
| |
| |
| |
| | |
Change-Id: I06b5f84891c7d90837cfbbdbb532f8479620c6c7
Closes-Bug: #1827761
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bandit 1.6.0 accidentally changed how the exclusion list option is
handled and breaks our use of it. Cap to the previous version until
Bandit has fixed the problem.
Sphinx 2.0 no longer works on python 2.7, so we need to start capping
it there as well.
Change-Id: Idead9b4198c6b05d72bae60dee06e5aebc223822
Reference: https://github.com/PyCQA/bandit/pull/489
|
| |\ \
| |/
|/| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
All the integration testing has been moved to
Bionic now[1] and py3.5 is not tested runtime for
Train or stable/stein[2].
As per below ML thread, we are good to drop the py35
testing now:
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/005097.html
[1] http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004647.html
[2]
https://governance.openstack.org/tc/reference/runtimes/stein.html
https://governance.openstack.org/tc/reference/runtimes/train.html
Change-Id: Ic757ff7963f1dabd70610a884a4c61e747cd3961
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html
Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
|
| |
|
|
|
|
|
|
|
|
|
| |
This options help text was ambiguous and didn't really give readers
a good idea of what policies were or if the path could be relative,
absolute, or both.
This commit attempts to clarify the help text a little bit so that
readers have a little more to go on.
Change-Id: Icda67f07f0ef5ee256113634d29f4662b48140cc
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: I4ab63935e8382bd0e5903297f2a5cd424884b38b
Sem-Ver: feature
|
| |
|
|
|
|
|
| |
Previously the code snippet for tox.ini genpolicy pointed to the output yaml
instead of the config file.
Change-Id: Ia575beabad06f081d4f68bff8fcf83566331f1d6
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
With python3.6 and python3.7 jobs added to the Zuul jobs, it makes sense
to add this to the tox config too so that developers can run those
tests as well.
Change-Id: Iccc84a4336302b49a2d5e9a82518c06914f4794a
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously if a non-existent namespace was specified, we just got
a generic KeyError from stevedore that didn't say a whole lot about
what went wrong. You pretty much had to go read the code to figure
out what happened.
This change adds an explicit check for a missing namespace and raises
a KeyError with a more specific error message that explains what is
wrong.
Change-Id: Ia56d4655d70cee78661567188a977f67b7c3ee78
Closes-Bug: 1817953
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is a mechanically generated patch to add a unit test job running
under Python 3.7.
See ML discussion here [1] for context.
[1] http://lists.openstack.org/pipermail/openstack-dev/2018-October/135626.html
Story: #2004073
Task: #27440
Change-Id: I52a1172779d901ce9f8525b87d7d15b0200b8674
|
| |
|
|
| |
Change-Id: I7009b639743c22f885cebd532a3d6c1b0f9f1226
|
