Beispiel #1
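def read_policyd_dirs():
    """Return a mapping of policy type to directory name.

    This returns a subset of:

        {
            'identity': ['keystone_policy.d'],
            'compute': ['nova_policy.d'],
            'volume': ['cinder_policy.d'],
            'image': ['glance_policy.d'],
            'network': ['neutron_policy.d'],
        }

    depending on what is actually set in the policy directory that has
    been written.

    Any failure while reading the directory is logged and reported as an
    empty mapping; this function does not raise.

    :returns: mapping of type to policyd dir name.
    :rtype: Dict[str, List[str]]
    """
    policy_dir = policyd.policyd_dir_for('openstack-dashboard')
    try:
        # Only the immediate sub-directories of policy_dir are needed, so take
        # the first entry os.walk() produces instead of materialising the
        # whole tree.  os.walk() yields nothing for a missing or unreadable
        # top directory, which is reported as "no policy dirs".
        top_level = next(os.walk(policy_dir), None)
        if top_level is None:
            return {}
        _, dirs, _ = top_level
        return {
            k: [v]
            for k, v in POLICYD_HORIZON_SERVICE_TO_DIR.items() if v in dirs
        }
    except Exception:
        # Something else went wrong; log it but don't fail.
        # NOTE(review): callers cannot tell "no override directories" apart
        # from "could not read them" -- both come back as {}.  Whether that
        # is the safe direction depends on how the result is consumed; the
        # ERROR log below is the only signal, so it should be monitored.
        log("read_policyd_dirs went wrong -- need to fix this!!", ERROR)
        import traceback
        log(traceback.format_exc(), ERROR)
        return {}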
Beispiel #2
def copy_conf_to_policyd():
    """Mirror DASHBOARD_PKG_DIR/conf into the dashboard policy.d directory.

    Called once the policy.d resource file has been processed, so that the
    packaged and templated policy files under DASHBOARD_PKG_DIR/conf/ end up
    in /etc/openstack-dashboard/policy.d/.  Directories are created with
    horizon:horizon ownership and mode 0o775; files are written through
    write_file() with horizon:horizon ownership.
    """
    log("policyd: copy files from conf to /etc/openstack-dashboard/policy.d",
        level=INFO)
    conf_dir = os.path.join(DASHBOARD_PKG_DIR, 'conf')
    policy_dir = policyd.policyd_dir_for('openstack-dashboard')
    # Number of path components in conf_dir; everything after them in a
    # walked path is the location relative to conf_dir.
    prefix_len = len(conf_dir.split(os.path.sep))
    for current, subdirs, filenames in os.walk(conf_dir):
        relative_parts = current.split(os.path.sep)[prefix_len:]
        relative_root = os.path.sep.join(relative_parts)
        # Create any sub-directory that is not yet present in the target.
        for subdir in subdirs:
            target_dir = os.path.join(policy_dir, relative_root, subdir)
            if os.path.exists(target_dir):
                continue
            mkdir(target_dir, owner='horizon', group='horizon', perms=0o775)
        # Copy file contents; existing destination files are overwritten.
        # NOTE(review): open() follows symlinks, so a link placed inside
        # conf_dir would have its target's content copied into policy.d.
        # This presumably relies on conf_dir being writable only by root /
        # the package -- confirm.
        for filename in filenames:
            source = os.path.join(conf_dir, relative_root, filename)
            dest = os.path.join(policy_dir, relative_root, filename)
            with open(source, 'r') as fh:
                content = fh.read()
            write_file(dest, content, 'horizon', 'horizon')
    log("...done.", level=INFO)
Beispiel #3
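def maybe_handle_policyd_override(openstack_release, hook):
    """Handle the use-policy-override config flag and resource file.

    This function checks that policy overrides are supported on this release,
    that the config flag is enabled, and then processes the resources, copies
    the package policies to the config area, loads the override files.  In the
    case where the config flag is false, it removes the policy overrides by
    deleting the config area policies.  Note that the template for
    `local_settings.py` controls where the horizon service actually reads the
    policies from.

    Note that for the 'config-changed' hook, the function is only interested in
    whether the config value of `use-policy-override` matches the current
    status of the policy overrides success file.  If it doesn't, either the
    config area policies are removed (i.e. False) or the policy overrides file
    is processed.

    :param openstack_release: The release of OpenStack installed.
    :type openstack_release: str
    :param hook: The hook name
    :type hook: str
    """
    log("Seeing if policyd overrides need doing", level=INFO)
    if not policyd.is_policyd_override_valid_on_this_release(
            openstack_release):
        log("... policy overrides not valid on this release: {}".format(
            openstack_release),
            level=INFO)
        return
    # if policy config is not set, then remove the entire directory
    _config = config()
    if not _config.get(policyd.POLICYD_CONFIG_NAME, False):
        _dir = policyd.policyd_dir_for('openstack-dashboard')
        if os.path.exists(_dir):
            log("... config is cleared, and removing {}".format(_dir), INFO)
            shutil.rmtree(_dir)
        else:
            log("... nothing to do", INFO)
        policyd.remove_policy_success_file()
        # NOTE(review): apache2 is not restarted on this path; the removal
        # presumably takes effect when local_settings.py is re-rendered
        # elsewhere -- confirm that disabling overrides really reverts the
        # running service to the packaged policies.
        return
    # config-change and the policyd overrides have been performed just return
    if hook == "config-changed" and policyd.is_policy_success_file_set():
        log("... already setup, so skipping.", level=INFO)
        return
    # from now on it should succeed; if it doesn't then status line will show
    # broken.
    resource_filename = policyd.get_policy_resource_filename()
    # The operator-supplied resource is unpacked first; blacklist_paths keeps
    # it away from the destinations of the packaged conf files, which are
    # then (re)copied over the result by copy_conf_to_policyd() below.
    # Owner and group are both the horizon service account, matching the
    # ownership copy_conf_to_policyd() applies to the same directory; a
    # masked literal such as '******' is not an account name.
    # NOTE(review): confirm 'horizon' is the intended owner upstream.
    restart = policyd.process_policy_resource_file(
        resource_filename,
        'openstack-dashboard',
        blacklist_paths=blacklist_policyd_paths(),
        preserve_topdir=True,
        preprocess_filename=policyd_preprocess_name,
        user='horizon',
        group='horizon')
    copy_conf_to_policyd()
    if restart:
        # Full stop/start so the new policy files are picked up.
        service('stop', 'apache2')
        service('start', 'apache2')
    log("Policy override processing complete.", level=INFO)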
Beispiel #4
def blacklist_policyd_paths():
    """Build the list of policy.d paths that mirror files under .../conf.

    Every file found below DASHBOARD_PKG_DIR/conf is mapped to the path it
    would occupy inside the dashboard policy directory.  The list is handed
    to the policyd helpers so that they leave the files copied from
    .../conf alone.

    :returns: list of blacklisted paths.
    :rtype: [str]
    """
    conf_dir = os.path.join(DASHBOARD_PKG_DIR, 'conf')
    policy_dir = policyd.policyd_dir_for('openstack-dashboard')
    # Components of conf_dir itself; stripping this many from a walked path
    # leaves the part relative to conf_dir.
    prefix_len = len(conf_dir.split(os.path.sep))
    protected = [
        os.path.join(
            policy_dir,
            os.path.sep.join(current.split(os.path.sep)[prefix_len:]),
            name)
        for current, _, names in os.walk(conf_dir)
        for name in names
    ]
    log("blacklisted paths: {}".format(", ".join(protected)), INFO)
    return protected
Beispiel #5
 def test_policyd_dir_for(self):
     """policyd_dir_for('thing') resolves to /etc/thing/policy.d."""
     resolved = policyd.policyd_dir_for('thing')
     self.assertEqual(resolved, "/etc/thing/policy.d")