def get_enforcer():
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer(CONF)
return _ENFORCER
def __init__(self, conf):
self.conf = conf
self.enforcer = policy.Enforcer(conf)
def init():
global _ENFORCER
if not _ENFORCER:
_ENFORCER = common_policy.Enforcer(CONF)
register_rules(_ENFORCER)
def test_get_policy_path_raises_exc(self):
enforcer = policy.Enforcer(self.conf, policy_file='raise_error.json')
e = self.assertRaises(cfg.ConfigFilesNotFoundError,
enforcer._get_policy_path, enforcer.policy_file)
self.assertEqual(('raise_error.json', ), e.config_files)
def _ensure_enforcer_initialization():
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer(cfg.CONF)
_ENFORCER.load_rules()
def init():
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer(pecan.request.cfg)
_ENFORCER.load_rules()
_ENFORCER.register_defaults(policies.list_policies())
def test_enforcer_with_default_policy_file(self):
enforcer = policy.Enforcer(self.conf)
self.assertEqual(self.conf.oslo_policy.policy_file,
enforcer.policy_file)
from oslo.config import cfg
from oslo.config import fixture as config
from oslo.serialization import jsonutils
from oslotest import base as test_base
import six
import six.moves.urllib.parse as urlparse
import six.moves.urllib.request as urlrequest
from oslo_policy.openstack.common import fileutils
from oslo_policy.openstack.common.fixture import lockutils
from oslo_policy import policy
TEST_VAR_DIR = os.path.abspath(
os.path.join(os.path.dirname(__file__), '..', 'tests/var'))
ENFORCER = policy.Enforcer(cfg.CONF)
class MyException(Exception):
def __init__(self, *args, **kwargs):
self.args = args
self.kwargs = kwargs
class RulesTestCase(test_base.BaseTestCase):
def test_init_basic(self):
rules = policy.Rules()
self.assertEqual(rules, {})
self.assertIsNone(rules.default_rule)
def test_enforcer_with_default_policy_file(self):
enforcer = policy.Enforcer(cfg.CONF)
self.assertEqual(cfg.CONF.policy_file, enforcer.policy_file)
def __init__(self):
self.enforcer = op.Enforcer(cfg.CONF)
def __init__(self, conf):
super(ConfigHook, self).__init__()
self.conf = conf
self.enforcer = policy.Enforcer(conf)
self.enforcer.load_rules()
def test_matched_rules(self, mock_warn):
extensions = []
for name, opts in OPTS.items():
ext = stevedore.extension.Extension(name=name, entry_point=None,
plugin=None, obj=opts)
extensions.append(ext)
test_mgr = stevedore.named.NamedExtensionManager.make_test_instance(
extensions=extensions, namespace=['base_rules', 'rules'])
# Write the policy file for an enforcer to load
sample_file = self.get_config_file_fullname('policy-sample.yaml')
with mock.patch('stevedore.named.NamedExtensionManager',
return_value=test_mgr):
# generate sample-policy file with only rules
generator._generate_sample(['base_rules', 'rules'], sample_file,
include_help=False)
enforcer = policy.Enforcer(self.conf, policy_file='policy-sample.yaml')
# register opts that match those defined in policy-sample.yaml
enforcer.register_default(policy.RuleDefault('admin', 'is_admin:True'))
enforcer.register_default(
policy.RuleDefault('owner', 'project_id:%(project_id)s'))
# register a new opt
deprecated_rule = policy.DeprecatedRule('old_foo', 'role:bar')
enforcer.register_default(
policy.RuleDefault('foo', 'role:foo',
deprecated_rule=deprecated_rule,
deprecated_reason='reason',
deprecated_since='T')
)
# Mock out stevedore to return the configured enforcer
ext = stevedore.extension.Extension(name='testing', entry_point=None,
plugin=None, obj=enforcer)
test_mgr = stevedore.named.NamedExtensionManager.make_test_instance(
extensions=[ext], namespace='testing')
stdout = self._capture_stdout()
with mock.patch('stevedore.named.NamedExtensionManager',
return_value=test_mgr) as mock_ext_mgr:
generator._list_redundant(namespace='testing')
mock_ext_mgr.assert_called_once_with(
'oslo.policy.enforcer', names=['testing'],
on_load_failure_callback=generator.on_load_failure_callback,
invoke_on_load=True)
matches = [line.split(': ', 1) for
line in stdout.getvalue().splitlines()]
matches.sort(key=operator.itemgetter(0))
# Should be 'admin'
opt0 = matches[0]
self.assertEqual('"admin"', opt0[0])
self.assertEqual('"is_admin:True"', opt0[1])
# Should be 'owner'
opt1 = matches[1]
self.assertEqual('"owner"', opt1[0])
self.assertEqual('"project_id:%(project_id)s"', opt1[1])
self.assertFalse(mock_warn.called,
'Deprecation warnings not suppressed.')
def setUp(self):
super(TestImageMembersPolicy, self).setUp()
self.policy = policy.Enforcer(suppress_deprecation_warnings=True)
def setup_policy(conf):
global ENFORCER
ENFORCER = policy.Enforcer(conf)
def setUp(self):
super(GenerateSampleJSONTestCase, self).setUp()
self.enforcer = policy.Enforcer(self.conf, policy_file='policy.json')
def setup_policy():
global ENFORCER
ENFORCER = policy.Enforcer(cfg.CONF)
ENFORCER.register_defaults(policies.list_rules())
def setUp(self):
super(GenerateSampleYAMLTestCase, self).setUp()
self.enforcer = policy.Enforcer(self.conf, policy_file='policy.yaml')
def fakepolicyinit(self, **kwargs):
policy._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
policy._ENFORCER.set_rules(oslo_policy.Rules(self.rules))
def setup_policy():
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer(CONF)
register_rules(_ENFORCER)
def _ensure_enforcer_initialization():
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer(cfg.CONF)
_ENFORCER.register_defaults(policies.list_rules())
_ENFORCER.load_rules()
def test_enforcer_with_policy_file(self):
enforcer = policy.Enforcer(self.conf, policy_file='non-default.json')
self.assertEqual('non-default.json', enforcer.policy_file)
def __init__(self, conf):
self.conf = conf
self.enforcer = policy.Enforcer(conf)
self._register_rules()
from oslo_config import cfg
from oslo_policy import policy
from sahara.common import policies
CONF = cfg.CONF
CONF(['--config-file', '/etc/sahara/sahara.conf'])
CONF.list_all_sections()
#['DEFAULT', 'database', 'keystone_authtoken', 'object_store_access', 'oslo_messaging_notifications', 'oslo_messaging_rabbit', 'oslo_policy', 'profiler']
ENFORCER = policy.Enforcer(CONF)
ENFORCER
dir(ENFORCER)
#['__class__', '__delattr__', '__dict__', '__doc__', '__format__', '__getattribute__', '__hash__', '__init__', '__module__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_cycle_check', '_file_cache', '_get_policy_path', '_informed_no_policy_file', '_is_directory_updated', '_load_policy_file', '_loaded_files', '_policy_dir_mtimes', '_record_file_rules', '_undefined_check', '_walk_through_policy_directory', 'authorize', 'check_rules', 'clear', 'conf', 'default_rule', 'enforce', 'file_rules', 'load_rules', 'overwrite', 'policy_file', 'policy_path', 'register_default', 'register_defaults', 'registered_rules', 'rules', 'set_rules', 'use_conf']
e = ENFORCER
e.policy_file
e.load_rules()
e.rules
rls = e.rules
r = rls.get('data-processing:clusters:get_all')
ru = policy.Rules.load('"data-processing:job-types:get_all": ""')
ru
{'data-processing:job-types:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054750>}
'''
e.rules is a dictionary and r is an object
'''
{u'data-processing:jobs:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd50547d0>, u'data-processing:clusters:modify': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054b10>, u'data-processing:images:register': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054850>, u'data-processing:plugins:patch': <oslo_policy._checks.RoleCheck object at 0x7f0fd5054910>, u'data-processing:job-binaries:create': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054890>, u'data-processing:node-group-templates:modify': <oslo_policy._checks.TrueCheck object at 0x7f0fd50548d0>, u'data-processing:job-executions:modify': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054950>, u'data-processing:job-types:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054990>, u'data-processing:plugins:get': <oslo_policy._checks.TrueCheck object at 0x7f0fd50549d0>, u'data-processing:cluster-templates:create': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054a10>, u'data-processing:job-binaries:delete': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054a50>, u'data-processing:plugins:get_version': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054a90>, u'data-processing:cluster-templates:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054ad0>, u'data-processing:job-binaries:modify': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054c90>,
u'data-processing:clusters:get': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063290>, u'data-processing:job-binary-internals:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054b90>, u'data-processing:job-executions:delete': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054bd0>, u'data-processing:job-binary-internals:create': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054c10>, u'data-processing:job-executions:cancel': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054c50>, u'data-processing:images:add_tags': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054810>, u'data-processing:job-binaries:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054cd0>, u'data-processing:clusters:create': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054d10>, u'data-processing:node-group-templates:delete': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054d50>, u'data-processing:clusters:scale': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054d90>, u'data-processing:job-executions:refresh_status': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054dd0>, u'data-processing:plugins:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054e10>, u'data-processing:jobs:get': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054e90>, u'data-processing:job-binary-internals:delete': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054ed0>, u'data-processing:job-executions:get': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054f10>, u'data-processing:clusters:delete': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054f50>, u'data-processing:jobs:get_config_hints': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054f90>, u'data-processing:images:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054fd0>, u'data-processing:images:get': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063050>, u'data-processing:job-binaries:get': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054790>, u'data-processing:job-binary-internals:get_data': <oslo_policy._checks.TrueCheck object at 0x7f0fd50630d0>, u'data-processing:node-group-templates:get': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063110>, u'data-processing:images:set_tags': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063090>,
u'data-processing:clusters:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063150>, u'data-processing:images:unregister': <oslo_policy._checks.TrueCheck object at 0x7f0fd50631d0>, u'data-processing:cluster-templates:modify': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063210>, u'data-processing:data-sources:modify': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063190>, u'data-processing:job-binary-internals:get': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054e50>, u'data-processing:data-sources:delete': <oslo_policy._checks.TrueCheck object at 0x7f0fd5054b50>, u'data-processing:jobs:delete': <oslo_policy._checks.TrueCheck object at 0x7f0fd50632d0>, u'data-processing:node-group-templates:create': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063350>, u'data-processing:plugins:convert_config': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063390>, u'data-processing:job-executions:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd50633d0>, u'data-processing:jobs:execute': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063410>, u'data-processing:cluster-templates:delete': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063450>, u'data-processing:job-binaries:get_data': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063490>, u'default': <oslo_policy._checks.TrueCheck object at 0x7f0fd50634d0>, u'data-processing:data-sources:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063510>, u'data-processing:cluster-templates:get': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063550>, u'data-processing:images:remove_tags': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063590>, u'data-processing:node-group-templates:get_all': <oslo_policy._checks.TrueCheck object at 0x7f0fd50635d0>, u'data-processing:data-sources:get': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063610>, u'context_is_admin': <oslo_policy._checks.RoleCheck object at 0x7f0fd5063310>, u'data-processing:jobs:modify': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063650>, u'data-processing:data-sources:register': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063250>, u'data-processing:job-binary-internals:modify': <oslo_policy._checks.TrueCheck object at 0x7f0fd5063690>, u'data-processing:jobs:create': <oslo_policy._checks.TrueCheck object at 0x7f0fd50636d0>}
def setUp(self):
super(TestMetadefObjectsPolicy, self).setUp()
self.policy = policy.Enforcer(suppress_deprecation_warnings=True)
def __init__(self):
self.enforcer = policy.Enforcer(cfg.CONF)
def _enforcer(self):
# The raw oslo-policy enforcer object
if self.__ENFORCER is None:
self.__ENFORCER = common_policy.Enforcer(CONF)
self.register_rules(self.__ENFORCER)
return self.__ENFORCER
'32 bytes')),
cfg.StrOpt('digest_algorithm',
default='sha256',
help=_('Digest algorithm which will be used for digital '
'signature. Use the command "openssl list-message-'
'digest-algorithms" to get the available algorithms '
'supported by the version of OpenSSL on the platform.'
' Examples are "sha1", "sha256", "sha512", etc.')),
]
CONF = cfg.CONF
CONF.register_opts(paste_deploy_opts, group='paste_deploy')
CONF.register_opts(image_format_opts, group='image_format')
CONF.register_opts(task_opts, group='task')
CONF.register_opts(common_opts)
policy.Enforcer(CONF)
def parse_args(args=None, usage=None, default_config_files=None):
CONF(args=args,
project='glance',
version=version.cached_version_string(),
usage=usage,
default_config_files=default_config_files)
def parse_cache_args(args=None):
config_files = cfg.find_config_files(project='glance', prog='glance-cache')
parse_args(args=args, default_config_files=config_files)
def init():
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer(pecan.request.cfg)
_ENFORCER.load_rules()
def init():
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer(CONF)
def init(default_rule=None, policy_file=None):
global _ENFORCER
if not _ENFORCER:
LOG.debug("Enforcer is not present, recreating.")
_ENFORCER = policy.Enforcer(CONF, policy_file=policy_file)
_ENFORCER.register_defaults(policies.list_rules())