def setUp(self):
    """Configure the policy file path and rebuild placement policy state.

    Sets [oslo_policy]/policy_file to the placement policy.yaml under the
    state path, then re-initialises placement policy with a private copy of
    the in-code default rules. reset() is called before init() and again on
    cleanup, presumably so policy state does not leak between tests.
    """
    super(PolicyFixture, self).setUp()

    yaml_path = paths.state_path_def('etc/placement/policy.yaml')
    self.conf_fixture.config(group='oslo_policy', policy_file=yaml_path)

    placement_policy.reset()

    # oslo.policy has a habit of modifying the default rules it is given, so
    # hand it a deep copy rather than the rule objects themselves; otherwise
    # one test's changes could alter the defaults seen by later tests.
    default_rules = copy.deepcopy(policies.list_rules())
    placement_policy.init(
        self.conf_fixture.conf,
        suppress_deprecation_warnings=True,
        rules=default_rules,
    )

    self.addCleanup(placement_policy.reset)
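def init():
    """Init an Enforcer class. Sets the _ENFORCER_PLACEMENT global.

    The enforcer is built in a local variable and only published to the
    global once its default rules are registered and loaded. If
    register_defaults() or load_rules() raises, the global stays unset and
    the next call retries, instead of leaving behind an enforcer whose rules
    were never loaded. It also means a reader of the global never observes
    an enforcer that is still being set up.
    """
    global _ENFORCER_PLACEMENT
    if _ENFORCER_PLACEMENT:
        return

    # NOTE(mriedem): We have to explicitly pass in the
    # [placement]/policy_file path because otherwise oslo_policy defaults
    # to read the policy file from config option [oslo_policy]/policy_file
    # which is used by nova. In other words, to have separate policy files
    # for placement and nova, we have to use separate policy_file options.
    enforcer = policy.Enforcer(
        CONF, policy_file=CONF.placement.policy_file)
    enforcer.register_defaults(policies.list_rules())
    enforcer.load_rules()

    # Publish only after the rules are in place.
    _ENFORCER_PLACEMENT = enforcer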
def start_fixture(self):
    """Open every non-base placement policy rule to any caller.

    Each registered rule except the base 'placement' and 'admin_api' rules
    is overridden with '@', the always-allow check, and the result is
    installed through the policy fixture. This removes authorization from
    the covered rules, so it only makes sense inside a fixture; it says
    nothing about what the real default policy permits.
    """
    super(OpenPolicyFixture, self).start_fixture()

    # The nova policy "admin_or_owner" concept does not really apply to most
    # placement resources since they have no user_id/project_id attribute,
    # so the rules are simply opened up rather than scoped to an owner.
    # The "base" rules for role:admin are left as they are.
    base_rules = ('placement', 'admin_api')
    open_rules = {
        rule.name: '@'
        for rule in policies.list_rules()
        if rule.name not in base_rules
    }
    self.policy_fixture.set_rules(open_rules)
def init(conf):
    """Init an Enforcer class. Sets the _ENFORCER global.

    Chooses the policy file, builds the enforcer, registers the in-code
    default rules and loads rules, then publishes the enforcer globally.
    Does nothing if the global is already set.

    File selection: [oslo_policy]/policy_file is used when it can be found;
    otherwise the deprecated [placement]/policy_file is used, whether or not
    it exists, because defaults are still registered from code.

    The chosen file determines which authorization rules are enforced. When
    both options name different files and both exist, only the
    [oslo_policy] file is passed to the enforcer, so custom rules kept in
    the [placement] file are not loaded. The ERROR log line below is the
    only signal of that situation, which makes it worth monitoring for.
    """
    global _ENFORCER
    if _ENFORCER:
        return

    # TODO(mriedem): This compat code can be removed when the
    # [placement]/policy_file config option is removed.
    # [oslo_policy]/policy_file is what we want people using. It defaults to
    # policy.json while [placement]/policy_file defaults to policy.yaml, so
    # if it does not exist either someone with custom policy has not
    # migrated or they are using defaults in code.
    preferred_file = conf.oslo_policy.policy_file
    if conf.find_file(preferred_file):
        chosen_file = preferred_file
        # Sanity check: a differently named [placement]/policy_file that
        # also exists means we could be loading the wrong file. For example,
        # packaging or deployment tooling may create an empty policy.json
        # while placement.conf actually points at a policy.yaml holding the
        # custom rules.
        legacy_file = conf.placement.policy_file
        if legacy_file != preferred_file and conf.find_file(legacy_file):
            LOG.error('Found [oslo_policy]/policy_file and '
                      '[placement]/policy_file and not sure which to use. '
                      'Using [oslo_policy]/policy_file since '
                      '[placement]/policy_file is deprecated but you need '
                      'to clean up your configuration file to stop using '
                      '[placement]/policy_file.')
    else:
        legacy_file = conf.placement.policy_file
        # A custom [placement]/policy_file is in use: ask the operator to
        # migrate to [oslo_policy]/policy_file.
        if conf.find_file(legacy_file):
            LOG.warning('[placement]/policy_file is deprecated. Use '
                        '[oslo_policy]/policy_file instead.')
        # Backward compatibility: pass the legacy path even if the file is
        # missing, since default rules are loaded from code. Once the compat
        # code is removed the policy_file kwarg can be dropped entirely.
        chosen_file = legacy_file

    # Build and fully populate the enforcer before publishing it, so the
    # global never refers to an enforcer without its rules.
    enforcer = policy.Enforcer(conf, policy_file=chosen_file)
    enforcer.register_defaults(policies.list_rules())
    enforcer.load_rules()
    _ENFORCER = enforcer