예제 #1
 def setUp(self):
     """Point oslo.policy at the placement policy file and re-initialise
     the placement enforcer for the duration of one test.

     ``placement_policy.reset`` is called before initialisation and is also
     registered as a cleanup, so enforcer state set up here is reset again
     when the test finishes.
     """
     super(PolicyFixture, self).setUp()
     self.conf_fixture.config(
         group='oslo_policy',
         policy_file=paths.state_path_def('etc/placement/policy.yaml'))
     placement_policy.reset()
     conf = self.conf_fixture.conf
     # oslo.policy is known to modify the default rule objects it is given,
     # so hand it a deep copy rather than the shared originals; otherwise one
     # test's changes could alter the defaults seen by the next.
     private_rules = copy.deepcopy(policies.list_rules())
     placement_policy.init(
         conf,
         suppress_deprecation_warnings=True,
         rules=private_rules,
     )
     self.addCleanup(placement_policy.reset)
예제 #2
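def init():
    """Init an Enforcer class. Sets the _ENFORCER_PLACEMENT global.

    The enforcer is built and fully loaded in a local variable and only then
    stored in the module global. If registering the defaults or loading the
    rules raises, the global stays unset and the next call retries, rather
    than leaving behind an enforcer with no defaults or rules loaded that
    every later call would silently reuse.
    """
    global _ENFORCER_PLACEMENT
    if not _ENFORCER_PLACEMENT:
        # NOTE(mriedem): We have to explicitly pass in the
        # [placement]/policy_file path because otherwise oslo_policy defaults
        # to read the policy file from config option [oslo_policy]/policy_file
        # which is used by nova. In other words, to have separate policy files
        # for placement and nova, we have to use separate policy_file options.
        enforcer = policy.Enforcer(
            CONF, policy_file=CONF.placement.policy_file)
        enforcer.register_defaults(policies.list_rules())
        enforcer.load_rules()
        # Publish last: authorization checks must never observe an enforcer
        # whose default rules have not been registered and loaded yet.
        _ENFORCER_PLACEMENT = enforcer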
예제 #3
 def start_fixture(self):
     """Open up every registered placement rule so any user passes.

     Each rule returned by ``policies.list_rules()`` is overridden with
     ``'@'`` (always allow), except the two base rules for role:admin.
     The nova "admin_or_owner" concept does not really apply to most
     placement resources, since they carry no user_id/project_id attribute.

     NOTE(review): this turns off authorization checks for the overridden
     rules and is meant for test fixtures only; it must not be reachable
     from a deployed service.
     """
     super(OpenPolicyFixture, self).start_fixture()
     # "Base" rules for role:admin are left as they are.
     base_rule_names = ('placement', 'admin_api')
     open_rules = {
         rule.name: '@'
         for rule in policies.list_rules()
         if rule.name not in base_rule_names
     }
     self.policy_fixture.set_rules(open_rules)
예제 #4
def init(conf):
    """Build the policy Enforcer once and store it in the _ENFORCER global.

    The policy file is chosen as follows:

    * If the file named by [oslo_policy]/policy_file can be found, it is
      used. If [placement]/policy_file names a different file that can also
      be found, an error is logged, because custom rules in that second file
      are NOT loaded.
    * Otherwise [placement]/policy_file is used for backward compatibility,
      with a deprecation warning if that file can be found. If it cannot be
      found, the default rules registered from code still apply.

    :param conf: configuration object providing ``find_file`` and the
        ``oslo_policy`` and ``placement`` option groups.
    """
    global _ENFORCER
    if _ENFORCER:
        # Already initialised; keep the existing enforcer.
        return

    # TODO(mriedem): This compat code can be removed when the
    # [placement]/policy_file config option is removed.
    # [oslo_policy]/policy_file is what we want people using. It defaults to
    # policy.json while [placement]/policy_file defaults to policy.yaml, so a
    # missing [oslo_policy]/policy_file means either someone with custom
    # policy has not migrated or they are using defaults in code.
    preferred_path = conf.oslo_policy.policy_file
    preferred_found = conf.find_file(preferred_path)
    legacy_path = conf.placement.policy_file

    if preferred_found:
        policy_file = preferred_path
        # Sanity check: the deprecated option may point at a different file
        # that also exists, in which case we could be loading the wrong one.
        # For example, packaging or deployment tooling may create an empty
        # policy.json while placement.conf is actually configured with
        # [placement]/policy_file=policy.yaml holding the custom rules.
        if legacy_path != preferred_path and conf.find_file(legacy_path):
            LOG.error('Found [oslo_policy]/policy_file and '
                      '[placement]/policy_file and not sure which to use. '
                      'Using [oslo_policy]/policy_file since '
                      '[placement]/policy_file is deprecated but you need '
                      'to clean up your configuration file to stop using '
                      '[placement]/policy_file.')
    else:
        # A custom [placement]/policy_file is still in use: ask the operator
        # to migrate to [oslo_policy]/policy_file.
        if conf.find_file(legacy_path):
            LOG.warning('[placement]/policy_file is deprecated. Use '
                        '[oslo_policy]/policy_file instead.')
        # Backward compatibility. Passing a path that does not exist is fine
        # because the default rules are loaded from code. Once the compat
        # code is removed the policy_file kwarg can simply be dropped.
        policy_file = legacy_path

    # Finish building the enforcer before assigning the global, so the
    # global is only ever set to an enforcer whose rules have been loaded.
    enforcer = policy.Enforcer(conf, policy_file=policy_file)
    enforcer.register_defaults(policies.list_rules())
    enforcer.load_rules()
    _ENFORCER = enforcer