Add oslo.policy.enforcer entry point

this will allow various oslo.policy scripts like oslopolicy-policy-generator to work with Aodh. Change-Id: I5941fe03277368f789a0e07d823ececdf86ed37e Story: 2010559 Task: 47247
2023-02-01 15:42:41 +02:00 · 2023-02-01 15:42:41 +02:00 · 9d9840023e
commit 9d9840023e
parent aa91a3b614
3 changed files with 25 additions and 10 deletions
--- a/aodh/api/hooks.py
+++ b/aodh/api/hooks.py
@ -15,7 +15,6 @@

 from oslo_config import cfg
 from oslo_policy import opts
-from oslo_policy import policy
 from pecan import hooks

 from aodh.api import policies
@ -35,15 +34,7 @@ class ConfigHook(hooks.PecanHook):

    def __init__(self, conf):
        self.conf = conf
-        self.enforcer = policy.Enforcer(conf, default_rule="default")
-        # NOTE(gmann): Explictly disable the warnings for policies
-        # changing their default check_str. With new RBAC policy
-        # work, all the policy defaults have been changed and warning for
-        # each policy started filling the logs limit for various tool.
-        # Once we move to new defaults only world then we can enable these
-        # warning again.
-        self.enforcer.suppress_default_change_warnings = True
-        self.enforcer.register_defaults(policies.list_rules())
+        self.enforcer = policies.init(conf)

    def before(self, state):
        state.request.cfg = self.conf
--- a/aodh/api/policies.py
+++ b/aodh/api/policies.py
@ -13,6 +13,7 @@
 #    under the License.


+from oslo_config import cfg
 from oslo_log import versionutils
 from oslo_policy import policy

@ -325,3 +326,23 @@ rules = [

 def list_rules():
    return rules
+
+
+def init(conf):
+    enforcer = policy.Enforcer(conf, default_rule="default")
+    # NOTE(gmann): Explictly disable the warnings for policies
+    # changing their default check_str. With new RBAC policy
+    # work, all the policy defaults have been changed and warning for
+    # each policy started filling the logs limit for various tool.
+    # Once we move to new defaults only world then we can enable these
+    # warning again.
+    enforcer.suppress_default_change_warnings = True
+    enforcer.register_defaults(list_rules())
+    return enforcer
+
+
+def get_enforcer():
+    # This method is used by oslopolicy CLI scripts in order to generate policy
+    # files from overrides on disk and defaults in code.
+    cfg.CONF([], project='aodh')
+    return init(cfg.CONF)
--- a/setup.cfg
+++ b/setup.cfg
@ -110,3 +110,6 @@ oslo.config.opts.defaults =

 oslo.policy.policies =
    aodh = aodh.api.policies:list_rules
+
+oslo.policy.enforcer =
+    aodh = aodh.api.policies:get_enforcer