openstack/aodh
Code Issues Proposed changes

Add oslo.policy.enforcer entry point

Browse Source 
this will allow various oslo.policy scripts like
oslopolicy-policy-generator to work with Aodh.

Change-Id: I5941fe03277368f789a0e07d823ececdf86ed37e
Story: 2010559
Task: 47247
This commit is contained in:
Pavlo Shchelokovskyy 2023-02-01 15:42:41 +02:00 committed by Pavlo Shchelokovskyy
parent aa91a3b614
commit 9d9840023e
3 changed files with 25 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
aodh/api/hooks.py
View File

@ -15,7 +15,6 @@
from oslo_config import cfg from oslo_config import cfg
from oslo_policy import opts from oslo_policy import opts
from oslo_policy import policy
from pecan import hooks from pecan import hooks
from aodh.api import policies from aodh.api import policies
@ -35,15 +34,7 @@ class ConfigHook(hooks.PecanHook):
def __init__(self, conf): def __init__(self, conf):
self.conf = conf self.conf = conf
self.enforcer = policy.Enforcer(conf, default_rule="default") self.enforcer = policies.init(conf)
# NOTE(gmann): Explictly disable the warnings for policies
# changing their default check_str. With new RBAC policy
# work, all the policy defaults have been changed and warning for
# each policy started filling the logs limit for various tool.
# Once we move to new defaults only world then we can enable these
# warning again.
self.enforcer.suppress_default_change_warnings = True
self.enforcer.register_defaults(policies.list_rules())
def before(self, state): def before(self, state):
state.request.cfg = self.conf state.request.cfg = self.conf

21
aodh/api/policies.py
View File

@ -13,6 +13,7 @@
# under the License. # under the License.
from oslo_config import cfg
from oslo_log import versionutils from oslo_log import versionutils
from oslo_policy import policy from oslo_policy import policy
@ -325,3 +326,23 @@ rules = [
def list_rules(): def list_rules():
return rules return rules
def init(conf):
enforcer = policy.Enforcer(conf, default_rule="default")
# NOTE(gmann): Explictly disable the warnings for policies
# changing their default check_str. With new RBAC policy
# work, all the policy defaults have been changed and warning for
# each policy started filling the logs limit for various tool.
# Once we move to new defaults only world then we can enable these
# warning again.
enforcer.suppress_default_change_warnings = True
enforcer.register_defaults(list_rules())
return enforcer
def get_enforcer():
# This method is used by oslopolicy CLI scripts in order to generate policy
# files from overrides on disk and defaults in code.
cfg.CONF([], project='aodh')
return init(cfg.CONF)

3
setup.cfg
View File

@ -110,3 +110,6 @@ oslo.config.opts.defaults =
oslo.policy.policies = oslo.policy.policies =
aodh = aodh.api.policies:list_rules aodh = aodh.api.policies:list_rules
oslo.policy.enforcer =
aodh = aodh.api.policies:get_enforcer