yahoo-eng-team team mailing list archive

[Bug 1675822] [NEW] Allow policy actions in code to be importable for RBAC testing

 

Public bug reported:

Now that Keystone is defining all of its policy actions in code, it is
no longer possible to read the keystone policy.json in order to retrieve
an exhaustive list of all the Keystone policy actions, necessary for
RBAC testing by Patrole.

Currently, Nova has its policy actions in code [0] and allows them to be
imported via setup.cfg [1].

Keystone can do the same thing as Nova by adding

oslo.policy.policies =
    keystone = keystone.common.policies:list_rules

to its setup.cfg.

Moreover, oslo.policy currently uses the "oslo.policy.policies"
extension by default [2] in order to generate a sample policy file.

This bug fix, therefore, solves both issues.

[0] https://github.com/openstack/nova/blob/master/nova/policies/__init__.py
[1] https://github.com/openstack/nova/blob/master/setup.cfg
[2] https://github.com/openstack/oslo.policy/blob/master/oslo_policy/generator.py

** Affects: keystone
     Importance: Undecided
     Assignee: Felipe Monteiro (fm577c)
         Status: In Progress

** Changed in: keystone
     Assignee: (unassigned) => Felipe Monteiro (fm577c)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1675822
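
Added example, not part of the bug report and not code from keystone, Nova, oslo.policy or Patrole: how a test tool could enumerate the policy actions a service publishes under the "oslo.policy.policies" entry point and report which ones no RBAC test covers. It uses the standard-library importlib.metadata; the module demo_policies, the Rule stand-in, and the demo:* rule names and check strings are constructed so the block runs offline.

```python
import collections
import sys
import types
from importlib.metadata import EntryPoint, entry_points

NAMESPACE = "oslo.policy.policies"  # entry-point group named in the bug report


def installed_entry_points(namespace=NAMESPACE):
    """Entry points that installed packages register under `namespace`."""
    eps = entry_points()
    if hasattr(eps, "select"):              # Python 3.10 and later
        return list(eps.select(group=namespace))
    return list(eps.get(namespace, []))     # Python 3.8 / 3.9


def collect_actions(eps):
    """Load each entry point, call it, and map its name to sorted rule names."""
    actions = {}
    for ep in eps:
        list_rules = ep.load()  # imports the target, e.g. <pkg>.policies:list_rules
        actions[ep.name] = sorted(rule.name for rule in list_rules())
    return actions


def untested_actions(actions, tested):
    """Registered actions that no RBAC test exercises (a coverage gap)."""
    registered = {name for names in actions.values() for name in names}
    return sorted(registered - set(tested))


def constructed_entry_point():
    """Constructed stand-in for an installed service so the example runs offline."""
    Rule = collections.namedtuple("Rule", "name check_str")  # hypothetical rule type
    module = types.ModuleType("demo_policies")               # hypothetical module
    module.list_rules = lambda: [
        Rule("demo:list_widgets", "role:admin"),
        Rule("demo:get_widget", "role:admin or role:member"),
    ]
    sys.modules[module.__name__] = module
    return EntryPoint(name="demo", value="demo_policies:list_rules", group=NAMESPACE)


if __name__ == "__main__":
    actions = collect_actions([constructed_entry_point()])
    print(actions)
    print(untested_actions(actions, tested=["demo:get_widget"]))
    print(len(installed_entry_points()), "installed entry points in", NAMESPACE)
```

Loading an entry point imports the package that registered it, so run this kind of enumeration only in an environment whose installed packages are trusted.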
