yahoo-eng-team team mailing list archive
Message #70154
[Bug 1740951] [NEW] Unable to dump policy
Public bug reported:
I'm having issues dumping policy from Keystone in Pike
root@aio1-keystone-container-398c6a0f:~# /openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator --namespace keystone
WARNING:stevedore.named:Could not load keystone
Traceback (most recent call last):
  File "/openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator", line 11, in <module>
    sys.exit(generate_policy())
  File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 233, in generate_policy
    _generate_policy(conf.namespace, conf.output_file)
  File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 178, in _generate_policy
    enforcer = _get_enforcer(namespace)
  File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 74, in _get_enforcer
    enforcer = mgr[namespace].obj
  File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/stevedore/extension.py", line 314, in __getitem__
    return self._extensions_by_name[name]
KeyError: 'keystone'
Normally it works like this with Nova:
root@aio1-nova-api-os-compute-container-3589c25e:~# /openstack/venvs/nova-16.0.6/bin/oslopolicy-policy-generator --namespace nova
"os_compute_api:os-evacuate": "rule:admin_api"
"os_compute_api:servers:create": "rule:admin_or_owner"
"os_compute_api:os-extended-volumes": "rule:admin_or_owner"
"os_compute_api:servers:create:forced_host": "rule:admin_api"
"os_compute_api:os-aggregates:remove_host": "rule:admin_api"
...
IRC convo regarding this bug:
[04:00:26PM] logan- hello. I'm trying to use oslopolicy-policy-generator to dump the base RBAC so it can be combined with my policy overrides and provided to horizon. with nova i'm able to dump RBAC using "/path/to/nova/venv/bin/oslopolicy-policy-generator --namespace nova", but doing the same with keystone using "keystone" or "identity" as the namespace does not work.
[04:01:39PM] @lbragstad logan-: do you have keystone installed?
[04:01:57PM] @lbragstad let me see if i can recreate
[04:03:30PM] logan- o/ @lbragstad. yep keystone's installed. here's the venv and output for the oslopolicy command at the bottom: http://paste.openstack.org/raw/636624/
[04:03:53PM] @lbragstad huh - weird
[04:03:56PM] @lbragstad i can recreate
[04:04:48PM] ayoung @lbragstad, logan- I bet it is a dependency issue
[04:05:25PM] ayoung trying to load Keystone fails cuz some other library is missing, and I bet that is pulled in from oslopolicy polgen
[04:07:05PM] ayoung oslo.policy.policies =
[04:07:05PM] ayoung # With the move of default policy in code list_rules returns a list of
[04:07:05PM] ayoung # the default defined polices.
[04:07:05PM] ayoung keystone = keystone.common.policies:list_rules
[04:07:12PM] ayoung that is from setup.cfg
[04:07:21PM] ayoung is that what it is trying to load?
[04:07:36PM] @lbragstad well - it should be an entrypoint in oslo.policy
[04:07:47PM] @lbragstad keystone is just responsible for exposing the namespace
[04:07:59PM] @lbragstad https://github.com/openstack/keystone/blob/master/config-generator/keystone-policy-generator.conf
[04:08:26PM] @lbragstad which is the same as what nova defines
[04:08:28PM] @lbragstad https://github.com/openstack/nova/blob/master/etc/nova/nova-policy-generator.conf
[04:09:31PM] ayoung seems like it is not registered
[04:12:16PM] ayoung yep, reproduced it here, too
[04:15:32PM] @lbragstad i think we're missing this entrypoint
[04:15:33PM] @lbragstad https://docs.openstack.org/oslo.policy/latest/user/usage.html#merged-file-generation
[04:15:45PM] @lbragstad which just needs something to return the _ENFORCER
[04:15:55PM] @lbragstad so keystone.common.policy:get_enforcer
[04:15:59PM] @lbragstad or something like that
[04:16:24PM] @lbragstad logan-: certainly a bug
[04:16:35PM] @lbragstad logan-: would you be able to open up something in launchpad?
[04:16:53PM] @lbragstad we can get a patch up shortly, i think we're missing something with how we wire up the entry points
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1740951
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1740951/+subscriptions
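
The IRC diagnosis above comes down to a namespace that is registered under `oslo.policy.policies` but not under `oslo.policy.enforcer`, the entry-point group that `oslopolicy-policy-generator` looks up by name. The following check is an added example, not code from keystone, oslo.policy or the bug report; the two `setup.cfg` fragments are constructed samples modelled on the snippet quoted in the log, and the function names are hypothetical.

```python
import configparser

# Entry-point groups used by oslo.policy's command-line tools.
POLICIES_GROUP = "oslo.policy.policies"  # rule defaults, e.g. list_rules
ENFORCER_GROUP = "oslo.policy.enforcer"  # looked up by oslopolicy-policy-generator

# Constructed sample: only the policies group is registered (the failing case).
KEYSTONE_CFG = """\
[entry_points]
oslo.policy.policies =
    # With the move of default policy in code list_rules returns a list of
    # the default defined polices.
    keystone = keystone.common.policies:list_rules
"""

# Constructed sample: both groups are registered (the working case).
NOVA_CFG = """\
[entry_points]
oslo.policy.policies =
    nova = nova.policies:list_rules
oslo.policy.enforcer =
    nova = nova.policy:get_enforcer
"""


def entry_points(cfg_text):
    """Return {group: {name: target}} from a setup.cfg [entry_points] section."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep names case-sensitive
    parser.read_string(cfg_text)
    groups = {}
    if not parser.has_section("entry_points"):
        return groups
    for group, body in parser.items("entry_points"):
        entries = {}
        for line in body.splitlines():
            name, sep, target = line.partition("=")
            if sep:  # skip the empty first line of a multi-line value
                entries[name.strip()] = target.strip()
        groups[group] = entries
    return groups


def missing_enforcers(cfg_text):
    """Namespaces that expose policy defaults but no enforcer entry point."""
    groups = entry_points(cfg_text)
    policies = groups.get(POLICIES_GROUP, {})
    enforcers = groups.get(ENFORCER_GROUP, {})
    return sorted(set(policies) - set(enforcers))
```

A non-empty result from `missing_enforcers` names the namespaces for which the generator cannot dump the effective policy, so an RBAC review that depends on that dump would be working from an incomplete baseline.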