yahoo-eng-team team mailing list archive

[Bug 1740951] Re: Unable to dump policy

 

Reviewed:  https://review.openstack.org/530828
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=85c957c50387ca47b68bc412879c753e7618f86b
Submitter: Zuul
Branch:    master

commit 85c957c50387ca47b68bc412879c753e7618f86b
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Wed Jan 3 02:18:13 2018 +0000

    Expose a get_enforcer method for oslo.policy scripts
    
    Because we have policy in code, we should be able to use the
    oslo.policy CLI scripts to produce sample policy files and render
    complete policies based on overrides on disk. This was broken
    because keystone wasn't removing unexpected commandline arguments
    before passing them to oslo.config to parse. This prevented
    people from generating complete policy files like they would for
    horizon.
    
    This commit exposes a get_enforcer() that substitutes an empty list
    in place of arguments passed in through the system. This makes it
    so that oslo.config doesn't choke when processing configuration
    values.
    
    Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
    Closes-Bug: 1740951


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1740951

Title:
  Unable to dump policy

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  I'm having issues dumping policy from Keystone in Pike

  root@aio1-keystone-container-398c6a0f:~# /openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator --namespace keystone
  WARNING:stevedore.named:Could not load keystone
  Traceback (most recent call last):
    File "/openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator", line 11, in <module>
      sys.exit(generate_policy())
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 233, in generate_policy
      _generate_policy(conf.namespace, conf.output_file)
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 178, in _generate_policy
      enforcer = _get_enforcer(namespace)
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 74, in _get_enforcer
      enforcer = mgr[namespace].obj
    File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/stevedore/extension.py", line 314, in __getitem__
      return self._extensions_by_name[name]
  KeyError: 'keystone'

  Normally it works like this with Nova:
  root@aio1-nova-api-os-compute-container-3589c25e:~# /openstack/venvs/nova-16.0.6/bin/oslopolicy-policy-generator --namespace nova
  "os_compute_api:os-evacuate": "rule:admin_api"
  "os_compute_api:servers:create": "rule:admin_or_owner"
  "os_compute_api:os-extended-volumes": "rule:admin_or_owner"
  "os_compute_api:servers:create:forced_host": "rule:admin_api"
  "os_compute_api:os-aggregates:remove_host": "rule:admin_api"
  ...

  IRC convo regarding this bug:
  [04:00:26PM] logan- hello. I'm trying to use oslopolicy-policy-generator to dump the base RBAC so it can be combined with my policy overrides and provided to horizon. with nova i'm able to dump RBAC using "/path/to/nova/venv/bin/oslopolicy-policy-generator --namespace nova", but doing the same with keystone using "keystone" or "identity" as the namespace does not work.
  [04:01:39PM] @lbragstad logan-: do you have keystone installed?
  [04:01:57PM] @lbragstad let me see if i can recreate
  [04:03:30PM] logan- o/ @lbragstad. yep keystone's installed. here's the venv and output for the oslopolicy command at the bottom: http://paste.openstack.org/raw/636624/
  [04:03:53PM] @lbragstad huh - weird
  [04:03:56PM] @lbragstad i can recreate
  [04:04:48PM] ayoung @lbragstad, logan- I bet it is a dependency issue
  [04:05:25PM] ayoung trying to load Keystone fails cuz some other library is missing, and I bet that is pulled in from oslopolicy polgen
  [04:07:05PM] ayoung oslo.policy.policies =
  [04:07:05PM] ayoung     # With the move of default policy in code list_rules returns a list of
  [04:07:05PM] ayoung     # the default defined polices.
  [04:07:05PM] ayoung     keystone = keystone.common.policies:list_rules
  [04:07:12PM] ayoung that is from setup.cfg
  [04:07:21PM] ayoung is that what it is trying to load?
  [04:07:36PM] @lbragstad well - it should be an entrypoint in oslo.policy
  [04:07:47PM] @lbragstad keystone is just responsible for exposing the namespace
  [04:07:59PM] @lbragstad https://github.com/openstack/keystone/blob/master/config-generator/keystone-policy-generator.conf
  [04:08:26PM] @lbragstad which is the same as what nova defines
  [04:08:28PM] @lbragstad https://github.com/openstack/nova/blob/master/etc/nova/nova-policy-generator.conf
  [04:09:31PM] ayoung seems like it is not registered
  [04:12:16PM] ayoung yep, reproduced it here, too
  [04:15:32PM] @lbragstad i think we're missing this entrypoint
  [04:15:33PM] @lbragstad https://docs.openstack.org/oslo.policy/latest/user/usage.html#merged-file-generation
  [04:15:45PM] @lbragstad which just needs something to return the _ENFORCER
  [04:15:55PM] @lbragstad so keystone.common.policy:get_enforcer
  [04:15:59PM] @lbragstad or something like that
  [04:16:24PM] @lbragstad logan-: certainly a bug
  [04:16:35PM] @lbragstad logan-: would you be able to open up something in launchpad?
  [04:16:53PM] @lbragstad we can get a patch up shortly, i think we're missing something with how we wire up the entry points

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1740951/+subscriptions
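
The two failure modes in this report (a namespace with no registered enforcer hook, and a hook that parses the calling tool's command line) and the empty-argument-list fix from the commit message, as an added example that is not keystone's or oslo.policy's code. Assumptions: argparse stands in for oslo.config, a plain dict stands in for the entry-point table, and the rule values, override and paths are constructed samples.

```python
import argparse
import sys

# Constructed sample data: in-code defaults and an operator override file.
DEFAULT_RULES = {"identity:get_user": "rule:admin_or_owner",
                 "identity:list_users": "rule:admin_required"}
OVERRIDES_ON_DISK = {"identity:list_users": "role:auditor"}


def _service_parser():
    # Stand-in for the service's config object: it knows only its own options.
    parser = argparse.ArgumentParser(prog="service-conf", add_help=False)
    parser.add_argument("--config-file", default="/etc/demo/demo.conf")
    return parser


class Enforcer:
    def __init__(self, conf):
        self.conf = conf
        # Complete policy = defaults registered in code + overrides on disk.
        self.rules = {**DEFAULT_RULES, **OVERRIDES_ON_DISK}


def get_enforcer_broken():
    # parse_args() with no argument reads sys.argv[1:], i.e. the *caller's* flags.
    return Enforcer(_service_parser().parse_args())


def get_enforcer():
    # Substitute an empty list so the caller's flags never reach the parser.
    return Enforcer(_service_parser().parse_args([]))


def run_generator(namespace, registry):
    """Mimic a generator CLI whose own flags are in sys.argv during the hook."""
    saved, sys.argv = sys.argv, ["policy-generator", "--namespace", namespace]
    try:
        factory = registry.get(namespace)
        if factory is None:
            return "namespace not registered"
        return factory().rules
    except SystemExit:
        return "config parser rejected the generator's arguments"
    finally:
        sys.argv = saved


if __name__ == "__main__":
    print(run_generator("keystone", {}))
    print(run_generator("keystone", {"keystone": get_enforcer_broken}))
    print(run_generator("keystone", {"keystone": get_enforcer}))
```

A policy file rendered this way is only complete when the hook succeeds, so a consumer such as horizon should treat either failure string as "no policy available" rather than falling back to an empty rule set.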

