
yahoo-eng-team team mailing list archive

[Bug 1849518] [NEW] oslo-policy-checker loses cli args when used with keystone

 

Public bug reported:

There is an issue with the configuration handling in oslo.policy and
keystone that causes cli args like --config-file to be ignored in the
keystone enforcer when running oslopolicy-list-redundant. Specifically,
because keystone re-initializes the global config object when creating
the enforcer[0], and doesn't pass any cli args to it, those cli args get
ignored. This can cause problems if, for example, the policy file is not
in the default location and is instead specified in the config file
passed via --config-file. Since --config-file gets ignored by the
enforcer, it just looks in the default location and doesn't find a file.

One solution would be to have oslo.policy initialize the global config
object itself (switching [1] to use the global object instead of a local
one) and remove the initialization from the enforcer entirely. One
potential downside of this is that if a project's enforcer needs
project-specific config setup it wouldn't be possible for that to happen
(oslo.policy wouldn't know about it), but since that doesn't apply to
keystone and would only really be an issue if a project's enforcer had a
dependency on a cli arg (cli args are the only thing that need to be
registered before calling the conf object), I think it's a worthwhile
tradeoff.

0: https://github.com/openstack/keystone/blob/1ef56e58ec63f19eff25a1044c8831ba8f97e26a/keystone/common/rbac_enforcer/policy.py#L43
1: https://github.com/openstack/oslo.policy/blob/0f7e144d013155f27f74b0eb91b7ae0f1530a86b/oslo_policy/generator.py#L399

** Affects: keystone
     Importance: Undecided
         Status: New

** Affects: oslo.policy
     Importance: Medium
         Status: Triaged

** Also affects: keystone
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1849518

Title:
  oslo-policy-checker loses cli args when used with keystone

Status in OpenStack Identity (keystone):
  New
Status in oslo.policy:
  Triaged

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1849518/+subscriptions
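
The failure mode described in the report, as an added stdlib-only model (not keystone's or oslo.policy's code). `MiniConf`, the two flow functions and all paths are hypothetical stand-ins for the global config object, the tool plus enforcer, and the deployment's files.

```python
# Stdlib-only model; MiniConf is a hypothetical stand-in, not oslo.config's API.
import argparse
import configparser
import os
import tempfile

DEFAULT_POLICY = "/etc/demo/policy.yaml"  # constructed default location

class MiniConf:
    """Config object whose every call re-parses args and discards earlier state."""

    def __init__(self):
        self.policy_file = DEFAULT_POLICY

    def __call__(self, args):
        parser = argparse.ArgumentParser()
        parser.add_argument("--config-file")
        ns, _ = parser.parse_known_args(args)
        self.policy_file = DEFAULT_POLICY  # re-initialization resets the value
        if ns.config_file:
            ini = configparser.ConfigParser(interpolation=None)
            ini.read(ns.config_file)
            self.policy_file = ini.get("oslo_policy", "policy_file",
                                       fallback=DEFAULT_POLICY)

CONF = MiniConf()  # the shared global object

def reported_flow(argv):
    """Tool parses argv into a local object; enforcer re-inits the global with []."""
    local = MiniConf()
    local(argv)
    CONF([])  # enforcer creation: no CLI args passed, so --config-file is lost
    return CONF.policy_file

def proposed_flow(argv):
    """Tool initializes the global object itself; enforcer does not re-initialize."""
    CONF(argv)
    return CONF.policy_file

def demo():
    """Return (configured path, path used today, path used after the proposal)."""
    with tempfile.TemporaryDirectory() as d:
        custom = os.path.join(d, "custom-policy.yaml")  # constructed sample path
        conf_path = os.path.join(d, "demo.conf")
        with open(conf_path, "w") as fh:
            fh.write("[oslo_policy]\npolicy_file = %s\n" % custom)
        argv = ["--config-file", conf_path]
        return custom, reported_flow(argv), proposed_flow(argv)
```

In the reported flow the enforcer ends up with the default policy path even though `--config-file` named a different one; in the proposed flow it sees the configured path.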

