I'm having issues dumping policy from Keystone in Pike
root@aio1-keystone-container-398c6a0f:~# /openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator --namespace keystone
WARNING:stevedore.named:Could not load keystone
Traceback (most recent call last):
File "/openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator", line 11, in <module>
sys.exit(generate_policy())
File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 233, in generate_policy
_generate_policy(conf.namespace, conf.output_file)
File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 178, in _generate_policy
enforcer = _get_enforcer(namespace)
File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 74, in _get_enforcer
enforcer = mgr[namespace].obj
File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/stevedore/extension.py", line 314, in __getitem__
return self._extensions_by_name[name]
KeyError: 'keystone'
Normally it works like this with Nova:
root@aio1-nova-api-os-compute-container-3589c25e:~# /openstack/venvs/nova-16.0.6/bin/oslopolicy-policy-generator --namespace nova
"os_compute_api:os-evacuate": "rule:admin_api"
"os_compute_api:servers:create": "rule:admin_or_owner"
"os_compute_api:os-extended-volumes": "rule:admin_or_owner"
"os_compute_api:servers:create:forced_host": "rule:admin_api"
"os_compute_api:os-aggregates:remove_host": "rule:admin_api"
...
IRC convo regarding this bug:
[04:00:26PM] logan- hello. I'm trying to use oslopolicy-policy-generator to dump the base RBAC so it can be combined with my policy overrides and provided to horizon. with nova i'm able to dump RBAC using "/path/to/nova/venv/bin/oslopolicy-policy-generator --namespace nova", but the doing the same with keystone using "keystone" or "identity" as the namespace does not work.
[04:01:39PM] @lbragstad logan-: do you have keystone installed?
[04:01:57PM] @lbragstad let me see if i can recreate
[04:03:30PM] logan- o/ @lbragstad. yep keystone's installed. here's the venv and output for the oslopolicy command at the bottom: http://paste.openstack.org/raw/636624/
[04:03:53PM] @lbragstad huh - weird
[04:03:56PM] @lbragstad i can recreate
[04:04:48PM] ayoung @lbragstad, logan- I bet it is a dependency issue
[04:05:25PM] ayoung trying to load Keystone fails cuz some other library is missing, and I bet that is pulled in from oslopolicy polgen
[04:07:05PM] ayoung oslo.policy.policies =
[04:07:05PM] ayoung # With the move of default policy in code list_rules returns a list of
[04:07:05PM] ayoung # the default defined polices.
[04:07:05PM] ayoung keystone = keystone.common.policies:list_rules
[04:07:12PM] ayoung that is from setup.cfg
[04:07:21PM] ayoung is that what iti is trying to load?
[04:07:36PM] @lbragstad well - it's should be an entrypoint in oslo.policy
[04:07:47PM] @lbragstad keystone is just responsible for exposing the namespace
[04:07:59PM] @lbragstad https://github.com/openstack/keystone/blob/master/config-generator/keystone-policy-generator.conf
[04:08:26PM] @lbragstad which is the same as what nova defines
[04:08:28PM] @lbragstad https://github.com/openstack/nova/blob/master/etc/nova/nova-policy-generator.conf
[04:09:31PM] ayoung seems like it is not registered
[04:12:16PM] ayoung yep, reproduced it here, too
[04:15:32PM] @lbragstad i think we're missing this entrypoint
[04:15:33PM] @lbragstad https://docs.openstack.org/oslo.policy/latest/user/usage.html#merged-file-generation
[04:15:45PM] @lbragstad which just needs something to return the _ENFORCER
[04:15:55PM] @lbragstad so keystone.common.policy:get_enforcer
[04:15:59PM] @lbragstad or something like that
[04:16:24PM] @lbragstad logan-: certainly a bug
[04:16:35PM] @lbragstad logan-: would you be able to open up something in launchpad?
[04:16:53PM] @lbragstad we can get a patch up shortly, i think we're missing something with how we wire up the entry poionts
Fix proposed to branch: master
Review: https:/