Keystone's policy enforcer breaks oslopolicy-list-redundant
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Unassigned |
Bug Description
If I create a config file named fake.conf that looks like this:
[oslo_policy]
policy_file = /home/fedora/
and put a redundant rule in the referenced policy file, that rule should get printed out when I run:
oslopolicy-
Unfortunately it's not. I believe the reason is this line in the enforcer code in keystone: https:/
That causes the config object to drop all cli arguments, so the --config-file is ignored and the default search path is used. In my case, I don't actually have a file at the default search path so the tool silently* falls back to the default policy-in-code. This means the tool is essentially doing nothing, but behaving as if it verified everything.
*: Silent because it uses the default value for policy_file, and since policy files are optional now we don't warn if the default one is missing.
I am able to fix this by making the following changes:
diff --git a/keystone/
index 52cc86c36.
--- a/keystone/
+++ b/keystone/
@@ -40,7 +40,7 @@ def get_enforcer():
# from the CONF object. This makes things easier here because we don't have
# to parse arguments passed in from the command line and remove unexpected
# arguments before building a Config object.
- CONF([], project='keystone')
+ #CONF([], project='keystone')
return _ENFORCER._enforcer
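Review bot: commenting out `CONF([], project='keystone')` instead of deleting it leaves dead code, and the comment block directly above it (which explains that passing `[]` means "we don't have to parse arguments passed in from the command line and remove unexpected arguments before building a Config object") now describes a call that no longer happens; delete the line and reword that comment. More importantly, this hunk removes the enforcer's only initialization of the config object, so any caller of `get_enforcer()` that does not arrive through an oslo.policy entry point (and therefore never calls `CONF` itself) would now see an uninitialized `CONF`; confirm every caller of `get_enforcer()` before relying on the entry point to do this.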
and
diff --git a/oslo_
index bd75389..ab12931 100644
--- a/oslo_
+++ b/oslo_
@@ -391,7 +391,7 @@ def upgrade_
def list_redundant(
logging.
- conf = cfg.ConfigOpts()
+ conf = cfg.CONF
conf.
conf.
conf(args)
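Review bot: replacing a fresh `cfg.ConfigOpts()` with the process-global `cfg.CONF` makes `list_redundant` depend on whatever state the loaded project has already put on the global object, and the unchanged `conf(args)` call then parses the tool's argv into that shared object; this only behaves because the keystone hunk stops the enforcer from calling `CONF` itself, so the two changes are coupled and neither is safe to merge on its own. Either record that dependency in a comment next to `conf = cfg.CONF`, or pass the tool's own `ConfigOpts` instance into the project's enforcer so the project never has to touch the global. The truncated `conf.` lines above `conf(args)` also need a check: anything they register now lands on the same object as the project's own option registrations, and oslo.config raises `DuplicateOptError` when an option is registered twice with differing definitions.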
I'm not entirely sure why the CONF object was getting re-initialized in the enforcer code in Keystone. IMHO that's the job of the entry point, which in this case is oslo.policy. I believe Keystone is already initializing the object itself in https:/
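The silent fallback described above, as an added example that is not keystone's or oslo.policy's own code: it resolves the `[oslo_policy] policy_file` setting with the standard library only, and contrasts the honoured `--config-file` path with the dropped-argument path. The default file name `policy.json`, the relative-path rule and the `fake.conf` contents are assumed or constructed for the demonstration.

```python
import configparser
import os
import tempfile

# Assumed default file name (the real default is oslo.policy's own option).
DEFAULT_POLICY_FILE = "policy.json"


def policy_file_status(config_path=None, default_dir=None):
    """Return (resolved_path, exists).  config_path=None models the bug:
    --config-file was dropped, so only the default in default_dir is tried."""
    if config_path is None:
        path = os.path.join(default_dir or os.getcwd(), DEFAULT_POLICY_FILE)
    else:
        parser = configparser.ConfigParser()
        parser.read(config_path)
        path = parser.get("oslo_policy", "policy_file",
                          fallback=DEFAULT_POLICY_FILE)
        if not os.path.isabs(path):  # assume relative to the config file
            path = os.path.join(os.path.dirname(os.path.abspath(config_path)),
                                path)
    return path, os.path.isfile(path)


def describe(status):
    """The warning the tool never prints (policy files are optional)."""
    path, exists = status
    if exists:
        return "loading policy rules from %s" % path
    return "%s missing: falling back to policy-in-code, file not checked" % path


def demo():
    """Constructed fake.conf plus a one-rule policy file; compare the
    honoured --config-file path with the dropped-argument path."""
    with tempfile.TemporaryDirectory() as d:
        policy = os.path.join(d, "policy.yaml")
        with open(policy, "w") as f:
            f.write('"identity:get_user": "role:reader"\n')  # constructed rule
        conf = os.path.join(d, "fake.conf")
        with open(conf, "w") as f:
            f.write("[oslo_policy]\npolicy_file = %s\n" % policy)
        honoured = policy_file_status(conf)
        dropped = policy_file_status(None, default_dir=d)  # the CONF([]) case
        return {"honoured": honoured[1], "dropped": dropped[1],
                "honoured_msg": describe(honoured), "dropped_msg": describe(dropped)}
```

Running `demo()` returns `honoured` as `True` and `dropped` as `False`: with the argument dropped, the default file is absent and the tool would verify nothing while reporting no error.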
Changed in keystone:
status: New → Triaged
importance: Undecided → High
milestone: none → train-rc1
Changed in keystone:
importance: High → Medium
Changed in keystone:
milestone: train-rc1 → none
It's fixed and merged in [1].
[1] https://review.opendev.org/#/c/690630