OpenStack Identity (keystone)

Allow policy actions in code to be importable for RBAC testing

Bug #1675822 reported by Felipe Monteiro on 2017-03-24

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Unassigned	OpenStack Identity (keystone) pike-1 "pike-1"

Bug Description

Now that Keystone is defining all of its policy actions in code, it is no longer possible to read the keystone policy.json in order to retrieve an exhaustive list of all the Keystone policy actions, necessary for RBAC testing by Patrole.

Currently, Nova has its policy actions in code [0] and allows them to be imported via setup.cfg [1].

Keystone can do the same thing as Nova by adding

oslo.policy.policies =
keystone = keystone.common.policies:list_rules

to its setup.cfg.

Moreover, oslo.policy currently uses the "oslo.policy.policies" extension by default [2] in order to generate a sample policy file.

This bug fix, therefore, solves both issues.

[0] https://github.com/openstack/nova/blob/master/nova/policies/__init__.py
[1] https://github.com/openstack/nova/blob/master/setup.cfg
[2] https://github.com/openstack/oslo.policy/blob/master/oslo_policy/generator.py

Felipe Monteiro (fm577c) on 2017-03-24

Changed in keystone:
assignee:	nobody → Felipe Monteiro (fm577c)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-24: Fix proposed to keystone (master)

#1

Fix proposed to branch: master
Review: https://review.openstack.org/449694

Changed in keystone:
status:	New → In Progress

Revision history for this message

Anthony Washington (anthony-washington) wrote on 2017-03-24:

#2

Hey, Felipe we already have a commit that's in progress to be committed for this fix https://review.openstack.org/#/c/443344/

Changed in keystone:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-24: Change abandoned on keystone (master)

#3

Change abandoned by Felipe Monteiro (<email address hidden>) on branch: master
Review: https://review.openstack.org/449694
Reason: Duplicate.

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-03-24:

#4

Moving this back to In Progress since the proposed solution hasn't merged yet. Anthony, thanks for the update!

Changed in keystone:
status:	Fix Committed → In Progress
assignee:	Felipe Monteiro (fm577c) → nobody
assignee:	nobody → Anthony Washington (anthony-washington)
importance:	Undecided → High
milestone:	none → pike-1

Revision history for this message

Anthony Washington (anthony-washington) wrote on 2017-04-04:

#5

Patch finally merged to master https://review.openstack.org/#/c/443344/ :)

Changed in keystone:
status:	In Progress → Fix Released

Lance Bragstad (lbragstad) on 2017-04-04

Changed in keystone:
status:	Fix Released → Fix Committed

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-08-02:

#6

Automatically unassigning due to inactivity.

Changed in keystone:
assignee:	Anthony Washington (anthony-washington) → nobody

Colleen Murphy (krinkle) on 2018-01-27

Changed in keystone:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.