Unable to dump policy

Bug #1740951 reported by Logan V on 2018-01-02
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: High
Assigned to: Lance Bragstad

Bug Description

I'm having issues dumping policy from Keystone in Pike

root@aio1-keystone-container-398c6a0f:~# /openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator --namespace keystone
WARNING:stevedore.named:Could not load keystone
Traceback (most recent call last):
  File "/openstack/venvs/keystone-16.0.6/bin/oslopolicy-policy-generator", line 11, in <module>
    sys.exit(generate_policy())
  File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 233, in generate_policy
    _generate_policy(conf.namespace, conf.output_file)
  File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 178, in _generate_policy
    enforcer = _get_enforcer(namespace)
  File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/oslo_policy/generator.py", line 74, in _get_enforcer
    enforcer = mgr[namespace].obj
  File "/openstack/venvs/keystone-16.0.6/lib/python2.7/site-packages/stevedore/extension.py", line 314, in __getitem__
    return self._extensions_by_name[name]
KeyError: 'keystone'

Normally it works like this with Nova:
root@aio1-nova-api-os-compute-container-3589c25e:~# /openstack/venvs/nova-16.0.6/bin/oslopolicy-policy-generator --namespace nova
"os_compute_api:os-evacuate": "rule:admin_api"
"os_compute_api:servers:create": "rule:admin_or_owner"
"os_compute_api:os-extended-volumes": "rule:admin_or_owner"
"os_compute_api:servers:create:forced_host": "rule:admin_api"
"os_compute_api:os-aggregates:remove_host": "rule:admin_api"
...

IRC convo regarding this bug:
[04:00:26PM] logan- hello. I'm trying to use oslopolicy-policy-generator to dump the base RBAC so it can be combined with my policy overrides and provided to horizon. with nova i'm able to dump RBAC using "/path/to/nova/venv/bin/oslopolicy-policy-generator --namespace nova", but doing the same with keystone using "keystone" or "identity" as the namespace does not work.
[04:01:39PM] @lbragstad logan-: do you have keystone installed?
[04:01:57PM] @lbragstad let me see if i can recreate
[04:03:30PM] logan- o/ @lbragstad. yep keystone's installed. here's the venv and output for the oslopolicy command at the bottom: http://paste.openstack.org/raw/636624/
[04:03:53PM] @lbragstad huh - weird
[04:03:56PM] @lbragstad i can recreate
[04:04:48PM] ayoung @lbragstad, logan- I bet it is a dependency issue
[04:05:25PM] ayoung trying to load Keystone fails cuz some other library is missing, and I bet that is pulled in from oslopolicy polgen
[04:07:05PM] ayoung oslo.policy.policies =
[04:07:05PM] ayoung # With the move of default policy in code list_rules returns a list of
[04:07:05PM] ayoung # the default defined polices.
[04:07:05PM] ayoung keystone = keystone.common.policies:list_rules
[04:07:12PM] ayoung that is from setup.cfg
[04:07:21PM] ayoung is that what it is trying to load?
[04:07:36PM] @lbragstad well - it should be an entrypoint in oslo.policy
[04:07:47PM] @lbragstad keystone is just responsible for exposing the namespace
[04:07:59PM] @lbragstad https://github.com/openstack/keystone/blob/master/config-generator/keystone-policy-generator.conf
[04:08:26PM] @lbragstad which is the same as what nova defines
[04:08:28PM] @lbragstad https://github.com/openstack/nova/blob/master/etc/nova/nova-policy-generator.conf
[04:09:31PM] ayoung seems like it is not registered
[04:12:16PM] ayoung yep, reproduced it here, too
[04:15:32PM] @lbragstad i think we're missing this entrypoint
[04:15:33PM] @lbragstad https://docs.openstack.org/oslo.policy/latest/user/usage.html#merged-file-generation
[04:15:45PM] @lbragstad which just needs something to return the _ENFORCER
[04:15:55PM] @lbragstad so keystone.common.policy:get_enforcer
[04:15:59PM] @lbragstad or something like that
[04:16:24PM] @lbragstad logan-: certainly a bug
[04:16:35PM] @lbragstad logan-: would you be able to open up something in launchpad?
[04:16:53PM] @lbragstad we can get a patch up shortly, i think we're missing something with how we wire up the entry points

Changed in keystone:
status: New → Confirmed
importance: Undecided → High

Fix proposed to branch: master
Review: https://review.openstack.org/530828

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Confirmed → In Progress
tags: added: office-hours

Reviewed: https://review.openstack.org/530828
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=85c957c50387ca47b68bc412879c753e7618f86b
Submitter: Zuul
Branch: master

commit 85c957c50387ca47b68bc412879c753e7618f86b
Author: Lance Bragstad <email address hidden>
Date: Wed Jan 3 02:18:13 2018 +0000

    Expose a get_enforcer method for oslo.policy scripts

    Because we have policy in code, we should be able to use the
    oslo.policy CLI scripts to produce sample policy files and render
    complete policies based on overrides on disk. This was broken
    because keystone wasn't removing unexpected commandline arguments
    before passing them to oslo.config to parse. This prevented
    people from generating complete policy files like they would for
    horizon.

    This commit exposes a get_enforcer() that substitutes an empty list
    in place of arguments passed in through the system. This makes it
    so that oslo.config doesn't choke when processing configuration
    values.

    Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
    Closes-Bug: 1740951

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 13.0.0.0b3 development milestone.
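
The failure mode described in the commit message above, as an added sketch that is not keystone's or oslo.policy's code: argparse stands in for oslo.config, a plain dict stands in for the entry-point registry the generator consults, and the rule names and values are constructed samples.

```python
import argparse
import sys


class StrictParser(argparse.ArgumentParser):
    """Raise instead of exiting, so the failure is visible to the caller."""

    def error(self, message):
        raise ValueError(message)


def parse_service_config(argv):
    # Stand-in for oslo.config: the service only knows its own options.
    parser = StrictParser(prog="service")
    parser.add_argument("--config-file", default="service.conf")
    return parser.parse_args(argv)


# Constructed sample defaults, not keystone's real policy.
DEFAULT_RULES = {
    "identity:get_user": "rule:admin_required",
    "identity:list_users": "rule:admin_required",
}


def get_enforcer_naive(argv=None):
    # Before: the service parses whatever command line the process was
    # started with, including the generator's own --namespace option.
    parse_service_config(sys.argv[1:] if argv is None else argv)
    return dict(DEFAULT_RULES)


def get_enforcer(argv=None):
    # After: ignore the caller's command line and parse an empty list.
    parse_service_config([])
    return dict(DEFAULT_RULES)


def generate_policy(namespace, registry, overrides, argv):
    # registry stands in for the entry-point table the generator consults;
    # a namespace that was never registered raises KeyError, as in the report.
    rules = registry[namespace](argv)
    rules.update(overrides)  # operator overrides win over in-code defaults
    return rules


if __name__ == "__main__":
    argv = ["--namespace", "keystone"]
    print(generate_policy("keystone", {"keystone": get_enforcer},
                          {"identity:list_users": "role:auditor"}, argv))
```

Rendering the merged result rather than only the override file matters for review: the effective rule for an API is the in-code default unless an override replaces it.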

Reviewed: https://review.openstack.org/534396
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=075b8ad41b990311f1bd14644adb078bf089e3b0
Submitter: Zuul
Branch: stable/pike

commit 075b8ad41b990311f1bd14644adb078bf089e3b0
Author: Lance Bragstad <email address hidden>
Date: Wed Jan 3 02:18:13 2018 +0000

    Expose a get_enforcer method for oslo.policy scripts

    Because we have policy in code, we should be able to use the
    oslo.policy CLI scripts to produce sample policy files and render
    complete policies based on overrides on disk. This was broken
    because keystone wasn't removing unexpected commandline arguments
    before passing them to oslo.config to parse. This prevented
    people from generating complete policy files like they would for
    horizon.

    This commit exposes a get_enforcer() that substitutes an empty list
    in place of arguments passed in through the system. This makes it
    so that oslo.config doesn't choke when processing configuration
    values.

    Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
    Closes-Bug: 1740951
    (cherry picked from commit 85c957c50387ca47b68bc412879c753e7618f86b)

tags: added: in-stable-pike
Changed in keystone:
milestone: none → queens-rc1
milestone: queens-rc1 → queens-3

This issue was fixed in the openstack/keystone 12.0.1 release.
