oslopolicy-list-redundant loses cli args when used with keystone
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Undecided
|
Ben Nemec | ||
oslo.policy |
Fix Released
|
Medium
|
Ben Nemec |
Bug Description
There is an issue with the configuration handling in oslo.policy and keystone that causes cli args like --config-file to be ignored in the keystone enforcer when running oslopolicy-
One solution would be to have oslo.policy initialize the global config object itself (switching [1] to use the global object instead of a local one) and remove the initialization from the enforcer entirely. One potential downside of this is that if a project's enforcer needs project-specific config setup it wouldn't be possible for that to happen (oslo.policy wouldn't know about it), but since that doesn't apply to keystone and would only really be an issue if a project's enforcer had a dependency on a cli arg (cli args are the only thing that need to be registered before calling the conf object), I think it's a worthwhile tradeoff.
0: https:/
1: https:/
summary: |
- oslo-policy-checker loses cli args when used with keystone + oslopolicy-list-redundant loses cli args when used with keystone |
Oh yuck, it looks like this is happening in all projects. Here's Nova's call: https:/ /github. com/openstack/ nova/blob/ 2718de6ed7c21f8 ff8cf74164ae505 4531fdbc30/ nova/policy. py#L224
That's going to make this a real joy to fix. :-/
Hopefully we can switch oslo.policy to use the global conf object and not break everyone, then migrate projects away from their own calls over time.