Add entry point to allow for oslo.policy CLI usage

The oslo.policy library exposes entry points so that users can
generate sample policy files and templates. The entry points do
expect some things to be done by the service in order to work,
though.

This commit adds an entry point for oslo.policy so that it can
consume an enforcer that has been initialized with Mistral's
policies. The library will use this to generate useful things
for users like templates and sample policy files.

Change-Id: Ib442fbb79b5c237d634586c3169cf8c7f595da1c
Closes-Bug: 1793346
Lance Bragstad 2018-09-19 16:22:08 +00:00
parent f85e57da89
commit 5e3cdec918
2 changed files with 27 additions and 1 deletions


@ -21,6 +21,9 @@ from oslo_policy import policy
from mistral import exceptions as exc from mistral import exceptions as exc
from mistral import policies from mistral import policies
CONF = cfg.CONF
_ENFORCER = None _ENFORCER = None
@ -84,6 +87,26 @@ def enforce(action, context, target=None, do_raise=True,
) )
def get_enforcer():
"""Entrypoint that must return the raw oslo.policy enforcer obj.
This is utilized by the command-line policy tools.
:returns: :class:`oslo_policy.policy.Enforcer`
"""
# Here we pass an empty list of arguments because there aren't any
# arguments that oslo.config or oslo.policy shouldn't already understand
# from the CONF object. This makes things easier here because we don't have
# to parse arguments passed in from the command line and remove unexpected
# arguments before building a Config object.
CONF([], project='mistral')
enforcer = policy.Enforcer(CONF)
enforcer.register_defaults(policies.list_rules())
enforcer.load_rules()
return enforcer
def _ensure_enforcer_initialization(): def _ensure_enforcer_initialization():
global _ENFORCER global _ENFORCER
if not _ENFORCER: if not _ENFORCER:
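Review bot: get_enforcer() calls `CONF([], project='mistral')` on the process-global `cfg.CONF`, so every call re-parses configuration with an empty argument list. That suits the oslo.policy command-line tools, but if service code ever called this function it would presumably drop any config files named on the service's command line and build the enforcer from the default search path. The docstring should state that limit, for example `Not for use by the running service: this re-initializes the global CONF from the default config locations.` For the same reason, the generated sample or checked policy reflects whichever mistral.conf and policy file the default lookup finds, which can differ from what a deployment started with an explicit `--config-file` actually enforces. Operators comparing tool output against live authorization behaviour need that caveat in the docs.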


@ -47,6 +47,9 @@ oslo.config.opts.defaults =
oslo.policy.policies = oslo.policy.policies =
mistral = mistral.policies:list_rules mistral = mistral.policies:list_rules
oslo.policy.enforcer =
mistral = mistral.api.access_control:get_enforcer
mistral.actions = mistral.actions =
std.async_noop = mistral.actions.std_actions:AsyncNoOpAction std.async_noop = mistral.actions.std_actions:AsyncNoOpAction
std.noop = mistral.actions.std_actions:NoOpAction std.noop = mistral.actions.std_actions:NoOpAction