keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).
  Fossies Dox: keystone-18.0.0.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

status.py
1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
2 # not use this file except in compliance with the License. You may obtain
3 # a copy of the License at
4 #
5 # http://www.apache.org/licenses/LICENSE-2.0
6 #
7 # Unless required by applicable law or agreed to in writing, software
8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10 # License for the specific language governing permissions and limitations
11 # under the License.
12 
13 from oslo_policy import _checks
14 from oslo_policy import policy
15 from oslo_upgradecheck import upgradecheck
16 
17 from keystone.common import driver_hints
18 from keystone.common import provider_api
19 from keystone.common import rbac_enforcer
20 import keystone.conf
21 from keystone.server import backends
22 
# Shared configuration object; passed to policy.Enforcer and upgradecheck.main.
CONF = keystone.conf.CONF
# Bound to the RBACEnforcer class itself (no instance is created here); its
# register_rules() is used to register rules on a policy enforcer.
ENFORCER = rbac_enforcer.RBACEnforcer
# Registry through which the role backend (role_api) is reached.
PROVIDERS = provider_api.ProviderAPIs
26 
27 
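class Checks(upgradecheck.UpgradeCommands):
    """Programmable upgrade checks.

    Each method here should be a programmable check that helps check for things
    that might cause issues for deployers in the upgrade process. A good
    example of an upgrade check would be to ensure all roles defined in
    policies actually exist within the roles backend.
    """

    def check_trust_policies_are_not_empty(self):
        """Fail when a trust policy rule resolves to an always-true check.

        Builds a policy enforcer from ``CONF``, registers rules through
        ``ENFORCER``, loads the rules, and reports every trust rule whose
        effective check is a ``_checks.TrueCheck``. Per the failure message,
        that is what an override of ``""``, ``"@"`` or ``[]`` produces, and
        such rules become fully permissive once hardcoded enforcement is
        removed.

        Returns:
            upgradecheck.Result: ``FAILURE`` naming the affected rules, or
            ``SUCCESS`` when none of the listed rules is a ``TrueCheck``.
        """
        enforcer = policy.Enforcer(CONF)
        ENFORCER.register_rules(enforcer)
        enforcer.load_rules()
        # One string literal per rule, each followed by a comma. Adjacent
        # literals with no comma between them are concatenated by Python,
        # which merges two rule names into a single key that matches no
        # registered rule -- both rules would then be skipped and the check
        # would report SUCCESS for them regardless of how they are set.
        rules = [
            'identity:list_trusts',
            'identity:delete_trust',
            'identity:get_trust',
            'identity:list_roles_for_trust',
            'identity:get_role_for_trust',
        ]
        failed_rules = []
        for rule in rules:
            # .get() returns None for an unknown rule name, which is never a
            # TrueCheck, so a misspelled name passes silently.
            current_rule = enforcer.rules.get(rule)
            if isinstance(current_rule, _checks.TrueCheck):
                failed_rules.append(rule)
        if failed_rules:
            return upgradecheck.Result(
                upgradecheck.Code.FAILURE,
                "Policy check string for rules \"%s\" are overridden to "
                "\"\", \"@\", or []. In the next release, this will cause "
                "these rules to be fully permissive as hardcoded enforcement "
                "will be removed. To correct this issue, either stop "
                "overriding these rules in config to accept the defaults, or "
                "explicitly set check strings that are not empty." %
                "\", \"".join(failed_rules)
            )
        return upgradecheck.Result(
            upgradecheck.Code.SUCCESS, 'Trust policies are safe.')

    def check_default_roles_are_immutable(self):
        """Fail when a default global role lacks the ``immutable`` option.

        Lists roles filtered to ``domain_id`` of ``None`` and inspects those
        named ``admin``, ``member`` or ``reader``. A role is reported when
        its ``options`` mapping is missing or has no truthy ``immutable``
        entry. Only roles returned by the backend are examined, so a default
        role that does not exist is not reported.

        Returns:
            upgradecheck.Result: ``FAILURE`` listing the mutable role names,
            or ``SUCCESS`` when every default role found is immutable.
        """
        hints = driver_hints.Hints()
        hints.add_filter('domain_id', None)  # Only check global roles
        roles = PROVIDERS.role_api.list_roles(hints=hints)
        default_roles = ('admin', 'member', 'reader',)
        failed_roles = []
        for role in [r for r in roles if r['name'] in default_roles]:
            if not role.get('options', {}).get('immutable'):
                failed_roles.append(role['name'])
        if failed_roles:
            return upgradecheck.Result(
                upgradecheck.Code.FAILURE,
                "Roles are not immutable: %s" % ", ".join(failed_roles)
            )
        return upgradecheck.Result(
            upgradecheck.Code.SUCCESS, "Default roles are immutable.")

    # (description, check method) pairs for the upgrade checks above.
    _upgrade_checks = (
        ("Check trust policies are not empty",
         check_trust_policies_are_not_empty),
        ("Check default roles are immutable",
         check_default_roles_are_immutable),
    )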
90 
91 
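def main():
    """Run the keystone upgrade checks.

    Returns:
        Whatever ``upgradecheck.main`` returns for the ``keystone`` project
        with a ``Checks`` instance.
    """
    # NOTE(review): presumably sets up keystone's configuration on CONF
    # before the backends are loaded -- confirm against keystone.conf.
    keystone.conf.configure()
    # Loaded before the checks run; the role check reaches the role backend
    # through PROVIDERS.
    backends.load_backends()
    return upgradecheck.main(CONF, 'keystone', Checks())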
keystone.cmd.status.Checks.check_default_roles_are_immutable
def check_default_roles_are_immutable(self)
Definition: status.py:67
keystone.cmd.status.Checks
Definition: status.py:28
keystone.conf.configure
def configure(conf=None)
Definition: __init__.py:128
keystone.server
Definition: __init__.py:1
keystone.conf
Definition: __init__.py:1
keystone.cmd.status.main
def main()
Definition: status.py:92
keystone.cmd.status.Checks.check_trust_policies_are_not_empty
def check_trust_policies_are_not_empty(self)
Definition: status.py:37
keystone.common
Definition: __init__.py:1