
    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 from oslo_policy import _checks
   14 from oslo_policy import policy
   15 from oslo_upgradecheck import common_checks
   16 from oslo_upgradecheck import upgradecheck
   17 
   18 from keystone.common import driver_hints
   19 from keystone.common import provider_api
   20 from keystone.common import rbac_enforcer
   21 import keystone.conf
   22 from keystone.server import backends
   23 
# Module-level handles shared by every check below.
CONF = keystone.conf.CONF  # global keystone configuration object
ENFORCER = rbac_enforcer.RBACEnforcer  # used to register keystone's policy rules on an oslo.policy Enforcer
PROVIDERS = provider_api.ProviderAPIs  # backend registry; role_api is read by the roles check
   27 
   28 
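class Checks(upgradecheck.UpgradeCommands):
    """Programmable upgrade checks.

    Each method here should be a programmable check that helps check for things
    that might cause issues for deployers in the upgrade process. A good
    example of an upgrade check would be to ensure all roles defined in
    policies actually exist within the roles backend.
    """

    # Trust-related policy rules whose check string must never be overridden
    # to an always-true value. One rule name per line, each followed by a
    # comma: two adjacent string literals without a comma between them are
    # silently concatenated into a single bogus rule name that is never
    # checked.
    _TRUST_RULES = (
        'identity:list_trusts',
        'identity:delete_trust',
        'identity:get_trust',
        'identity:list_roles_for_trust',
        'identity:get_role_for_trust',
    )

    # Global roles that deployers are expected to protect from modification.
    _DEFAULT_ROLES = ('admin', 'member', 'reader',)

    def check_trust_policies_are_not_empty(self):
        """Fail if any trust policy rule was overridden to an empty check.

        A check string of "", "@" or [] is loaded by oslo.policy as a
        ``TrueCheck``, which grants access to every caller once the
        hard-coded enforcement is removed.

        :returns: ``upgradecheck.Result`` with ``Code.FAILURE`` listing the
            offending rules, or ``Code.SUCCESS`` when none is empty.
        """
        enforcer = policy.Enforcer(CONF)
        ENFORCER.register_rules(enforcer)
        enforcer.load_rules()
        failed_rules = [
            rule for rule in self._TRUST_RULES
            if isinstance(enforcer.rules.get(rule), _checks.TrueCheck)
        ]
        if failed_rules:
            return upgradecheck.Result(
                upgradecheck.Code.FAILURE,
                "Policy check string for rules \"%s\" are overridden to "
                "\"\", \"@\", or []. In the next release, this will cause "
                "these rules to be fully permissive as hardcoded enforcement "
                "will be removed. To correct this issue, either stop "
                "overriding these rules in config to accept the defaults, or "
                "explicitly set check strings that are not empty." %
                "\", \"".join(failed_rules)
            )
        return upgradecheck.Result(
            upgradecheck.Code.SUCCESS, 'Trust policies are safe.')

    def check_default_roles_are_immutable(self):
        """Fail if any global default role is not marked immutable.

        Only roles with no domain (``domain_id`` filtered to ``None``) are
        inspected; a role passes when its ``options`` mapping has a truthy
        ``immutable`` entry.

        :returns: ``upgradecheck.Result`` with ``Code.FAILURE`` naming the
            mutable default roles, or ``Code.SUCCESS``.
        """
        hints = driver_hints.Hints()
        hints.add_filter('domain_id', None)  # Only check global roles
        roles = PROVIDERS.role_api.list_roles(hints=hints)
        failed_roles = [
            role['name'] for role in roles
            if role['name'] in self._DEFAULT_ROLES
            # `or {}` also covers a role whose options are stored as None.
            and not (role.get('options') or {}).get('immutable')
        ]
        if failed_roles:
            return upgradecheck.Result(
                upgradecheck.Code.FAILURE,
                "Roles are not immutable: %s" % ", ".join(failed_roles)
            )
        return upgradecheck.Result(
            upgradecheck.Code.SUCCESS, "Default roles are immutable.")

    # (display name, check) pairs consumed by oslo.upgradecheck; the policy
    # JSON check is a shared oslo helper parameterised with this deployment's
    # configuration.
    _upgrade_checks = (
        ("Check trust policies are not empty",
         check_trust_policies_are_not_empty),
        ("Check default roles are immutable",
         check_default_roles_are_immutable),
        ("Policy File JSON to YAML Migration",
         (common_checks.check_policy_json, {'conf': CONF})),
    )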
   93 
   94 
def main():
    """Entry point: configure keystone, load backends, run the upgrade checks.

    :returns: the exit status produced by ``upgradecheck.main``.
    """
    keystone.conf.configure()
    backends.load_backends()
    commands = Checks()
    return upgradecheck.main(CONF, 'keystone', commands)