From f57b6ead5740d1c1b715cde15f7e5d4f303bdf93 Mon Sep 17 00:00:00 2001
From: Ivan Kolodyazhny <e0ne@e0ne.info>
Date: Mon, 2 Sep 2019 18:25:55 +0300
Subject: [PATCH] Handle Permission Denied for policy files

oslo.policy doesn't handle Permission Denied error during file
parsing. This patch just ignores IOError exceptions to fallback to
the default behaviour.

Closes-Bug: #1845523
Change-Id: I87c2862e6e3a3f42d231552b00dc02364d6fa14f
---
 openstack_auth/policy.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py
index e8cc6d2dda..a039927582 100644
--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@@ -64,7 +64,16 @@ def _get_enforcer():
             policy_file, policy_dirs = _get_policy_file_with_full_path(service)
             conf = _get_policy_conf(policy_file, policy_dirs)
             enforcer = policy.Enforcer(conf)
-            enforcer.load_rules()
+            try:
+                enforcer.load_rules()
+            except IOError:
+                # Just in case if we have permission denied error which is not
+                # handled by oslo.policy now. It will handled in the code like
+                # we don't have any policy file: allow action from the Horizon
+                # side.
+                LOG.warning("Cannot load a policy file '%s' for service '%s' "
+                            "due to IOError. One possible reason is "
+                            "permission denied.", policy_file, service)
             # Ensure enforcer.rules is populated.
             if enforcer.rules:
                 LOG.debug("adding enforcer for service: %s", service)