Handle Permission Denied for policy files

oslo.policy doesn't handle Permission Denied error during file parsing. This patch just ignores IOError exceptions to fallback to the default behaviour. Closes-Bug: #1845523 Change-Id: I87c2862e6e3a3f42d231552b00dc02364d6fa14f
2019-09-02 18:25:55 +03:00 · 2019-09-02 18:25:55 +03:00 · f57b6ead57
commit f57b6ead57
parent 30b7cfb9b8
1 changed files with 10 additions and 1 deletions
--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@ -64,7 +64,16 @@ def _get_enforcer():
            policy_file, policy_dirs = _get_policy_file_with_full_path(service)
            conf = _get_policy_conf(policy_file, policy_dirs)
            enforcer = policy.Enforcer(conf)
-            enforcer.load_rules()
+            try:
+                enforcer.load_rules()
+            except IOError:
+                # Just in case if we have permission denied error which is not
+                # handled by oslo.policy now. It will handled in the code like
+                # we don't have any policy file: allow action from the Horizon
+                # side.
+                LOG.warning("Cannot load a policy file '%s' for service '%s' "
+                            "due to IOError. One possible reason is "
+                            "permission denied.", policy_file, service)
            # Ensure enforcer.rules is populated.
            if enforcer.rules:
                LOG.debug("adding enforcer for service: %s", service)