cinder.policy module¶

Policy Engine For Cinder

authorize(context, action, target, do_raise=True, exc=None)¶

Verifies that the action is valid on the target in this context.

Parameters:	context – cinder context action – string representing the action to be checked this should be colon separated for clarity. i.e. compute:create_instance, compute:attach_volume, volume:attach_volume target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id} do_raise – if True (the default), raises PolicyNotAuthorized; if False, returns False exc – Class of the exception to raise if the check fails. Any remaining arguments passed to authorize() (both positional and keyword arguments) will be passed to the exception class. If not specified, PolicyNotAuthorized will be used.
Raises:	cinder.exception.PolicyNotAuthorized – if verification fails and do_raise is True. Or if ‘exc’ is specified it will raise an exception of that type.
Returns:	returns a non-False value (not necessarily “True”) if authorized, and the exact value False if not authorized and do_raise is False.

check_is_admin(context)¶

Whether or not user is admin according to policy setting.

enforce(context, action, target)¶

Verifies that the action is valid on the target in this context.

Parameters:	context – cinder context action – string representing the action to be checked this should be colon separated for clarity. i.e. compute:create_instance, compute:attach_volume, volume:attach_volume target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id}
Raises:	PolicyNotAuthorized – if verification fails.

get_enforcer()¶

get_rules()¶

init(use_conf=True)¶

Init an Enforcer class.

Parameters:	use_conf – Whether to load rules from config file.

register_rules(enforcer)¶

reset()¶

set_rules(rules, overwrite=True, use_conf=False)¶

Set rules based on the provided dict of rules.

Parameters:	rules – New rules to use. It should be an instance of dict. overwrite – Whether to overwrite current rules or update them with the new rules. use_conf – Whether to reload rules from config file.

verify_deprecated_policy(old_policy, new_policy, default_rule, context)¶

Check the rule of the deprecated policy action

If the current rule of the deprecated policy action is set to a non-default value, then a warning message is logged stating that the new policy action should be used to dictate permissions as the old policy action is being deprecated.

Parameters:	old_policy – policy action that is being deprecated new_policy – policy action that is replacing old_policy default_rule – the old_policy action default rule value context – the cinder context