cinder.policy module¶
Policy Engine For Cinder
- authorize(context, action: str, target: dict, do_raise: bool = True, exc: Type[Exception] | None = None)¶
Verifies that the action is valid on the target in this context.
- Parameters:
context – cinder context
action – string representing the action to be checked this should be colon separated for clarity. i.e.
compute:create_instance
,compute:attach_volume
,volume:attach_volume
target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g.
{'project_id': context.project_id}
do_raise – if True (the default), raises PolicyNotAuthorized; if False, returns False
exc – Class of the exception to raise if the check fails. Any remaining arguments passed to
authorize()
(both positional and keyword arguments) will be passed to the exception class. If not specified,PolicyNotAuthorized
will be used.
- Raises:
cinder.exception.PolicyNotAuthorized – if verification fails and do_raise is True. Or if ‘exc’ is specified it will raise an exception of that type.
- Returns:
returns a non-False value (not necessarily “True”) if authorized, and the exact value False if not authorized and do_raise is False.
- check_is_admin(context: RequestContext)¶
Whether or not user is admin according to policy setting.
- enforce(context, action: str, target: dict)¶
Verifies that the action is valid on the target in this context.
- Parameters:
context – cinder context
action – string representing the action to be checked this should be colon separated for clarity. i.e.
compute:create_instance
,compute:attach_volume
,volume:attach_volume
target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g.
{'project_id': context.project_id}
- Raises:
PolicyNotAuthorized – if verification fails.
- get_enforcer() Enforcer ¶
- get_rules()¶
- init(use_conf=True, suppress_deprecation_warnings: bool = False) None ¶
Init an Enforcer class.
- Parameters:
use_conf – Whether to load rules from config file.
- register_rules(enforcer)¶
- reset() None ¶
- set_rules(rules: dict, overwrite: bool = True, use_conf: bool = False) None ¶
Set rules based on the provided dict of rules.
- Parameters:
rules – New rules to use. It should be an instance of dict.
overwrite – Whether to overwrite current rules or update them with the new rules.
use_conf – Whether to reload rules from config file.