heat.common.policy module¶
Policy Engine For Heat.
- class heat.common.policy.Enforcer(scope='heat', exc=<class 'heat.common.exception.Forbidden'>, default_rule=<oslo_policy._checks.FalseCheck object>, policy_file=None)[source]¶
Bases:
object
Responsible for loading and enforcing rules.
- check_is_admin(context)[source]¶
Whether or not is admin according to policy.
By default the rule will check whether or not roles contains ‘admin’ role and is admin project.
- param context
Heat request context
- returns
A non-False value if the user is admin according to policy
- enforce(context, action, scope=None, target=None, is_registered_policy=False)[source]¶
Verifies that the action is valid on the target in this context.
- Parameters
context – Heat request context
action – String representing the action to be checked
target – Dictionary representing the object of the action.
- Raises
heat.common.exception.Forbidden – When permission is denied (or self.exc if supplied).
- Returns
A non-False value if access is allowed.
- class heat.common.policy.ResourceEnforcer(default_rule=<oslo_policy._checks.TrueCheck object>, **kwargs)[source]¶
Bases:
heat.common.policy.Enforcer
- enforce(context, res_type, scope=None, target=None, is_registered_policy=False)[source]¶
Verifies that the action is valid on the target in this context.
- Parameters
context – Heat request context
action – String representing the action to be checked
target – Dictionary representing the object of the action.
- Raises
heat.common.exception.Forbidden – When permission is denied (or self.exc if supplied).
- Returns
A non-False value if access is allowed.