keystone.policy.backends package

Submodules

keystone.policy.backends.base module

class keystone.policy.backends.base.PolicyDriverBase

Bases: object

create_policy(policy_id, policy)

Store a policy blob.

Raises: keystone.exception.Conflict – If a duplicate policy exists.

delete_policy(policy_id)

Remove a policy blob.

Raises: keystone.exception.PolicyNotFound – If the policy doesn't exist.

enforce(context, credentials, action, target)

Verify that a user is authorized to perform action.

For more information on a full implementation of this see: keystone.policy.backends.rules.Policy.enforce

get_policy(policy_id)

Retrieve a specific policy blob.

Raises: keystone.exception.PolicyNotFound – If the policy doesn't exist.

list_policies()

List all policies.

update_policy(policy_id, policy)

Update a policy blob.

Raises: keystone.exception.PolicyNotFound – If the policy doesn't exist.

keystone.policy.backends.rules module

Policy engine for keystone.

class keystone.policy.backends.rules.Policy

Bases: keystone.policy.backends.base.PolicyDriverBase

create_policy(policy_id, policy)
delete_policy(policy_id)
enforce(credentials, action, target)
get_policy(policy_id)
list_policies()
update_policy(policy_id, policy)

keystone.policy.backends.rules.enforce(credentials, action, target, do_raise=True)

Verify that the action is valid on the target in this context.

Parameters:
  • credentials – user credentials
  • action – string representing the action to be checked, which should be colon separated for clarity.
  • target – dictionary representing the object of the action; for object creation this should be a dictionary representing the location of the object, e.g. {'project_id': object.project_id}

Raises: keystone.exception.Forbidden – If verification fails.

Actions should be colon separated for clarity. For example:

  • identity:list_users

keystone.policy.backends.rules.init()

keystone.policy.backends.rules.reset()

keystone.policy.backends.sql module

class keystone.policy.backends.sql.Policy

Bases: keystone.policy.backends.rules.Policy

create_policy(*args, **kwargs)
delete_policy(policy_id)
get_policy(policy_id)
list_policies()
update_policy(*args, **kwargs)

class keystone.policy.backends.sql.PolicyModel(*args, **kwargs)

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase

attributes = ['id', 'blob', 'type']
blob
extra
id
type

Module contents