The nova.policy Module

Policy Engine For Nova.

class IsAdminCheck(kind, match)

Bases: oslo_policy._checks.Check

An explicit check for is_admin.

check_is_admin(context)

Whether or not roles contains ‘admin’ role according to policy setting.

enforce(context, action, target, do_raise=True, exc=None)

Verifies that the action is valid on the target in this context.

Parameters:

• context – nova context
• action – string representing the action to be checked this should be colon separated for clarity. i.e. compute:create_instance, compute:attach_volume, volume:attach_volume
• target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id}
• do_raise – if True (the default), raises PolicyNotAuthorized; if False, returns False

Raises nova.exception.PolicyNotAuthorized:  

if verification fails and do_raise is True.

Returns:

returns a non-False value (not necessarily “True”) if authorized, and the exact value False if not authorized and do_raise is False.

get_rules()

init(policy_file=None, rules=None, default_rule=None, use_conf=True)

Init an Enforcer class.

Parameters:

• policy_file – Custom policy file to use, if none is specified, CONF.policy_file will be used.
• rules – Default dictionary / Rules to use. It will be considered just in the first instantiation.
• default_rule – Default rule to use, CONF.default_rule will be used if none is specified.
• use_conf – Whether to load rules from config file.

reset()

set_rules(rules, overwrite=True, use_conf=False)

Set rules based on the provided dict of rules.

Parameters:

• rules – New rules to use. It should be an instance of dict.
• overwrite – Whether to overwrite current rules or update them with the new rules.
• use_conf – Whether to reload rules from config file.