nova-policy¶

Synopsis¶

nova-policy [<options>...]

Description¶

nova-policy is a tool that allows for inspection of policy file configuration. It provides a way to identify the actions available for a user. It does not require a running deployment: validation runs against the policy files typically located at /etc/nova/policy.yaml and in the /etc/nova/policy.d directory. These paths are configurable via the [oslo_config] policy_file and [oslo_config] policy_dirs configuration options, respectively.

Options¶

General options

--config-dir DIR¶: Path to a config directory to pull *.conf files from. This file set is sorted, so as to provide a predictable parse order if individual options are over-ridden. The set is parsed after the file(s) specified via previous –config-file, arguments hence over-ridden options in the directory take precedence. This option must be set from the command-line.

--config-file PATH¶: Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. Defaults to None. This option must be set from the command-line.

--debug, -d¶: Set the logging level to DEBUG instead of the default INFO level.

--log-config-append PATH, --log-config PATH, --log_config PATH¶: The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, log-date-format).

--log-date-format DATE_FORMAT¶: Defines the format string for %(asctime)s in log records. Default: None . This option is ignored if log_config_append is set.

--log-dir LOG_DIR, --logdir LOG_DIR¶: (Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.

--log-file PATH, --logfile PATH¶: (Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.

--nodebug¶: The inverse of --debug.

--nouse-journal¶: The inverse of --use-journal.

--nouse-json¶: The inverse of --use-json.

--nouse-syslog¶: The inverse of --use-syslog.

--nowatch-log-file¶: The inverse of --watch-log-file.

--syslog-log-facility SYSLOG_LOG_FACILITY¶: Syslog facility to receive log lines. This option is ignored if log_config_append is set.

--use-journal¶: Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.

--use-json¶: Use JSON formatting for logging. This option is ignored if log_config_append is set.

--use-syslog¶: Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.

--version¶: Show program’s version number and exit

--watch-log-file¶: Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

User options

--os-roles <auth-roles>¶: Defaults to $OS_ROLES.

--os-tenant-id <auth-tenant-id>¶: Defaults to $OS_TENANT_ID.

--os-user-id <auth-user-id>¶: Defaults to $OS_USER_ID.

Debugger options

--remote_debug-host REMOTE_DEBUG_HOST¶: Debug host (IP or name) to connect to. This command line parameter is used when you want to connect to a nova service via a debugger running on a different host. Note that using the remote debug option changes how Nova uses the eventlet library to support async IO. This could result in failures that do not occur under normal operation. Use at your own risk.

--remote_debug-port REMOTE_DEBUG_PORT¶: Debug port to connect to. This command line parameter allows you to specify the port you want to use to connect to a nova service via a debugger running on different host. Note that using the remote debug option changes how Nova uses the eventlet library to support async IO. This could result in failures that do not occur under normal operation. Use at your own risk.

Commands¶

policy check¶

nova-policy policy check [-h] [--api-name <name>]
                         [--target <target> [<target>...]

Prints all passing policy rules for the given user.

Options

--api-name <name>¶: Return only the passing policy rules containing the given API name. If unspecified, all passing policy rules will be returned.

--target <target> [<target>...]¶: The target(s) against which the policy rule authorization will be tested. The available targets are: project_id, user_id, quota_class, availability_zone, instance_id. When instance_id is used, the other targets will be overwritten. If unspecified, the given user will be considered as the target.

Files¶

/etc/nova/nova.conf
/etc/nova/policy.yaml
/etc/nova/policy.d/

Bugs¶

Nova bugs are managed at Launchpad

nova-policy