oslopolicy-validator¶
Synopsis¶
oslopolicy-policy-validator
Description¶
The oslopolicy-validator tool can be used to perform basic sanity checks
against a policy file. It will detect the following problems:
A missing policy file
Rules which have invalid syntax
Rules which reference non-existent other rules
Rules which form a cyclical reference with another rule
Rules which do not exist in the specified namespace
This tool does very little validation of the content of the rules. Other tools,
such as oslopolicy-checker, should be used to check that rules do what is
intended.
Options¶
- -h, --help¶
Show help message and exit.
- --config-dir DIR¶
Path to a config directory to pull
*.conffiles from. This file set is sorted, so as to provide a predictable parse order if individual options are overridden. The set is parsed after the file(s) specified via previous--config-file, arguments hence overridden options in the directory take precedence.This option must be set from the command-line.
- --config-file PATH¶
Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. Defaults to None. This option must be set from the command-line.
- --namespace NAMESPACE¶
Option namespace under “oslo.policy.enforcer” in which to look for a
policy.Enforcer.
Examples¶
Validate the policy file used for Keystone:
oslopolicy-validator --config-file /etc/keystone/keystone.conf --namespace keystone
Sample output from a failed validation:
$ oslopolicy-validator --config-file keystone.conf --namespace keystone
WARNING:oslo_policy.policy:Policies ['foo', 'bar'] are part of a cyclical reference.
Invalid rules found
Failed to parse rule: (role:admin and system_scope:all) or (role:foo and oken.domain.id:%(target.user.domain_id)s))
Unknown rule found in policy file: foo
Unknown rule found in policy file: bar
See Also¶
oslopolicy-checker
