oslopolicy-checker

Synopsis

oslopolicy-checker [-h] [--access ACCESS] [--config-dir DIR]
                   [--config-file PATH]
                   [--enforcer_config ENFORCER_CONFIG] [--is_admin]
                   [--nois_admin] [--policy POLICY] [--rule RULE]
                   [--target TARGET]

Description

The oslopolicy-checker command can be used to check policy against the OpenStack Identity API access information. The access information is a keystone token response from keystone’s authentication API.

Options

-h, --help

Show help message and exit.

--config-dir DIR

Path to a config directory to pull *.conf files from. This file set is sorted, so as to provide a predictable parse order if individual options are overridden. The set is parsed after the file(s) specified via previous --config-file arguments, hence overridden options in the directory take precedence.

This option must be set from the command-line.

--config-file PATH

Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. Defaults to None. This option must be set from the command-line.

--access ACCESS

Path to a file containing an OpenStack Identity API token response body in JSON format.

--enforcer_config ENFORCER_CONFIG

Configuration file for the oslopolicy-checker enforcer.

--is_admin

Set is_admin=True on the credentials used for the evaluation.

--nois_admin

The inverse of --is_admin.

--policy POLICY

Path to a policy file.

--rule RULE

Rule to test.

--target TARGET

Path to a file containing custom target info in JSON format. This is used as the target when evaluating the policy.

Examples

Test all of Nova’s policy with an admin token:

oslopolicy-checker \
  --policy /opt/stack/nova/etc/nova/policy.json \
  --access sample_data/auth_v3_token_admin.json

Test the compute_extension:flavorextraspecs:index rule in Nova’s policy with the admin member token and is_admin set to True:

oslopolicy-checker \
  --policy /opt/stack/nova/etc/nova/policy.json \
  --access sample_data/auth_v3_token_admin.json \
  --is_admin --rule compute_extension:flavorextraspecs:index

Test the compute_extension:flavorextraspecs:index rule in Nova’s policy with the plain member token:

oslopolicy-checker \
  --policy /opt/stack/nova/etc/nova/policy.json \
  --access sample_data/auth_v3_token_member.json \
  --rule compute_extension:flavorextraspecs:index
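
The admin-token and member-token runs above can be turned into a regression check for rules that must stay admin-only. This is an added example, not part of oslo.policy or of the original page; it assumes the checker prints one `passed: <rule>` or `failed: <rule>` line per rule, and the `example:*` rule names and sample output are constructed.

```python
import subprocess

def run_checker(policy, access, rule=None):
    """Run oslopolicy-checker with the flags documented above; return stdout."""
    cmd = ["oslopolicy-checker", "--policy", policy, "--access", access]
    if rule:
        cmd += ["--rule", rule]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_results(output):
    """Map rule name -> True (passed) / False (failed).

    Assumed output format: 'passed: <rule>' or 'failed: <rule>' per line.
    Any other line (for example an exception report) is ignored.
    """
    results = {}
    for line in output.splitlines():
        verdict, sep, rule = line.strip().partition(": ")
        if sep and verdict in ("passed", "failed"):
            results[rule] = verdict == "passed"
    return results

def privilege_gaps(admin_out, member_out, admin_only):
    """Return the rules in admin_only that do not behave as admin-only."""
    admin, member = parse_results(admin_out), parse_results(member_out)
    gaps = {}
    for rule in sorted(admin_only):
        if member.get(rule):
            gaps[rule] = "member token passes"
        elif rule not in admin or rule not in member:
            gaps[rule] = "rule not evaluated"  # typo or removed rule
        elif not admin[rule]:
            gaps[rule] = "admin token fails"
    return gaps

# Constructed sample output, standing in for two run_checker() calls.
ADMIN_OUT = """passed: compute_extension:flavorextraspecs:index
passed: example:delete_thing
passed: example:admin_report
"""
MEMBER_OUT = """passed: compute_extension:flavorextraspecs:index
passed: example:delete_thing
failed: example:admin_report
"""
ADMIN_ONLY = {"example:delete_thing", "example:admin_report", "example:missing"}

if __name__ == "__main__":
    for rule, reason in privilege_gaps(ADMIN_OUT, MEMBER_OUT, ADMIN_ONLY).items():
        print(f"GAP {rule}: {reason}")
```

In CI, replace the two constants with `run_checker()` calls against the admin and member token files and fail the job when `privilege_gaps()` returns anything.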

See Also

oslopolicy-sample-generator, oslopolicy-policy-generator, oslopolicy-list-redundant, oslopolicy-validator