Configuration Options

oslo.policy uses oslo.config to define and manage configuration options that allow the deployer to control where the policy files are located, the default rule to apply, etc.

oslo_policy

enforce_scope

Type

boolean

Default

False

This option controls whether or not to enforce scope when evaluating policies. If True, the scope of the token used in the request is compared to the scope_types of the policy being enforced. If the scopes do not match, an InvalidScope exception will be raised. If False, a message will be logged informing operators that policies are being invoked with mismatching scope.

enforce_new_defaults

Type

boolean

Default

False

This option controls whether or not to use old deprecated defaults when evaluating policies. If True, the old deprecated defaults are not going to be evaluated. This means if any existing token is allowed for old defaults but is disallowed for new defaults, it will be disallowed. It is encouraged to enable this flag along with the enforce_scope flag so that you can get the benefits of new defaults and scope_type together

policy_file

Type

string

Default

policy.json

The relative or absolute path of a file that maps roles to permissions for a given service. Relative paths must be specified in relation to the configuration file setting this option.

Deprecated Variations

Group	Name
DEFAULT	policy_file

policy_default_rule

Type

string

Default

default

Default rule. Enforced when a requested rule is not found.

Deprecated Variations

Group	Name
DEFAULT	policy_default_rule

policy_dirs

Type

multi-valued

Default

policy.d

Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.

Deprecated Variations

Group	Name
DEFAULT	policy_dirs

remote_content_type

Type

string

Default

application/x-www-form-urlencoded

Valid Values

application/x-www-form-urlencoded, application/json

Content Type to send and receive data for REST based policy check

remote_ssl_verify_server_crt

Type

boolean

Default

False

server identity verification for REST based policy check

remote_ssl_ca_crt_file

Type

string

Default

<None>

Absolute path to ca cert file for REST based policy check

remote_ssl_client_crt_file

Type

string

Default

<None>

Absolute path to client cert for REST based policy check

remote_ssl_client_key_file

Type

string

Default

<None>

Absolute path client key file REST based policy check