The cinder.openstack.common.policy Module

Common Policy Engine Implementation

class Brain(rules=None, default_rule=None)

Bases: object

Implements policy checking.

add_rule(key, match)

check(match_list, target_dict, cred_dict)

Checks authorization of some rules against credentials.

Detailed description of the check with examples in policy.enforce().

Parameters:

• match_list – nested tuples of data to match against
• target_dict – dict of object properties
• credentials_dict – dict of actor properties

Returns:

True if the check passes

classmethod load_json(data, default_rule=None)

Init a brain using json instead of a rules dictionary.

class HttpBrain(rules=None, default_rule=None)

Bases: cinder.openstack.common.policy.Brain

A brain that can check external urls for policy.

Posts json blobs for target and credentials.

Note that this brain is deprecated; the http check is registered by default.

enforce(match_list, target_dict, credentials_dict, exc=None, *args, **kwargs)

Enforces authorization of some rules against credentials.

Parameters:

• match_list –

  nested tuples of data to match against

  The basic brain supports three types of match lists:

  1. rules

     looks like: ('rule:compute:get_instance',)

     Retrieves the named rule from the rules dict and recursively checks against the contents of the rule.

  2. roles

     looks like: ('role:compute:admin',)

     Matches if the specified role is in credentials_dict[‘roles’].

  3. generic

     looks like: ('tenant_id:%(tenant_id)s',)

     Substitutes values from the target dict into the match using the % operator and matches them against the creds dict.

  Combining rules:

  The brain returns True if any of the outer tuple of rules match and also True if all of the inner tuples match. You can use this to perform simple boolean logic. For example, the following rule would return True if the creds contain the role ‘admin’ OR the if the tenant_id matches the target dict AND the the creds contains the role ‘compute_sysadmin’:

  {
      "rule:combined": (
          'role:admin',
          ('tenant_id:%(tenant_id)s', 'role:compute_sysadmin')
      )
  }
  

  Note that rule and role are reserved words in the credentials match, so you can’t match against properties with those names. Custom brains may also add new reserved words. For example, the HttpBrain adds http as a reserved word.

• target_dict –

  dict of object properties

  Target dicts contain as much information as we can about the object being operated on.

• credentials_dict –

  dict of actor properties

  Credentials dicts contain as much information as we can about the user performing the action.

• exc –

  exception to raise

  Class of the exception to raise if the check fails. Any remaining arguments passed to enforce() (both positional and keyword arguments) will be passed to the exception class. If exc is not provided, returns False.

Returns:

True if the policy allows the action

Returns:

False if the policy does not allow the action and exc is not set

register(name, func=None)

Register a function as a policy check.

Parameters:

• name – Gives the name of the check type, e.g., ‘rule’, ‘role’, etc. If name is None, a default function will be registered.
• func – If given, provides the function to register. If not given, returns a function taking one argument to specify the function to register, allowing use as a decorator.

reset()

Clear the brain used by enforce().

set_brain(brain)

Set the brain used by enforce().

Defaults use Brain() if not set.