cinder.policy module

Policy Engine For Cinder

authorize(context, action, target, do_raise=True, exc=None)

Verifies that the action is valid on the target in this context.

Parameters
  • context – cinder context

  • action – string representing the action to be checked this should be colon separated for clarity. i.e. compute:create_instance, compute:attach_volume, volume:attach_volume

  • target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id}

  • do_raise – if True (the default), raises PolicyNotAuthorized; if False, returns False

  • exc – Class of the exception to raise if the check fails. Any remaining arguments passed to authorize() (both positional and keyword arguments) will be passed to the exception class. If not specified, PolicyNotAuthorized will be used.

Raises

cinder.exception.PolicyNotAuthorized – if verification fails and do_raise is True. Or if ‘exc’ is specified it will raise an exception of that type.

Returns

returns a non-False value (not necessarily “True”) if authorized, and the exact value False if not authorized and do_raise is False.

check_is_admin(context)

Whether or not user is admin according to policy setting.

enforce(context, action, target)

Verifies that the action is valid on the target in this context.

Parameters
  • context – cinder context

  • action – string representing the action to be checked this should be colon separated for clarity. i.e. compute:create_instance, compute:attach_volume, volume:attach_volume

  • target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id}

Raises

PolicyNotAuthorized – if verification fails.

get_enforcer()
get_rules()
init(use_conf=True)

Init an Enforcer class.

Parameters

use_conf – Whether to load rules from config file.

register_rules(enforcer)
reset()
set_rules(rules, overwrite=True, use_conf=False)

Set rules based on the provided dict of rules.

Parameters
  • rules – New rules to use. It should be an instance of dict.

  • overwrite – Whether to overwrite current rules or update them with the new rules.

  • use_conf – Whether to reload rules from config file.

verify_deprecated_policy(old_policy, new_policy, default_rule, context)

Check the rule of the deprecated policy action

If the current rule of the deprecated policy action is set to a non-default value, then a warning message is logged stating that the new policy action should be used to dictate permissions as the old policy action is being deprecated.

Parameters
  • old_policy – policy action that is being deprecated

  • new_policy – policy action that is replacing old_policy

  • default_rule – the old_policy action default rule value

  • context – the cinder context