cinder.policy module

Policy Engine For Cinder

authorize(context, action: str, target: dict, do_raise: bool = True, exc: Type[Exception] | None = None)

Verifies that the action is valid on the target in this context.

Parameters:
  • context – cinder context

  • action – string representing the action to be checked. This should be colon-separated for clarity, e.g. compute:create_instance, compute:attach_volume, volume:attach_volume

  • target – dictionary representing the object of the action. For object creation, this should be a dictionary representing the location of the object, e.g. {'project_id': context.project_id}

  • do_raise – if True (the default), raises PolicyNotAuthorized; if False, returns False

  • exc – Class of the exception to raise if the check fails. Any remaining arguments passed to authorize() (both positional and keyword arguments) will be passed to the exception class. If not specified, PolicyNotAuthorized will be used.

Raises:

cinder.exception.PolicyNotAuthorized – if verification fails and do_raise is True. If exc is specified, an exception of that type is raised instead.

Returns:

A non-False value (not necessarily “True”) if authorized, and the exact value False if not authorized and do_raise is False.
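The caller-side consequences of the do_raise, exc and return-value contract described above, as an added example that is not cinder's own code. The authorize() here is a local stand-in written to follow that documented contract; the rule table, VolumeNotFound, the helper functions and the sample contexts are hypothetical and constructed for illustration.

```python
from types import SimpleNamespace

class PolicyNotAuthorized(Exception):
    """Local stand-in for cinder.exception.PolicyNotAuthorized."""

class VolumeNotFound(Exception):
    """Hypothetical caller-chosen exception, passed via exc=."""

# Hypothetical rules: action -> check(target, creds). Not cinder's real policies.
RULES = {
    "volume:create": lambda t, c: t["project_id"] == c["project_id"],
    "volume:get": lambda t, c: c["is_admin"] or t["project_id"] == c["project_id"],
}

def authorize(context, action, target, do_raise=True, exc=None):
    """Stand-in that follows the contract documented above (an assumption)."""
    creds = {"project_id": context.project_id, "is_admin": context.is_admin}
    if RULES[action](target, creds):
        return action        # non-False, deliberately not the literal True
    if do_raise:
        raise (exc or PolicyNotAuthorized)(action)
    return False             # the exact value False

def create_volume(context, size_gb):
    # Object creation: the target is the location the object will live in.
    authorize(context, "volume:create", {"project_id": context.project_id})
    return {"project_id": context.project_id, "size": size_gb}

def get_volume(context, volume):
    # exc= replaces PolicyNotAuthorized with the caller's exception type.
    authorize(context, "volume:get", volume, exc=VolumeNotFound)
    return volume

def visible_volumes(context, volumes):
    # do_raise=False: the return value is the decision and must be tested.
    # "is not False" matches the contract; "is True" would drop allowed items.
    return [v for v in volumes
            if authorize(context, "volume:get", v, do_raise=False) is not False]

# Constructed sample contexts and volumes.
alice = SimpleNamespace(project_id="p1", is_admin=False)
admin = SimpleNamespace(project_id="ops", is_admin=True)
VOLUMES = [{"id": "v1", "project_id": "p1"}, {"id": "v2", "project_id": "p2"}]

if __name__ == "__main__":
    print([v["id"] for v in visible_volumes(alice, VOLUMES)])
    print([v["id"] for v in visible_volumes(admin, VOLUMES)])
```

A call made with do_raise=False whose result is discarded enforces nothing, so code review should treat an unused return value from such a call as a missing authorization check.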

check_is_admin(context: RequestContext)

Whether or not the user is an admin according to the policy settings.

enforce(context, action: str, target: dict)

Verifies that the action is valid on the target in this context.

Parameters:
  • context – cinder context

  • action – string representing the action to be checked. This should be colon-separated for clarity, e.g. compute:create_instance, compute:attach_volume, volume:attach_volume

  • target – dictionary representing the object of the action. For object creation, this should be a dictionary representing the location of the object, e.g. {'project_id': context.project_id}

Raises:

PolicyNotAuthorized – if verification fails.

get_enforcer() → Enforcer
get_rules()
init(use_conf=True, suppress_deprecation_warnings: bool = False) → None

Init an Enforcer class.

Parameters:

use_conf – Whether to load rules from config file.

register_rules(enforcer)
reset() → None
set_rules(rules: dict, overwrite: bool = True, use_conf: bool = False) → None

Set rules based on the provided dict of rules.

Parameters:
  • rules – New rules to use. It should be an instance of dict.

  • overwrite – Whether to overwrite current rules or update them with the new rules.

  • use_conf – Whether to reload rules from config file.