glance.api.policy module

Policy Engine For Glance

class glance.api.policy.Enforcer(suppress_deprecation_warnings=False)[source]

Bases: Enforcer

Responsible for loading and enforcing rules

add_rules(rules)[source]

Add new rules to the Rules object

check(context, action, target, registered=True)[source]

Verifies that the action is valid on the target in this context.

Parameters:

  • context – Glance request context

  • action – String representing the action to be checked

  • target – Dictionary representing the object of the action.

Returns:

A non-False value if access is allowed.

check_is_admin(context)[source]

Check if the given context is associated with an admin role, as defined via the ‘context_is_admin’ RBAC rule.

Parameters:

context – Glance request context

Returns:

A non-False value if context role is admin.

enforce(context, action, target, registered=True)[source]

Verifies that the action is valid on the target in this context.

Parameters:

  • context – Glance request context

  • action – String representing the action to be checked

  • target – Dictionary representing the object of the action.

Raises:

glance.common.exception.Forbidden

Returns:

A non-False value if access is allowed.

class glance.api.policy.ImageTarget(target)[source]

Bases: Mapping

SENTINEL = <object object>
get(k[, d]) D[k] if k in D, else d.  d defaults to None.[source]
key_transforms(key)[source]
glance.api.policy.get_enforcer()[source]