heat.common.policy module

Policy Engine For Heat.

class heat.common.policy.Enforcer(scope='heat', exc=<class 'heat.common.exception.Forbidden'>, default_rule=<oslo_policy._checks.FalseCheck object>, policy_file=None)[source]

Bases: object

Responsible for loading and enforcing rules.

check_is_admin(context)[source]

Whether or not the user is an admin according to policy.

By default, the rule checks whether the roles contain the ‘admin’ role and whether the project is the admin project.

Parameters
  • context – Heat request context

Returns

A non-False value if the user is admin according to policy

enforce(context, action, scope=None, target=None, is_registered_policy=False)[source]

Verifies that the action is valid on the target in this context.

Parameters
  • context – Heat request context

  • action – String representing the action to be checked

  • target – Dictionary representing the object of the action.

Raises

heat.common.exception.Forbidden – When permission is denied (or self.exc if supplied).

Returns

A non-False value if access is allowed.

load_rules(force_reload=False)[source]

Set the rules found in the JSON file on disk.

set_rules(rules, overwrite=True)[source]

Create a new Rules object based on the provided dict of rules.

class heat.common.policy.ResourceEnforcer(default_rule=<oslo_policy._checks.TrueCheck object>, **kwargs)[source]

Bases: heat.common.policy.Enforcer

enforce(context, res_type, scope=None, target=None, is_registered_policy=False)[source]

Verifies that the action is valid on the target in this context.

Parameters
  • context – Heat request context

  • action – String representing the action to be checked

  • target – Dictionary representing the object of the action.

Raises

heat.common.exception.Forbidden – When permission is denied (or self.exc if supplied).

Returns

A non-False value if access is allowed.

enforce_stack(stack, scope=None, target=None, is_registered_policy=False)[source]

heat.common.policy.get_enforcer()[source]

heat.common.policy.get_policy_enforcer()[source]