ironic_inspector.policy module

ironic_inspector.policy.authorize(rule, target, creds, *args, **kwargs)[source]

A shortcut for policy.Enforcer.authorize()

Checks authorization of a rule against the target and credentials, and raises an exception if the rule is not defined. args and kwargs are passed directly to oslo.policy Enforcer.authorize Always returns True if CONF.auth_strategy != keystone.

  • rule – name of a registered oslo.policy rule

  • target – dict-like structure to check rule against

  • creds – dict of policy values from request


True if request is authorized against given policy, False otherwise


oslo_policy.policy.PolicyNotRegistered if supplied policy is not registered in oslo_policy


Provides access to the single instance of Policy enforcer.


Get the enforcer instance to generate policy files.

This method is for use by oslopolicy CLI scripts. Those scripts need the ‘output-file’ and ‘namespace’ options, but having those in sys.argv means loading the inspector config options will fail as those are not expected to be present. So we pass in an arg list with those stripped out.

ironic_inspector.policy.init_enforcer(policy_file=None, rules=None, default_rule=None, use_conf=True)[source]

Synchronously initializes the policy enforcer

  • policy_file – Custom policy file to use, if none is specified, CONF.oslo_policy.policy_file will be used.

  • rules – Default dictionary / Rules to use. It will be considered just in the first instantiation.

  • default_rule – Default rule to use, CONF.oslo_policy.policy_default_rule will be used if none is specified.

  • use_conf – Whether to load rules from config file.


Get list of all policies defined in code.

Used to register them all at runtime, and by oslo-config-generator to generate sample policy files.