keystone.common.rbac_enforcer package

Submodules

Module contents

class keystone.common.rbac_enforcer.RBACEnforcer[source]

Bases: object

Enforce RBAC on API calls.

ACTION_STORE_ATTR = 'keystone:RBAC:action_name'
classmethod enforce_call(enforcer=None, action=None, target_attr=None, member_target_type=None, member_target=None, filters=None, build_target=None)[source]

Enforce RBAC on the current request.

This will do some legwork and then instantiate the Enforcer if an enforcer is not passed in.

Parameters:
  • enforcer (RBACEnforcer) – A pre-instantiated Enforcer object (optional)

  • action (str) – the name of the rule/policy enforcement to be checked against, e.g. identity:get_user (optional may be replaced by decorating the method/function with policy_enforcer_action.

  • target_attr (dict) – complete override of the target data. This will replace all other generated target data meaning member_target_type and member_target are ignored. This will also prevent extraction of data from the X-Subject-Token. The target dict should contain a series of key-value pairs such as {‘user’: user_ref_dict}.

  • member_target_type (str) – the type of the target, e.g. ‘user’. Both this and member_target must be passed if either is passed.

  • member_target (dict) – the (dict form) reference of the member object. Both this and member_target_type must be passed if either is passed.

  • filters (iterable) – A variable number of optional string filters, these are used to extract values from the query params. The filters are added to the request data that is passed to the enforcer and may be used to determine policy action. In practice these are mainly supplied in the various “list” APIs and are un-used in the default supplied policies.

  • build_target (function) – A function to build the target for enforcement. This is explicitly done after authentication in order to not leak existance data before auth.

classmethod policy_enforcer_action(action)[source]

Decorator to set policy enforcement action name.

static register_rules(enforcer)[source]
suppress_deprecation_warnings = False