keystone.policy.backends package¶
Submodules¶
keystone.policy.backends.base module¶
-
class
keystone.policy.backends.base.PolicyDriverBase[source]¶ Bases:
object-
create_policy(policy_id, policy)[source]¶ Store a policy blob.
Raises: keystone.exception.Conflict – If a duplicate policy exists.
-
delete_policy(policy_id)[source]¶ Remove a policy blob.
Raises: keystone.exception.PolicyNotFound – If the policy doesn’t exist.
-
enforce(context, credentials, action, target)[source]¶ Verify that a user is authorized to perform action.
For more information on a full implementation of this see: keystone.policy.backends.rules.Policy.enforce
-
get_policy(policy_id)[source]¶ Retrieve a specific policy blob.
Raises: keystone.exception.PolicyNotFound – If the policy doesn’t exist.
-
update_policy(policy_id, policy)[source]¶ Update a policy blob.
Raises: keystone.exception.PolicyNotFound – If the policy doesn’t exist.
-
keystone.policy.backends.rules module¶
Policy engine for keystone.
-
keystone.policy.backends.rules.enforce(credentials, action, target, do_raise=True)[source]¶ Verify that the action is valid on the target in this context.
Parameters: - credentials – user credentials
- action – string representing the action to be checked, which should be colon separated for clarity.
- target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {‘project_id’: object.project_id}
Raises: keystone.exception.Forbidden – If verification fails.
Actions should be colon separated for clarity. For example:
- identity:list_users