The nova.policy Module

Policy Engine For Nova.

class IsAdminCheck(kind, match)

Bases: oslo_policy._checks.Check

An explicit check for is_admin.


Determines whether the roles contain the ‘admin’ role according to the policy setting.

enforce(context, action, target, do_raise=True, exc=None)

Verifies that the action is valid on the target in this context.

  • context – nova context
  • action – string representing the action to be checked; this should be colon-separated for clarity, e.g. compute:create_instance, compute:attach_volume, volume:attach_volume
  • target – dictionary representing the object of the action; for object creation this should be a dictionary representing the location of the object, e.g. {'project_id': context.project_id}
  • do_raise – if True (the default), raises PolicyNotAuthorized; if False, returns False
Raises: nova.exception.PolicyNotAuthorized if verification fails and do_raise is True.

Returns: a non-False value (not necessarily “True”) if authorized, and the exact value False if not authorized and do_raise is False.
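The following added example (not nova's code) is a simplified stand-in for the enforce() contract described above, showing how the target dict feeds an ownership rule and how do_raise changes the caller's control flow. The rule strings, credential dicts, the can_attach helper and the deny-on-unknown-action behaviour are assumptions made for illustration; only `or`-joined role and attribute checks are modelled.

```python
class PolicyNotAuthorized(Exception):
    """Stand-in for nova.exception.PolicyNotAuthorized."""


# Constructed sample rules, written in oslo.policy rule syntax.
RULES = {
    "compute:attach_volume": "role:admin or project_id:%(project_id)s",
    "compute:create_instance": "role:admin",
}


def _check(atom, target, creds):
    """Evaluate one 'kind:match' check against the credentials."""
    kind, _, match = atom.partition(":")
    try:
        match = match % target  # fill %(key)s from the target dict
    except KeyError:
        return False  # target lacks the key the rule needs: deny
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Attribute check: the credential value must equal the target value.
    return kind in creds and match == str(creds[kind])


def enforce(creds, action, target, do_raise=True):
    """Model of the documented contract; creds stands in for the nova context."""
    rule = RULES.get(action)  # assumption: actions without a rule are denied
    ok = rule is not None and any(
        _check(atom.strip(), target, creds) for atom in rule.split(" or "))
    if ok:
        return True
    if do_raise:
        raise PolicyNotAuthorized(action)
    return False


def can_attach(creds, volume_project_id):
    """Caller pattern for do_raise=False: test against the exact value False."""
    result = enforce(creds, "compute:attach_volume",
                     {"project_id": volume_project_id}, do_raise=False)
    return result is not False


MEMBER = {"roles": ["member"], "project_id": "p1"}  # constructed credentials
ADMIN = {"roles": ["Admin"], "project_id": "p9"}    # constructed credentials
```

With do_raise=False the denial is only a return value, so a caller that discards it proceeds as if authorized; the default do_raise=True stops the request at the check.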

init(policy_file=None, rules=None, default_rule=None, use_conf=True)

Init an Enforcer class.

  • policy_file – Custom policy file to use; if none is specified, CONF.policy_file will be used.
  • rules – Default dictionary / Rules to use. It will be considered only on the first instantiation.
  • default_rule – Default rule to use; CONF.default_rule will be used if none is specified.
  • use_conf – Whether to load rules from config file.
set_rules(rules, overwrite=True, use_conf=False)

Set rules based on the provided dict of rules.

  • rules – New rules to use. It should be an instance of dict.
  • overwrite – Whether to overwrite current rules or update them with the new rules.
  • use_conf – Whether to reload rules from config file.
