oslopolicy-validator tool can be used to perform basic sanity checks
against a policy file. It will detect the following problems:
A missing policy file
Rules which have invalid syntax
Rules which reference non-existent other rules
Rules which form a cyclical reference with another rule
Rules which do not exist in the specified namespace
This tool does very little validation of the content of the rules. Other tools,
oslopolicy-checker, should be used to check that rules do what is
- -h, --help¶
Show help message and exit.
- --config-dir DIR¶
Path to a config directory to pull
*.conffiles from. This file set is sorted, so as to provide a predictable parse order if individual options are overridden. The set is parsed after the file(s) specified via previous
--config-file, arguments hence overridden options in the directory take precedence.
This option must be set from the command-line.
- --config-file PATH¶
Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. Defaults to None. This option must be set from the command-line.
- --namespace NAMESPACE¶
Option namespace under “oslo.policy.enforcer” in which to look for a
Validate the policy file used for Keystone:
oslopolicy-validator --config-file /etc/keystone/keystone.conf --namespace keystone
Sample output from a failed validation:
$ oslopolicy-validator --config-file keystone.conf --namespace keystone
WARNING:oslo_policy.policy:Policies ['foo', 'bar'] are part of a cyclical reference.
Invalid rules found
Failed to parse rule: (role:admin and system_scope:all) or (role:foo and oken.domain.id:%(target.user.domain_id)s))
Unknown rule found in policy file: foo
Unknown rule found in policy file: bar