The oslopolicy-validator tool can be used to perform basic sanity checks against a policy file. It will detect the following problems:

  • A missing policy file

  • Rules which have invalid syntax

  • Rules which reference non-existent other rules

  • Rules which form a cyclical reference with another rule

  • Rules which do not exist in the specified namespace

This tool does very little validation of the content of the rules. Other tools, such as oslopolicy-checker, should be used to check that rules do what is intended.


-h, --help

Show help message and exit.

--config-dir DIR

Path to a config directory to pull *.conf files from. This file set is sorted, so as to provide a predictable parse order if individual options are overridden. The set is parsed after the file(s) specified via previous --config-file arguments, hence overridden options in the directory take precedence.

This option must be set from the command-line.

--config-file PATH

Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. Defaults to None. This option must be set from the command-line.

--namespace NAMESPACE

Option namespace under “oslo.policy.enforcer” in which to look for a policy.Enforcer.


Validate the policy file used for Keystone:

oslopolicy-validator --config-file /etc/keystone/keystone.conf --namespace keystone

Sample output from a failed validation:

$ oslopolicy-validator --config-file keystone.conf --namespace keystone
WARNING:oslo_policy.policy:Policies ['foo', 'bar'] are part of a cyclical reference.
Invalid rules found
Failed to parse rule: (role:admin and system_scope:all) or (role:foo and oken.domain.id:%(target.user.domain_id)s))
Unknown rule found in policy file: foo
Unknown rule found in policy file: bar
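
To show what the reference checks in the list above look for, the following added example (not oslo.policy's own code) builds the rule: reference graph of a small constructed policy and reports rules that point at undefined rules and rules that sit on a cycle. It uses a regular expression in place of oslo.policy's rule parser; the policy contents and function names are assumptions for illustration.

```python
import re

# Constructed sample policy, not taken from a real deployment.
# "foo" and "bar" reference each other; "list_users" references a rule
# that is not defined anywhere in the file.
SAMPLE_POLICY = {
    "admin_required": "role:admin and system_scope:all",
    "foo": "rule:bar",
    "bar": "rule:foo or role:member",
    "get_user": "rule:admin_required or user_id:%(target.user.id)s",
    "list_users": "rule:cloud_admin",
}

# Simplification (assumption): a reference is "rule:" followed by a name
# that runs up to whitespace or a parenthesis.
RULE_REF = re.compile(r"\brule:([^\s()]+)")


def references(policy):
    """Map each rule name to the set of rule names its check string references."""
    return {name: set(RULE_REF.findall(expr)) for name, expr in policy.items()}


def undefined_references(policy):
    """Return sorted (rule, missing_target) pairs for references to undefined rules."""
    refs = references(policy)
    return sorted((name, target) for name, targets in refs.items()
                  for target in targets if target not in policy)


def cyclic_rules(policy):
    """Return sorted names of rules that can reach themselves via rule: references."""
    refs = references(policy)

    def reaches_self(start):
        stack, seen = list(refs[start]), set()
        while stack:
            current = stack.pop()
            if current == start:
                return True
            if current in seen or current not in refs:
                continue  # already explored, or an undefined rule
            seen.add(current)
            stack.extend(refs[current])
        return False

    return sorted(name for name in refs if reaches_self(name))
```

Rules on a cycle can never be evaluated to a result, and a reference to an undefined rule usually means a typo or a rule that was removed, so both findings are worth resolving before the policy file is deployed.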

