tacker.policy module

class tacker.policy.FieldCheck(kind, match)

Bases: Check

class tacker.policy.OwnerCheck(kind, match)

Bases: Check

Resource ownership check.

This check verifies the owner of the current resource, or of another resource referenced by the one under analysis. In the former case it falls back to a regular GenericCheck, whereas in the latter case it leverages the plugin to load the referenced resource and perform the check.

tacker.policy.authorize(context, action, target, do_raise=True, exc=None)
tacker.policy.check(context, action, target, plugin=None, might_not_exist=False, pluralized=None)

Verifies that the action is valid on the target in this context.

Parameters:

  • context – tacker context

  • action – string representing the action to be checked this should be colon separated for clarity.

  • target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id}

  • plugin – currently unused and deprecated. Kept for backward compatibility.

  • might_not_exist – If True the policy check is skipped (and the function returns True) if the specified policy does not exist. Defaults to false.

  • pluralized – pluralized case of resource e.g. firewall_policy -> pluralized = “firewall_policies”

Returns:

Returns True if access is permitted else False.

tacker.policy.check_is_admin(context)

Verify context has admin rights according to policy settings.

tacker.policy.enforce(context, action, target, plugin=None, pluralized=None, exc=<class 'tacker.common.exceptions.PolicyNotAuthorized'>)

Verifies that the action is valid on the target in this context.

Parameters:

  • context – tacker context

  • action – string representing the action to be checked this should be colon separated for clarity.

  • target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id}

  • plugin – currently unused and deprecated. Kept for backward compatibility.

  • pluralized – pluralized case of resource e.g. firewall_policy -> pluralized = “firewall_policies”

  • exc – Class of the exception to raise if the check fails. If not specified, PolicyNotAuthorized will be used.

:raises tacker.common.exceptions.PolicyNotAuthorized or exc specified by
caller:

if verification fails.

tacker.policy.get_enforcer()
tacker.policy.get_resource_and_action(action, pluralized=None)

Return resource and enforce_attr_based_check(boolean).

It is per resource and action extracted from api operation.

tacker.policy.init(conf=<oslo_config.cfg.ConfigOpts object>, policy_file=None, suppress_deprecation_warnings=False)

Init an instance of the Enforcer class.

tacker.policy.log_rule_list(match_rule)
tacker.policy.refresh(policy_file=None)

Reset policy and init a new instance of Enforcer.

tacker.policy.register_rules(enforcer)
tacker.policy.reset()
tacker.policy.set_rules(policies, overwrite=True)

Set rules based on the provided dict of rules.

Parameters:

  • policies – New policies to use. It should be an instance of dict.

  • overwrite – Whether to overwrite current rules or update them with the new rules.