Python oslo_policy.policy.Enforcer() Examples
The following are 30
code examples of oslo_policy.policy.Enforcer().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
oslo_policy.policy
, or try the search function
.
Example #1
Source File: _engine.py From neutron-lib with Apache License 2.0 | 6 votes |
def init(conf=cfg.CONF, policy_file=None): """Initialize the global enforcer if not already initialized. Initialize the global enforcer (and load its rules) if not already initialized; otherwise this is a no-op. :param conf: The configuration to initialize the global enforcer with. Defaults to oslo_config.cfg.CONF. :param policy_file: The policy file to initialize the global enforcer with. :returns: None. """ global _ROLE_ENFORCER if not _ROLE_ENFORCER: _ROLE_ENFORCER = policy.Enforcer(conf, policy_file=policy_file) _ROLE_ENFORCER.register_defaults(_BASE_RULES) _ROLE_ENFORCER.load_rules(True)
Example #2
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 6 votes |
def test_deprecate_a_policy_for_removal_logs_warning_when_overridden(self): rule_list = [policy.DocumentedRuleDefault( name='foo:bar', check_str='role:baz', description='Create a foo.', operations=[{'path': '/v1/foos/', 'method': 'POST'}], deprecated_for_removal=True, deprecated_reason=( '"foo:bar" is no longer a policy used by the service' ), deprecated_since='N' )] expected_msg = ( 'Policy "foo:bar":"role:baz" was deprecated for removal in N. ' 'Reason: "foo:bar" is no longer a policy used by the service. Its ' 'value may be silently ignored in the future.' ) rules = jsonutils.dumps({'foo:bar': 'role:bang'}) self.create_config_file('policy.json', rules) enforcer = policy.Enforcer(self.conf) enforcer.register_defaults(rule_list) with mock.patch('warnings.warn') as mock_warn: enforcer.load_rules() mock_warn.assert_called_once_with(expected_msg)
Example #3
Source File: context.py From sgx-kms with Apache License 2.0 | 6 votes |
def __init__(self, roles=None, policy_enforcer=None, project=None, **kwargs): # prefer usage of 'project' instead of 'tenant' if project: kwargs['tenant'] = project self.project = project self.policy_enforcer = policy_enforcer or policy.Enforcer(CONF) # NOTE(edtubill): oslo_context 2.2.0 now has a roles attribute in # the RequestContext. This will make sure of backwards compatibility # with past oslo_context versions. argspec = inspect.getargspec(super(RequestContext, self).__init__) if 'roles' in argspec.args: kwargs['roles'] = roles else: self.roles = roles or [] super(RequestContext, self).__init__(**kwargs)
Example #4
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 6 votes |
def test_deprecate_check_str_suppress_does_not_log_warning(self): deprecated_rule = policy.DeprecatedRule( name='foo:create_bar', check_str='role:fizz' ) rule_list = [policy.DocumentedRuleDefault( name='foo:create_bar', check_str='role:bang', description='Create a bar.', operations=[{'path': '/v1/bars', 'method': 'POST'}], deprecated_rule=deprecated_rule, deprecated_reason='"role:bang" is a better default', deprecated_since='N' )] enforcer = policy.Enforcer(self.conf) enforcer.suppress_deprecation_warnings = True enforcer.register_defaults(rule_list) with mock.patch('warnings.warn') as mock_warn: enforcer.load_rules() mock_warn.assert_not_called()
Example #5
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 6 votes |
def test_deprecate_name_suppress_does_not_log_warning(self): deprecated_rule = policy.DeprecatedRule( name='foo:bar', check_str='role:baz' ) rule_list = [policy.DocumentedRuleDefault( name='foo:create_bar', check_str='role:baz', description='Create a bar.', operations=[{'path': '/v1/bars/', 'method': 'POST'}], deprecated_rule=deprecated_rule, deprecated_reason='"foo:bar" is not granular enough.', deprecated_since='N' )] rules = jsonutils.dumps({'foo:bar': 'role:bang'}) self.create_config_file('policy.json', rules) enforcer = policy.Enforcer(self.conf) enforcer.suppress_deprecation_warnings = True enforcer.register_defaults(rule_list) with mock.patch('warnings.warn') as mock_warn: enforcer.load_rules() mock_warn.assert_not_called()
Example #6
Source File: policy.py From manila with Apache License 2.0 | 6 votes |
def init(rules=None, use_conf=True): """Init an Enforcer class. :param policy_file: Custom policy file to use, if none is specified, `CONF.policy_file` will be used. :param rules: Default dictionary / Rules to use. It will be considered just in the first instantiation. :param default_rule: Default rule to use, CONF.default_rule will be used if none is specified. :param use_conf: Whether to load rules from config file. """ global _ENFORCER if not _ENFORCER: _ENFORCER = policy.Enforcer(CONF, rules=rules, use_conf=use_conf) register_rules(_ENFORCER)
Example #7
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 6 votes |
def test_deprecate_for_removal_suppress_does_not_log_warning(self): rule_list = [policy.DocumentedRuleDefault( name='foo:bar', check_str='role:baz', description='Create a foo.', operations=[{'path': '/v1/foos/', 'method': 'POST'}], deprecated_for_removal=True, deprecated_reason=( '"foo:bar" is no longer a policy used by the service' ), deprecated_since='N' )] rules = jsonutils.dumps({'foo:bar': 'role:bang'}) self.create_config_file('policy.json', rules) enforcer = policy.Enforcer(self.conf) enforcer.suppress_deprecation_warnings = True enforcer.register_defaults(rule_list) with mock.patch('warnings.warn') as mock_warn: enforcer.load_rules() mock_warn.assert_not_called()
Example #8
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 6 votes |
def test_suppress_default_change_warnings_flag_not_log_warning(self): deprecated_rule = policy.DeprecatedRule( name='foo:create_bar', check_str='role:fizz' ) rule_list = [policy.DocumentedRuleDefault( name='foo:create_bar', check_str='role:bang', description='Create a bar.', operations=[{'path': '/v1/bars', 'method': 'POST'}], deprecated_rule=deprecated_rule, deprecated_reason='"role:bang" is a better default', deprecated_since='N' )] enforcer = policy.Enforcer(self.conf) enforcer.suppress_default_change_warnings = True enforcer.register_defaults(rule_list) with mock.patch('warnings.warn') as mock_warn: enforcer.load_rules() mock_warn.assert_not_called()
Example #9
Source File: generator.py From oslo.policy with Apache License 2.0 | 6 votes |
def _get_enforcer(namespace): """Find a policy.Enforcer via an entry point with the given namespace. :param namespace: a namespace under oslo.policy.enforcer where the desired enforcer object can be found. :returns: a policy.Enforcer object """ mgr = stevedore.named.NamedExtensionManager( 'oslo.policy.enforcer', names=[namespace], on_load_failure_callback=on_load_failure_callback, invoke_on_load=True) if namespace not in mgr: raise KeyError('Namespace "%s" not found.' % namespace) enforcer = mgr[namespace].obj return enforcer
Example #10
Source File: policy.py From cyborg with Apache License 2.0 | 6 votes |
def authorize(rule, target, creds, do_raise=False, *args, **kwargs): """A shortcut for policy.Enforcer.authorize() Checks authorization of a rule against the target and credentials, and raises an exception if the rule is not defined. """ enforcer = get_enforcer() try: return enforcer.authorize(rule, target, creds, do_raise=do_raise, *args, **kwargs) except policy.PolicyNotAuthorized: raise exception.HTTPForbidden(resource=rule) # This decorator MUST appear first (the outermost decorator) # on an API method for it to work correctly
Example #11
Source File: policy.py From ironic-inspector with Apache License 2.0 | 6 votes |
def authorize(rule, target, creds, *args, **kwargs): """A shortcut for policy.Enforcer.authorize() Checks authorization of a rule against the target and credentials, and raises an exception if the rule is not defined. args and kwargs are passed directly to oslo.policy Enforcer.authorize Always returns True if CONF.auth_strategy != keystone. :param rule: name of a registered oslo.policy rule :param target: dict-like structure to check rule against :param creds: dict of policy values from request :returns: True if request is authorized against given policy, False otherwise :raises: oslo_policy.policy.PolicyNotRegistered if supplied policy is not registered in oslo_policy """ if CONF.auth_strategy != 'keystone': return True enforcer = get_enforcer() rule = CONF.oslo_policy.policy_default_rule if rule is None else rule return enforcer.authorize(rule, target, creds, *args, **kwargs)
Example #12
Source File: policy.py From designate with Apache License 2.0 | 6 votes |
def set_rules(data, default_rule=None, overwrite=True): default_rule = default_rule or cfg.CONF.policy_default_rule if not _ENFORCER: LOG.debug("Enforcer not present, recreating at rules stage.") init() if default_rule: _ENFORCER.default_rule = default_rule msg = "Loading rules %s, default: %s, overwrite: %s" LOG.debug(msg, data, default_rule, overwrite) if isinstance(data, dict): rules = policy.Rules.from_dict(data, default_rule) else: rules = policy.Rules.load_json(data, default_rule) _ENFORCER.set_rules(rules, overwrite=overwrite)
Example #13
Source File: config.py From freezer-api with Apache License 2.0 | 6 votes |
def parse_args(args=[]): CONF.register_cli_opts(api_common_opts()) register_db_drivers_opt() # register paste configuration paste_grp = cfg.OptGroup('paste_deploy', 'Paste Configuration') CONF.register_group(paste_grp) CONF.register_opts(paste_deploy, group=paste_grp) log.register_options(CONF) policy.Enforcer(CONF) default_config_files = cfg.find_config_files('freezer', 'freezer-api') CONF(args=args, project='freezer-api', default_config_files=default_config_files, version=FREEZER_API_VERSION )
Example #14
Source File: policy.py From karbor with Apache License 2.0 | 6 votes |
def init(policy_file=None, rules=None, default_rule=None, use_conf=True): """Init an Enforcer class. :param policy_file: Custom policy file to use, if none is specified, `CONF.policy_file` will be used. :param rules: Default dictionary / Rules to use. It will be considered just in the first instantiation. :param default_rule: Default rule to use, CONF.default_rule will be used if none is specified. :param use_conf: Whether to load rules from config file. """ global _ENFORCER if not _ENFORCER: _ENFORCER = policy.Enforcer(CONF, policy_file=policy_file, rules=rules, default_rule=default_rule, use_conf=use_conf) register_rules(_ENFORCER) _ENFORCER.load_rules()
Example #15
Source File: policy.py From ironic-inspector with Apache License 2.0 | 6 votes |
def init_enforcer(policy_file=None, rules=None, default_rule=None, use_conf=True): """Synchronously initializes the policy enforcer :param policy_file: Custom policy file to use, if none is specified, `CONF.oslo_policy.policy_file` will be used. :param rules: Default dictionary / Rules to use. It will be considered just in the first instantiation. :param default_rule: Default rule to use, CONF.oslo_policy.policy_default_rule will be used if none is specified. :param use_conf: Whether to load rules from config file. """ global _ENFORCER if _ENFORCER: return _ENFORCER = policy.Enforcer(CONF, policy_file=policy_file, rules=rules, default_rule=default_rule, use_conf=use_conf) _ENFORCER.register_defaults(list_policies())
Example #16
Source File: policy.py From shipyard with Apache License 2.0 | 5 votes |
def __init__(self): self.enforcer = policy.Enforcer(cfg.CONF)
Example #17
Source File: policy.py From coriolis with GNU Affero General Public License v3.0 | 5 votes |
def init(): global _ENFORCER global saved_file_rules if not _ENFORCER: _ENFORCER = policy.Enforcer(CONF) register_rules(_ENFORCER) _ENFORCER.load_rules()
Example #18
Source File: base.py From oslo.policy with Apache License 2.0 | 5 votes |
def setUp(self): super(PolicyBaseTestCase, self).setUp() self.conf = self.useFixture(config.Config()).conf self.config_dir = self.useFixture(fixtures.TempDir()).path self.conf(args=['--config-dir', self.config_dir]) self.enforcer = policy.Enforcer(self.conf) self.addCleanup(self.enforcer.clear)
Example #19
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 5 votes |
def test_enforcer_with_default_rule(self): rules_json = jsonutils.dumps({ "deny_stack_user": "not role:stack_user", "cloudwatch:PutMetricData": "" }) rules = policy.Rules.load(rules_json) default_rule = _checks.TrueCheck() enforcer = policy.Enforcer(self.conf, default_rule=default_rule) enforcer.set_rules(rules) action = 'cloudwatch:PutMetricData' creds = {'roles': ''} self.assertTrue(enforcer.enforce(action, {}, creds))
Example #20
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 5 votes |
def test_enforcer_with_default_policy_file(self): enforcer = policy.Enforcer(self.conf) self.assertEqual(self.conf.oslo_policy.policy_file, enforcer.policy_file)
Example #21
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 5 votes |
def test_enforcer_with_policy_file(self): enforcer = policy.Enforcer(self.conf, policy_file='non-default.json') self.assertEqual('non-default.json', enforcer.policy_file)
Example #22
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 5 votes |
def test_get_policy_path_raises_exc(self): enforcer = policy.Enforcer(self.conf, policy_file='raise_error.json') e = self.assertRaises(cfg.ConfigFilesNotFoundError, enforcer._get_policy_path, enforcer.policy_file) self.assertEqual(('raise_error.json', ), e.config_files)
Example #23
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 5 votes |
def test_deprecate_a_policy_check_string(self): deprecated_rule = policy.DeprecatedRule( name='foo:create_bar', check_str='role:fizz' ) rule_list = [policy.DocumentedRuleDefault( name='foo:create_bar', check_str='role:bang', description='Create a bar.', operations=[{'path': '/v1/bars', 'method': 'POST'}], deprecated_rule=deprecated_rule, deprecated_reason='"role:bang" is a better default', deprecated_since='N' )] enforcer = policy.Enforcer(self.conf) enforcer.register_defaults(rule_list) expected_msg = ( 'Policy "foo:create_bar":"role:fizz" was deprecated in N in favor ' 'of "foo:create_bar":"role:bang". Reason: "role:bang" is a better ' 'default. Either ensure your deployment is ready for the new ' 'default or copy/paste the deprecated policy into your policy ' 'file and maintain it manually.' ) with mock.patch('warnings.warn') as mock_warn: enforcer.load_rules() mock_warn.assert_called_once_with(expected_msg) self.assertTrue( enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']}) ) self.assertTrue( enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']}) ) self.assertFalse( enforcer.enforce('foo:create_bar', {}, {'roles': ['baz']}) )
Example #24
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 5 votes |
def test_deprecate_an_empty_policy_check_string(self): deprecated_rule = policy.DeprecatedRule( name='foo:create_bar', check_str='' ) rule_list = [policy.DocumentedRuleDefault( name='foo:create_bar', check_str='role:bang', description='Create a bar.', operations=[{'path': '/v1/bars', 'method': 'POST'}], deprecated_rule=deprecated_rule, deprecated_reason='because of reasons', deprecated_since='N' )] enforcer = policy.Enforcer(self.conf) enforcer.register_defaults(rule_list) with mock.patch('warnings.warn') as mock_warn: enforcer.load_rules() mock_warn.assert_called_once() enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']}, do_raise=True) enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']}, do_raise=True)
Example #25
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 5 votes |
def test_deprecate_replace_with_empty_policy_check_string(self): deprecated_rule = policy.DeprecatedRule( name='foo:create_bar', check_str='role:fizz' ) rule_list = [policy.DocumentedRuleDefault( name='foo:create_bar', check_str='', description='Create a bar.', operations=[{'path': '/v1/bars', 'method': 'POST'}], deprecated_rule=deprecated_rule, deprecated_reason='because of reasons', deprecated_since='N' )] enforcer = policy.Enforcer(self.conf) enforcer.register_defaults(rule_list) with mock.patch('warnings.warn') as mock_warn: enforcer.load_rules() mock_warn.assert_called_once() enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']}, do_raise=True) enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']}, do_raise=True)
Example #26
Source File: policy_engine.py From monasca-api with Apache License 2.0 | 5 votes |
def init(policy_file=None, rules=None, default_rule=None, use_conf=True): """Init an Enforcer class. :param policy_file: Custom policy file to use, if none is specified, `CONF.policy_file` will be used. :param rules: Default dictionary / Rules to use. It will be considered just in the first instantiation. :param default_rule: Default rule to use, CONF.default_rule will be used if none is specified. :param use_conf: Whether to load rules from config file. """ global _ENFORCER global saved_file_rules if not _ENFORCER: _ENFORCER = policy.Enforcer(CONF, policy_file=policy_file, rules=rules, default_rule=default_rule, use_conf=use_conf ) register_rules(_ENFORCER) _ENFORCER.load_rules() # Only the rules which are loaded from file may be changed current_file_rules = _ENFORCER.file_rules current_file_rules = _serialize_rules(current_file_rules) if saved_file_rules != current_file_rules: _warning_for_deprecated_user_based_rules(current_file_rules) saved_file_rules = copy.deepcopy(current_file_rules)
Example #27
Source File: access_control.py From qinling with Apache License 2.0 | 5 votes |
def _ensure_enforcer_initialization(): global _ENFORCER if not _ENFORCER: _ENFORCER = policy.Enforcer(cfg.CONF) _ENFORCER.load_rules()
Example #28
Source File: hooks.py From aodh with Apache License 2.0 | 5 votes |
def __init__(self, conf): self.conf = conf self.enforcer = policy.Enforcer(conf, default_rule="default") self.enforcer.register_defaults(policies.list_rules())
Example #29
Source File: test_policy.py From oslo.policy with Apache License 2.0 | 5 votes |
def test_enforce_new_defaults_no_old_check_string(self): self.conf.set_override('enforce_new_defaults', True, group='oslo_policy') deprecated_rule = policy.DeprecatedRule( name='foo:create_bar', check_str='role:fizz' ) rule_list = [policy.DocumentedRuleDefault( name='foo:create_bar', check_str='role:bang', description='Create a bar.', operations=[{'path': '/v1/bars', 'method': 'POST'}], deprecated_rule=deprecated_rule, deprecated_reason='"role:bang" is a better default', deprecated_since='N' )] enforcer = policy.Enforcer(self.conf) enforcer.register_defaults(rule_list) with mock.patch('warnings.warn') as mock_warn: enforcer.load_rules() mock_warn.assert_not_called() self.assertTrue( enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']}) ) self.assertFalse( enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']}) ) self.assertFalse( enforcer.enforce('foo:create_bar', {}, {'roles': ['baz']}) )
Example #30
Source File: test_generator.py From oslo.policy with Apache License 2.0 | 5 votes |
def setUp(self): super(GenerateSampleJSONTestCase, self).setUp() self.enforcer = policy.Enforcer(self.conf, policy_file='policy.json')