File: oslopolicy-checker.rst

package info (click to toggle)
python-oslo.policy 4.5.1-3
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 1,012 kB
  • sloc: python: 6,099; makefile: 23; sh: 20
file content (96 lines) | stat: -rw-r--r-- 2,487 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
 
==================
oslopolicy-checker
==================

.. program:: oslopolicy-checker

Synopsis
--------

::

   oslopolicy-checker [-h] [--access ACCESS] [--config-dir DIR]
                      [--config-file PATH]
                      [--enforcer_config ENFORCER_CONFIG] [--is_admin]
                      [--nois_admin] [--policy POLICY] [--rule RULE]
                      [--target TARGET]

Description
-----------

The ``oslopolicy-checker`` command can be used to check policy against
the OpenStack Identity API access information. The access information is a
keystone token response from keystone's `authentication API
<https://docs.openstack.org/api-ref/identity/v3/#password-authentication-with-scoped-authorization>`_.

Options
-------

.. include:: common/default-opts.rst

.. option:: --access ACCESS

    Path to a file containing an OpenStack Identity API token response body in
    JSON format.

.. option:: --enforcer_config ENFORCER_CONFIG

    Configuration file for the oslopolicy-checker enforcer

.. option:: --is_admin

    Set ``is_admin=True`` on the credentials used for the evaluation.

.. option:: --nois_admin

    The inverse of ``--is_admin``

.. option:: --policy POLICY

    Path to a policy file.

.. option:: --rule RULE

    Rule to test.

.. option:: --target TARGET

    Path to a file containing custom target info in JSON format. This will be
    used to evaluate the policy with.

Examples
--------

Test all of Nova's policy with an admin token:

.. code-block:: bash

   oslopolicy-checker \
     --policy /opt/stack/nova/etc/nova/policy.json
     --access sample_data/auth_v3_token_admin.json

Test the ``compute_extension:flavorextraspecs:index`` rule in Nova's policy
with the admin member token and ``is_admin`` set to ``True``:

.. code-block:: bash

   oslopolicy-checker \
     --policy /opt/stack/nova/etc/nova/policy.json \
     --access sample_data/auth_v3_token_admin.json \
     --is_admin=true --rule compute_extension:flavorextraspecs:index

Test the ``compute_extension:flavorextraspecs:index`` rule in Nova's policy
with the plain member token:

.. code-block:: bash

   oslopolicy-checker \
     --policy /opt/stack/nova/etc/nova/policy.json \
     --access sample_data/auth_v3_token_member.json \
     --rule compute_extension:flavorextraspecs:index

See Also
--------

:program:`oslopolicy-sample-generator`, :program:`oslopolicy-policy-generator`,
:program:`oslopolicy-list-redundant`, :program:`oslopolicy-validator`