congress.common.policy module¶

Policy Engine For Auth on API calls.

class congress.common.policy.IsAdminCheck(kind, match)¶

Bases: oslo_policy._checks.Check

An explicit check for is_admin.

congress.common.policy.check_is_admin(context)¶: Whether or not roles contains ‘admin’ role according to policy setting.

congress.common.policy.enforce(context, action, target, do_raise=True, exc=None)¶

Verifies that the action is valid on the target in this context.

Param: context: congress context
Param: action: string representing the action to be checked this should be colon separated for clarity. i.e. compute:create_instance, compute:attach_volume, volume:attach_volume
Param: target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id}
Param: do_raise: if True (the default), raises PolicyNotAuthorized; if False, returns False
Raises: congress.exception.PolicyNotAuthorized – if verification fails and do_raise is True.
Returns: returns a non-False value (not necessarily “True”) if authorized, and the exact value False if not authorized and do_raise is False.

congress.common.policy.init(policy_file=None, rules=None, default_rule=None, use_conf=True)¶

Init an Enforcer class.

Param: policy_file: Custom policy file to use, if none is specified, CONF.policy_file will be used.
Param: rules: Default dictionary / Rules to use. It will be considered just in the first instantiation.
Param: default_rule: Default rule to use, CONF.default_rule will be used if none is specified.
Param: use_conf: Whether to load rules from config file.

congress.common.policy.set_rules(rules, overwrite=True, use_conf=False)¶

Set rules based on the provided dict of rules.

Param: rules: New rules to use. It should be an instance of dict.
Param: overwrite: Whether to overwrite current rules or update them with the new rules.
Param: use_conf: Whether to reload rules from config file.

congress.common.policy module