heat.common.policy module

Policy Engine For Heat.

class heat.common.policy.Enforcer(scope='heat', exc=<class 'heat.common.exception.Forbidden'>, default_rule=<oslo_policy._checks.FalseCheck object>, policy_file=None)[source]

Bases: object

Responsible for loading and enforcing rules.

check_is_admin(context)[source]

Whether or not the user is an admin according to policy.

By default the rule checks whether the roles contain the ‘admin’ role and the project is the admin project.

Parameters:
  • context – Heat request context

Returns:

A non-False value if the user is admin according to policy

enforce(context, action, scope=None, target=None, is_registered_policy=False)[source]

Verifies that the action is valid on the target in this context.

Parameters:
  • context – Heat request context

  • action – String representing the action to be checked

  • target – Dictionary representing the object of the action.

Raises:

heat.common.exception.Forbidden – When permission is denied (or self.exc if supplied).

Returns:

A non-False value if access is allowed.

load_rules(force_reload=False)[source]

Set the rules found in the JSON file on disk.

set_rules(rules, overwrite=True)[source]

Create a new Rules object based on the provided dict of rules.

class heat.common.policy.ResourceEnforcer(default_rule=<oslo_policy._checks.TrueCheck object>, **kwargs)[source]

Bases: Enforcer

enforce(context, res_type, scope=None, target=None, is_registered_policy=False)[source]

Verifies that the action is valid on the target in this context.

Parameters:
  • context – Heat request context

  • action – String representing the action to be checked

  • target – Dictionary representing the object of the action.

Raises:

heat.common.exception.Forbidden – When permission is denied (or self.exc if supplied).

Returns:

A non-False value if access is allowed.

enforce_stack(stack, scope=None, target=None, is_registered_policy=False)[source]

heat.common.policy.get_enforcer()[source]

heat.common.policy.get_policy_enforcer()[source]
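
The two constructors above differ in default_rule: Enforcer falls back to a FalseCheck, ResourceEnforcer to a TrueCheck. The added example below is a stdlib-only model of that fallback, not Heat's or oslo.policy's code; the "scope:action" rule naming, the "resource_types" scope, and every rule name and credential set are assumptions constructed for the illustration.

```python
# Simplified model of default_rule fallback; not Heat or oslo.policy code.


class Forbidden(Exception):
    """Stand-in for heat.common.exception.Forbidden."""


def deny(creds, target):
    """Plays the role of oslo_policy's FalseCheck."""
    return False


def allow(creds, target):
    """Plays the role of oslo_policy's TrueCheck."""
    return True


def admin_only(creds, target):
    """The documented default admin test: 'admin' role and admin project."""
    return "admin" in creds.get("roles", ()) and bool(creds.get("is_admin_project"))


class ModelEnforcer:
    """Finds a rule by name and uses default_rule when none is defined."""

    def __init__(self, scope, default_rule, rules, exc=Forbidden):
        self.scope, self.default_rule = scope, default_rule
        self.rules, self.exc = dict(rules), exc

    def enforce(self, creds, action, target=None):
        name = "%s:%s" % (self.scope, action)  # assumed naming scheme
        check = self.rules.get(name, self.default_rule)
        if check(creds, target or {}):
            return True
        raise self.exc("%s is disallowed by policy" % name)


def allowed(enforcer, creds, action):
    """Return the decision as a bool instead of raising."""
    try:
        return enforcer.enforce(creds, action)
    except Forbidden:
        return False


# Constructed rule sets and credentials (hypothetical names).
API = ModelEnforcer("heat", deny, {"heat:stacks:delete": admin_only})
RES = ModelEnforcer("resource_types", allow,
                    {"resource_types:OS::Nova::Flavor": admin_only})
MEMBER = {"roles": ["member"], "is_admin_project": False}
ADMIN = {"roles": ["admin"], "is_admin_project": True}
```

In this model an action with no rule is refused even for an admin, while a resource type with no rule is permitted for any caller. A misspelt resource-type rule name is therefore never applied and fails open, which makes those entries worth checking when a policy file is reviewed.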