The karbor.policy Module

Policy Engine For karbor

karbor.policy.check_is_admin(roles, context=None)

Returns whether or not the user is an admin according to the policy setting.

Can use roles or user_id from context to determine if user is admin. In a multi-domain configuration, roles alone may not be sufficient.

karbor.policy.enforce(context, action, target)

Verifies that the action is valid on the target in this context.

Parameters:
  • context – karbor context
  • action – string representing the action to be checked. This should be colon-separated for clarity, e.g. compute:create_instance, compute:attach_volume, volume:attach_volume
  • target – dictionary representing the object of the action. For object creation, this should be a dictionary representing the location of the object, e.g. {'project_id': context.project_id}
Raises:
  • PolicyNotAuthorized – if verification fails.
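
The enforce(context, action, target) contract described above, sketched as a self-contained added example. It is not karbor's or oslo.policy's code: the Context class, the rule table and the action names are assumptions made for illustration. It shows how the target dictionary ties the check to the object's project, and that unknown actions and targets without a project_id are denied.

```python
# Simplified stand-in for the enforce(context, action, target) contract.
# Not karbor or oslo.policy code; all names and rules below are illustrative.
from dataclasses import dataclass, field


class PolicyNotAuthorized(Exception):
    """Raised when a context may not perform an action on a target."""


@dataclass
class Context:
    user_id: str
    project_id: str
    roles: list = field(default_factory=list)


def is_admin(ctx, target):
    return "admin" in ctx.roles


def is_owner(ctx, target):
    # The target locates the object; a missing project_id fails closed.
    owner = target.get("project_id")
    return owner is not None and owner == ctx.project_id


def admin_or_owner(ctx, target):
    return is_admin(ctx, target) or is_owner(ctx, target)


# Constructed rule table keyed by colon-separated action names (hypothetical).
RULES = {
    "plan:create": admin_or_owner,
    "plan:delete": admin_or_owner,
    "provider:update": is_admin,
}


def enforce(context, action, target):
    """Return True if allowed; raise PolicyNotAuthorized otherwise."""
    rule = RULES.get(action)
    # Unknown actions are denied rather than silently allowed.
    if rule is None or not rule(context, target):
        raise PolicyNotAuthorized(f"Policy doesn't allow {action} to be performed.")
    return True


def allowed(context, action, target):
    """Boolean wrapper for callers that prefer a check over an exception."""
    try:
        return enforce(context, action, target)
    except PolicyNotAuthorized:
        return False
```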

karbor.policy.enforce_action(context, action)

Checks that the action can be done by the given context.

Applies a check to ensure the context’s project_id and user_id can be applied to the given action using the policy enforcement API.

karbor.policy.init()