def _build_message(self, message, **kwargs):
    """Return the exception text, with the amendment only in debug mode.

    Args:
        message: Pre-built text.  When falsy, ``self.message_format``
            is formatted with *kwargs* instead.  It is only consulted in
            debug mode: the non-debug branch always formats
            ``self.message_format`` and ignores *message*.
        **kwargs: Substitutions for ``self.message_format``.

    Returns:
        ``"<message> <self.amendment>"`` when ``CONF.debug`` is set,
        otherwise the bare formatted ``message_format`` (keeps detail out
        of messages that may reach users when not debugging).
    """
    if not CONF.debug:
        return self.message_format % kwargs
    detail = message or self.message_format % kwargs
    return _('%(message)s %(amendment)s') % {
        'message': detail,
        'amendment': self.amendment,
    }
def __init__(self, rule, target, creds):
    """Build the denial message naming the rule, target and credentials.

    Args:
        rule: The policy rule that denied the request.
        target: The object the rule was evaluated against.
        creds: Caller credentials.  They are interpolated verbatim into
            the exception text, so anything sensitive in them ends up
            wherever this message is logged or displayed.
    """
    fields = {'rule': rule, 'target': target, 'creds': creds}
    text = _('%(target)s is disallowed by policy rule %(rule)s '
             'with %(creds)s ') % fields
    super(PolicyNotAuthorized, self).__init__(text)
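def __call__(self, target, creds, enforcer, current_rule=None):
    """Ask a remote HTTPS policy service whether the check passes.

    The request URL is ``'https:' + self.match`` with *target*
    substituted in.  The payload built by ``self._construct_payload`` is
    POSTed and the response body, stripped of surrounding double quotes,
    is compared to the string ``True``; any other body (including an
    error page) denies the request.

    Args:
        target: Dict interpolated into the URL template and forwarded in
            the payload.
        creds: Caller credentials forwarded in the payload.
        enforcer: Enforcer whose ``conf.oslo_policy`` supplies the TLS
            client cert/key paths, the CA bundle path and the
            server-verification switch.
        current_rule: Name of the rule being evaluated, forwarded in
            the payload.

    Returns:
        True only if the remote service answered ``True``.

    Raises:
        RuntimeError: a configured cert, key or CA file is missing or
            not readable.  Checked up front so the failure is explicit
            instead of an opaque TLS handshake error.
    """
    # NOTE(review): target values are substituted into the URL without
    # escaping; presumably self.match only references keys the operator
    # controls -- confirm against the check's configuration.
    url = ('https:' + self.match) % target

    ssl_conf = enforcer.conf.oslo_policy
    cert_file = ssl_conf.remote_ssl_client_crt_file
    key_file = ssl_conf.remote_ssl_client_key_file
    ca_crt_file = ssl_conf.remote_ssl_ca_crt_file
    verify_server = ssl_conf.remote_ssl_verify_server_crt

    def _require_readable(path, missing_msg, unreadable_msg):
        # Both templates are already translated; only the path is
        # substituted here.
        if not os.path.exists(path):
            raise RuntimeError(missing_msg % path)
        if not os.access(path, os.R_OK):
            raise RuntimeError(unreadable_msg % path)

    if cert_file:
        _require_readable(cert_file,
                          _("Unable to find ssl cert_file : %s"),
                          _("Unable to access ssl cert_file : %s"))
    if key_file:
        _require_readable(key_file,
                          _("Unable to find ssl key_file : %s"),
                          _("Unable to access ssl key_file : %s"))
    # A (None, None) tuple means no client certificate is presented.
    cert = (cert_file, key_file)

    # When verify_server is False, requests skips server-certificate
    # verification entirely, so the policy decision then comes from an
    # unauthenticated endpoint; keep it enabled outside of testing.
    if verify_server and ca_crt_file:
        # Readability is checked as well, for consistency with the
        # cert/key files above, instead of surfacing later as a TLS error.
        _require_readable(ca_crt_file,
                          _("Unable to find ca cert_file : %s"),
                          _("Unable to access ca cert_file : %s"))
        # requests accepts a CA bundle path in place of True.
        verify_server = ca_crt_file

    # Named payload_json rather than json so the stdlib module name is
    # not shadowed inside this method.
    data, payload_json = self._construct_payload(
        creds, current_rule, enforcer, target)
    with contextlib.closing(
            requests.post(url, json=payload_json, data=data,
                          cert=cert, verify=verify_server)) as response:
        # Only an exact "True" (optionally JSON-quoted) grants access;
        # non-2xx bodies therefore fail closed.
        return response.text.lstrip('"').rstrip('"') == 'True'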
def set_rules(self, rules, overwrite=True, use_conf=False):
    """Replace or extend the current rules with *rules*.

    :param dict rules: New rules to use.
    :param overwrite: Whether to overwrite current rules or update them
        with the new rules.
    :param use_conf: Whether to reload rules from cache or config file.
    :raises TypeError: if *rules* does not pass ``isinstance(rules, dict)``
        (the error text says a ``Rules`` instance is accepted too,
        presumably because it is a dict subclass -- confirm).
    """
    if not isinstance(rules, dict):
        raise TypeError(_('Rules must be an instance of dict or Rules, '
                          'got %s instead') % type(rules))
    self.use_conf = use_conf
    if not overwrite:
        # Merge into the existing mapping, keeping its default rule.
        self.rules.update(rules)
        return
    self.rules = Rules(rules, self.default_rule)
def __init__(self, rule):
    """Report that *rule* denied the requested operation.

    Args:
        rule: The policy rule (name or check) that was not satisfied.
    """
    text = _('Policy does not allow %s to be performed.') % rule
    super(PolicyNotAuthorized, self).__init__(text)
def __init__(self, error):
    """Wrap a problem with a rule's default value.

    Args:
        error: Description of what is wrong with the default.
    """
    text = _('Invalid policy rule default: %(error)s.') % {'error': error}
    super(InvalidRuleDefault, self).__init__(text)
def __init__(self, names):
    """Report policies whose definitions failed validation.

    Args:
        names: The offending policy names; details are expected in the
            logs rather than in this message.
    """
    text = _('Policies %(names)s are not well defined. Check logs for '
             'more details.') % {'names': names}
    super(InvalidDefinitionError, self).__init__(text)
def __init__(self, name):
    """Report a lookup of a policy that was never registered.

    Args:
        name: The unregistered policy name.
    """
    text = _('Policy %(name)s has not been registered') % {'name': name}
    super(PolicyNotRegistered, self).__init__(text)
def __init__(self, name):
    """Report an attempt to register a policy name twice.

    Args:
        name: The policy name that is already registered.
    """
    text = _('Policy %(name)s is already registered') % {'name': name}
    super(DuplicatePolicyError, self).__init__(text)
'set_defaults', ] import copy from oslo_config import cfg from oslo_policy._i18n import _ _option_group = 'oslo_policy' _options = [ cfg.StrOpt('CSP_domain_id', default=None, help=_("Domain of Cloud Service Provider's. This value should" " be the same across the whole Cloud.") ), cfg.StrOpt('policy_connection', help='SQLAlchemy connection string used to connect to the ' 'policy database.', secret=True ) ] def list_opts(): """Return a list of oslo.config options available in the library. The returned list includes all oslo.config options which may be registered at runtime by the library. Each element of the list is a tuple. The first element is the name of the
def __init__(self, rule, target, creds):
    """Report that *rule* denied the request.

    Only the rule is named in the message; *target* and *creds* are
    accepted for interface compatibility and deliberately kept out of
    the text, so credentials do not leak into logs.

    Args:
        rule: The policy rule that denied the request.
        target: Unused in the message.
        creds: Unused in the message.
    """
    text = _("%(rule)s is disallowed by policy") % {'rule': rule}
    super(PolicyNotAuthorized, self).__init__(text)
'set_defaults', ] import copy from oslo_config import cfg from oslo_policy._i18n import _ _option_group = 'oslo_policy' _options = [ cfg.StrOpt('policy_file', default='policy.json', help=_('The JSON file that defines policies.'), deprecated_group='DEFAULT'), cfg.StrOpt('policy_default_rule', default='default', help=_('Default rule. Enforced when a requested rule is not ' 'found.'), deprecated_group='DEFAULT'), # NOTE(stevemar): Remove this option in the M cycle, refer to bug 1428332 cfg.MultiStrOpt('policy_dirs', default=['policy.d'], help=_('Directories where policy configuration files are ' 'stored. They can be relative to any directory ' 'in the search path defined by the config_dir ' 'option, or absolute paths. The file defined by ' 'policy_file must exist for these directories to ' 'be searched. Missing or empty directories are '
def __init__(self, rule, target, creds):
    """Report that *rule* denied *creds* access to *target*.

    Args:
        rule: The policy rule that denied the request.
        target: The object the rule was evaluated against.
        creds: Caller credentials.  They are interpolated verbatim, so
            anything sensitive in them ends up in the exception text.
    """
    fields = {'rule': rule, 'target': target, 'creds': creds}
    text = _('%(rule)s on %(target)s by %(creds)s disallowed by policy') % fields
    super(PolicyNotAuthorized, self).__init__(text)
import copy from oslo_config import cfg from oslo_policy._i18n import _ _option_group = 'oslo_policy' _options = [ cfg.BoolOpt('enforce_scope', default=False, help=_('This option controls whether or not to enforce scope ' 'when evaluating policies. If ``True``, the scope of ' 'the token used in the request is compared to the ' '``scope_types`` of the policy being enforced. If the ' 'scopes do not match, an ``InvalidScope`` exception ' 'will be raised. If ``False``, a message will be ' 'logged informing operators that policies are being ' 'invoked with mismatching scope.')), cfg.StrOpt('policy_file', default='policy.json', help=_('The file that defines policies.'), deprecated_group='DEFAULT'), cfg.StrOpt('policy_default_rule', default='default', help=_('Default rule. Enforced when a requested rule is not ' 'found.'), deprecated_group='DEFAULT'), cfg.MultiStrOpt('policy_dirs', default=['policy.d'], help=_('Directories where policy configuration files are '
'list_opts', 'set_defaults', ] import copy from oslo_config import cfg from oslo_policy._i18n import _ _option_group = 'oslo_policy' _options = [ cfg.StrOpt('policy_file', default='policy.json', help=_('The JSON file that defines policies.'), deprecated_group='DEFAULT'), cfg.StrOpt('policy_default_rule', default='default', help=_('Default rule. Enforced when a requested rule is not ' 'found.'), deprecated_group='DEFAULT'), cfg.MultiStrOpt('policy_dirs', default=['policy.d'], help=_('Directories where policy configuration files are ' 'stored. They can be relative to any directory ' 'in the search path defined by the config_dir ' 'option, or absolute paths. The file defined by ' 'policy_file must exist for these directories to ' 'be searched. Missing or empty directories are' 'ignored.'),
from oslo_policy._i18n import _ __all__ = [ 'list_opts', 'set_defaults', ] _option_group = 'oslo_policy' _options = [ cfg.BoolOpt('enforce_scope', default=False, help=_('This option controls whether or not to enforce scope ' 'when evaluating policies. If ``True``, the scope of ' 'the token used in the request is compared to the ' '``scope_types`` of the policy being enforced. If the ' 'scopes do not match, an ``InvalidScope`` exception ' 'will be raised. If ``False``, a message will be ' 'logged informing operators that policies are being ' 'invoked with mismatching scope.')), cfg.BoolOpt('enforce_new_defaults', default=False, help=_('This option controls whether or not to use old ' 'deprecated defaults when evaluating policies. If ' '``True``, the old deprecated defaults are not going ' 'to be evaluated. This means if any existing token is ' 'allowed for old defaults but is disallowed for new ' 'defaults, it will be disallowed. It is encouraged to ' 'enable this flag along with the ``enforce_scope`` ' 'flag so that you can get the benefits of new defaults ' 'and ``scope_type`` together')), cfg.StrOpt('policy_file',