def init(): """Init an Enforcer class. Sets the _ENFORCER_PLACEMENT global.""" global _ENFORCER_PLACEMENT if not _ENFORCER_PLACEMENT: # NOTE(mriedem): We have to explicitly pass in the # [placement]/policy_file path because otherwise oslo_policy defaults # to read the policy file from config option [oslo_policy]/policy_file # which is used by nova. In other words, to have separate policy files # for placement and nova, we have to use separate policy_file options. _ENFORCER_PLACEMENT = policy.Enforcer( CONF, policy_file=CONF.placement.policy_file) _ENFORCER_PLACEMENT.register_defaults(policies.list_rules()) _ENFORCER_PLACEMENT.load_rules()
def init(): """Init an Enforcer class. Sets the _ENFORCER_PLACEMENT global.""" global _ENFORCER_PLACEMENT if not _ENFORCER_PLACEMENT: # NOTE(mriedem): We have to explicitly pass in the # [placement]/policy_file path because otherwise oslo_policy defaults # to read the policy file from config option [oslo_policy]/policy_file # which is used by nova. In other words, to have separate policy files # for placement and nova, we have to use separate policy_file options. _ENFORCER_PLACEMENT = policy.Enforcer( CONF, policy_file=CONF.placement.policy_file) _ENFORCER_PLACEMENT.register_defaults(policies.list_rules()) _ENFORCER_PLACEMENT.load_rules()
def start_fixture(self): super(OpenPolicyFixture, self).start_fixture() self.placement_policy_fixture = policy_fixture.PlacementPolicyFixture() self.placement_policy_fixture.setUp() # Get all of the registered rules and set them to '@' to allow any # user to have access. The nova policy "admin_or_owner" concept does # not really apply to most of placement resources since they do not # have a user_id/project_id attribute. rules = {} for rule in policies.list_rules(): name = rule.name # Ignore "base" rules for role:admin. if name in ['placement', 'admin_api']: continue rules[name] = '@' self.placement_policy_fixture.set_rules(rules)
def start_fixture(self): super(OpenPolicyFixture, self).start_fixture() self.placement_policy_fixture = policy_fixture.PlacementPolicyFixture() self.placement_policy_fixture.setUp() # Get all of the registered rules and set them to '@' to allow any # user to have access. The nova policy "admin_or_owner" concept does # not really apply to most of placement resources since they do not # have a user_id/project_id attribute. rules = {} for rule in policies.list_rules(): name = rule.name # Ignore "base" rules for role:admin. if name in ['placement', 'admin_api']: continue rules[name] = '@' self.placement_policy_fixture.set_rules(rules)