 def _build_message(self, message, **kwargs):
     """Build the exception text, adding detail only in debug mode.

     When ``CONF.debug`` is off the caller-supplied *message* is dropped
     and only the generic ``self.message_format`` (filled from *kwargs*)
     is returned, so nothing beyond the generic text reaches the caller.
     In debug mode the given *message* (or, if it is empty, the formatted
     generic one) is returned followed by ``self.amendment``.
     """
     if not CONF.debug:
         return self.message_format % kwargs
     # ``message or ...`` keeps the generic formatting lazy: it is only
     # evaluated when no explicit message was supplied.
     detail = {
         'message': message or self.message_format % kwargs,
         'amendment': self.amendment,
     }
     return _('%(message)s %(amendment)s') % detail
 def __init__(self, rule, target, creds):
     """Describe a denial of *target* by policy *rule* for *creds*.

     All three values are interpolated into the message, so the full
     *creds* mapping ends up in the exception text; keep that in mind
     wherever this text is logged or returned to a client.
     """
     params = {'rule': rule, 'target': target, 'creds': creds}
     text = _('%(target)s is disallowed by policy rule %(rule)s '
              'with %(creds)s ')
     super(PolicyNotAuthorized, self).__init__(text % params)
    def __call__(self, target, creds, enforcer, current_rule=None):
        """Delegate the policy decision to a remote HTTPS service.

        The endpoint is ``self.match`` (taken from the policy rule)
        interpolated with *target* and prefixed with ``https:``.  TLS
        material comes from the ``oslo_policy`` section of
        ``enforcer.conf``: an optional client certificate/key pair, an
        optional CA file and the ``remote_ssl_verify_server_crt`` switch.

        :returns: ``True`` only when the response body is exactly the text
                  ``True`` (surrounding double quotes are tolerated); any
                  other body, including an error page, counts as a denial.
        :raises RuntimeError: when a configured client cert or key does not
                              exist or is unreadable, or when a configured
                              CA file does not exist.
        """
        url = ('https:' + self.match) % target

        ssl_opts = enforcer.conf.oslo_policy
        cert_file = ssl_opts.remote_ssl_client_crt_file
        key_file = ssl_opts.remote_ssl_client_key_file
        ca_crt_file = ssl_opts.remote_ssl_ca_crt_file
        verify_server = ssl_opts.remote_ssl_verify_server_crt

        # Check the client-side TLS material up front so that a
        # misconfiguration surfaces as a clear RuntimeError instead of an
        # opaque handshake failure.
        if cert_file:
            if not os.path.exists(cert_file):
                raise RuntimeError(
                    _("Unable to find ssl cert_file  : %s") % cert_file)
            if not os.access(cert_file, os.R_OK):
                raise RuntimeError(
                    _("Unable to access ssl cert_file  : %s") % cert_file)
        if key_file:
            if not os.path.exists(key_file):
                raise RuntimeError(
                    _("Unable to find ssl key_file : %s") % key_file)
            if not os.access(key_file, os.R_OK):
                raise RuntimeError(
                    _("Unable to access ssl key_file  : %s") % key_file)
        client_cert = (cert_file, key_file)

        # Server verification: with the switch on and a CA file configured,
        # validation is pinned to that file; with the switch on and no CA
        # file, ``True`` is passed through and requests falls back to its
        # default CA bundle.  With the switch off, ``verify=False`` reaches
        # requests and the server certificate is not validated at all --
        # the policy answer then comes from an unauthenticated peer.
        if verify_server and ca_crt_file:
            if not os.path.exists(ca_crt_file):
                raise RuntimeError(
                    _("Unable to find ca cert_file  : %s") % ca_crt_file)
            verify_server = ca_crt_file

        data, payload_json = self._construct_payload(
            creds, current_rule, enforcer, target)
        response = requests.post(url,
                                 json=payload_json,
                                 data=data,
                                 cert=client_cert,
                                 verify=verify_server)
        with contextlib.closing(response) as resp:
            # Fail closed: only the literal ``True`` grants access.
            return resp.text.lstrip('"').rstrip('"') == 'True'
    def set_rules(self, rules, overwrite=True, use_conf=False):
        """Replace or extend the active :class:`Rules` with *rules*.

        :param dict rules: New rules to use.
        :param overwrite: If true, discard the current rules and build a
                          fresh :class:`Rules` around *rules*; otherwise
                          merge *rules* into the existing set.
        :param use_conf: Whether to reload rules from cache or config file.
        :raises TypeError: if *rules* is not a ``dict``.
        """

        if not isinstance(rules, dict):
            raise TypeError(_('Rules must be an instance of dict or Rules, '
                            'got %s instead') % type(rules))
        self.use_conf = use_conf
        if not overwrite:
            # Merge mode: rules not mentioned in *rules* are kept as-is.
            self.rules.update(rules)
            return
        self.rules = Rules(rules, self.default_rule)
    def set_rules(self, rules, overwrite=True, use_conf=False):
        """Install *rules* as the enforcer's :class:`Rules`.

        :param dict rules: New rules to use.
        :param overwrite: Whether to overwrite current rules or update them
                          with the new rules.
        :param use_conf: Whether to reload rules from cache or config file.
        :raises TypeError: if *rules* is not a ``dict``.
        """

        if not isinstance(rules, dict):
            raise TypeError(_('Rules must be an instance of dict or Rules, '
                            'got %s instead') % type(rules))
        self.use_conf = use_conf
        if overwrite:
            # Fresh rule set; the previous one is discarded entirely.
            fresh = Rules(rules, self.default_rule)
            self.rules = fresh
        else:
            self.rules.update(rules)
 def __init__(self, rule):
     """Report that *rule* denied the requested operation."""
     text = _('Policy does not allow %s to be performed.')
     super(PolicyNotAuthorized, self).__init__(text % rule)
 def __init__(self, error):
     """Wrap *error*, the reason a policy rule default was rejected."""
     text = _('Invalid policy rule default: %(error)s.')
     super(InvalidRuleDefault, self).__init__(text % {'error': error})
 def __init__(self, names):
     """Report the policies in *names* whose definitions are not valid.

     The message deliberately points at the logs rather than repeating
     the details here.
     """
     text = _('Policies %(names)s are not well defined. Check logs for '
              'more details.')
     super(InvalidDefinitionError, self).__init__(text % {'names': names})
 def __init__(self, name):
     """Report a lookup of policy *name* that was never registered."""
     params = {'name': name}
     text = _('Policy %(name)s has not been registered')
     super(PolicyNotRegistered, self).__init__(text % params)
 def __init__(self, name):
     """Report an attempt to register policy *name* a second time."""
     text = _('Policy %(name)s is already registered')
     super(DuplicatePolicyError, self).__init__(text % {'name': name})
    'set_defaults',
]

import copy

from oslo_config import cfg

from oslo_policy._i18n import _


# Name of the config group the options below are defined for.
_option_group = 'oslo_policy'

_options = [
    cfg.StrOpt(
        'CSP_domain_id',
        default=None,
        help=_("Domain of Cloud Service Provider's. This value should"
               " be the same across the whole Cloud."),
    ),
    # ``secret=True`` flags the connection string -- which commonly embeds
    # database credentials -- as sensitive so oslo.config masks its value
    # when options are logged.
    # NOTE(review): unlike CSP_domain_id, this help text is not wrapped in
    # _() and so will not be translated.
    cfg.StrOpt(
        'policy_connection',
        secret=True,
        help='SQLAlchemy connection string used to connect to the '
             'policy database.',
    ),
]


def list_opts():
    """Return a list of oslo.config options available in the library.

    The returned list includes all oslo.config options which may be registered
    at runtime by the library.
    Each element of the list is a tuple. The first element is the name of the
 def __init__(self, rule, target, creds):
     """Report that *rule* denied the request.

     Only *rule* is rendered into the message; *target* and *creds* are
     accepted but do not appear in the text.
     """
     text = _("%(rule)s is disallowed by policy")
     super(PolicyNotAuthorized, self).__init__(text % {'rule': rule})
    'set_defaults',
]

import copy

from oslo_config import cfg

from oslo_policy._i18n import _


# Name of the config group the ``_options`` below are defined for.
_option_group = 'oslo_policy'

_options = [
    cfg.StrOpt('policy_file',
               default='policy.json',
               help=_('The JSON file that defines policies.'),
               deprecated_group='DEFAULT'),
    cfg.StrOpt('policy_default_rule',
               default='default',
               help=_('Default rule. Enforced when a requested rule is not '
                      'found.'),
               deprecated_group='DEFAULT'),
    # NOTE(stevemar): Remove this option in the M cycle, refer to bug 1428332
    cfg.MultiStrOpt('policy_dirs',
                    default=['policy.d'],
                    help=_('Directories where policy configuration files are '
                           'stored. They can be relative to any directory '
                           'in the search path defined by the config_dir '
                           'option, or absolute paths. The file defined by '
                           'policy_file must exist for these directories to '
                           'be searched.  Missing or empty directories are '
 def __init__(self, name):
     """Report a lookup of policy *name* that was never registered."""
     text = _('Policy %(name)s has not been registered')
     super(PolicyNotRegistered, self).__init__(text % {'name': name})
 def __init__(self, name):
     """Report an attempt to register policy *name* a second time."""
     params = {'name': name}
     text = _('Policy %(name)s is already registered')
     super(DuplicatePolicyError, self).__init__(text % params)
 def __init__(self, rule, target, creds):
     """Report that *rule* on *target* was denied for *creds*.

     All three values, including the *creds* mapping, are rendered into
     the exception text.
     """
     params = {'rule': rule, 'target': target, 'creds': creds}
     text = _('%(rule)s on %(target)s by %(creds)s disallowed by policy')
     super(PolicyNotAuthorized, self).__init__(text % params)
import copy

from oslo_config import cfg

from oslo_policy._i18n import _

# Name of the config group the ``_options`` below are defined for.
_option_group = 'oslo_policy'

_options = [
    cfg.BoolOpt('enforce_scope',
                default=False,
                help=_('This option controls whether or not to enforce scope '
                       'when evaluating policies. If ``True``, the scope of '
                       'the token used in the request is compared to the '
                       '``scope_types`` of the policy being enforced. If the '
                       'scopes do not match, an ``InvalidScope`` exception '
                       'will be raised. If ``False``, a message will be '
                       'logged informing operators that policies are being '
                       'invoked with mismatching scope.')),
    cfg.StrOpt('policy_file',
               default='policy.json',
               help=_('The file that defines policies.'),
               deprecated_group='DEFAULT'),
    cfg.StrOpt('policy_default_rule',
               default='default',
               help=_('Default rule. Enforced when a requested rule is not '
                      'found.'),
               deprecated_group='DEFAULT'),
    cfg.MultiStrOpt('policy_dirs',
                    default=['policy.d'],
                    help=_('Directories where policy configuration files are '
    'list_opts',
    'set_defaults',
]

import copy

from oslo_config import cfg

from oslo_policy._i18n import _

# Name of the config group the ``_options`` below are defined for.
_option_group = 'oslo_policy'

_options = [
    cfg.StrOpt('policy_file',
               default='policy.json',
               help=_('The JSON file that defines policies.'),
               deprecated_group='DEFAULT'),
    cfg.StrOpt('policy_default_rule',
               default='default',
               help=_('Default rule. Enforced when a requested rule is not '
                      'found.'),
               deprecated_group='DEFAULT'),
    cfg.MultiStrOpt('policy_dirs',
                    default=['policy.d'],
                    help=_('Directories where policy configuration files are '
                           'stored. They can be relative to any directory '
                           'in the search path defined by the config_dir '
                           'option, or absolute paths. The file defined by '
                           'policy_file must exist for these directories to '
                           'be searched.  Missing or empty directories are'
                           'ignored.'),
from oslo_policy._i18n import _

# Public API of this module; ``_option_group`` and ``_options`` stay private.
__all__ = [
    'list_opts',
    'set_defaults',
]

# Name of the config group the ``_options`` below are defined for.
_option_group = 'oslo_policy'

_options = [
    cfg.BoolOpt('enforce_scope',
                default=False,
                help=_('This option controls whether or not to enforce scope '
                       'when evaluating policies. If ``True``, the scope of '
                       'the token used in the request is compared to the '
                       '``scope_types`` of the policy being enforced. If the '
                       'scopes do not match, an ``InvalidScope`` exception '
                       'will be raised. If ``False``, a message will be '
                       'logged informing operators that policies are being '
                       'invoked with mismatching scope.')),
    cfg.BoolOpt('enforce_new_defaults',
                default=False,
                help=_('This option controls whether or not to use old '
                       'deprecated defaults when evaluating policies. If '
                       '``True``, the old deprecated defaults are not going '
                       'to be evaluated. This means if any existing token is '
                       'allowed for old defaults but is disallowed for new '
                       'defaults, it will be disallowed. It is encouraged to '
                       'enable this flag along with the ``enforce_scope`` '
                       'flag so that you can get the benefits of new defaults '
                       'and ``scope_type`` together')),
    cfg.StrOpt('policy_file',