path: root/doc/source/cli/oslopolicy-checker.rst
==================
oslopolicy-checker
==================

.. program:: oslopolicy-checker

Synopsis
--------

::

   oslopolicy-checker [-h] [--access ACCESS] [--config-dir DIR]
                      [--config-file PATH]
                      [--enforcer_config ENFORCER_CONFIG] [--is_admin]
                      [--nois_admin] [--policy POLICY] [--rule RULE]
                      [--target TARGET]

Description
-----------

The ``oslopolicy-checker`` command can be used to check policy against
the OpenStack Identity API access information. The access information is a
keystone token response from keystone's `authentication API
<https://docs.openstack.org/api-ref/identity/v3/#password-authentication-with-scoped-authorization>`_.

Options
-------

.. include:: common/default-opts.rst

.. option:: --access ACCESS

    Path to a file containing an OpenStack Identity API token response body in
    JSON format.

.. option:: --enforcer_config ENFORCER_CONFIG

    Configuration file for the oslopolicy-checker enforcer.

.. option:: --is_admin

    Set ``is_admin=True`` on the credentials used for the evaluation.

.. option:: --nois_admin

    The inverse of ``--is_admin``.

.. option:: --policy POLICY

    Path to a policy file.

.. option:: --rule RULE

    Rule to test.

.. option:: --target TARGET

    Path to a file containing custom target info in JSON format. The policy is
    evaluated against this target.

Examples
--------

Test all of Nova's policy with an admin token:

.. code-block:: bash

   oslopolicy-checker \
     --policy /opt/stack/nova/etc/nova/policy.json \
     --access sample_data/auth_v3_token_admin.json

Test the ``compute_extension:flavorextraspecs:index`` rule in Nova's policy
with the admin token and ``is_admin`` set to ``True``:

.. code-block:: bash

   oslopolicy-checker \
     --policy /opt/stack/nova/etc/nova/policy.json \
     --access sample_data/auth_v3_token_admin.json \
     --is_admin --rule compute_extension:flavorextraspecs:index

Test the ``compute_extension:flavorextraspecs:index`` rule in Nova's policy
with the plain member token:

.. code-block:: bash

   oslopolicy-checker \
     --policy /opt/stack/nova/etc/nova/policy.json \
     --access sample_data/auth_v3_token_member.json \
     --rule compute_extension:flavorextraspecs:index
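
The step the checker performs for each of the runs above, shown as an added
example rather than the tool's or oslo.policy's own code: the token response
body read from ``--access`` is flattened into a credentials dict, ``--is_admin``
sets ``is_admin`` on it, and a rule is evaluated against those credentials
with ``--target`` data substituted into ``%(attr)s`` placeholders. The names
``token_to_creds`` and ``check`` are assumptions, the token body is constructed,
and the evaluator covers only a subset of the rule language (``role:``,
``is_admin:``, ``attr:value``, ``@``, ``!``, ``and``/``or`` without parentheses).

```python
import json

# Constructed sample: a trimmed Identity v3 token response body, the kind of
# document --access points at. Not real token data.
SAMPLE_ACCESS = json.dumps({"token": {
    "user": {"id": "u-123", "name": "alice"},
    "project": {"id": "p-456", "name": "demo"},
    "roles": [{"id": "r-1", "name": "member"}],
}})


def token_to_creds(access_json, is_admin=False):
    """Flatten a keystone token body into the credentials a rule is checked against.

    is_admin mirrors the --is_admin / --nois_admin switch (hypothetical helper).
    """
    tok = json.loads(access_json)["token"]
    return {
        "user_id": tok["user"]["id"],
        "project_id": tok.get("project", {}).get("id"),
        "roles": [r["name"] for r in tok.get("roles", [])],
        "is_admin": is_admin,
    }


def _atom(atom, creds, target):
    """Evaluate one 'kind:value' term (subset of the real policy language)."""
    if atom == "@":            # always allowed
        return True
    if atom == "!":            # never allowed
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value.lower() in [r.lower() for r in creds["roles"]]
    if kind == "is_admin":
        return creds["is_admin"] == (value.lower() == "true")
    try:
        value = value % target  # expand %(attr)s from the --target data
    except (KeyError, ValueError):
        return False            # placeholder with no target value: deny
    return str(creds.get(kind)) == value


def check(rule, creds, target=None):
    """Evaluate 'a and b or c'; 'and' binds tighter than 'or', no parentheses."""
    target = target or {}
    return any(all(_atom(a.strip(), creds, target) for a in conj.split(" and "))
               for conj in rule.split(" or "))
```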

See Also
--------

:program:`oslopolicy-sample-generator`, :program:`oslopolicy-policy-generator`,
:program:`oslopolicy-list-redundant`, :program:`oslopolicy-validator`