Last active
January 9, 2017 17:31
-
-
Save jimbaker/faa6288a8fcd9ba736f950435a901537 to your computer and use it in GitHub Desktop.
Example script using oslo_policy
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from oslo_config import cfg | |
| from oslo_policy import policy as common_policy | |
| CONF = cfg.CONF # should just be an empty config file | |
| ENFORCER = common_policy.Enforcer(CONF) | |
| rules = { | |
| "fleet:audit": "role:admin or (principal:%(principal)s and role_:%(role_)s and resource:%(resource)s)" | |
| } | |
| these_rules = common_policy.Rules.from_dict(rules) | |
| print(these_rules) | |
| ENFORCER.set_rules(these_rules) | |
| ENFORCER.check_rules() | |
| credentials = {'roles': ['user'], 'principal': 'foo', 'role_': 'fleet:audit', 'resource': 'baz'} | |
| target = {'principal':'foo', 'role_':'fleet:audit', 'resource':'baz'} | |
| ENFORCER.enforce("fleet:audit", target, credentials, do_raise=True) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from oslo_config import cfg | |
| from oslo_policy import policy as common_policy | |
| CONF = cfg.CONF | |
| ENFORCER = common_policy.Enforcer(CONF) | |
| rules = { | |
| "true": [], | |
| "example:allowed": [], | |
| "example:denied": [["false:false"]], | |
| "example:get_http": [["http:http://www.example.com"]], | |
| "example:my_file": [["role:compute_admin"], | |
| ["project_id:%(project_id)s"]], | |
| "example:early_and_fail": [["false:false", "rule:true"]], | |
| "example:early_or_success": [["rule:true"], ["false:false"]], | |
| "example:lowercase_admin": [["role:admin"], ["role:sysadmin"]], | |
| "example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]], | |
| } | |
| these_rules = common_policy.Rules.from_dict(rules) | |
| print(these_rules) | |
| ENFORCER.set_rules(these_rules) | |
| ENFORCER.check_rules() | |
| admin_credentials = {'roles': ['AdMiN']} | |
| credentials = {} | |
| target = {} | |
| lowercase_action = "example:lowercase_admin" | |
| ENFORCER.enforce(lowercase_action, target, admin_credentials, do_raise=True) | |
| ENFORCER.enforce(lowercase_action, target, credentials, do_raise=True) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment