本文整理汇总了Python中oslo_policy.policy.json方法的典型用法代码示例。如果您正苦于以下问题:Python policy.json方法的具体用法?Python policy.json怎么用?Python policy.json使用的例子?那么恭喜您,这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类oslo_policy.policy的用法示例。
在下文中一共展示了policy.json方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: _add_policy_rules
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def _add_policy_rules(self, property_exp, action, rule):
    """Register one property-protection rule with the policy enforcer.

    For example, if the file listed as property_protection_file has:

        [prop_a]
        create = searchlight_creator

    then the corresponding policy rule would be:

        "prop_a:create": "rule:searchlight_creator"

    where searchlight_creator is defined in policy.json or policy.yaml.
    For example:

        "searchlight_creator": "role:admin or role:searchlight_create_user"

    The value stored is always a *reference* ("rule:<name>") to another
    rule, never a check string of its own.

    NOTE(review): nothing in this method verifies that ``rule`` names a
    rule that is actually defined in the policy file. Confirm that the
    enforcer denies (rather than allows) when the referenced rule is
    missing, since a typo in the property protection file would otherwise
    go unnoticed here.
    """
    referenced_check = "rule:%s" % rule
    policy_key = "%s:%s" % (property_exp, action)
    new_rules = policy.Rules.from_dict({policy_key: referenced_check})
    self.policy_enforcer.add_rules(new_rules)
示例2: test_should_raise_decrypt_secret_with_project_access_disabled
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_should_raise_decrypt_secret_with_project_access_disabled(self):
    """Should raise authz error as secret is marked private.

    The default read ACL is replaced with one that has
    ``project_access=False`` and an explicit ``user_ids`` list, so project
    membership alone must no longer grant access to the secret.

    Only the denial for the 'observer', 'creator' and 'audit' roles is
    asserted here; the admin case is not exercised by this test.
    """
    self.acl_list.pop()  # remove read acl from default setup
    private_read_acl = models.SecretACL(
        secret_id=self.secret_id,
        operation='read',
        project_access=False,
        user_ids=['anyRandomUserX', 'aclUser1'],
    )
    self.acl_list.append(private_read_acl)

    denied_roles = ['observer', 'creator', 'audit']
    self._assert_fail_rbac(
        denied_roles,
        self._invoke_on_get,
        accept='notjsonaccepttype',
        content_type='application/json',
        user_id=self.user_id,
        project_id=self.external_project_id,
    )
示例3: test_pass_decrypt_secret_for_admin_user_project_access_disabled
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_pass_decrypt_secret_for_admin_user_project_access_disabled(self):
    """Should pass authz for admin role user as secret is marked private.

    The read ACL installed here has ``project_access=False``; the test
    asserts that a caller holding the 'admin' role is still authorized for
    the get/decrypt call.

    NOTE(review): the caller is ``self.user_id``; whether that id is absent
    from the ACL's ``user_ids`` depends on the fixture, which is not
    visible here.
    """
    self.acl_list.pop()  # remove read acl from default setup
    private_read_acl = models.SecretACL(
        secret_id=self.secret_id,
        operation='read',
        project_access=False,
        user_ids=['anyRandomUserX', 'aclUser1'],
    )
    self.acl_list.append(private_read_acl)

    allowed_roles = ['admin']
    self._assert_pass_rbac(
        allowed_roles,
        self._invoke_on_get,
        accept='notjsonaccepttype',
        content_type='application/json',
        user_id=self.user_id,
        project_id=self.external_project_id,
    )
示例4: test_should_raise_decrypt_secret_for_with_project_access_nolist
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_should_raise_decrypt_secret_for_with_project_access_nolist(self):
    """Should raise authz error as secret is marked private.

    Same scenario as the private-secret denial test, but the read ACL
    carries an empty ``user_ids`` list, which is a valid and common case:
    project access is switched off and no user is granted access
    individually.

    Only the denial for the 'observer', 'creator' and 'audit' roles is
    asserted here; the admin case is not exercised by this test.
    """
    self.acl_list.pop()  # remove read acl from default setup
    private_read_acl = models.SecretACL(
        secret_id=self.secret_id,
        operation='read',
        project_access=False,
        user_ids=[],
    )
    self.acl_list.append(private_read_acl)

    denied_roles = ['observer', 'creator', 'audit']
    self._assert_fail_rbac(
        denied_roles,
        self._invoke_on_get,
        accept='notjsonaccepttype',
        content_type='application/json',
        user_id=self.user_id,
        project_id=self.external_project_id,
    )
示例5: test_should_pass_decrypt_secret_private_enabled_with_read_acl
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_should_pass_decrypt_secret_private_enabled_with_read_acl(self):
    """Should pass authz as user has read acl for private secret.

    The caller is 'aclUser1', which appears in the read ACL's ``user_ids``.
    The role list deliberately includes 'bogusRole': the test asserts that
    the per-user ACL entry authorizes the call whatever role the token
    carries, even though ``project_access`` is False.
    """
    self.acl_list.pop()  # remove read acl from default setup
    private_read_acl = models.SecretACL(
        secret_id=self.secret_id,
        operation='read',
        project_access=False,
        user_ids=['anyRandomUserX', 'aclUser1'],
    )
    self.acl_list.append(private_read_acl)

    any_role = ['admin', 'observer', 'creator', 'audit', 'bogusRole']
    self._assert_pass_rbac(
        any_role,
        self._invoke_on_get,
        accept='notjsonaccepttype',
        content_type='application/json',
        user_id='aclUser1',
        project_id=self.external_project_id,
    )
示例6: test_fail_decrypt_secret_for_creator_user_with_different_project
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_fail_decrypt_secret_for_creator_user_with_different_project(self):
    """Check for creator user rule for secret decrypt/get call.

    If the token's user is the creator of the secret but the token is
    scoped to a different project, the user is not allowed access to the
    secret.

    NOTE(review): the ACL installed here is a 'write' ACL with
    ``project_access=True``, so after the pop no read ACL remains. The
    denial asserted below therefore appears to come from the project
    mismatch rather than from a private read ACL -- confirm against the
    policy rules.
    """
    self.acl_list.pop()  # remove read acl from default setup
    write_acl = models.SecretACL(
        secret_id=self.secret_id,
        operation='write',
        project_access=True,
        user_ids=['anyRandomUserX', 'aclUser1'],
    )
    self.acl_list.append(write_acl)
    self.resource.controller.secret.creator_id = 'creatorUserX'

    # token user is creator but scoped to project different from secret
    # project so don't allow decrypt secret call to creator of that secret
    every_role = ['admin', 'observer', 'creator', 'audit', 'bogusRole']
    self._assert_fail_rbac(
        every_role,
        self._invoke_on_get,
        accept='notjsonaccepttype',
        content_type='application/json',
        user_id='creatorUserX',
        project_id='different_project_id',
    )
示例7: get_enforcer
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
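def get_enforcer():
    """Return the module-level enforcer for use by oslo.policy CLI scripts.

    The command line is re-parsed with the CLI-only options removed, the
    policy machinery is initialised via ``init()``, and ``_ENFORCER`` is
    returned.
    """
    # NOTE(amotoki): This was borrowed from nova/policy.py.
    # This method is for use by oslo.policy CLI scripts. Those scripts need the
    # 'output-file' and 'namespace' options, but having those in sys.argv means
    # loading the tacker config options will fail as those are not expected to
    # be present. So we pass in an arg list with those stripped out.
    cli_only_opts = ('namespace', 'output-file')
    conf_args = []
    # Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
    i = 1
    while i < len(sys.argv):
        arg = sys.argv[i]
        if arg.strip('-') in cli_only_opts:
            # '--opt value' form: drop the option and the value after it.
            i += 2
            continue
        if arg.startswith('--') and arg[2:].partition('=')[0] in cli_only_opts:
            # '--opt=value' form occupies a single argv slot. Without this
            # branch the option would be handed to cfg.CONF below, which
            # does not expect it.
            i += 1
            continue
        conf_args.append(arg)
        i += 1

    # 'project' must be 'tacker' so that get_enforcer looks at
    # /etc/tacker/policy.json by default.
    # NOTE(review): recent oslo.policy releases deprecate JSON policy files
    # in favour of YAML; confirm which file the deployed version loads.
    cfg.CONF(conf_args, project='tacker')
    init()
    return _ENFORCER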
示例8: test_load_directory_caching_with_files_same
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_load_directory_caching_with_files_same(self, overwrite=True):
    """Reloading unchanged policy files must not change the mtime cache.

    After the first ``load_rules`` the enforcer tracks exactly one entry
    in ``_policy_dir_mtimes``. A second ``load_rules`` with the files
    untouched must leave both the number of entries and the recorded
    value as they were. The loaded 'admin' rule is then checked, along
    with the list of files that were read.
    """
    policy_d_file = os.path.join('policy.d', 'a.conf')

    self.enforcer.overwrite = overwrite
    self.create_config_file(policy_d_file, POLICY_A_CONTENTS)

    # First load populates the rules and the directory mtime cache.
    self.enforcer.load_rules(False)
    self.assertIsNotNone(self.enforcer.rules)
    mtime_before = six.next(
        six.itervalues(self.enforcer._policy_dir_mtimes))
    self.assertEqual(1, len(self.enforcer._policy_dir_mtimes))

    # Second load with identical files: cache size and value are stable.
    self.enforcer.load_rules(False)
    self.assertEqual(1, len(self.enforcer._policy_dir_mtimes))
    mtime_after = six.next(
        six.itervalues(self.enforcer._policy_dir_mtimes))
    self.assertEqual(mtime_before, mtime_after)

    loaded_rules = jsonutils.loads(str(self.enforcer.rules))
    self.assertEqual('is_admin:True', loaded_rules['admin'])
    self.check_loaded_files(['policy.json', policy_d_file])
示例9: test_deprecate_a_policy_for_removal_logs_warning_when_overridden
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_deprecate_a_policy_for_removal_logs_warning_when_overridden(self):
    """Overriding a policy that is deprecated for removal emits a warning.

    The default 'foo:bar' is registered with ``deprecated_for_removal``
    and policy.json overrides it with 'role:bang'. Loading the rules must
    call ``warnings.warn`` exactly once with a message telling the
    operator that the override may be silently ignored in the future.
    """
    removal_default = policy.DocumentedRuleDefault(
        name='foo:bar',
        check_str='role:baz',
        description='Create a foo.',
        operations=[{'path': '/v1/foos/', 'method': 'POST'}],
        deprecated_for_removal=True,
        deprecated_reason=(
            '"foo:bar" is no longer a policy used by the service'
        ),
        deprecated_since='N'
    )
    rule_list = [removal_default]
    expected_msg = (
        'Policy "foo:bar":"role:baz" was deprecated for removal in N. '
        'Reason: "foo:bar" is no longer a policy used by the service. Its '
        'value may be silently ignored in the future.'
    )

    # Operator-supplied override of the deprecated policy.
    override_json = jsonutils.dumps({'foo:bar': 'role:bang'})
    self.create_config_file('policy.json', override_json)

    enforcer = policy.Enforcer(self.conf)
    enforcer.register_defaults(rule_list)

    with mock.patch('warnings.warn') as mock_warn:
        enforcer.load_rules()
        mock_warn.assert_called_once_with(expected_msg)
示例10: test_deprecate_name_suppress_does_not_log_warning
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_deprecate_name_suppress_does_not_log_warning(self):
    """No warning is emitted for a renamed policy when suppression is on.

    'foo:create_bar' replaces the deprecated name 'foo:bar', and
    policy.json still overrides the old name. With
    ``suppress_deprecation_warnings`` set on the enforcer, loading the
    rules must not call ``warnings.warn``.
    """
    old_name_rule = policy.DeprecatedRule(
        name='foo:bar',
        check_str='role:baz'
    )
    renamed_default = policy.DocumentedRuleDefault(
        name='foo:create_bar',
        check_str='role:baz',
        description='Create a bar.',
        operations=[{'path': '/v1/bars/', 'method': 'POST'}],
        deprecated_rule=old_name_rule,
        deprecated_reason='"foo:bar" is not granular enough.',
        deprecated_since='N'
    )
    rule_list = [renamed_default]

    # Operator-supplied override that still uses the deprecated name.
    override_json = jsonutils.dumps({'foo:bar': 'role:bang'})
    self.create_config_file('policy.json', override_json)

    enforcer = policy.Enforcer(self.conf)
    enforcer.suppress_deprecation_warnings = True
    enforcer.register_defaults(rule_list)

    with mock.patch('warnings.warn') as mock_warn:
        enforcer.load_rules()
        mock_warn.assert_not_called()
示例11: test_deprecate_for_removal_suppress_does_not_log_warning
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_deprecate_for_removal_suppress_does_not_log_warning(self):
    """No warning is emitted for a removed policy when suppression is on.

    'foo:bar' is registered with ``deprecated_for_removal`` and is
    overridden in policy.json. With ``suppress_deprecation_warnings`` set
    on the enforcer, loading the rules must not call ``warnings.warn``.
    """
    removal_default = policy.DocumentedRuleDefault(
        name='foo:bar',
        check_str='role:baz',
        description='Create a foo.',
        operations=[{'path': '/v1/foos/', 'method': 'POST'}],
        deprecated_for_removal=True,
        deprecated_reason=(
            '"foo:bar" is no longer a policy used by the service'
        ),
        deprecated_since='N'
    )
    rule_list = [removal_default]

    # Operator-supplied override of the deprecated policy.
    override_json = jsonutils.dumps({'foo:bar': 'role:bang'})
    self.create_config_file('policy.json', override_json)

    enforcer = policy.Enforcer(self.conf)
    enforcer.suppress_deprecation_warnings = True
    enforcer.register_defaults(rule_list)

    with mock.patch('warnings.warn') as mock_warn:
        enforcer.load_rules()
        mock_warn.assert_not_called()
示例12: get_enforcer
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
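def get_enforcer():
    """Return the module-level enforcer for use by oslo.policy CLI scripts.

    The command line is re-parsed with the CLI-only options removed, the
    policy machinery is initialised via ``init()``, and ``_ROLE_ENFORCER``
    is returned.
    """
    # NOTE(amotoki): This was borrowed from nova/policy.py.
    # This method is for use by oslo.policy CLI scripts. Those scripts need the
    # 'output-file' and 'namespace' options, but having those in sys.argv means
    # loading the neutron config options will fail as those are not expected to
    # be present. So we pass in an arg list with those stripped out.
    cli_only_opts = ('namespace', 'output-file')
    conf_args = []
    # Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
    i = 1
    while i < len(sys.argv):
        arg = sys.argv[i]
        if arg.strip('-') in cli_only_opts:
            # '--opt value' form: drop the option and the value after it.
            i += 2
            continue
        if arg.startswith('--') and arg[2:].partition('=')[0] in cli_only_opts:
            # '--opt=value' form occupies a single argv slot. Without this
            # branch the option would be handed to cfg.CONF below, which
            # does not expect it.
            i += 1
            continue
        conf_args.append(arg)
        i += 1

    # 'project' must be 'neutron' so that get_enforcer looks at
    # /etc/neutron/policy.json by default.
    # NOTE(review): recent oslo.policy releases deprecate JSON policy files
    # in favour of YAML; confirm which file the deployed version loads.
    cfg.CONF(conf_args, project='neutron')
    init()
    return _ROLE_ENFORCER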
示例13: test_should_pass_create_secret
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_should_pass_create_secret(self):
self._assert_pass_rbac(['admin', 'creator'], self._invoke_on_post,
content_type='application/json')
示例14: test_should_raise_create_secret
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_should_raise_create_secret(self):
self._assert_fail_rbac([None, 'audit', 'observer', 'bogus'],
self._invoke_on_post,
content_type='application/json')
示例15: test_should_pass_get_secrets
# 需要导入模块: from oslo_policy import policy [as 别名]
# 或者: from oslo_policy.policy import json [as 别名]
def test_should_pass_get_secrets(self):
self._assert_pass_rbac(['admin', 'observer', 'creator'],
self._invoke_on_get,
content_type='application/json')