The ceilometer.openstack.common.policy Module

Common Policy Engine Implementation

Policies can be expressed in one of two forms: a list of lists, or a string written in the new policy language.

In the list-of-lists representation, the checks inside each innermost list are combined with an “and” conjunction: for that list to pass, all of its checks must pass. The innermost lists are then combined with an “or” conjunction. This is the original way of expressing policies; the newer way is the policy language.

In the policy language, each check is specified the same way as in the list-of-lists representation: a simple “a:b” pair that is matched to the correct code to perform that check. However, conjunction operators are available, allowing for more expressiveness in crafting policies.

As an example, take the following rule, expressed in the list-of-lists representation:

[["role:admin"], ["project_id:%(project_id)s", "role:projectadmin"]]

In the policy language, this becomes:

role:admin or (project_id:%(project_id)s and role:projectadmin)

The policy language also has the “not” operator, allowing a richer policy rule:

project_id:%(project_id)s and not role:dunce

Finally, two special policy checks should be mentioned: the policy check “@” will always accept an access, and the policy check “!” will always reject an access. (Note that if a rule is either the empty list (“[]”) or the empty string, this is equivalent to the “@” policy check.) Of these, the “!” policy check is probably the most useful, as it allows particular rules to be explicitly disabled.
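An added example, not code from this module: a simplified Python model of the two rule forms, showing that the list-of-lists rule above and its policy-language translation decide identically and that an empty rule allows everything. The check semantics (a creds dict with a 'roles' list, 'a:b' comparing creds[a] with b filled in from the target), the recursive-descent parser used here in place of ParseState, the and-before-or precedence and the deny-on-malformed behaviour are assumptions of this example.

```python
def leaf(text):
    """Build check(target, creds) from '@', '!' or an 'a:b' pair (simplified)."""
    if text in ("@", "!"):
        return lambda t, c: text == "@"
    kind, match = text.split(":", 1)          # ValueError when there is no ':'
    if kind == "role":                        # assumed: creds holds a 'roles' list
        return lambda t, c: match in c.get("roles", [])
    # assumed: any other 'a:b' compares creds[a] with b filled in from target
    return lambda t, c: kind in c and str(c[kind]) == match % t

def from_lists(rule):
    """List-of-lists form: inner lists AND-ed, outer list OR-ed, [] acts as '@'."""
    groups = [[leaf(x) for x in inner] for inner in rule]
    return lambda t, c: not groups or any(all(k(t, c) for k in g) for g in groups)

def tokenize(text):
    """Split on whitespace; peel grouping parens off the ends of each word only."""
    for word in text.split():
        core = word.lstrip("(")
        inner = core.rstrip(")")
        yield from "(" * (len(word) - len(core))
        yield from [inner] if inner else []
        yield from ")" * (len(core) - len(inner))

def parse(text):
    """Policy-language form; malformed text denies (this example's choice)."""
    toks = list(tokenize(text))
    def unary():
        tok = toks.pop(0)
        if tok == "not":
            inner = unary()
            return lambda t, c: not inner(t, c)
        if tok != "(":
            return leaf(tok)
        inner = binary("or")
        if toks.pop(0) != ")":
            raise ValueError("expected ')'")
        return inner
    def binary(op):                           # an "or" operand is an "and" chain
        operand = unary if op == "and" else (lambda: binary("and"))
        parts = [operand()]
        while toks and toks[0] == op:
            toks.pop(0)
            parts.append(operand())
        return lambda t, c: (all if op == "and" else any)(p(t, c) for p in parts)
    try:
        check = binary("or") if toks else leaf("@")   # empty string acts as "@"
        return check if not toks else leaf("!")       # leftover tokens: deny
    except (IndexError, ValueError):
        return leaf("!")
```

Because an empty rule is equivalent to “@”, a rule left blank grants access to every caller; write “!” when the intent is to disable it.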

class ceilometer.openstack.common.policy.AndCheck(rules)

Bases: ceilometer.openstack.common.policy.BaseCheck

A policy check that requires that a list of other checks all return True. Implements the “and” operator.

add_check(rule)

Allows addition of another rule to the list of rules that will be tested. Returns the AndCheck object for convenience.

class ceilometer.openstack.common.policy.BaseCheck

Bases: object

Abstract base class for Check classes.

class ceilometer.openstack.common.policy.Check(kind, match)

Bases: ceilometer.openstack.common.policy.BaseCheck

A base class to allow for user-defined policy checks.

class ceilometer.openstack.common.policy.FalseCheck

Bases: ceilometer.openstack.common.policy.BaseCheck

A policy check that always returns False (disallow).

class ceilometer.openstack.common.policy.GenericCheck(kind, match)

Bases: ceilometer.openstack.common.policy.Check

class ceilometer.openstack.common.policy.HttpCheck(kind, match)

Bases: ceilometer.openstack.common.policy.Check

class ceilometer.openstack.common.policy.NotCheck(rule)

Bases: ceilometer.openstack.common.policy.BaseCheck

A policy check that inverts the result of another policy check. Implements the “not” operator.

class ceilometer.openstack.common.policy.OrCheck(rules)

Bases: ceilometer.openstack.common.policy.BaseCheck

A policy check that requires that at least one of a list of other checks returns True. Implements the “or” operator.

add_check(rule)

Allows addition of another rule to the list of rules that will be tested. Returns the OrCheck object for convenience.

class ceilometer.openstack.common.policy.ParseState

Bases: object

Implement the core of parsing the policy language. Uses a greedy reduction algorithm to reduce a sequence of tokens into a single terminal, the value of which will be the root of the Check tree.

Note: error reporting is rather lacking. The best we can get with this parser formulation is an overall “parse failed” error. Fortunately, the policy language is simple enough that this shouldn’t be that big a problem.

reduce()

Perform a greedy reduction of the token stream. If a reducer method matches, it will be executed, then the reduce() method will be called recursively to search for any more possible reductions.

shift(tok, value)

Adds one more token to the state. Calls reduce().

class ceilometer.openstack.common.policy.ParseStateMeta

Bases: type

Metaclass for the ParseState class. Facilitates identifying reduction methods.

class ceilometer.openstack.common.policy.RoleCheck(kind, match)

Bases: ceilometer.openstack.common.policy.Check

class ceilometer.openstack.common.policy.RuleCheck(kind, match)

Bases: ceilometer.openstack.common.policy.Check

class ceilometer.openstack.common.policy.Rules(rules=None, default_rule=None)

Bases: dict

A store for rules. Handles the default_rule setting directly.

classmethod load_json(data, default_rule=None)

Allow loading of JSON rule data.

class ceilometer.openstack.common.policy.TrueCheck

Bases: ceilometer.openstack.common.policy.BaseCheck

A policy check that always returns True (allow).
