oslopolicy-policy-validator
The oslopolicy-validator tool can be used to perform basic sanity checks against a policy file. It will detect the following problems:
A missing policy file
Rules which have invalid syntax
Rules which reference non-existent other rules
Rules which form a cyclical reference with another rule
Rules which do not exist in the specified namespace
This tool does very little validation of the content of the rules. Other tools, such as oslopolicy-checker, should be used to check that rules do what is intended.
--help
Show help message and exit.
--config-dir
Path to a config directory to pull *.conf files from. This file set is sorted, so as to provide a predictable parse order if individual options are overridden. The set is parsed after the file(s) specified via previous --config-file arguments, hence overridden options in the directory take precedence. This option must be set from the command-line.
--config-file
Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. Defaults to None. This option must be set from the command-line.
--namespace
Option namespace under “oslo.policy.enforcer” in which to look for a policy.Enforcer.
Validate the policy file used for Keystone:
oslopolicy-validator --config-file /etc/keystone/keystone.conf --namespace keystone
Sample output from a failed validation:
$ oslopolicy-validator --config-file keystone.conf --namespace keystone
WARNING:oslo_policy.policy:Policies ['foo', 'bar'] are part of a cyclical reference.
Invalid rules found
Failed to parse rule: (role:admin and system_scope:all) or (role:foo and oken.domain.id:%(target.user.domain_id)s))
Unknown rule found in policy file: foo
Unknown rule found in policy file: bar
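Two of the checks listed above (rules that reference non-existent rules, and rules that form a cyclical reference) can be illustrated with a short sketch. This is an added example, not oslo.policy's own code: it assumes references are written as rule:<name>, uses a constructed policy mapping, and its function names are hypothetical.

```python
import re

# Assumption: references to other rules are written as "rule:<name>".
RULE_REF = re.compile(r"\brule:([\w.:-]+)")

# Constructed sample policy (rule name -> check string), not from a real deployment.
SAMPLE_POLICY = {
    "admin_required": "role:admin and system_scope:all",
    "foo": "rule:bar",
    "bar": "rule:foo or rule:admin_required",
    "identity:get_user": "rule:admin_required or rule:owner",
}


def references(policy):
    """Map each rule name to the set of rule names its check string mentions."""
    return {name: set(RULE_REF.findall(check)) for name, check in policy.items()}


def unknown_references(policy):
    """Names that are referenced by some rule but defined nowhere in the policy."""
    refs = references(policy)
    return sorted({r for targets in refs.values() for r in targets if r not in policy})


def cyclic_rules(policy):
    """Names of rules that can reach themselves by following references."""
    refs = references(policy)
    on_cycle = set()
    for start in policy:
        stack, seen = [r for r in refs[start] if r in policy], set()
        while stack:
            current = stack.pop()
            if current == start:
                on_cycle.add(start)
                break
            if current in seen:
                continue
            seen.add(current)
            stack.extend(r for r in refs[current] if r in policy)
    return sorted(on_cycle)


if __name__ == "__main__":
    print("unknown references:", unknown_references(SAMPLE_POLICY))
    print("cyclical references:", cyclic_rules(SAMPLE_POLICY))
```

A rule that sits on a cycle can never be resolved to a concrete decision, and a reference to an undefined rule usually means a typo in an access rule, so both are worth failing a deployment check on.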
See also: oslopolicy-checker