oslo.policy uses oslo.config to define and manage configuration options that allow the deployer to control where the policy files are located, the default rule to apply, etc.
boolean
False
This option controls whether or not to enforce scope when evaluating policies. If True
, the scope of the token used in the request is compared to the scope_types
of the policy being enforced. If the scopes do not match, an InvalidScope
exception will be raised. If False
, a message will be logged informing operators that policies are being invoked with mismatching scope.
boolean
False
This option controls whether or not to use old deprecated defaults when evaluating policies. If True
, the old deprecated defaults are not going to be evaluated. This means if any existing token is allowed for old defaults but is disallowed for new defaults, it will be disallowed. It is encouraged to enable this flag along with the enforce_scope
flag so that you can get the benefits of new defaults and scope_type
together. If False
, the deprecated policy check string is logically OR’d with the new policy check string, allowing for a graceful upgrade experience between releases with new policies, which is the default behavior.
string
policy.json
The relative or absolute path of a file that maps roles to permissions for a given service. Relative paths must be specified in relation to the configuration file setting this option.
Group |
Name |
---|---|
DEFAULT |
policy_file |
string
default
Default rule. Enforced when a requested rule is not found.
Group |
Name |
---|---|
DEFAULT |
policy_default_rule |
multi-valued
policy.d
Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
Group |
Name |
---|---|
DEFAULT |
policy_dirs |
string
application/x-www-form-urlencoded
application/x-www-form-urlencoded, application/json
Content Type to send and receive data for REST based policy check
boolean
False
server identity verification for REST based policy check
string
<None>
Absolute path to ca cert file for REST based policy check
string
<None>
Absolute path to client cert for REST based policy check
string
<None>
Absolute path client key file REST based policy check
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.