Skip to content

Instantly share code, notes, and snippets.

@ahsan518

ahsan518/Error

Created January 9, 2017 17:47
Show Gist options
  • Save ahsan518/8b4996bd224943cf1a2c752761d56faf to your computer and use it in GitHub Desktop.
Save ahsan518/8b4996bd224943cf1a2c752761d56faf to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Error
(craton) ubuntu@ubuntu-xenial:~/craton/craton/common$ python3.5 policy.py
{
"example:get_http": "http:http://www.example.com",
"example:denied": "false:false",
"example:my_file": "(role:compute_admin or project_id:%(project_id)s)",
"example:lowercase_admin": "(role:admin or role:sysadmin)",
"example:early_and_fail": "(false:false and rule:true)",
"true": "",
"example:uppercase_admin": "(role:ADMIN or role:sysadmin)",
"example:allowed": "",
"example:early_or_success": "(rule:true or false:false)"
}
Traceback (most recent call last):
File "policy.py", line 53, in <module>
ENFORCER.enforce(lowercase_action, target, credentials, do_raise=True)
File "/home/ubuntu/craton/lib/python3.5/site-packages/oslo_policy/policy.py", line 735, in enforce
raise PolicyNotAuthorized(rule, target, creds)
oslo_policy.policy.PolicyNotAuthorized: {} is disallowed by policy rule example:lowercase_admin with {}
Raw
policy.py
(craton) ubuntu@ubuntu-xenial:~/craton/craton/common$ cat policy.py
# Copyright (c) 2015 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Policy Engine for craton."""
from oslo_config import cfg
from oslo_policy import policy as common_policy
from craton import exceptions
CONF = cfg.CONF
ENFORCER = common_policy.Enforcer(CONF)
rules = {
"true": [],
"example:allowed": [],
"example:denied": [["false:false"]],
"example:get_http": [["http:http://www.example.com"]],
"example:my_file": [["role:compute_admin"],
["project_id:%(project_id)s"]],
"example:early_and_fail": [["false:false", "rule:true"]],
"example:early_or_success": [["rule:true"], ["false:false"]],
"example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
"example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
}
these_rules = common_policy.Rules.from_dict(rules)
print(these_rules)
ENFORCER.set_rules(these_rules)
ENFORCER.check_rules()
admin_credentials = {'roles': ['AdMiN']}
credentials = {}
target = {}
lowercase_action = "example:lowercase_admin"
#ENFORCER.authorize()
ENFORCER.enforce(lowercase_action, target, admin_credentials, do_raise=True)
ENFORCER.enforce(lowercase_action, target, credentials, do_raise=True)
Raw
t-policy-using-role-assignment.py
(craton) ubuntu@ubuntu-xenial:~/craton/craton/common$ cat t-policy-using-role-assignments.py
from oslo_config import cfg
from oslo_policy import policy as common_policy
CONF = cfg.CONF # should just be an empty config file
ENFORCER = common_policy.Enforcer(CONF)
rules = {
"fleet:audit": "role:admin or (principal:%(principal)s and role_:%(role_)s and resource:%(resource)s)"
}
these_rules = common_policy.Rules.from_dict(rules)
print(these_rules)
ENFORCER.set_rules(these_rules)
ENFORCER.check_rules()
credentials = {'roles': ['user'], 'principal': 'foo', 'role_': 'fleet:audit', 'resource': 'baz'}
target = {'principal':'foo', 'role_':'fleet:audit', 'resource':'baz'}
ENFORCER.enforce("fleet:audit", target, credentials, do_raise=True)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment