b5edc294a1
I don't actually grok what this does that 'oslopolicy-checker' couldn't do, so perhaps we can deprecate this in the future. For now though, simply document the thing.

While we're here, we make some additional related changes:

- Remove references to the 'policy.yaml' file for services that don't use policy (i.e. everything except the API services and, due to a bug, the nova-compute service).
- Update remaining references to the 'policy.yaml' file to include the 'policy.d/' directory
- Update the help text for the '--api-name' and '--target' options of the 'nova-policy policy check' command to correct tense and better explain their purpose.

Also, yes, 'nova-policy policy check' is dumb. Don't blame me :)

Change-Id: I913b0de9ec40a615da7bf9981852edef4a88fecb
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Related-bug: #1675486
		
			
				
	
	
	
		
nova-policy
Synopsis
nova-policy [<options>...]
Description
nova-policy is a
tool that allows for inspection of policy file configuration. It
provides a way to identify the actions available for a user. It does not
require a running deployment: validation runs against the policy files
typically located at /etc/nova/policy.yaml and in the
/etc/nova/policy.d directory. These paths are configurable
via the [oslo_config] policy_file and
[oslo_config] policy_dirs configuration options,
respectively.
Options
General options
User options
--os-roles <auth-roles>
Defaults to $OS_ROLES.
--os-tenant-id <auth-tenant-id>
Defaults to $OS_TENANT_ID.
--os-user-id <auth-user-id>
Defaults to $OS_USER_ID.
Debugger options
Commands
policy check
nova-policy policy check [-h] [--api-name <name>]
                         [--target <target> [<target>...]]
Prints all passing policy rules for the given user.
Options
--api-name <name>
Return only the passing policy rules containing the given API name. If unspecified, all passing policy rules will be returned.
--target <target> [<target>...]
The target(s) against which the policy rule authorization will be
tested. The available targets are: project_id,
user_id, quota_class,
availability_zone, instance_id. When
instance_id is used, the other targets will be overwritten.
If unspecified, the given user will be considered as the target.
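An added example, not part of the nova documentation: a shell check that takes the rules `nova-policy policy check` reports as passing for a low-privilege user and flags any that fall under prefixes you treat as admin-only, which catches an over-permissive override in policy.yaml or policy.d. It assumes the command prints one rule name per line and that `--os-roles` takes a comma-separated list; the prefix list is constructed for illustration.

```shell
#!/bin/sh
# Added example (not nova code). Assumptions: `nova-policy policy check`
# prints one passing rule name per line, and --os-roles takes a
# comma-separated list.

# Constructed deny-list: rule-name prefixes that should never pass for a
# non-admin user in this hypothetical deployment.
DENY_PREFIXES='os_compute_api:os-hypervisors
os_compute_api:os-services
os_compute_api:os-migrate-server'

# Run the checker for one user. $1 roles, $2 user id, $3 project id.
passing_rules() {
    nova-policy --os-roles "$1" --os-user-id "$2" --os-tenant-id "$3" \
        policy check
}

# stdin: passing rule names; $1: newline-separated prefixes.
# Prints every rule that starts with one of the prefixes.
violations() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$1" | while IFS= read -r prefix; do
            [ -n "$prefix" ] || continue
            case "$rule" in
                "$prefix"*) printf '%s\n' "$rule"; break ;;
            esac
        done
    done
}

# stdin: passing rule names; $1: label for the report.
# Returns 1 if any denied rule passes, so it can gate a deployment job.
audit() {
    found=$(violations "$DENY_PREFIXES")
    if [ -n "$found" ]; then
        printf 'policy drift for %s:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}
```

Pipe `passing_rules member <user-id> <project-id>` into `audit member` on a host that holds the policy files; as the description notes, no running deployment is needed.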
Files
- /etc/nova/nova.conf
- /etc/nova/policy.yaml
- /etc/nova/policy.d/
See Also
nova-manage(1), nova-status(1)
Bugs
- Nova bugs are managed at Launchpad