nova/doc/source/cli/nova-policy.rst
Stephen Finucane b5edc294a1 docs: Add man pages for 'nova-policy'
I don't actually grok what this does that 'oslopolicy-checker' couldn't
do, so perhaps we can deprecate this in the future. For now though,
simply document the thing. While we're here, we make some additional
related changes:

- Remove references to the 'policy.yaml' file for services that don't
  use policy (i.e. everything except the API services and, due to a bug,
  the nova-compute service).
- Update remaining references to the 'policy.yaml' file to include the
  'policy.d/' directory
- Update the help text for the '--api-name' and '--target' options of
  the 'nova-policy policy check' command to correct tense and better
  explain their purpose.

Also, yes, 'nova-policy policy check' is dumb. Don't blame me :)

Change-Id: I913b0de9ec40a615da7bf9981852edef4a88fecb
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Related-bug: #1675486
2021-04-19 10:47:17 +01:00


nova-policy


Synopsis

nova-policy [<options>...]

Description

nova-policy is a tool that allows for inspection of policy file configuration. It provides a way to identify the actions available for a user. It does not require a running deployment: validation runs against the policy files typically located at /etc/nova/policy.yaml and in the /etc/nova/policy.d directory. These paths are configurable via the [oslo_policy] policy_file and [oslo_policy] policy_dirs configuration options, respectively.

Options

General options

User options

--os-roles <auth-roles>

Defaults to $OS_ROLES.

--os-tenant-id <auth-tenant-id>

Defaults to $OS_TENANT_ID.

--os-user-id <auth-user-id>

Defaults to $OS_USER_ID.

Debugger options

Commands

policy check

nova-policy policy check [-h] [--api-name <name>]
                         [--target <target> [<target>...]]

Prints all passing policy rules for the given user.

Options

--api-name <name>

Return only the passing policy rules containing the given API name. If unspecified, all passing policy rules will be returned.

--target <target> [<target>...]

The target(s) against which the policy rule authorization will be tested. The available targets are: project_id, user_id, quota_class, availability_zone, instance_id. When instance_id is used, the other targets will be overwritten. If unspecified, the given user will be considered as the target.
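To make the semantics of `policy check` concrete when auditing what a role can actually do, the following is an added example, not nova or oslo.policy code. It models a small subset of the check-string syntax (`role:`, `rule:`, `key:%(target)s`, `and`, `or`) over constructed rules; the rule strings, the credential values and the function names are assumptions made for illustration.

```python
"""Simplified model of what `nova-policy policy check` reports (constructed example)."""

# Constructed sample rules in oslo.policy check-string style; not nova's defaults.
RULES = {
    "admin_api": "role:admin",
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "os_compute_api:servers:show": "rule:admin_or_owner",
    "os_compute_api:servers:delete": "rule:admin_or_owner and role:member",
    "os_compute_api:os-hypervisors:list": "rule:admin_api",
}


def _check(atom, creds, target):
    """Evaluate a single 'kind:match' check against the user and the target."""
    kind, _, match = atom.partition(":")
    if kind == "rule":  # reference to another named rule
        return evaluate(RULES[match], creds, target)
    if kind == "role":  # role membership, case-insensitive
        return match.lower() in (r.lower() for r in creds["roles"])
    # Generic check: a credential field compared with a %(key)s target template.
    try:
        return str(creds[kind]) == match % target
    except KeyError:  # field missing from the credentials or the target
        return False


def evaluate(rule, creds, target):
    """'or' binds looser than 'and'; 'not' and parentheses are outside this subset."""
    return any(
        all(_check(atom, creds, target) for atom in conj.split(" and "))
        for conj in rule.split(" or ")
    )


def passing_rules(creds, target=None, api_name=None):
    """Return the names of passing rules, like `policy check` prints them."""
    if target is None:  # no --target: the user is considered the target
        target = {"project_id": creds["project_id"], "user_id": creds["user_id"]}
    return sorted(
        name for name, rule in RULES.items()
        if (api_name is None or api_name in name) and evaluate(rule, creds, target)
    )


if __name__ == "__main__":
    member = {"roles": ["member"], "project_id": "p1", "user_id": "u1"}
    print(passing_rules(member))                               # own project
    print(passing_rules(member, target={"project_id": "p2"}))  # someone else's
```

Comparing the output for the default target with the output for a target in another project shows which rules depend on ownership rather than on role alone.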

Files

  • /etc/nova/nova.conf
  • /etc/nova/policy.yaml
  • /etc/nova/policy.d/

See Also

nova-manage(1), nova-status(1)

Bugs