
I don't actually grok what this does that 'oslopolicy-checker' couldn't
do, so perhaps we can deprecate this in the future. For now though,
simply document the thing. While we're here, we make some additional
related changes:

- Remove references to the 'policy.yaml' file for services that don't
  use policy (i.e. everything except the API services and, due to a bug,
  the nova-compute service).
- Update remaining references to the 'policy.yaml' file to include the
  'policy.d/' directory
- Update the help text for the '--api-name' and '--target' options of
  the 'nova-policy policy check' command to correct tense and better
  explain their purpose.

Also, yes, 'nova-policy policy check' is dumb. Don't blame me :)

Change-Id: I913b0de9ec40a615da7bf9981852edef4a88fecb
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Related-bug: #1675486

95 lines
2.0 KiB
ReStructuredText
===========
nova-policy
===========

.. program:: nova-policy

Synopsis
========

::

    nova-policy [<options>...]

Description
===========

:program:`nova-policy` is a tool that allows for inspection of policy file
configuration. It provides a way to identify the actions available for a user.
It does not require a running deployment: validation runs against the policy
files typically located at ``/etc/nova/policy.yaml`` and in the
``/etc/nova/policy.d`` directory. These paths are configurable via the
``[oslo_config] policy_file`` and ``[oslo_config] policy_dirs`` configuration
options, respectively.

Options
=======

.. rubric:: General options

.. include:: opts/common.rst

.. rubric:: User options

.. option:: --os-roles <auth-roles>

    Defaults to ``$OS_ROLES``.

.. option:: --os-tenant-id <auth-tenant-id>

    Defaults to ``$OS_TENANT_ID``.

.. option:: --os-user-id <auth-user-id>

    Defaults to ``$OS_USER_ID``.

.. rubric:: Debugger options

.. include:: opts/debugger.rst

Commands
========

policy check
------------

::

    nova-policy policy check [-h] [--api-name <name>]
                             [--target <target> [<target>...]]

Prints all passing policy rules for the given user.

.. rubric:: Options

.. option:: --api-name <name>

    Return only the passing policy rules containing the given API name.
    If unspecified, all passing policy rules will be returned.

.. option:: --target <target> [<target>...]

    The target(s) against which the policy rule authorization will be tested.
    The available targets are: ``project_id``, ``user_id``, ``quota_class``,
    ``availability_zone``, ``instance_id``.
    When ``instance_id`` is used, the other targets will be overwritten.
    If unspecified, the given user will be considered as the target.

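The following is an added example, not part of the nova documentation or code: a least-privilege audit that compares the output of ``policy check`` with an approved baseline, so that an override in ``policy.d/`` that widens access shows up as a failure. It assumes the command prints one passing rule name per line; the helper names, the baseline format and the sample rule list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not nova code): least-privilege audit for one set of roles.
# Assumption: `nova-policy policy check` prints one passing rule per line.

# passing_rules ROLES USER_ID PROJECT_ID [API_NAME]   (hypothetical helper)
# Runs the tool with only the options documented on this page.
passing_rules() {
    roles=$1 user=$2 project=$3
    shift 3
    nova-policy --os-roles "$roles" --os-user-id "$user" \
        --os-tenant-id "$project" policy check ${1:+--api-name "$1"}
}

# unexpected_rules BASELINE_FILE
# Reads rule names on stdin and prints each one missing from the baseline.
# Baseline: one approved rule per line; blank lines and '#' comments ignored.
# A missing or empty baseline approves nothing, so every rule is reported.
unexpected_rules() {
    awk -v base="$1" '
        BEGIN {
            while ((getline line < base) > 0) {
                sub(/[ \t\r]+$/, "", line)
                if (line != "" && line !~ /^#/) ok[line] = 1
            }
        }
        { sub(/[ \t\r]+$/, "") }
        $0 != "" && !($0 in ok) && !seen[$0]++
    '
}

# audit_rules BASELINE_FILE: returns 0 when stdin holds only approved rules.
audit_rules() {
    extra=$(unexpected_rules "$1")
    if [ -z "$extra" ]; then return 0; fi
    printf '%s\n' "$extra" | sed 's/^/not in baseline: /' >&2
    return 1
}

# Constructed sample (no deployment needed): sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    base=$(mktemp)
    printf '%s\n' '# reader baseline (constructed)' \
        os_compute_api:servers:index os_compute_api:servers:show > "$base"
    printf '%s\n' os_compute_api:servers:show os_compute_api:servers:delete |
        audit_rules "$base" || echo "audit failed"
    rm -f "$base"
fi
```

On a host with the nova configuration in place, pipe ``passing_rules`` into ``audit_rules`` with a baseline file kept under change control; a non-zero exit means a rule now passes that was never approved for those roles.
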
Files
=====

* ``/etc/nova/nova.conf``
* ``/etc/nova/policy.yaml``
* ``/etc/nova/policy.d/``

See Also
========

:doc:`nova-manage(1) <nova-manage>`,
:doc:`nova-status(1) <nova-status>`

Bugs
====

* Nova bugs are managed at `Launchpad <https://bugs.launchpad.net/nova>`__