Merge "docs: Add man pages for 'nova-policy'"

doc/source/cli/index.rst

@@ -31,6 +31,7 @@ database.
    :maxdepth: 1
 
    nova-manage
+   nova-policy
    nova-status
 
 Service Daemons

doc/source/cli/nova-api-metadata.rst

@@ -36,6 +36,7 @@ Files
 * ``/etc/nova/nova.conf``
 * ``/etc/nova/api-paste.ini``
 * ``/etc/nova/policy.yaml``
+* ``/etc/nova/policy.d/``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
 

doc/source/cli/nova-api-os-compute.rst

@@ -34,6 +34,7 @@ Files
 * ``/etc/nova/nova.conf``
 * ``/etc/nova/api-paste.ini``
 * ``/etc/nova/policy.yaml``
+* ``/etc/nova/policy.d/``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
 

doc/source/cli/nova-api.rst

@@ -34,6 +34,7 @@ Files
 * ``/etc/nova/nova.conf``
 * ``/etc/nova/api-paste.ini``
 * ``/etc/nova/policy.yaml``
+* ``/etc/nova/policy.d/``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
 

doc/source/cli/nova-compute.rst

@@ -33,8 +33,12 @@ Options
 Files
 =====
 
+.. todo: We shouldn't have policy configuration in this non-API service, but
+   bug #1675486 means we do have one
+
 * ``/etc/nova/nova.conf``
 * ``/etc/nova/policy.yaml``
+* ``/etc/nova/policy.d/``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
 

doc/source/cli/nova-manage.rst

@@ -1509,6 +1509,7 @@ within an environment.
 See Also
 ========
 
+:doc:`nova-policy(1) <nova-policy>`,
 :doc:`nova-status(1) <nova-status>`
 
 Bugs

doc/source/cli/nova-novncproxy.rst

@@ -80,7 +80,6 @@ Files
 =====
 
 * ``/etc/nova/nova.conf``
-* ``/etc/nova/policy.yaml``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
 

doc/source/cli/nova-policy.rst

@@ -0,0 +1,94 @@
+===========
+nova-policy
+===========
+
+.. program:: nova-policy
+
+Synopsis
+========
+
+::
+
+  nova-policy [<options>...]
+
+Description
+===========
+
+:program:`nova-policy` is a tool that allows for inspection of policy file
+configuration. It provides a way to identify the actions available for a user.
+It does not require a running deployment: validation runs against the policy
+files typically located at ``/etc/nova/policy.yaml`` and in the
+``/etc/nova/policy.d`` directory. These paths are configurable via the
+``[oslo_config] policy_file`` and ``[oslo_config] policy_dirs`` configuration
+options, respectively.
+
+Options
+=======
+
+.. rubric:: General options
+
+.. include:: opts/common.rst
+
+.. rubric:: User options
+
+.. option:: --os-roles <auth-roles>
+
+    Defaults to ``$OS_ROLES``.
+
+.. option:: --os-tenant-id <auth-tenant-id>
+
+    Defaults to ``$OS_TENANT_ID``.
+
+.. option:: --os-user-id <auth-user-id>
+
+    Defaults to ``$OS_USER_ID``.
+
+.. rubric:: Debugger options
+
+.. include:: opts/debugger.rst
+
+Commands
+========
+
+policy check
+------------
+
+::
+
+    nova-policy policy check [-h] [--api-name <name>]
+                             [--target <target> [<target>...]
+
+Prints all passing policy rules for the given user.
+
+.. rubric:: Options
+
+.. option:: --api-name <name>
+
+    Return only the passing policy rules containing the given API name.
+    If unspecified, all passing policy rules will be returned.
+
+.. option:: --target <target> [<target>...]
+
+    The target(s) against which the policy rule authorization will be tested.
+    The available targets are: ``project_id``, ``user_id``, ``quota_class``,
+    ``availability_zone``, ``instance_id``.
+    When ``instance_id`` is used, the other targets will be overwritten.
+    If unspecified, the given user will be considered as the target.
+
+Files
+=====
+
+* ``/etc/nova/nova.conf``
+* ``/etc/nova/policy.yaml``
+* ``/etc/nova/policy.d/``
+
+See Also
+========
+
+:doc:`nova-manage(1) <nova-manage>`,
+:doc:`nova-status(1) <nova-status>`
+
+Bugs
+====
+
+* Nova bugs are managed at `Launchpad <https://bugs.launchpad.net/nova>`__

doc/source/cli/nova-scheduler.rst

@@ -33,7 +33,6 @@ Files
 =====
 
 * ``/etc/nova/nova.conf``
-* ``/etc/nova/policy.yaml``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
 

doc/source/cli/nova-serialproxy.rst

@@ -53,7 +53,6 @@ Files
 =====
 
 * ``/etc/nova/nova.conf``
-* ``/etc/nova/policy.yaml``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
 

doc/source/cli/nova-spicehtml5proxy.rst

@@ -54,7 +54,6 @@ Files
 =====
 
 * ``/etc/nova/nova.conf``
-* ``/etc/nova/policy.yaml``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
 

doc/source/cli/nova-status.rst

@@ -151,7 +151,8 @@ Upgrade
 See Also
 ========
 
-:doc:`nova-manage(1) <nova-manage>`
+:doc:`nova-manage(1) <nova-manage>`,
+:doc:`nova-policy(1) <nova-policy>`
 
 Bugs
 ====

doc/source/conf.py

@@ -98,6 +98,10 @@ _man_pages = [
         'nova-rootwrap',
         'Root wrapper daemon for the OpenStack Compute service.',
     ),
+    (
+        'nova-policy',
+        'Inspect policy configuration for the OpenStack Compute services.',
+    ),
     (
         'nova-scheduler',
         'Server for the OpenStack Compute scheduler service.',

nova/cmd/policy.py

@@ -62,24 +62,26 @@ class PolicyCommands(object):
         'project_id', 'user_id', 'quota_class', 'availability_zone',
         'instance_id']
 
-    @cmd_common.args('--api-name', dest='api_name', metavar='<API name>',
-                     help='Will return only passing policy rules containing '
-                          'the given API name.')
-    @cmd_common.args('--target', nargs='+', dest='target', metavar='<Target>',
-                     help='Will return only passing policy rules for the '
-                          'given target. The available targets are %s. When '
-                          '"instance_id" is used, the other targets will be '
-                          'overwritten.' % ','.join(_ACCEPTABLE_TARGETS))
+    @cmd_common.args(
+        '--api-name', dest='api_name', metavar='<name>',
+        help=(
+            'Return only the passing policy rules containing the given API '
+            'name. If unspecified, all passing policy rules will be returned.'
+        ),
+    )
+    @cmd_common.args(
+        '--target', nargs='+', dest='target', metavar='<target>',
+        help=(
+            "The target(s) against which the policy rule authorization will "
+            "be tested. The available targets are: %s. When 'instance_id' is "
+            "used, the other targets will be overwritten. If unspecified, the "
+            "given user will be considered the target." % ', '.join(
+                _ACCEPTABLE_TARGETS
+            )
+        ),
+    )
     def check(self, api_name=None, target=None):
-        """Prints all passing policy rules for the given user.
-
-        :param api_name: If None, all passing policy rules will be printed,
-                         otherwise, only passing policies that contain the
-                         given api_name in their names.
-        :param target: The target against which the policy rule authorization
-                       will be tested. If None, the given user will be
-                       considered as the target.
-        """
+        """Prints all passing policy rules for the given user."""
         context = self._get_context()
         api_name = api_name or ''
         target = self._get_target(context, target)
@@ -104,7 +106,7 @@ class PolicyCommands(object):
         policy authorization.
 
         :returns: None if the given target is None, otherwise returns a proper
-                  authorization target.
+            authorization target.
         :raises nova.exception.InvalidAttribute: if a key in the given target
             is not an acceptable.
         :raises nova.exception.InstanceNotFound: if 'instance_id' is given, and