<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 23, 2015 at 9:36 AM, Bernd Bausch <span dir="ltr"><<a href="mailto:berndbausch@gmail.com" target="_blank">berndbausch@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I can't believe that this is caused by a rather simple rst file. My<br>
environment must be incompatible somewhere. I use virtualenv as well, then<br>
pip install tox+sphinx+openstackdocstheme, then tox -e docs.<br>
<br>
The file is below if you are really interested. In any case, I have just<br>
uploaded it to Gerrit (<a href="https://review.openstack.org/#/c/166853/2" target="_blank">https://review.openstack.org/#/c/166853/2</a>), so that<br>
there is some content for review. My build problems can be resolved<br>
separately.<br>
<br>
Thanks for all the suggestions.<br>
<br>
Bernd<br>
<br>
Policy.json document:<br></blockquote><div><br></div><div>Just a quick note that we can't use RST files for anything but the End User Guide and Admin User Guide. So please convert the content to DocBook for placement in the correct guide so we can review in context. Pandoc should handle it fine.</div><div><br></div><div>Thanks,</div><div>Anne</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
====================<br>
The policy.json file<br>
====================<br>
<br>
The policy.json file contains a list of policy rules, each setting the<br>
conditions for permitting an action, typically an API request.<br>
<br>
Whether a user is allowed to carry out a request depends on the request<br>
itself,<br>
the target object of the request and the user making the request.<br>
<br>
General form:<br>
<br>
.. code::<br>
<br>
action : access condition<br>
<br>
Access conditions can be:<br>
<br>
* always true, so that the action is permitted. This can be written as<br>
``""`` (empty string), ``[]``, or ``"@"``.<br>
* always false, so that the action is not allowed. Written as ``"!"``.<br>
* a comparison of two values<br>
* complex conditions formed with boolean operators ``not``, ``and``, ``or``<br>
and parentheses<br>
* aliases, using the ``rule`` keyword.<br>
<br>
Two values are compared in the following way<br>
<br>
.. code::<br>
<br>
value1 : value2<br>
<br>
Possible values are<br>
<br>
* constants: Strings, numbers, ``true``, ``false``<br>
* attributes of the user making the request<br>
* attributes of the target object<br>
* API attributes<br>
* the flag ``is_admin``<br>
<br>
User attributes can be ``project_id``, ``user_id``, ``domain_id`` or<br>
``role``.<br>
<br>
Target object attributes are database fields. Example: ``%(project_id)s``<br>
means the tenant (project) that owns the object. The trailing ``s``<br>
indicates<br>
this is a string.<br>
<br>
This example compares the user ID of the user making the request with<br>
the user ID of the target object<br>
<br>
.. code::<br>
<br>
user_id : %(user_id)s<br>
<br>
An alias is shorthand for a complex or hard to understand access condition.<br>
It is defined in the same way as an access rule<br>
<br>
.. code::<br>
<br>
alias name : access condition<br>
<br>
Once an alias is defined, use the ``rule`` keyword to use it in a policy<br>
rule.<br>
See examples below.<br>
<br>
<br>
Examples<br>
~~~~~~~~<br>
<br>
Unconditionally grant permission to create an instance:<br>
<br>
.. code::<br>
<br>
"compute:create": ""<br>
<br>
Disable shelving of an instance, perhaps as a temporary measure or because<br>
you<br>
don't want users to be able to shelve instances at all:<br>
<br>
.. code::<br>
<br>
"compute:shelve": "!"<br>
<br>
Define an alias for the condition "target object's user_id is equal to<br>
user's<br>
user_id", which means that the user owns the object. The condition features<br>
a<br>
user attribute ``user_id`` and a target object attribute ``%(user_id)s``:<br>
<br>
.. code::<br>
<br>
"owner" : "user_id:%(user_id)s",<br>
<br>
Define an alias for "user is administrator or owns the object". It is based<br>
on two previously defined aliases, combined with ``or``:<br>
<br>
.. code::<br>
<br>
"admin_or_owner": "rule:admin_required or rule:owner",<br>
<br>
Another definition for ``admin or owner``. Here the user's tenant ID is<br>
compared<br>
with the target object's tenant ID. The definition also uses a constant<br>
value<br>
``True``:<br>
<br>
.. code::<br>
<br>
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"<br>
<br>
This is how an alias is used:<br>
<br>
.. code::<br>
<br>
"compute:start": "rule:admin_or_owner"<br>
<br>
Here, only the administrator or the owner<br>
of an instance are allowed to start it.<br>
<br>
A slightly more complex condition demonstrating the use of boolean<br>
expressions.<br>
To delete an EC2 credential, an Identity service API, one must either be<br>
administrator, or both own the credential and have a matching user ID:<br>
<br>
.. code::<br>
<br>
"identity:ec2_delete_credential": "rule:admin_required or<br>
(rule:owner and user_id:%(target.credential.user_id)s)"<br>
<br>
Older syntax<br>
~~~~~~~~~~~~<br>
<br>
Older policy.json files may feature a different syntax not based on boolean<br>
expressions but nested JavaScript arrays.<br>
For example, the EC2 credentials condition above would have been written as<br>
follows:<br>
<br>
.. code::<br>
<br>
"identity:ec2_delete_credential": [ [ "rule:admin_required ],<br>
[ "rule:owner", "user_id:%(target.credential.user_id)s)" ] ]<br>
<br>
The condition is an array of arrays. The innermost arrays are or'ed<br>
together,<br>
whereas elements inside the innermost arrays are and'ed.<br>
<br>
While the old syntax is still supported, we recommend using the newer, more<br>
intuitive syntax.<br>
<br>
# end of file<br>
<span class=""><br>
-----Original Message-----<br>
From: Christian Berendt [mailto:<a href="mailto:christian@berendt.io">christian@berendt.io</a>]<br>
Sent: Monday, March 23, 2015 9:27 PM<br>
To: <a href="mailto:openstack-docs@lists.openstack.org">openstack-docs@lists.openstack.org</a><br>
Subject: Re: [OpenStack-docs] Sphinx error when building in<br>
openstack-manuals<br>
<br>
</span><span class="">On 03/23/2015 11:21 AM, Bernd Bausch wrote:<br>
> 1- add policy.rst to<br>
> openstack-manuals/doc/playground-user-guide/source<br>
> 2- add it to the table of contents in index.rst<br>
> 3- in the source directory, "sphinx-build -b html . my-output-directory"<br>
<br>
</span>The following is working for me to build the playground-user-guide. Can you<br>
please share your policy.rst file.<br>
<br>
git clone <a href="https://github.com/openstack/openstack-manuals" target="_blank">https://github.com/openstack/openstack-manuals</a><br>
cd openstack-manuals<br>
virtualenv .venv<br>
source .venv/bin/activate<br>
pip install -r test-requirements.txt<br>
cd doc/playground-user-guide/source<br>
mkdir build<br>
sphinx-build -b html . build<br>
<br>
HTH, Christian.<br>
<br>
--<br>
Christian Berendt<br>
Cloud Solution Architect<br>
Mail: <a href="mailto:berendt@b1-systems.de">berendt@b1-systems.de</a><br>
<br>
B1 Systems GmbH<br>
Osterfeldstraße 7 / 85088 Vohburg / <a href="http://www.b1-systems.de" target="_blank">http://www.b1-systems.de</a><br>
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537<br>
<br>
_______________________________________________<br>
OpenStack-docs mailing list<br>
<a href="mailto:OpenStack-docs@lists.openstack.org">OpenStack-docs@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-docs" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-docs</a><br>
<br>
<br>
_______________________________________________<br>
OpenStack-docs mailing list<br>
<a href="mailto:OpenStack-docs@lists.openstack.org">OpenStack-docs@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-docs" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-docs</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Anne Gentle<br><a href="mailto:annegentle@justwriteclick.com" target="_blank">annegentle@justwriteclick.com</a></div>
</div></div>