Error

(craton) ubuntu@ubuntu-xenial:~/craton/craton/common$ python3.5 policy.py 
{
    "example:get_http": "http:http://www.example.com",
    "example:denied": "false:false",
    "example:my_file": "(role:compute_admin or project_id:%(project_id)s)",
    "example:lowercase_admin": "(role:admin or role:sysadmin)",
    "example:early_and_fail": "(false:false and rule:true)",
    "true": "",
    "example:uppercase_admin": "(role:ADMIN or role:sysadmin)",
    "example:allowed": "",
    "example:early_or_success": "(rule:true or false:false)"
}
Traceback (most recent call last):
  File "policy.py", line 53, in <module>
    ENFORCER.enforce(lowercase_action, target, credentials, do_raise=True)
  File "/home/ubuntu/craton/lib/python3.5/site-packages/oslo_policy/policy.py", line 735, in enforce
    raise PolicyNotAuthorized(rule, target, creds)
oslo_policy.policy.PolicyNotAuthorized: {} is disallowed by policy rule example:lowercase_admin with {} 

policy.py

(craton) ubuntu@ubuntu-xenial:~/craton/craton/common$ cat policy.py 
# Copyright (c) 2015 OpenStack Foundation
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

"""Policy Engine for craton."""

from oslo_config import cfg
from oslo_policy import policy as common_policy
from craton import exceptions

CONF = cfg.CONF
ENFORCER = common_policy.Enforcer(CONF)

rules = {
    "true": [],
    "example:allowed": [],
    "example:denied": [["false:false"]],
    "example:get_http": [["http:http://www.example.com"]],
    "example:my_file": [["role:compute_admin"],
                        ["project_id:%(project_id)s"]],
    "example:early_and_fail": [["false:false", "rule:true"]],
    "example:early_or_success": [["rule:true"], ["false:false"]],
    "example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
    "example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
}

these_rules = common_policy.Rules.from_dict(rules)

print(these_rules)

ENFORCER.set_rules(these_rules)
ENFORCER.check_rules()

admin_credentials = {'roles': ['AdMiN']}
credentials = {}
target = {}

lowercase_action = "example:lowercase_admin"

#ENFORCER.authorize()
ENFORCER.enforce(lowercase_action, target, admin_credentials, do_raise=True)
ENFORCER.enforce(lowercase_action, target, credentials, do_raise=True)

t-policy-using-role-assignment.py

(craton) ubuntu@ubuntu-xenial:~/craton/craton/common$ cat t-policy-using-role-assignments.py 
from oslo_config import cfg
from oslo_policy import policy as common_policy

CONF = cfg.CONF  # should just be an empty config file
ENFORCER = common_policy.Enforcer(CONF)

rules = {
        "fleet:audit": "role:admin or (principal:%(principal)s and role_:%(role_)s and resource:%(resource)s)"
}


these_rules = common_policy.Rules.from_dict(rules)
print(these_rules)

ENFORCER.set_rules(these_rules)
ENFORCER.check_rules()

credentials = {'roles': ['user'], 'principal': 'foo', 'role_': 'fleet:audit', 'resource': 'baz'}
target = {'principal':'foo', 'role_':'fleet:audit', 'resource':'baz'}
ENFORCER.enforce("fleet:audit", target, credentials, do_raise=True)