[openstack-dev] Policy's persistence layer

Flavio Percoco flavio at redhat.com
Fri May 3 07:54:01 UTC 2013


Lately, I've been working on de-duplicating[0] policy's code throughout
OpenStack. As part of the effort to improve policy's code, we had a
brief discussion on #openstack-glance that I'd like to bring up to the

So far, projects have been using an on-host policy.json file to manage their
RBAC rules - which certainly has made implementations easier and faster -
However, there are some issues related to that:

1) It is awkward for horizontally scaled deployments: It currently
requires the file to be copied on all nodes running an instance of the
2) It's more difficult to keep updated and aligned: When changing a
rule, it needs to be updated on all nodes.

In order to improve the above, it is necessary to have a common,
per-app, database / cache for policies, which will allow apps to
manage their policies from a "centralized" source and with less

For that to happen, current policy's implementation needs further
modifications so that it can read those policies either from a file, a
database or a cache.

Some considerations:

1) The change would be backward compatible.
2) It would still support file based RBAC.
3) Policy's form won't change. It would still be based on dictionaries
and it'd be up to storage to de-normalize rules.
4) Policies could be imported from a file.
5) Policies could be updated using a manage command or by modifying a
single policy file that is kept updated.
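As an added illustration of the direction described above (example code written for this page, not code from the original post and not OpenStack's own policy module), here is a small Python sketch of a policy engine whose rule storage is pluggable: a file-backed store for the current on-host policy.json model, and a dict-backed store standing in for the shared database/cache. Both hand the engine the same dictionary form, so the rule syntax is untouched, and an update made at the shared source is visible to every node on reload while a per-host file copy silently goes stale. The names PolicyStore, FilePolicyStore, DictPolicyStore and Enforcer, the reduced rule grammar (role:, rule:, key:value, "or"/"and", no parentheses), and the sample rules are assumptions of this example, not the project's API.

```python
"""Added example: policy rules with a pluggable persistence layer.
Hypothetical names; not the OpenStack policy module's API."""
import json
import os
import tempfile


class PolicyStore:
    """Backend interface: every store returns rules as a plain dict
    of {rule_name: rule_expression}, so the policy form never changes."""

    def load(self):
        raise NotImplementedError


class FilePolicyStore(PolicyStore):
    """The current model: an on-host policy.json file."""

    def __init__(self, path):
        self.path = path

    def load(self):
        with open(self.path) as fh:
            return json.load(fh)


class DictPolicyStore(PolicyStore):
    """Stands in for a shared database/cache; one instance is the
    single source that several nodes read from."""

    def __init__(self, rules):
        self.rules = dict(rules)

    def load(self):
        return dict(self.rules)

    def update(self, name, expression):
        self.rules[name] = expression


class Enforcer:
    """Evaluates the reduced rule grammar against request credentials."""

    def __init__(self, store):
        self.store = store
        self.rules = {}
        self.reload()

    def reload(self):
        self.rules = self.store.load()

    def enforce(self, rule, creds, target=None):
        # Unknown rules fall back to "default"; no default means deny.
        expr = self.rules.get(rule, self.rules.get("default", "!"))
        return self._eval(expr, creds, target or {})

    def _eval(self, expr, creds, target):
        expr = expr.strip()
        if " or " in expr:  # "or" binds loosest
            return any(self._eval(p, creds, target) for p in expr.split(" or "))
        if " and " in expr:
            return all(self._eval(p, creds, target) for p in expr.split(" and "))
        if expr == "":  # empty rule: always allowed
            return True
        if expr == "!":  # never allowed
            return False
        if expr.startswith("rule:"):  # reference to another named rule
            return self._eval(self.rules.get(expr[5:], "!"), creds, target)
        if expr.startswith("role:"):
            return expr[5:] in creds.get("roles", [])
        key, _, value = expr.partition(":")
        if "%(" in value:  # substitute target attributes, e.g. %(project_id)s
            try:
                value = value % target
            except KeyError:
                return False
        return str(creds.get(key)) == value


SAMPLE_RULES = {  # constructed sample, shaped like a policy.json
    "admin_required": "role:admin or is_admin:True",
    "admin_or_owner": "rule:admin_required or project_id:%(project_id)s",
    "default": "rule:admin_required",
    "get_image": "",
    "delete_image": "rule:admin_or_owner",
    "publicize_image": "rule:admin_required",
}


def write_policy_file(rules):
    """Write a temporary policy.json so the file store has something to read."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(rules, fh)
    return path


def demo():
    """Same rules through both stores, then one centralized update."""
    admin = {"roles": ["admin"], "project_id": "p1"}
    member = {"roles": ["member"], "project_id": "p1"}
    publisher = {"roles": ["publisher"], "project_id": "p1"}
    own, other = {"project_id": "p1"}, {"project_id": "p2"}

    path = write_policy_file(SAMPLE_RULES)
    file_node = Enforcer(FilePolicyStore(path))
    shared = DictPolicyStore(SAMPLE_RULES)
    node_a, node_b = Enforcer(shared), Enforcer(shared)

    results = {
        "file_member_delete_own": file_node.enforce("delete_image", member, own),
        "shared_member_delete_own": node_a.enforce("delete_image", member, own),
        "member_delete_other": node_a.enforce("delete_image", member, other),
        "member_publicize": node_b.enforce("publicize_image", member, own),
        "unknown_rule_member": node_b.enforce("no_such_rule", member, own),
        "unknown_rule_admin": node_b.enforce("no_such_rule", admin, own),
        "anyone_get_image": node_b.enforce("get_image", member, own),
    }
    # One change at the shared source; every node sees it after reload,
    # while the per-host file copy keeps the old rule.
    shared.update("publicize_image", "role:admin or role:publisher")
    node_a.reload()
    node_b.reload()
    results["publisher_after_update"] = node_b.enforce("publicize_image", publisher, own)
    results["file_copy_stale"] = file_node.enforce("publicize_image", publisher, own)
    os.unlink(path)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The evaluator keeps "or" as the loosest operator (matching the usual reading of policy.json rule strings) and treats an unknown referenced rule as a deny rather than an allow, which is the conservative default a persistence layer should preserve no matter which backend serves the rules.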

Before digging more into this, I would like to have some feedback from
you and see if there are some issues not being considered in the above.

Any feedback is welcome!

[0] https://review.openstack.org/#/c/27721/

{ name: "Flavio Percoco",
   gpg: "87112EC1", 
   internal: "8261386",
   phone: "+390687502386",
   irc: ["fpercoco", "flaper87"]}