[openstack-dev] [Oslo] Policy's persistence layer

Dolph Mathews dolph.mathews at gmail.com
Fri May 3 16:29:30 UTC 2013


On Fri, May 3, 2013 at 10:52 AM, Flavio Percoco <flavio at redhat.com> wrote:

> On 03/05/13 09:20 -0500, Dolph Mathews wrote:
>
>>   This API was implemented in keystone in grizzly for centralized policy
>>   storage:
>>     [1] https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#create-policy-post-policies
>>
>
>
> Interesting.
>
> How is it meant to be used throughout OpenStack? Do services need to load
> policies from that API when they are started?
> It's a shame it hasn't been proposed to be integrated in Oslo. Any plans
> for that?
>

There was a lot of discussion/disagreement during folsom about how to
consume centralized policies from keystone; the API in grizzly is intended
to be bare-minimum so as to be as flexible as possible.

Opinions varied from your suggestion (which I think would be an easy step
forward), to more elaborate approaches where auth_token (or a new
middleware layer) was responsible for fetching policies relevant to the
service being protected and the identity in context (e.g. allowing identity
domains to customize their policy per-endpoint) and passing the policy blob
down in a header (X-Policy or whatever).


>
> TBH, I think policies must be managed by the application itself
> instead of storing them in a separated service. What happens if
> someone wants to deploy Glance without keystone but still have
> centralized policies? (Maybe I'm just looking at it from the wrong
> angle). I'd rather use a lib like oslo.policy
>

I don't follow. In a glance-only deployment, where would "centralized
policies" be stored?


>
> Hopefully, I didn't misunderstand how that API is meant to be used.
>
> Thanks for the feedback
> FF
>
>
> --
> { name: "Flavio Percoco",
>   gpg: "87112EC1",   internal: "8261386",
>   phone: "+390687502386",
>   irc: ["fpercoco", "flaper87"]}
>
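The middleware-and-header approach described above, as an added Python sketch that is not part of this thread or of any OpenStack project; the X-Policy and X-Domain-Name header names, the policy store contents and the minimal rule syntax are assumptions, and the service side denies when no policy blob was supplied or the action is not listed:

```python
import json

# Constructed sample: policy blobs per (service, domain), standing in for what a
# middleware would fetch from a central policy API. Not real keystone data.
POLICY_STORE = {
    ("glance", "default"): {"get_image": "", "delete_image": "role:admin"},
    ("glance", "acme"): {"get_image": "role:member",
                         "delete_image": "role:admin or is_owner:True"},
}


def load_policy(service, domain):
    """Pick the blob for the caller's domain, falling back to the service default."""
    return POLICY_STORE.get((service, domain)) or POLICY_STORE.get((service, "default"))


def check_rule(rule, creds):
    """Minimal policy.json-style rule: '' allows everyone; 'key:value' checks joined by ' or '."""
    if rule == "":
        return True
    for alternative in rule.split(" or "):
        key, _, value = alternative.partition(":")
        if key == "role":
            if value in creds.get("roles", []):
                return True
        elif str(creds.get(key)) == value:
            return True
    return False


def policy_middleware(environ, service):
    """Hypothetical middleware step: attach the relevant policy blob as the X-Policy header.

    The key is always overwritten, so a client-supplied X-Policy header never
    reaches the service (assumption: X-Domain-Name was set by trusted auth middleware).
    """
    domain = environ.get("HTTP_X_DOMAIN_NAME", "default")
    environ["HTTP_X_POLICY"] = json.dumps(load_policy(service, domain))
    return environ


def enforce(environ, action, creds):
    """Service side: default deny when the header is missing or the action is unknown."""
    raw = environ.get("HTTP_X_POLICY")
    if raw is None:
        return False
    policy = json.loads(raw)
    if action not in policy:
        return False
    return check_rule(policy[action], creds)
```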