[openstack-dev] [neutron] Group-based Policy language

Tim Hinrichs thinrichs at vmware.com
Thu Nov 21 17:23:13 UTC 2013

At the Neutron group-based policy proposal meeting today, we discussed whether or not the proposal should include a concrete policy language.  We decided to send a note to the list to get additional feedback.

The proposed API extension includes the ability to insert/delete policy statements.  But we do not say which policy statements are valid.  The benefit of leaving the policy language unspecified is that each plugin can support a custom policy language, leading to maximum flexibility in terms of writing plugins.  The drawback of leaving the policy language unspecified is that there's no way for any person or other OS component to know which API calls are valid, unless we know which plugin is being used.  Said another way, the current proposal says there are API calls like insert-policy-statement and delete-policy-statement, but does not say which arguments are valid to give to those calls (and the valid arguments can differ from plugin to plugin).

The thought experiment we went through was to imagine writing a super stripped-down version of Heat that only builds applications with a DB tier and a Web tier, and the template for the app only specifies how many DB servers and how many Web servers we want.  We should be able to implement a function that takes the number of DB servers and the number of web servers as input and executes a sequence of Nova/Neutron API calls that deploys that app.  But without a concrete policy language, we can't use the Neutron policy API because we don't know what arguments to give the insert-policy-statement call.

In the end, we discussed adding a concrete language to the proposal.  Does anyone see a better alternative?
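The thought experiment above, worked through as an added example (this is not code from the post, from Neutron or from the group-based policy proposal). It assumes a hypothetical concrete grammar for one policy statement, `allow <src-group> to <dst-group> on <tcp|udp>/<port>`, and uses placeholder call names such as `nova.boot` and `neutron.insert_policy_statement` that stand in for real API calls. The point it shows is the one the post makes: once the language is concrete, the stripped-down Heat (`deploy_two_tier`) can validate its policy arguments before making the call, and any other OpenStack component can run the same check without knowing which plugin is behind the API.

```python
"""Added example, not part of the original post or of Neutron.

The grammar, the group names and the API call names are assumptions
made for this illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical concrete grammar for one policy statement:
#   allow <src-group> to <dst-group> on <tcp|udp>/<port>
STATEMENT_RE = re.compile(
    r"^allow (?P<src>[a-z][a-z0-9_-]*) to (?P<dst>[a-z][a-z0-9_-]*) "
    r"on (?P<proto>tcp|udp)/(?P<port>\d{1,5})$"
)


@dataclass(frozen=True)
class PolicyStatement:
    src: str
    dst: str
    proto: str
    port: int


def parse_statement(text: str) -> PolicyStatement:
    """Parse one statement; raise ValueError if it is not in the language.

    Because the language is fixed, this check does not depend on which
    plugin will eventually execute the statement: a Heat-like tool, a
    test harness or another OpenStack component can all run it before
    calling insert-policy-statement.
    """
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"invalid policy statement: {text!r}")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return PolicyStatement(m["src"], m["dst"], m["proto"], port)


def is_valid_statement(text: str) -> bool:
    """Boolean wrapper around parse_statement for callers that only
    need a yes/no answer."""
    try:
        parse_statement(text)
        return True
    except ValueError:
        return False


def deploy_two_tier(num_db: int, num_web: int) -> list[tuple]:
    """Stripped-down 'Heat': return the sequence of API calls that would
    deploy a DB tier and a Web tier of the requested sizes.

    The call names are placeholders (assumption), not real Nova/Neutron
    endpoints; the database port 3306 is likewise assumed.
    """
    if num_db < 1 or num_web < 1:
        raise ValueError("need at least one server per tier")
    calls: list[tuple] = [
        ("neutron.create_group", "db"),
        ("neutron.create_group", "web"),
    ]
    for i in range(num_db):
        calls.append(("nova.boot", f"db-{i}", "db"))
    for i in range(num_web):
        calls.append(("nova.boot", f"web-{i}", "web"))
    # Only the web tier may reach the db tier, and only on the DB port.
    # Validate against the concrete language before emitting the call,
    # which is exactly what cannot be done if the language is unspecified.
    for stmt in ("allow web to db on tcp/3306",):
        parse_statement(stmt)
        calls.append(("neutron.insert_policy_statement", stmt))
    return calls


if __name__ == "__main__":
    for call in deploy_two_tier(2, 3):
        print(call)
```

Without a concrete language, the last step of `deploy_two_tier` has nothing to validate against: the caller would have to know the plugin's private grammar, which is the situation the post describes.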

