[openstack-dev] [keystone] Liberty FFE Request - Dynamic Policies

samuel samuel at lsd.ufcg.edu.br
Fri Jul 3 01:27:51 UTC 2015

Dear Keystoners,

Dynamic Policies is a great subject which affects OpenStack 
horizontally, offering a better mechanism for defining and delivering 
policies to endpoints of any OpenStack service.

An overview of this subject is presented at its wiki page ( 
https://wiki.openstack.org/wiki/DynamicPolicies ).

What we propose to the Liberty cycle is the dynamic delivering of 
policies, i.e., add to the Keystone server the capability to distribute 
the policy information to service endpoints.
This goal is represented by the following core specs:
* "Dynamic Policies Overlay" ( https://review.openstack.org/#/c/196753/ 
),  specifying how oslo.policy library will overlay the existing local 
policy file with custom rules uploaded dynamically (?from Dynamic 
* "Dynamic Policies Fetch and Cache" ( 
https://review.openstack.org/#/c/134655/ ), defining how the Keystone 
Middleware will fetch the policy for the current service endpoint it is 
serving and then ask oslo.policy to overlay the existing local policy 
* "Dynamic Policies Delivering Mechanism"  ( 
https://review.openstack.org/#/c/197980/ ), defining how the Keystone 
Server will control the cache mechanism in order to keep policies 
consistent across different service endpoints which must have the same 
policy, for  example, multiple Nova processes running behind an HAProxy.

Currently, there is some discussion around the association of a Dynamic 
Policy with a given service endpoint. Alternatives are presented in the 
following specs:
* "Dynamic Policies with Custom IDs" ( 
https://review.openstack.org/#/c/198000/ ),  proposing to allow the 
creation of policy entities with custom IDs, easing the configuration of 
the Keystone Middleware and improving UX;
* "Policy by URL" ( https://review.openstack.org/#/c/192422/ ), 
proposing to identify services endpoints by their URL and then use that 
URL to associate policy entities with them.

On behalf of the team working on the Dynamic Policies subject, I would 
like to ask for a Feature Freeze Exception in Liberty for it.

Samuel de Medeiros Queiroz

More information about the OpenStack-dev mailing list