[openstack-dev] [keystone] Liberty FFE Request - Dynamic Policies
samuel at lsd.ufcg.edu.br
Fri Jul 3 01:27:51 UTC 2015
Dynamic Policies is a great subject which affects OpenStack
horizontally, offering a better mechanism for defining and delivering
policies to endpoints of any OpenStack service.
An overview of this subject is presented at its wiki page (
What we propose to the Liberty cycle is the dynamic delivering of
policies, i.e., add to the Keystone server the capability to distribute
the policy information to service endpoints.
This goal is represented by the following core specs:
* "Dynamic Policies Overlay" ( https://review.openstack.org/#/c/196753/
), specifying how oslo.policy library will overlay the existing local
policy file with custom rules uploaded dynamically (?from Dynamic
* "Dynamic Policies Fetch and Cache" (
https://review.openstack.org/#/c/134655/ ), defining how the Keystone
Middleware will fetch the policy for the current service endpoint it is
serving and then ask oslo.policy to overlay the existing local policy
* "Dynamic Policies Delivering Mechanism" (
https://review.openstack.org/#/c/197980/ ), defining how the Keystone
Server will control the cache mechanism in order to keep policies
consistent across different service endpoints which must have the same
policy, for example, multiple Nova processes running behind an HAProxy.
Currently, there is some discussion around the association of a Dynamic
Policy with a given service endpoint. Alternatives are presented in the
* "Dynamic Policies with Custom IDs" (
https://review.openstack.org/#/c/198000/ ), proposing to allow the
creation of policy entities with custom IDs, easing the configuration of
the Keystone Middleware and improving UX;
* "Policy by URL" ( https://review.openstack.org/#/c/192422/ ),
proposing to identify services endpoints by their URL and then use that
URL to associate policy entities with them.
On behalf of the team working on the Dynamic Policies subject, I would
like to ask for a Feature Freeze Exception in Liberty for it.
Samuel de Medeiros Queiroz
More information about the OpenStack-dev