[openstack-dev] [oslo][neutron] oslo.policy: policy_dirs config option, why deprecated?

Doug Hellmann doug at doughellmann.com
Tue Jul 7 18:56:35 UTC 2015

Excerpts from Ben Nemec's message of 2015-07-07 11:41:35 -0500:
> On 07/04/2015 12:12 AM, Akihiro Motoki wrote:
> > Hi Oslo and Neutron folks,
> > 
> > Why is policy_dirs option deprecated in oslo.policy?
> > In Neutron we have multiple repositories which consist of Neutron services
> > and we would like to maintain policy.json separately.
> > policy_dirs option looks useful for this purpose.
> > 
> > == Detail ==
> > 
> > Neutron project now consists of several repositories and
> > they are imported when neutron-server runs.
> > There are cases where it makes sense that each repository manages its
> > policy.json
> > and the neutron-server wants to load all related policy.json files.
> > - advanced services have separate repositories and they evolve their API
> > independently
> > - vendor plugins/drivers in separate repositories (can) have
> > vendor-specific extension API.
> >   (It is not a good thing from the point of the current API discussion,
> > but we have now.)
> > 
> > An easy way is to put all related policy.json into a single directory
> > like /etc/neutron/policy.d and specify this to policy_dirs option.
> This will still work fine.  The reason policy_dirs was deprecated is
> that we didn't see a need to allow arbitrary policy.d locations and
> doing so caused issues in some edge cases, so after the opt is removed
> we will simply look for policy.d in the configuration directory.
> Essentially, today the default would be to look in
> /etc/neutron/policy.d, but you can change that if you want.  Once the
> opt is removed, you will _only_ be able to use /etc/neutron/policy.d.
> -Ben

It's more subtle than that. We have 2 variables interacting right
now, config_dirs (managed by oslo.config) and policy_dirs (managed
by oslo.policy). Both represent multiple places to look for
configuration files, but the policy_dirs value must be a subdirectory
of config_dirs.

So if config_dirs is ['/etc/one', '/etc/two'] and policy_dirs is
['policy.d', 'another.d'] then the valid locations for policy files are
['/etc/one/policy.d', '/etc/two/policy.d', '/etc/one/another.d',
'/etc/two/another.d']. That set of paths is obvious, but the *order* is
also important, and it's not obvious.

If we really need to have multiple policy files, we should add that
support explicitly somehow instead of backing into it by having
multiple directories.
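
Added example (not part of the original message and not oslo.policy code): a sketch of why the search order over the config_dirs x policy_dirs cross product matters for access control. It assumes a later-loaded file overrides an earlier definition of the same rule; the function names, the temporary directory layout and the create_network rule are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def candidate_dirs(config_dirs, policy_dirs, policy_major=True):
    """Cross product of config_dirs and policy_dirs, in one of two plausible orders."""
    if policy_major:  # every config dir for the first policy dir, then the next
        return [str(Path(c) / p) for p in policy_dirs for c in config_dirs]
    return [str(Path(c) / p) for c in config_dirs for p in policy_dirs]


def effective_rules(dirs):
    """Merge *.json files directory by directory (assumption: last definition wins)."""
    rules, origin = {}, {}
    for d in dirs:
        if not Path(d).is_dir():  # a missing candidate directory is skipped
            continue
        for f in sorted(Path(d).glob("*.json")):
            for name, rule in json.loads(f.read_text()).items():
                rules[name], origin[name] = rule, str(f)
    return rules, origin


def demo():
    """Constructed layout: one rule defined permissively and restrictively."""
    with tempfile.TemporaryDirectory() as root:
        one, two = Path(root, "one"), Path(root, "two")
        layout = {
            # an empty rule string means "always allow"
            one / "another.d" / "vendor.json": {"create_network": ""},
            two / "policy.d" / "base.json": {"create_network": "rule:admin_only"},
        }
        for path, body in layout.items():
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(body))
        results = {}
        for policy_major in (True, False):
            dirs = candidate_dirs([one, two], ["policy.d", "another.d"], policy_major)
            rules, _ = effective_rules(dirs)
            results[policy_major] = rules["create_network"]
        return results


if __name__ == "__main__":
    # Same files on disk, different effective rule depending only on search order.
    print(demo())
```

With identical files on disk, one ordering leaves create_network open to everyone and the other restricts it to admins, so an operator auditing policy has to know which directory is read last.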

