Open Stack

On 7 July 2015 at 11:56, Doug Hellmann <doug at doughellmann.com> wrote:

> Excerpts from Ben Nemec's message of 2015-07-07 11:41:35 -0500:
> > On 07/04/2015 12:12 AM, Akihiro Motoki wrote:
> > > Hi Oslo and Neutron folks,
> > >
> > > Why is policy_dirs option deprecated in oslo.policy?
> > > In Neutron we have multiple repositories which consist of Neutron
> services
> > > and we would like to maintain policy.json separately.
> > > policy_dirs option looks useful for this purpose.
> > >
> > > == Detail ==
> > >
> > > Neutron project now consists of several repositories and
> > > they are imported when neutron-server runs.
> > > There are cases where it makes sense that each repository manages its
> > > policy.json
> > > and the neutron-server wants to load all related policy.json files.
> > > - advanced services have separate repositories and they evolve their
> API
> > > independently
> > > - vendor plugins/drivers in separate repositories (can) have
> > > vendor-specific extension API.
> > >   (It is not a good thing from the point of the current API discussion,
> > > but we have now.)
> > >
> > > An easy way is to put all related policy.json into a single directory
> > > lile /etc/neutron/policy.d and specify this to policy_dirs option.
> >
> > This will still work fine.  The reason policy_dirs was deprecated is
> > that we didn't see a need to allow arbitrary policy.d locations and
> > doing so caused issues in some edge cases, so after the opt is removed
> > we will simply look for policy.d in the configuration directory.
> >
> > Essentially, today the default would be to look in
> > /etc/neutron/policy.d, but you can change that if you want.  Once the
> > opt is removed, you will _only_ be able to use /etc/neutron/policy.d.
> >
> > -Ben
> >
>
> It's more subtle than that. We have 2 variables interacting right
> now, config_dirs (managed by oslo.config) and policy_dirs (managed
> by oslo.policy). Both represent multiple places to look for
> configuration files, but the policy_dirs value must be a subdirectory
> of config_dirs.
>
> So if config_dirs is ['/etc/one', '/etc/two'] and policy_dirs is
> ['policy.d', 'another.d'] then the valid locations for policy files are
> ['/etc/one/policy.d', '/etc/two/policy.d', '/etc/one/another.d',
> '/etc/two/another.d']. That set of paths is obvious, but the *order* is
> also important, and it's not obvious.
>
> If we really need to have multiple policy files, we should add that
> support explicitly somehow instead of backing into it by having
> multiple directories.
>

So long as we keep multiple policy files in a single flat directory
(default to /etc/neutron/policy.d), this is enough to load them all of them
at once after the config option policy_dirs is removed. Did I understand
this correctly?

Many thanks,
Armando


> Doug
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150713/404f2db6/attachment.html>