[openstack-dev] [keystone] [nova] [oslo] oslo.policy requests from the Nova team

Ihar Hrachyshka ihrachys at redhat.com
Tue Jun 2 16:31:55 UTC 2015



On 06/02/2015 06:22 PM, Sean Dague wrote:
> Nova has a very large API, and during the last release cycle a lot
> of work was done to move all the API checking properly into policy,
> and not do admin context checks at the database level. The result
> is a very large policy file - 
> https://github.com/openstack/nova/blob/master/etc/nova/policy.json
> 
> This provides a couple of challenges. One of which is in recent
> defcore discussions some deployers have been arguing that the
> existence of policy files means that anything you can do with
> policy.json is valid and shouldn't impact trademark usage, because
> the knobs were given. Nova specifically states this is not ok - 
> https://github.com/openstack/nova/blob/master/doc/source/devref/policy_enforcement.rst#existed-nova-api-being-restricted
> however, we'd like to go a step further here.
> 
> What we'd really like is sane defaults for policy that come from
> code, not from etc files. So that a Nova deploy with an empty
> policy.json is completely valid, and does a reasonable thing.
> 
> Policy.json would then be just a set of
> http://docs.openstack.org/developer/oslo.policy/api.html#rule-check
> overrides for existing policy. That would make it a lot more clear
> what was changed from the existing policy.
> 
> We'd also really like the policy system to be able to WARN when
> the server starts if the policy was changed in some way that could 
> negatively impact compatibility of the system, i.e. if functions
> that we felt were essential were turned off. Because the default
> policy is in code, we could have a view of the old and new world
> and actually warn the Operator that they did a weird thing.
> 
> Lastly, we'd actually really like to redo our policy to look more
> like resource urls instead of extension names, as this should be a
> lot more sensible to the administrators, and hopefully make it
> easier to think about policy. Which I think means an aliasing
> facility in oslo.policy to allow a graceful transition for users.
> (This may exist, I don't know).

If I understand your aliasing need correctly, you may want to use
RuleChecks:
http://docs.openstack.org/developer/oslo.policy/api.html#rule-check

> 
> I'm happy to write specs here, but mostly wanted to have the
> discussion on the list first to ensure we're all generally good
> with this direction.
> 
> -Sean
> 
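The four things Sean asks for (defaults that live in code, a policy.json that only carries overrides, a startup warning when an essential API has been switched off, and aliasing of old extension-style rule names to resource-style ones) fit together in a small amount of code. The following is an added example and is not Nova's or oslo.policy's own code: the rule names, the ESSENTIAL set, the alias table and the policy.json contents are all constructed for illustration, and the rule grammar is a toy evaluator (atoms joined by "and"/"or", "rule:" references, "!" and "@", "%(attr)s" substitution from the target) rather than oslo.policy's parser.

```python
"""Added example (not Nova's or oslo.policy's code): policy defaults in code,
a policy.json that only carries overrides, startup warnings, and aliasing
of old extension-style rule names to resource-style names."""
import json
import re

# Hypothetical code-side defaults in the resource-style naming Sean proposes.
DEFAULT_RULES = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:servers:create": "rule:admin_or_owner",
    "os_compute_api:servers:delete": "rule:admin_or_owner",
    "os_compute_api:os-migrations:index": "rule:context_is_admin",
}

# Hypothetical set of rules an interoperable deployment must leave usable.
ESSENTIAL = {
    "os_compute_api:servers:index",
    "os_compute_api:servers:create",
    "os_compute_api:servers:delete",
}

# Hypothetical aliases: old extension-style name -> new resource-style name.
ALIASES = {
    "compute_extension:migrations:index": "os_compute_api:os-migrations:index",
    "compute:get_all": "os_compute_api:servers:index",
}

_SUBST = re.compile(r"%\((\w+)\)s")


def _check_atom(atom, creds, target, rules, depth):
    """Evaluate one 'kind:match' atom of the toy rule grammar."""
    atom = atom.strip()
    if atom == "@":          # always allow
        return True
    if atom == "!":          # always deny
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":       # reference to another named rule
        expr = rules.get(match)
        return expr is not None and _check(expr, creds, target, rules, depth + 1)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: '%(attr)s' is read from the target, anything else is a
    # literal; the result is compared with the credential attribute 'kind'.
    sub = _SUBST.fullmatch(match)
    expected = target.get(sub.group(1)) if sub else match
    return str(creds.get(kind)) == str(expected)


def _check(expr, creds, target, rules, depth=0):
    """Atoms joined by 'and'/'or' ('or' binds loosest, no parentheses in
    this toy grammar). An empty rule string means allow."""
    if depth > 10:
        raise ValueError("rule reference loop in policy")
    expr = expr.strip()
    if not expr:
        return True
    return any(
        all(_check_atom(a, creds, target, rules, depth) for a in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def load_policy(overrides_json):
    """Merge a policy.json of overrides onto DEFAULT_RULES.

    Returns (rules, warnings): an empty file is valid and yields the
    defaults; every deviation from them is reported so the operator can
    see exactly what was changed.
    """
    overrides = json.loads(overrides_json) if overrides_json.strip() else {}
    rules = dict(DEFAULT_RULES)
    warnings = []
    for name, expr in overrides.items():
        if name in ALIASES:
            warnings.append("deprecated rule name %r, use %r" % (name, ALIASES[name]))
            name = ALIASES[name]
        if name not in rules:
            warnings.append("rule %r is not a known default; kept as a custom rule" % name)
        elif expr != rules[name]:
            warnings.append("rule %r overridden: %r -> %r" % (name, rules[name], expr))
        rules[name] = expr
    return rules, warnings


def compatibility_warnings(rules):
    """Probe the merged policy with a plain project member acting on a
    resource of their own project; flag every ESSENTIAL rule that now
    denies them (the 'turned off' case the startup warning is for)."""
    member = {"roles": ["member"], "project_id": "p1", "is_admin": False}
    own_resource = {"project_id": "p1"}
    return [
        "essential API %r is no longer available to project members" % name
        for name in sorted(ESSENTIAL)
        if not _check(rules[name], member, own_resource, rules)
    ]


def enforce(rules, action, creds, target):
    """True if creds may perform action on target; old names are aliased."""
    expr = rules.get(ALIASES.get(action, action))
    return expr is not None and _check(expr, creds, target, rules)


# Constructed policy.json: makes server create admin-only, disables delete
# outright, and still uses an old extension-style name for migrations.
SAMPLE_POLICY_JSON = """{
    "os_compute_api:servers:create": "rule:context_is_admin",
    "os_compute_api:servers:delete": "!",
    "compute_extension:migrations:index": "rule:admin_or_owner"
}"""

if __name__ == "__main__":
    rules, warns = load_policy(SAMPLE_POLICY_JSON)
    for w in warns + compatibility_warnings(rules):
        print("WARNING:", w)
    member = {"roles": ["member"], "project_id": "p1", "is_admin": False}
    print(enforce(rules, "os_compute_api:servers:index", member, {"project_id": "p1"}))
```

With the constructed file above, load_policy reports the deprecated name and the three overrides, and compatibility_warnings flags servers:create and servers:delete because a project member can no longer exercise them; an empty policy.json produces the defaults and no warnings, which is the "empty file is completely valid" property Sean asks for. The probe-based check is deliberately behavioural: it catches both "!" and a rule silently rewritten to admin-only, which a plain string comparison against the default would not distinguish from a harmless edit.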
