[openstack-dev] [keystone] [nova] [oslo] [cross-project] Dynamic Policy

David Chadwick d.w.chadwick at kent.ac.uk
Wed Jun 3 19:25:35 UTC 2015



On 03/06/2015 19:55, Sean Dague wrote:
> On 06/03/2015 02:44 PM, David Chadwick wrote:
>> In the design that we have been building for a policy administration
>> database, we don't require a single policy in order to unify common
>> concepts such as hierarchical attributes and roles between the different
>> policies of OpenStack services. This is because policies and hierarchies
>> are held separately and are linked via a many-to-many relationship. My
>> understanding of Adam's primary requirement was that a role hierarchy
>> say, should be common across all OpenStack service policies, without
>> this necessarily meaning you have to have one huge policy. And there is
>> no requirement for Keystone to own all the policies. So each service
>> could still own and manage its own policy, whilst having attribute
>> hierarchies in common.
>>
>> Does this help?
>>
>> regards
>>
>> David
> 
> That part makes total sense. What concerned me is there was an
> intermediary step that seemed like it was literally *one file*
> (https://review.openstack.org/134656). That particular step I think is
> unworkable.
> 
> By "common role hierarchy" do you mean namespaced roles for services?

Yes, because namespaced roles will still be globally unique using their
hierarchical names. The policy database does not care, since the role
name is simply a string.

David

> Because if yes, definitely. And I think that's probably the first
> concrete step moving the whole thing forward, which should be doable on
> the existing static json definitions.
> 
> 	-Sean
> 
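To make the design discussed above concrete, here is an added example (not code from the thread, nor OpenStack's own policy code or schema) of a toy policy store in which each service keeps its own policy, role hierarchies are held separately, and a many-to-many link says which hierarchies a given policy consults. Roles are plain namespaced strings such as "nova:admin", so they stay globally unique without the store needing to know anything about them. All hierarchy names, service names, actions and role names are constructed for illustration.

```python
"""Toy policy store: per-service policies share role hierarchies through a
many-to-many link, and roles are namespaced strings ("<service>:<role>").
Every name below is constructed for illustration; this is not OpenStack's
own policy format or database schema."""
from collections import deque

# Role hierarchies, held separately from any policy.
# Each entry maps a senior role to the roles it implies (directed edges).
# Because roles are namespaced, the same string can be reused safely in
# more than one hierarchy and across services.
HIERARCHIES = {
    "admin_chain": {
        "global:admin": {"nova:admin", "glance:admin"},
        "nova:admin": {"nova:operator"},
        "nova:operator": {"nova:member"},
    },
    "image_chain": {
        "glance:admin": {"glance:publisher"},
        "glance:publisher": {"glance:member"},
    },
}

# Per-service policies: action -> set of roles, any one of which grants it.
# Each service still owns and manages its own policy.
POLICIES = {
    "nova": {
        "compute:create": {"nova:member"},
        "compute:delete": {"nova:operator"},
        "compute:migrate": {"nova:admin"},
    },
    "glance": {
        "image:get": {"glance:member"},
        "image:publish": {"glance:publisher"},
    },
}

# Many-to-many link: which hierarchies each policy consults.
POLICY_HIERARCHIES = {
    "nova": {"admin_chain"},
    "glance": {"admin_chain", "image_chain"},
}


def expand_roles(roles, hierarchy_names):
    """Return the transitive closure of `roles` over the named hierarchies.

    The store treats role names as opaque strings; the only structure it
    uses is the senior -> junior edges recorded in the hierarchies."""
    edges = {}
    for name in hierarchy_names:
        for senior, juniors in HIERARCHIES[name].items():
            edges.setdefault(senior, set()).update(juniors)
    seen = set(roles)
    queue = deque(roles)
    while queue:
        role = queue.popleft()
        for junior in edges.get(role, ()):
            if junior not in seen:
                seen.add(junior)
                queue.append(junior)
    return seen


def is_allowed(service, action, roles):
    """Evaluate `service`'s own policy for `action`, expanding the caller's
    roles only through the hierarchies linked to that policy."""
    required = POLICIES[service].get(action)
    if required is None:
        return False  # default deny: an action the policy does not mention
    effective = expand_roles(roles, POLICY_HIERARCHIES[service])
    return bool(required & effective)


if __name__ == "__main__":
    print(is_allowed("nova", "compute:migrate", {"global:admin"}))   # True
    print(is_allowed("glance", "image:publish", {"glance:admin"}))   # True
    print(is_allowed("nova", "compute:delete", {"nova:member"}))     # False
```

The point of the split is visible in the `glance` entry of `POLICY_HIERARCHIES`: the image service consults both the shared admin chain and its own image chain, so "global:admin" reaches "glance:member" through two separately maintained hierarchies, while the nova policy never sees the image chain at all. Adding a hierarchy to a service is a change to the link table, not a rewrite of the service's policy.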


