<div dir="ltr">Hi Timur,<div><br></div><div>Thanks for bringing this up. </div><div><br></div><div>I think we can borrow some concept from the Mistral Workbook Builder. I like the ability to add items and seeing the preview on the right side. We can re-use that part.</div><div><br></div><div><div>The challenging part would be building a Rule expression builder that supports the policy semantic [1] [2]. We should start with creating some mockups. The builder will also be useful even if we don't land the dynamic policy in L by adding support of loading local policy files for editing and providing export functionality.</div><div><br></div><div>I imagine there would be a pop-up that will allow user to build the expression with support for:</div><div>1. Building nested expression using AND OR and ()</div><div>2. Auto-complete that lists:</div><div>- existing rule definition </div><div>- available context variable (like domain_id, user_id, target.token)</div><div><br></div><div>Just throwing some ideas around. </div><div><br></div><div>This is a good opportunity to engage the new UX project they might have a better idea how the Expression Builder should look like. :)</div><div><br></div><div><div>Thanks,</div><div>Lin</div></div><div><br></div><div>[1] <a href="https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L18-L210">https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L18-L210</a></div><div><div>[2] <a href="http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html">http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html</a></div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 3, 2015 at 5:10 AM, Timur Sufiev <span dir="ltr"><<a href="mailto:tsufiev@mirantis.com" target="_blank">tsufiev@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello, folks!<div><br></div><div>A word has come to me that on the recent Keystone mid-cycle summit dynamic policies have been discussed - as well as the lack of means to edit them in UX-friendly manner. I had my own share of editing *_policy.json files inside openstack_dashboard/conf and can hardly state it's easy. At least, when dynamic policies are fully supported by all OpenStack services we will have no longer to edit the same files on every controller node in case of HA installations. Still, the problem of editing a single policy file remains. AFAIK, the obscurity of policy rules' format had lead may deployers to the copy-pasting existing rules with minimal changes - when they were meant to a flexible tool for RBAC definitions.</div><div><br></div><div>But I wouldn't write this letter, if I didn't have some kind of solution to the task of editing the policies. During my work on Merlin framework/Mistral Workbook Builder I've achieved some results that might be useful for a Keystone community. More specifically, visual structure and type of relations between Workbook entities appeared to me to be similar to the entities of Keystone policies. Understanding that some things are better seen in dynamic than in static screenshots, I'm sharing the address of the VM where the Workbook builder is deployed inside Horizon: <a href="http://horizon-merlin.mirantis.com/horizon/project/" target="_blank">http://horizon-merlin.mirantis.com/horizon/project/</a> Credentials are demo/demo. Some features like saving the workbooks to db or the rest OpenStack control plane are disabled for security reasons, leaving only the Workbook Builder UI there. </div><div><br></div><div>I'd like to start the discussion about the extent of reusing Merlin UI elements for making a dynamic policies editor.</div></div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>