[Openstack-operators] [Nova] Enable policy improvement both v2/v3 API or not
xuhj at linux.vnet.ibm.com
Fri May 30 07:03:03 UTC 2014
There are some BPs working on improving the usability of API policy. Initially
those BPs were just for the v2.1/v3 API. For the v2 API, we just want to keep it the same
But at the Juno design summit, we got some complaints that policy is hard to use.
I guess those guys are complaining about the v2 API. So I'm thinking about whether we
enable those improvements for the v2 API too. I want to hear you guys' and CD
people's suggestions. To ensure we should enable those for V2 API.
The main proposal for improving policy is:
Policy should be enforced at REST API layer
In this proposal we remove the compute-api layer policy checks for v3
move policy checks into API layer for v2 API. So only v3 API can get the
V2 API still has two policy checks for the same API.
At API layer: "compute_extension:admin_actions:pause": "rule:admin_or_owner"
At compute API layer: "compute:pause": ""
There are pros/cons of enabling this for the v2 API, as below:
* V2 API users can get the benefit of those improvements. We still have some
users using the V2 API before we release V2.1/V3.
* We don't need to make the code backward-compatible for the v2 API. That makes the
code look messy.
There is policy check code in two places for one API. One is used for extension
another one is for keeping compatibility (line 85).
(There is another method that won't make the code messy and we can support
back-compatibility. It is that we don't remove the compute api layer
then we just skip the policy check for v3 API. After v2 API is deprecated,
up those compute api layer policy code.)
* Maybe V2 API users didn't have too much pain with this. And we will have
V2 will be deprecated. If we change those, this may become an extra burden
operator user upgrade their policy config file when upgrading nova code.
* The risk of touching existing v2 API code.
And there are other minor improvement proposals for API policy:
I think after making a decision on the first proposal, then I think those two
just follow the decision.
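The double enforcement described in the message, as an added example that is not part of the original post and not Nova's own code: a small evaluator for a simplified subset of the rule syntax, run against the two pause rules quoted above. The `admin_or_owner` definition, the helper names and the sample callers are assumptions constructed for illustration.

```python
# Added illustration, not Nova code: simplified subset of the policy rule syntax.
API_RULE = "compute_extension:admin_actions:pause"   # REST API layer (from the message)
COMPUTE_RULE = "compute:pause"                        # compute API layer (from the message)
POLICY = {
    "admin_or_owner": "role:admin or project_id:%(project_id)s",  # assumed definition
    API_RULE: "rule:admin_or_owner",
    COMPUTE_RULE: "",
}
# Constructed sample callers and target instance.
OWNER = {"roles": ["member"], "project_id": "p1"}
ADMIN = {"roles": ["admin"], "project_id": "p9"}
OTHER = {"roles": ["member"], "project_id": "p2"}
TARGET = {"project_id": "p1"}


def check(policy, name, creds, target):
    """Evaluate one named rule; an undefined rule is denied in this sketch."""
    return name in policy and _eval(policy, policy[name], creds, target)


def _eval(policy, expr, creds, target):
    expr = expr.strip()
    if not expr:                                   # empty rule always passes
        return True
    if " or " in expr:
        return any(_eval(policy, part, creds, target) for part in expr.split(" or "))
    kind, _, value = expr.partition(":")
    if kind == "rule":                             # reference to another named rule
        return check(policy, value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: the credential field must equal the (substituted) value.
    return str(creds.get(kind)) == value % target


def pause_layers(policy, creds, target):
    """Result of each of the two checks the v2 pause action goes through."""
    return {n: check(policy, n, creds, target) for n in (API_RULE, COMPUTE_RULE)}


def pause_allowed(policy, creds, target):
    """With both layers enforced, the effective permission is their AND."""
    return all(pause_layers(policy, creds, target).values())


if __name__ == "__main__":
    tightened = dict(POLICY, **{COMPUTE_RULE: "role:admin"})  # operator edits one key only
    for label, creds in (("owner", OWNER), ("admin", ADMIN), ("other", OTHER)):
        print(label, pause_layers(POLICY, creds, TARGET), pause_layers(tightened, creds, TARGET))
```

With only `compute:pause` tightened, the owner still passes the API-layer rule and is then refused at the compute layer, so an operator has to keep both keys in step to get the access they intend.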