[Openstack-operators] [openstack-dev] [keystone] RBAC usage at production

Steve Martinelli stevemar at ca.ibm.com
Wed Dec 9 22:20:48 UTC 2015

Whether or not a restart is required is actually handled by oslo.policy,
which is only included in Kilo and newer versions of Keystone. The work to
avoid restarting the service went in in commit [0] and was further worked
on in [1].

Juno and older versions are using the oslo-incubator code to handle policy
(before it was turned into its own library), and AFAICT don't have the
check to see if policy.json has been modified.



Steve Martinelli
OpenStack Keystone Project Team Lead

From:	Timothy Symanczyk <Timothy_Symanczyk at symantec.com>
To:	"OpenStack Development Mailing List (not for usage questions)"
            <openstack-dev at lists.openstack.org>, "Kris G. Lindgren"
            <klindgren at godaddy.com>, Oguz Yarimtepe
            <oguzyarimtepe at gmail.com>,
            "openstack-operators at lists.openstack.org"
            <openstack-operators at lists.openstack.org>
Date:	2015/12/09 04:40 PM
Subject:	Re: [openstack-dev] [Openstack-operators] [keystone] RBAC usage
            at production

We are running keystone kilo in production, and I'm actively implementing
RBAC right now. I'm certain that, at least with the version of keystone
we're running, a restart is NOT required when the policy file is modified.


On 12/9/15, 9:18 AM, "Edgar Magana" <edgar.magana at workday.com> wrote:

>We use RBAC in production but basically modify networking operations and
>some compute ones. In our case we don't need to restart the services if
>we modify the policy.json file. I am surprised that keystone is not
>following the same process.
>On 12/9/15, 9:06 AM, "Kris G. Lindgren" <klindgren at godaddy.com> wrote:
>>In other projects the policy.json file is read at the time of each API
>>request. So changes to the file take place immediately. I was 90% sure
>>keystone was the same way?
>>Kris Lindgren
>>Senior Linux Systems Engineer
>>On 12/9/15, 1:39 AM, "Oguz Yarimtepe" <oguzyarimtepe at gmail.com> wrote:
>>>I am wondering whether there are people using RBAC at production. The
>>>policy.json file has a structure that requires restart of the service
>>>each time you edit the file. Is there an on-the-fly solution or tips
>>>about it?
>>>OpenStack-operators mailing list
>>>OpenStack-operators at lists.openstack.org
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

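
The reload-without-restart behaviour discussed in this thread, as an added example (not part of any message here and not oslo.policy's code): the policy file is re-read only when its modification time changes, unknown actions are denied, and a malformed edit is ignored in favour of the last good rules. The class name, the simplified `role:<name>` rule format and the sample rules are assumptions.

```python
import json
import os
import tempfile


class ReloadingPolicy:
    """Re-reads a JSON policy file when its mtime changes (illustrative only)."""

    def __init__(self, path):
        self.path = path
        self._mtime = None   # mtime of the last file that parsed cleanly
        self._rules = {}     # empty rules deny everything
        self.reloads = 0

    def _refresh(self):
        try:
            mtime = os.stat(self.path).st_mtime_ns
            if mtime == self._mtime:
                return       # unchanged since last good load: no re-read
            with open(self.path) as fh:
                rules = json.load(fh)
        except (OSError, ValueError):
            return           # missing or half-written file: keep last good rules
        if isinstance(rules, dict):
            self._rules, self._mtime = rules, mtime
            self.reloads += 1

    def allowed(self, action, roles):
        self._refresh()      # checked on every request, so no restart is needed
        rule = self._rules.get(action)
        if not isinstance(rule, str) or not rule.startswith("role:"):
            return False     # unknown action or unsupported rule: deny
        return rule[len("role:"):] in roles


if __name__ == "__main__":
    # Constructed sample policy in a simplified "role:<name>" form.
    path = os.path.join(tempfile.mkdtemp(), "policy.json")
    policy = ReloadingPolicy(path)
    for stamp, role in ((1_000_000_000, "admin"), (2_000_000_000, "member")):
        with open(path, "w") as fh:
            json.dump({"identity:list_users": "role:" + role}, fh)
        os.utime(path, ns=(stamp, stamp))  # pin mtime so the change is visible
        print(role, policy.allowed("identity:list_users", {"member"}))
```

Because a failed parse leaves the stored mtime untouched, the file is retried on the next request, so a corrected policy.json takes effect as soon as it is saved.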
