On 9/30/2019 12:27 PM, Dan Smith wrote:
>> - Which services require policy.{yml,json}? I can see policy
>> referenced in API, conductor and compute.
>
> That's a good question. I would have thought it was just API, so maybe someone else can chime in here, although it's not specific to cells.

I don't see any explicit policy checks in conductor. Maybe you're referring to the conductor code handling UnsupportedPolicyException? That's a bad exception class name, but it's really something that the scheduler service can raise when a server group is created with a given policy, e.g. anti-affinity, and the scheduler filter to enforce that policy is not enabled.

As for the nova-compute service, the only explicit policy check that I know of is here [1]. That's a late check since the API does not necessarily know which network we're going to boot on; we gather that information later in the build process on the compute service. Yes, it's unfortunate, and it came up in the dev ML a few years ago [2]. The only other "policy" stuff in the compute service is the late affinity check [3] that Dan mentioned, which is about server group policy, not RBAC.

[1] https://github.com/openstack/nova/blob/627c461a62ce722a4c95a44b181f40b8db198...
[2] http://lists.openstack.org/pipermail/openstack-dev/2016-June/096919.html
[3] https://github.com/openstack/nova/blob/627c461a62ce722a4c95a44b181f40b8db198...