[openstack-dev] Policy's persistence layer

Dolph Mathews dolph.mathews at gmail.com
Fri May 3 14:20:05 UTC 2013


This API was implemented in keystone in grizzly for centralized policy
storage:


https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#create-policy-post-policies


-Dolph


On Fri, May 3, 2013 at 2:54 AM, Flavio Percoco <flavio at redhat.com> wrote:

>
> Greetings,
>
> Lately, I've been working on de-duplicating[0] policy's code throughout
> OpenStack. As part of the effort to improve policy's code, we had a
> brief discussion on #openstack-glance that I'd like to bring up to the
> list.
>
> So far, projects have been using an on-host policy.json file to manage their
> RBAC rules - which certainly has made implementations easier and faster -
> however, there are some issues related to that:
>
> 1) It is awkward for horizontally scaled deployments: it currently has
> to be copied to all nodes running an instance of the application.
> 2) It's more difficult to keep updated and aligned: When changing a
> rule, it needs to be updated on all nodes.
>
> In order to improve the above, it is necessary to have a common,
> per-app, database / cache for policies, which will allow apps for
> managing their policies from a "centralized" source and with less
> effort.
>
> For that to happen, current policy's implementation needs further
> modifications so that it can read those policies either from a file, a
> database or a cache.
>
> Some considerations:
>
> 1) The change would be backward compatible.
> 2) It would still support file based RBAC.
> 3) Policy's form won't change. It would still be based on dictionaries
> and it'd be up to storage to de-normalize rules.
> 4) Policies could be imported from a file.
> 5) Policies could be updated using a manage command or by modifying a
> single policy file that is kept updated.
>
> Before digging more into this, I would like to have some feedback from
> you and see if there are some issues not being considered in the above.
>
> Any feedback is welcome!
> Cheers,
> FF
>
>
> [0] https://review.openstack.org/#/c/27721/
>
> --
> { name: "Flavio Percoco",
>   gpg: "87112EC1",   internal: "8261386",
>   phone: "+390687502386",
>   irc: ["fpercoco", "flaper87"]}
>
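To make the proposal concrete, here is an added example (not code from this thread, from oslo's policy module or from keystone) of what "rules stay a dictionary, storage decides where they live" looks like in practice: a small enforcer that evaluates policy.json-style rules, with one backend that reads the familiar on-host file and one in-memory backend standing in for a central database or cache. The rule syntax handled here is a deliberately reduced subset (`role:`, `rule:`, `@`, `!`, simple `key:%(target)s` matches, `and`/`or` without parentheses), and the policy content, store classes and credentials are all constructed for illustration. Unknown actions are denied rather than allowed, which is the property a deployment most wants to keep when rules start coming from more than one place.

```python
import json
import os
import tempfile

# Constructed sample policy in the usual policy.json shape (not a real project's file).
SAMPLE_POLICY = {
    "admin_required": "role:admin",
    "owner": "user_id:%(owner)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "image:delete": "rule:admin_or_owner",
    "image:publicize": "rule:admin_required",
}


class FilePolicyStore:
    """Backend for the existing on-host policy.json file (backward compatible)."""

    def __init__(self, path):
        self.path = path

    def load(self):
        # Re-read on every load so a changed file is picked up on reload().
        with open(self.path) as fh:
            return json.load(fh)


class DictPolicyStore:
    """Hypothetical stand-in for a central database/cache of rules."""

    def __init__(self, rules):
        self._rules = dict(rules)

    def load(self):
        return dict(self._rules)

    def update(self, name, rule):
        # Single point of change: every enforcer that reloads sees the new rule.
        self._rules[name] = rule


class Enforcer:
    """Evaluates dict-form rules; knows nothing about where they came from."""

    def __init__(self, store):
        self.store = store
        self.rules = None

    def reload(self):
        self.rules = self.store.load()

    def enforce(self, action, target, creds):
        if self.rules is None:
            self.reload()
        rule = self.rules.get(action)
        if rule is None:
            return False  # default deny for actions with no rule
        return self._eval(rule, target, creds)

    def _eval(self, expr, target, creds):
        # "a or b and c" == any clause where all terms of the clause hold.
        return any(
            all(self._term(t.strip(), target, creds) for t in clause.split(" and "))
            for clause in expr.split(" or ")
        )

    def _term(self, term, target, creds):
        if term == "@":
            return True
        if term == "!":
            return False
        kind, _, value = term.partition(":")
        if kind == "rule":
            # Missing referenced rule evaluates as "!" (deny), never as allow.
            return self._eval(self.rules.get(value, "!"), target, creds)
        if kind == "role":
            return value in creds.get("roles", [])
        # Generic credential match, e.g. "user_id:%(owner)s" against the target.
        if value.startswith("%(") and value.endswith(")s"):
            value = str(target.get(value[2:-2]))
        return str(creds.get(kind)) == value


def demo():
    """Run the same checks against the file backend and the central backend."""
    admin = {"user_id": "u1", "roles": ["admin"]}
    owner = {"user_id": "u2", "roles": ["member"]}
    other = {"user_id": "u3", "roles": ["member"]}
    image = {"owner": "u2"}
    results = {}

    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "policy.json")
        with open(path, "w") as fh:
            json.dump(SAMPLE_POLICY, fh)
        file_enf = Enforcer(FilePolicyStore(path))
        results["file_owner_delete"] = file_enf.enforce("image:delete", image, owner)
        results["file_other_delete"] = file_enf.enforce("image:delete", image, other)
        results["file_unknown_action"] = file_enf.enforce("image:frobnicate", image, admin)

    central = DictPolicyStore(SAMPLE_POLICY)
    central_enf = Enforcer(central)
    results["central_owner_delete"] = central_enf.enforce("image:delete", image, owner)
    results["central_member_publicize"] = central_enf.enforce("image:publicize", image, owner)
    # Tighten one rule centrally; a reload is all each node needs.
    central.update("image:delete", "rule:admin_required")
    central_enf.reload()
    results["central_owner_delete_after"] = central_enf.enforce("image:delete", image, owner)
    results["central_admin_delete_after"] = central_enf.enforce("image:delete", image, admin)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

Both enforcers run identical rule dictionaries, so switching a service from the file store to the central store changes nothing about how `enforce()` answers; it only changes where an operator edits a rule and how many copies have to agree.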

