[openstack-dev] [Keystone] [Horizon] UI for Keystone dynamic policies editing

Lin Hua Cheng os.lcheng at gmail.com
Mon Aug 3 20:39:16 UTC 2015


Hi Timur,

Thanks for bringing this up.

I think we can borrow some concepts from the Mistral Workbook Builder. I
like the ability to add items and see the preview on the right side. We
can re-use that part.

The challenging part would be building a Rule expression builder that
supports the policy semantics [1] [2]. We should start with creating some
mockups. The builder will also be useful even if we don't land the dynamic
policy in L by adding support of loading local policy files for editing and
providing export functionality.

I imagine there would be a pop-up that will allow the user to build the
expression with support for:
1. Building nested expressions using AND OR and ()
2. Auto-complete that lists:
-  existing rule definitions
-  available context variables (like domain_id, user_id, target.token)

Just throwing some ideas around.

This is a good opportunity to engage the new UX project; they might have a
better idea of how the Expression Builder should look. :)

Thanks,
Lin

[1]
https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L18-L210
[2]
http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html


On Mon, Aug 3, 2015 at 5:10 AM, Timur Sufiev <tsufiev at mirantis.com> wrote:

> Hello, folks!
>
> A word has come to me that at the recent Keystone mid-cycle summit dynamic
> policies have been discussed - as well as the lack of means to edit them in
> a UX-friendly manner. I had my own share of editing *_policy.json files
> inside openstack_dashboard/conf and can hardly state it's easy. At least,
> when dynamic policies are fully supported by all OpenStack services we will
> no longer have to edit the same files on every controller node in case of
> HA installations. Still, the problem of editing a single policy file
> remains. AFAIK, the obscurity of policy rules' format had led many
> deployers to copy-pasting existing rules with minimal changes - when
> they were meant to be a flexible tool for RBAC definitions.
>
> But I wouldn't write this letter, if I didn't have some kind of solution
> to the task of editing the policies. During my work on Merlin
> framework/Mistral Workbook Builder I've achieved some results that might be
> useful for the Keystone community. More specifically, visual structure and
> type of relations between Workbook entities appeared to me to be similar to
> the entities of Keystone policies. Understanding that some things are
> better seen in dynamic than in static screenshots, I'm sharing the address
> of the VM where the Workbook builder is deployed inside Horizon:
> http://horizon-merlin.mirantis.com/horizon/project/ Credentials are
> demo/demo. Some features like saving the workbooks to db or the rest of the
> OpenStack control plane are disabled for security reasons, leaving only the
> Workbook Builder UI there.
>
> I'd like to start the discussion about the extent of reusing Merlin UI
> elements for making a dynamic policies editor.
>
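
A sketch of the parsing and validation that the rule expression builder discussed above would need, added here as an illustration and not taken from oslo.policy, Horizon or Merlin: it parses a simplified form of the rule grammar (and/or/not, parentheses, kind:match checks, with precedence assumed to be not > and > or) into a nested tree and reports `rule:` references that match no existing rule definition. The function names and the sample policy are constructed for this example.

```python
import re
from collections import deque

# A word keeps %(name)s substitutions whole; any other paren is grouping.
TOKEN = re.compile(r"(?:%\([^)]*\)s|[^\s()])+|[()]")

def parse(expr):
    """Return nested tuples: (op, l, r), ('not', x) or ('check', kind, match)."""
    tokens = deque(TOKEN.findall(expr) + [""])  # "" marks end of input
    def chain(op, operand):  # left-associative run of a single operator
        node = operand()
        while tokens[0].lower() == op:
            tokens.popleft()
            node = (op, node, operand())
        return node
    def unary():
        tok = tokens.popleft()
        if tok.lower() == "not":
            return ("not", unary())
        if tok == "(":
            node = disj()
            if tokens.popleft() != ")":
                raise ValueError("expected ')'")
            return node
        kind, sep, match = tok.partition(":")
        if not sep:
            raise ValueError("expected kind:match check, got %r" % tok)
        return ("check", kind, match)
    def disj():  # assumed precedence: "and" binds tighter than "or"
        return chain("or", lambda: chain("and", unary))
    tree = disj()
    if tokens[0] != "":
        raise ValueError("unexpected token %r" % tokens[0])
    return tree

def rule_refs(tree):  # names used via rule:<name> anywhere in the tree
    if tree[0] == "check":
        return {tree[2]} if tree[1] == "rule" else set()
    return set().union(*map(rule_refs, tree[1:]))

def undefined_refs(policy):  # rule name -> rule: references the policy lacks
    found = {n: sorted(rule_refs(parse(e)) - set(policy)) for n, e in policy.items()}
    return {n: missing for n, missing in found.items() if missing}

SAMPLE = {  # constructed policy; "cloud_admin" is deliberately left undefined
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "identity:update_user": "rule:admin_required and (rule:owner or not rule:cloud_admin)",
}
```

`undefined_refs(SAMPLE)` flags `identity:update_user` for its reference to the missing `cloud_admin` rule, the kind of dangling reference that auto-completing from existing rule definitions is meant to prevent.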