[openstack-dev] [Keystone] [Horizon] UI for Keystone dynamic policies editing

David Chadwick d.w.chadwick at kent.ac.uk
Tue Aug 4 10:42:04 UTC 2015


Hi All

Ioram has built a complete set of wireframe policy GUI screens for
comment. He has uploaded them to InVision

https://openstack.invisionapp.com/share/HQ3QN2123#/screens

Please comment on these in InVision

regards

David

On 03/08/2015 21:39, Lin Hua Cheng wrote:
> Hi Timur,
> 
> Thanks for bringing this up. 
> 
> I think we can borrow some concept from the Mistral Workbook Builder. I
> like the ability to add items and seeing the preview on the right side.
> We can re-use that part.
> 
> The challenging part would be building a Rule expression builder that
> supports the policy semantic [1] [2]. We should start with creating some
> mockups.  The builder will also be useful even if we don't land the
> dynamic policy in L by adding support of loading local policy files for
> editing and providing export functionality.
> 
> I imagine there would be a pop-up that will allow user to build the
> expression with support for:
> 1. Building nested expression using AND OR and ()
> 2. Auto-complete that lists:
> -  existing rule definition 
> -  available context variable (like domain_id, user_id, target.token)
> 
> Just throwing some ideas around.  
> 
> This is a good opportunity to engage the new UX project they might have
> a better idea how the Expression Builder should look like. :)
> 
> Thanks,
> Lin
> 
> [1]
> https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L18-L210
> [2]
> http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html
> 
> 
> On Mon, Aug 3, 2015 at 5:10 AM, Timur Sufiev <tsufiev at mirantis.com
> <mailto:tsufiev at mirantis.com>> wrote:
> 
>     Hello, folks!
> 
>     A word has come to me that on the recent Keystone mid-cycle summit
>     dynamic policies have been discussed - as well as the lack of means
>     to edit them in UX-friendly manner. I had my own share of editing
>     *_policy.json files inside openstack_dashboard/conf and can hardly
>     state it's easy. At least, when dynamic policies are fully supported
>     by all OpenStack services we will have no longer to edit the same
>     files on every controller node in case of HA installations. Still,
>     the problem of editing a single policy file remains. AFAIK, the
>     obscurity of policy rules' format had lead may deployers to the
>     copy-pasting existing rules with minimal changes - when they were
>     meant to a flexible tool for RBAC definitions.
> 
>     But I wouldn't write this letter, if I didn't have some kind of
>     solution to the task of editing the policies. During my work on
>     Merlin framework/Mistral Workbook Builder I've achieved some results
>     that might be useful for a Keystone community. More specifically,
>     visual structure and type of relations between Workbook entities
>     appeared to me to be similar to the entities of Keystone policies.
>     Understanding that some things are better seen in dynamic than in
>     static screenshots, I'm sharing the address of the VM where the
>     Workbook builder is deployed inside
>     Horizon: http://horizon-merlin.mirantis.com/horizon/project/
>     Credentials are demo/demo. Some features like saving the workbooks
>     to db or the rest OpenStack control plane are disabled for security
>     reasons, leaving only the Workbook Builder UI there. 
> 
>     I'd like to start the discussion about the extent of reusing Merlin
>     UI elements for making a dynamic policies editor.
> 
>     __________________________________________________________________________
>     OpenStack Development Mailing List (not for usage questions)
>     Unsubscribe:
>     OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>     <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 



More information about the OpenStack-dev mailing list