[openstack-dev] [keystone] [nova] [oslo] oslo.policy requests from the Nova team

Ihar Hrachyshka ihrachys at redhat.com
Tue Jun 2 16:31:55 UTC 2015


On 06/02/2015 06:22 PM, Sean Dague wrote:
> Nova has a very large API, and during the last release cycle a lot
> of work was done to move all the API checking properly into policy,
> and not do admin context checks at the database level. The result
> is a very large policy file - 
> https://github.com/openstack/nova/blob/master/etc/nova/policy.json
> This provides a couple of challenges. One of which is in recent
> defcore discussions some deployers have been arguing that the
> existence of policy files means that anything you can do with
> policy.json is valid and shouldn't impact trademark usage, because
> the knobs were given. Nova specifically states this is not ok - 
> https://github.com/openstack/nova/blob/master/doc/source/devref/policy
> however, we'd like to go a step further here.
> What we'd really like is sane defaults for policy that come from
> code, not from etc files. So that a Nova deploy with an empty
> policy.json is completely valid, and does a reasonable thing.
> Policy.json would then be just a set
> of http://docs.openstack.org/developer/oslo.policy/api.html#rule-check
> overrides for existing policy. That would make it a lot more clear
> what was changed from the existing policy.
> We'd also really like the policy system to be able to WARN when
> the server starts if the policy was changed in some way that could 
> negatively impact compatibility of the system, i.e. if functions
> that we felt were essential were turned off. Because the default
> policy is in code, we could have a view of the old and new world
> and actually warn the Operator that they did a weird thing.
> Lastly, we'd actually really like to redo our policy to look more
> like resource urls instead of extension names, as this should be a
> lot more sensible to the administrators, and hopefully make it
> easier to think about policy. Which I think means an aliasing
> facility in oslo.policy to allow a graceful transition for users.
> (This may exist, I don't know).

If I understand your aliasing need correctly, you may want to use

> I'm happy to write specs here, but mostly wanted to have the
> discussion on the list first to ensure we're all generally good
> with this direction.
> -Sean
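
An added illustration, not part of either message and not oslo.policy's API: a Python sketch of the quoted proposal, with defaults held in code, policy.json treated purely as overrides, a startup warning when an essential rule is changed, and an alias map for renamed rules. The rule names, check strings, essential set and alias map are constructed assumptions.

```python
import json
import logging

LOG = logging.getLogger("policy_defaults")

# Constructed in-code defaults in policy.json "name": "check" style.
# Rule names and check strings are hypothetical, not Nova's real policy.
DEFAULTS = {
    "admin_api": "role:admin",
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "servers:create": "",                    # empty check: always allowed
    "servers:delete": "rule:admin_or_owner",
    "os-hypervisors:list": "rule:admin_api",
}
# Rules treated as essential for compatibility (assumption for this sketch).
ESSENTIAL = {"servers:create", "servers:delete"}
# Old extension-style name -> new resource-style name (assumption).
ALIASES = {"compute:create": "servers:create"}


def effective_policy(override_text):
    """Merge operator overrides onto the defaults.

    Returns (policy, warnings); an empty file yields exactly the defaults.
    """
    overrides = json.loads(override_text) if override_text.strip() else {}
    policy, warnings = dict(DEFAULTS), []
    for name, check in overrides.items():
        if name in ALIASES:
            warnings.append("%s is deprecated, use %s" % (name, ALIASES[name]))
            name = ALIASES[name]
        if name in ESSENTIAL and check != DEFAULTS[name]:
            warnings.append("essential rule %s changed from %r to %r"
                            % (name, DEFAULTS[name], check))
        policy[name] = check
    for message in warnings:
        LOG.warning(message)   # what the operator would see at startup
    return policy, warnings


if __name__ == "__main__":
    # Constructed operator file: "!" is the always-deny check.
    sample = '{"compute:create": "!", "os-hypervisors:list": ""}'
    for line in effective_policy(sample)[1]:
        print(line)
```

Relaxing the non-essential `os-hypervisors:list` rule produces no warning in this sketch, because only rules in the essential set are compared against their defaults.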

