[openstack-dev] [keystone] [nova] [oslo] oslo.policy requests from the Nova team
ihrachys at redhat.com
Tue Jun 2 16:31:55 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
On 06/02/2015 06:22 PM, Sean Dague wrote:
> Nova has a very large API, and during the last release cycle a lot
> of work was done to move all the API checking properly into policy,
> and not do admin context checks at the database level. The result
> is a very large policy file -
> This provides a couple of challenges. One of which is in recent
> defcore discussions some deployers have been arguing that the
> existence of policy files means that anything you can do with
> policy.json is valid and shouldn't impact trademark usage, because
> the knobs were given. Nova specifically states this is not ok -
however, we'd like to go a step further here.
> What we'd really like is sane defaults for policy that come from
> code, not from etc files. So that a Nova deploy with an empty
> policy.json is completely valid, and does a reasonable thing.
> Policy.json would then be just a set
> overrides for existing policy. That would make it a lot more clear
> what was changed from the existing policy.
> We'd also really like the policy system to be able to WARN when
> the server starts if the policy was changed in some way that could
> negatively impact compatibility of the system, i.e. if functions
> that we felt were essential were turned off. Because the default
> policy is in code, we could have a view of the old and new world
> and actually warn the Operator that they did a weird thing.
> Lastly, we'd actually really like to redo our policy to look more
> like resource urls instead of extension names, as this should be a
> lot more sensible to the administrators, and hopefully make it
> easier to think about policy. Which I think means an aliasing
> facility in oslo.policy to allow a graceful transition for users.
> (This may exist, I don't know).
If I understand your aliasing need correctly, you may want to use
> I'm happy to write specs here, but mostly wanted to have the
> discussion on the list first to ensure we're all generally good
> with this direction.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
More information about the OpenStack-dev