[openstack-dev] Dynamic Policy for Access Control Subteam Meeting

Adam Young ayoung at redhat.com
Wed Jun 3 16:28:38 UTC 2015


On 06/03/2015 06:47 AM, Sean Dague wrote:
> Where I get fuzzy on what I've read / discussed on Dynamic Policy right
> now is the fact that every API call is going to need another round trip
> to Keystone for a policy check (which would be db calls in keystone?)
> Which, maybe is fine, but it seems like there are some challenges and
> details around how this consolidated view of the world gets back to the
> servers. It *almost* feels like that /policy API could be used to signal
> catch flush as well on changes in Keystone (though we'd need to handle
> the HA proxy case). I don't know, this seems a place where devil is in
> the details, and lots of people probably need to weigh in on options.
Don't worry, I am not proposing this. I am proposing extending the 
existing mechanism to fetch and cache the policy.json file.  I'm 
currently thinking a default of 1-5 minutes...feedback?
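
The staleness window that comes with a fetch-and-cache approach like the one proposed above, as an added example that is not part of the original message or of any OpenStack code. `CachedPolicy`, the `fetch` callable, the one-rule-per-action `role:<name>` form and the sample policy text are assumptions made for illustration; the 300 second TTL is the upper end of the 1-5 minute range mentioned.

```python
import json
import time


class CachedPolicy:
    """Policy document fetched through `fetch` and reused for `ttl` seconds."""

    def __init__(self, fetch, ttl=300, clock=time.monotonic):
        self._fetch = fetch      # hypothetical callable returning policy JSON text
        self._ttl = ttl          # assumed default: upper end of the 1-5 minute range
        self._clock = clock      # injectable so the window can be tested
        self._rules = {}         # empty policy: every action is denied
        self._expires = None     # None until the first successful fetch
        self.fetch_count = 0

    def _refresh_if_stale(self):
        now = self._clock()
        if self._expires is not None and now < self._expires:
            return               # still inside the TTL: no round trip
        self.fetch_count += 1
        try:
            rules = json.loads(self._fetch())
        except (OSError, ValueError):
            return               # keep last good policy (or deny-all), retry next call
        self._rules = rules
        self._expires = now + self._ttl

    def allowed(self, action, roles):
        """Simplified rule form: each action maps to one 'role:<name>' string."""
        self._refresh_if_stale()
        rule = self._rules.get(action, "")
        return rule.startswith("role:") and rule[len("role:"):] in roles


def staleness_demo():
    """Constructed scenario: the policy is tightened 10 s after the first fetch."""
    source = {"text": '{"compute:delete": "role:member"}'}
    now = [0.0]
    policy = CachedPolicy(lambda: source["text"], ttl=300, clock=lambda: now[0])
    seen = []
    for t in (0, 10, 299, 300):
        now[0] = float(t)
        if t == 10:
            source["text"] = '{"compute:delete": "role:admin"}'
        seen.append((t, policy.allowed("compute:delete", {"member"})))
    return seen
```

The tightened rule only takes effect at the first check after the TTL expires, so the TTL is also the longest time a revoked permission keeps working on a server that can still reach the policy source.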