[openstack-dev] [keystone] [nova] [oslo] [cross-project] Dynamic Policy

Sean Dague sean at dague.net
Wed Jun 3 17:43:39 UTC 2015

On 06/03/2015 10:10 AM, Adam Young wrote:
> I gave a presentation on Dynamic Policy for Access Control at the Summit.
> https://www.openstack.org/summit/vancouver-2015/summit-videos/presentation/dynamic-policy-for-access-control
> My slides are here:
> http://adam.younglogic.com/presentations/dynamic_policy.pp.pdf
> My original blog post attempted to lay out the direction:
> http://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/
> And the Overview spec is here:
> https://review.openstack.org/#/c/147651/
> This references multiple smaller specs:
> A unified policy file:
> https://review.openstack.org/134656

The unified policy file, as an actual single file is part of this
process which I'm concerned isn't workable unless all OpenStack
components are upgraded lock step, which is actually a situation we want
to do less of, not more of.

Assume that Keystone git tree owns that file. Nova adds an API via
microversions for an intermediate milestone that adds new policy in.
Deployers CD this version out, leaving Keystone at the previous release
version. Now Nova has code out there that requires policy which doesn't
exist. The policy at some level is really linked to the code.

In a world of microversions this is now a lot more like database schema,
because big bang API changes are a thing of the past (at least on the
Nova side). (Note: I'm working up some more general explanation of that
whole model shortly, part of our comms plan out of summit).


Sean Dague

More information about the OpenStack-dev mailing list