[openstack-dev] [keystone] [nova] [oslo] [cross-project] Dynamic Policy

Sean Dague sean at dague.net
Wed Jun 3 18:55:23 UTC 2015

On 06/03/2015 02:44 PM, David Chadwick wrote:
> In the design that we have been building for a policy administration
> database, we dont require a single policy in order to unify common
> concepts such as hierarchical attributes and roles between the different
> policies of Openstack services. This is because policies and hierarchies
> are held separately and are linked via a many to many relationship. My
> understanding of Adam's primary requirement was that a role hierarchy
> say, should be common across all OpenStack service policies, without
> this necessarily meaning you have to have one huge policy. And there is
> no requirement for Keystone to own all the policies. So each service
> could still own and manage its own policy, whilst having attribute
> hierarchies in common.
> Does this help?
> regards
> David

That part makes total sense. What concerned me is there was an
intermediary step that seemed like it was literally *one file*
(https://review.openstack.org/134656). That particular step I think is

By "common role hierachy" do you mean namespaced roles for services?
Because if yes, definitely. And I think that's probably the first
concrete step moving the whole thing forward, which should be doable on
the existing static json definitions.


Sean Dague

More information about the OpenStack-dev mailing list