[openstack-dev] [Nova] policy in code update

Andrew Laski andrew at lascii.com
Sun Jul 17 18:56:42 UTC 2016


Here's a quick update on where we have ended up so far on the work to
define default policy rules in Nova code.

The majority of the effort has merged, so now all used policy checks are
defined in code; thanks to Claudiu for doing most of this work. The sample
policy file is now empty
http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json?id=f6f4003dfdac83d1decad56cdf39258e9dc75ec0
and Devstack is running with this policy file in Zuul jobs. Interested
people can look through the patches in
https://blueprints.launchpad.net/nova/+spec/policy-in-code to see what
the effort looked like.

Devs wishing to add a new policy check should be aware that it is now
done by registering a policy check in nova/policies/* just like it would
be done for a config option. And then "context.can(...)" is used for
performing the actual policy check. This will raise an exception if an
attempt is made to use a policy rule which is not registered.

There is a new "tox -e genpolicy" target which will generate a full
policy sample file for devs/deployers who wish to see which policy rules
are available.

As far as what's left, there are a few tools that would be useful to
have. There is a WIP proposal for a CLI tool which will generate a list
of policies that a given context and target will pass
(https://review.openstack.org/#/c/322944/). There is another WIP
proposal which will expose two oslo.policy console scripts
(https://review.openstack.org/#/c/335667/). One script compares a policy
file against the registered rules and informs the user of configured
rules that match the defaults. The other script outputs the effective
rules in use which are a merge of the registered rules and configured
rules.

Next steps are to look at a good way to expose this information in an
API so that users can precheck their credentials against policies in
order to know what they are allowed or not allowed to do. This will not
be done in Newton.

Thanks to everyone involved in coding and reviewing this work.

-Andrew
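The mechanics described in the message above, registered defaults in code, an operator policy file merged on top, a report of configured rules that merely repeat the defaults, and a `context.can(...)` that raises on unregistered rules, as an added toy model. This is illustration code written for this page, not Nova's or oslo.policy's own implementation: the rule names are constructed in Nova's `os_compute_api:*` style, the `policy.json` overlay is a constructed sample, and the check-string evaluator supports only a subset of the real syntax (`rule:`, `role:`, `key:value` with `%(target)s` substitution, `@`, `!`, `and`/`or` without parentheses).

```python
"""Toy model of policy-in-code (added illustration, not Nova or oslo.policy):
defaults registered in code, an operator overlay merged on top, a redundant
override report, and a can() that refuses unregistered rules."""
import json


class PolicyNotRegistered(Exception):
    """Raised when code asks about a rule no module ever registered."""


class PolicyNotAuthorized(Exception):
    """Raised by can() when the effective rule denies the request."""


# Registered defaults (constructed; names follow Nova's os_compute_api:* style)
REGISTERED_DEFAULTS = {
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "os_compute_api:servers:show": "rule:admin_or_owner",
    "os_compute_api:servers:delete": "rule:admin_or_owner",
}

# Constructed operator policy.json: one genuine override and one line that
# merely repeats the registered default.
SAMPLE_POLICY_JSON = json.dumps({
    "os_compute_api:servers:delete": "rule:admin_api",
    "admin_api": "is_admin:True",
})


def load_configured(text):
    """Parse an operator policy file (JSON object of rule name -> check)."""
    return json.loads(text) if text.strip() else {}


def effective_rules(registered, configured):
    """Merge: a configured rule overrides the registered default of that name."""
    merged = dict(registered)
    merged.update(configured)
    return merged


def redundant_overrides(registered, configured):
    """Configured rules that just restate the default (safe to drop)."""
    return sorted(name for name, check in configured.items()
                  if registered.get(name) == check)


def _atom(atom, creds, target, rules):
    """Evaluate one 'kind:value' term against credentials and target."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return _evaluate(rules[value], creds, target, rules)
    if kind == "role":
        return value in creds["roles"]
    if "%(" in value:                       # e.g. project_id:%(project_id)s
        value = value % target
    return str(creds.get(kind)) == value


def _evaluate(check, creds, target, rules):
    """'or' of 'and' clauses; an empty check string means always allowed."""
    if check == "":
        return True
    return any(all(_atom(a.strip(), creds, target, rules)
                   for a in clause.split(" and "))
               for clause in check.split(" or "))


class Context:
    """Request context carrying credentials and the effective rule set."""

    def __init__(self, user_id, project_id, roles, rules):
        self.creds = {"user_id": user_id, "project_id": project_id,
                      "roles": list(roles), "is_admin": "admin" in roles}
        self.rules = rules

    def can(self, rule_name, target=None, fatal=True):
        # Asking about an unregistered rule is a programming error, so it
        # raises regardless of what the operator's file contains.
        if rule_name not in REGISTERED_DEFAULTS:
            raise PolicyNotRegistered(rule_name)
        allowed = _evaluate(self.rules[rule_name], self.creds,
                            target or {}, self.rules)
        if not allowed and fatal:
            raise PolicyNotAuthorized(rule_name)
        return allowed


if __name__ == "__main__":
    configured = load_configured(SAMPLE_POLICY_JSON)
    rules = effective_rules(REGISTERED_DEFAULTS, configured)
    print("redundant:", redundant_overrides(REGISTERED_DEFAULTS, configured))
    owner = Context("u1", "p1", ["member"], rules)
    print("owner show:", owner.can("os_compute_api:servers:show",
                                   {"project_id": "p1"}))
    print("owner delete:", owner.can("os_compute_api:servers:delete",
                                     {"project_id": "p1"}, fatal=False))
```

Run as a script it reports `admin_api` as a redundant override, shows the owner can still view their own server, and shows that the operator's override of the delete rule to `rule:admin_api` now denies the non-admin owner; the registered default for `show` is untouched because the file does not mention it.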


