[openstack-dev] [Tripleo][Fuel][Kolla][Ansible][Puppet] Parsing and Managing Policy in Keystone
Adam Young
ayoung at redhat.com
Sun Mar 20 03:50:42 UTC 2016
The policy API is currently a Blob-based operation. Keystone knows
nothing about the data stored or retrieved.
There is an API to fetch the policy file for a given endpoint.
http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3-os-endpoint-policy.rst
What I would like to do is get the policy management synchronized with
the Endpoint registration. It should look something like this:
When a service is registered with Keystone, upload the associated policy
file for that service to Keystone, and create a service level association:
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
If there is a need to modify the policy, the updated policy goes to
Keystone, along with a new policy_id, the association is updated, then
synchronized down to the other services.
Lots of questions here:
Keystone is capable of sending out notifications. Does it make sense
to have the undercloud Heat listen to notifications from Keystone, and
have Keystone send out a notification if a Policy association changes?
Can Heat update a file on stack? Is that too much Keystone-specific
knowledge?
What about the Container cases? Can Kolla update a policy file in a
container, or does it need to spin up a new container with the updated
values? If so, what happens with the endpoint ID, does it stay the same?
In the OSAD case, what would be the right service to listen for the
notifications?
What other support would the Content management systems need from
Keystone? Obviously, Client and CLI support, Puppet modules.
Let's get the conversation started here on the mailing list, and expect
to dive into it deep in Austin.
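
The upload, associate and re-sync flow described in this message, as an added example that is not part of the original post or of Keystone's code. FakeKeystone, sync_policy and the sample IDs are hypothetical, and the blob is assumed to be a policy.json-style object of rule strings; because Keystone stores the blob without parsing it, the consumer validates it before replacing the deployed file.

```python
import json
import uuid


class FakeKeystone:
    """Constructed in-memory stand-in for the Keystone policy calls (hypothetical)."""

    def __init__(self):
        self.policies = {}      # policy_id -> {"blob": str, "type": str}
        self.associations = {}  # (service_id, region_id) -> policy_id

    def create_policy(self, blob, mime="application/json"):
        # Models POST /v3/policies: the blob is stored as-is, never parsed.
        policy_id = uuid.uuid4().hex
        self.policies[policy_id] = {"blob": blob, "type": mime}
        return policy_id

    def associate(self, policy_id, service_id, region_id):
        # Models PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/
        #            services/{service_id}/regions/{region_id}
        if policy_id not in self.policies:
            raise KeyError(policy_id)
        self.associations[(service_id, region_id)] = policy_id

    def policy_for(self, service_id, region_id):
        policy_id = self.associations[(service_id, region_id)]
        return policy_id, self.policies[policy_id]


def sync_policy(keystone, service_id, region_id, deployed_id):
    """Return (policy_id, rules) when a new, valid policy must be deployed, else None."""
    policy_id, policy = keystone.policy_for(service_id, region_id)
    if policy_id == deployed_id:
        return None  # association unchanged, nothing to write
    # Keystone does not inspect the blob, so validate before replacing the file.
    if policy["type"] != "application/json":
        raise ValueError("unexpected policy type: %r" % policy["type"])
    rules = json.loads(policy["blob"])  # JSONDecodeError is a ValueError
    if not isinstance(rules, dict) or not all(
            isinstance(rule, str) for rule in rules.values()):
        raise ValueError("policy must be a JSON object of rule strings")
    return policy_id, rules


if __name__ == "__main__":
    ks = FakeKeystone()
    first = ks.create_policy('{"identity:list_users": "role:admin"}')  # constructed
    ks.associate(first, "identity-svc", "RegionOne")
    print(sync_policy(ks, "identity-svc", "RegionOne", deployed_id=None))
```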