[openstack-dev] [tripleo] Policy Managment and distribution.
shardy at redhat.com
Wed Mar 30 21:16:05 UTC 2016
On Tue, Mar 29, 2016 at 07:37:02PM -0400, Emilien Macchi wrote:
> On Tue, Mar 29, 2016 at 6:18 PM, Adam Young <ayoung at redhat.com> wrote:
> > Keystone has a policy API, but no one uses it. It allows us to associate a
> > policy file with an endpoint. Upload a json blob, it gets a uuid. Associate
> > the UUID with the endpoint. It could also be associated with a service, and
> > then it is associated with all endpoint for that service unless explicitly
> > overwritten.
> > Assuming all of the puppet modules for all of the services support managing
> > the policy files, how hard would it be to synchronize between the database
> > and what we distribute to the nodes? Something along the lines of: if I
> > put a file in this directory, I want puppet to use it the next time I do a
> > redeploy, and I also want it uploaded to Keystone and associate with the
> > endpoint?
> > As a start, I want to be able to replace the baseline policy.json file with
> > the cloudsample. We ship both.
> > We have policy.pp in Puppet Keystone for this use case.
> > In tripleO, we could create a parameter that uses would use to
> > configure specific policies. It would be an hash and puppet will
> > manage the policies. This would handle the Keystone case, but we need
> > to customize all of the policy files, for all of the services, for
> > example, to add the is_admin_project check. I'd like to get this mechanism
> > in place before I start that work, so I can easily test changes.
> the keystone::policy (and generally neutron::policy, nova::policy,
> etc...) class is pretty robust:
> * it creates news policies or update existing ones.
> * it does not delete old policies, that are already in the file.
> * notify keystone service on every change.
> Please use it and let us know if we need to change something in
> puppet-keystone, that would help you to deploy the use-case.
I tried driving the heat::policy class today via our existing extraconfig
parameter, it works like this:
Just include this in an environment file, and the policy.json for heat will
be updated by puppet.
The only issue I found was the json formatting is lost when puppet renders
the file, it becomes a giant json blob (newlines/formatting gone).
Other than that it works well, so I assume the other interfaces will work
similarly for all other services.
The other approch I tried was using the new DeployArtifacts interface,
which isn't yet documented, but was proposed in this spec:
This was originally envisaged as a method to deploy updated puppet modules
(when not delivered via package updates), but it actually works great as a
general purpose deploy-files mechanism too:
Here's how it works:
1. Clone https://github.com/openstack/tripleo-common (not sure if the
script needed is packaged yet)
2. mkdir -p policyfiles/etc/heat/ && cd policyfiles
3. vim etc/heat/policy.json (copy the initial file from somewhere)
4. tar -cvzf policy123.tgz etc # Note the tarball is expanded from "/" so
ensure path prefixes are as required
5. ./tripleo-common/scripts/upload-swift-artifacts -f
This creates a special environment file here:
*NOTE* this will *always* be used now until you delete it, you don't need
to explicitly specify it via "-e"
I guess there are pros/cons to both methods, and neither uses keystone as
the policy store - I'm not sure how important that is vs having them stored
"somewhere", e.g it seems like they could just as well be stored in a git
repo or swift on the undercloud, there's not huge benefit to storing them
in the overcloud unless other services support automatically consuming
More information about the OpenStack-dev