Open Stack

On 9/30/2019 12:27 PM, Dan Smith wrote:
>> 7. Which services require policy.{yml,json}? I can see policy
>> referenced in API, conductor and compute.
> That's a good question. I would have thought it was just API, so maybe
> someone else can chime in here, although it's not specific to cells.

I don't see any explicit policy checks in conductor. Maybe you're 
referring to the conductor code handling UnsupportedPolicyException? 
That's a bad exception class name but its really something that the 
scheduler service can raise when a server group is created with a given 
policy, e.g. anti-affinity, and the scheduler filter to enforce that 
policy is not enabled.

As for the nova-compute service, the only explicit policy check that I 
know of is here [1]. That's a late check since the API does not 
necessarily know which network we're going to boot on, we gather that 
information later in the build process on the compute service. Yes it's 
unfortunate and it came up in the dev ML a few years ago [2]. The only 
other "policy" stuff in the compute service is the late affinity check 
[3] that Dan mentioned which is about server group policy not RBAC.

[1] 
https://github.com/openstack/nova/blob/627c461a62ce722a4c95a44b181f40b8db198c2b/nova/network/neutronv2/api.py#L532
[2] http://lists.openstack.org/pipermail/openstack-dev/2016-June/096919.html
[3] 
https://github.com/openstack/nova/blob/627c461a62ce722a4c95a44b181f40b8db198c2b/nova/compute/manager.py#L1467

-- 

Thanks,

Matt