[Openstack-operators] Policy Updates

Logan V. logan at protiumit.com
Thu Feb 23 20:06:20 UTC 2017


I think this actually started in Newton. Yes, it ships blank; however,
there is still a default policy implemented as before with similar
defaults separating the admin and user roles. The default policy is
implemented in the nova code base
(https://github.com/openstack/nova/tree/stable/newton/nova/policies)
and overrides can be provided using policy.json (which also accepts
yaml despite what the file extension would lead you to believe). The
difference now is that the default policy is not enumerated in a
policy.json file by default. You can obtain the default policy by
running

    oslopolicy-sample-generator --namespace nova

There are also several other oslopolicy-* tools like:

- oslopolicy-list-redundant - can be used to list policies defined in
  the policy.json which are redundant to the default policy
- oslopolicy-checker - test access against a specific policy item
- oslopolicy-policy-generator - dump a consolidated view of the policy
  (i.e. defaults combined with overrides) for use with i.e. horizon's
  policy things.

One thing I found with exporting this dump from nova
and using it in horizon is that you must define a policy called
"default" (usually set to "rule:admin_or_owner") because it is not
included in the dump and it seemed to cause some odd behavior in
horizon like the instances tab not showing up under the admin panel.


On Thu, Feb 23, 2017 at 1:52 PM, Edgar Magana <edgar.magana at workday.com> wrote:
> Am I understanding correctly that in Ocata release, the policy.json file for
> NOVA is blank?
>
> What does that mean for us (operators)? Everything will be open for
> everybody or the other way around?
>
>
>
> In any case, that sounds like an awful approach because now if we upgrade
> we will need to be sure that we have a proper json file while in the past we
> at least were starting from the default one.
>
>
>
> Edgar
>
>
>
> From: David Medberry <openstack at medberry.net>
> Date: Thursday, February 23, 2017 at 10:45 AM
> To: "openstack-operators at lists.openstack.org"
> <openstack-operators at lists.openstack.org>
> Subject: [Openstack-operators] Policy Updates
>
>
>
> Nova no longer ships with a fleshed-out skeleton of all policy.json. It
> ships blank.
>
>
>
> Discussion in here on how to help operators select specific settings to
> include in their policy.json via documentation.
>
>
>
> You (as an op) may want to review and comment on this. This model is being
> proposed for all openstack projects (or at least MORE openstack projects.)
>
>
>
> https://review.openstack.org/#/c/433010
>
>
>
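
A pre-deployment check for the two concerns raised in this thread (the "default" rule missing from the consolidated dump, and rules that are open to everybody), as an added example that is not part of the original messages or of oslo.policy. The sample dump, the example:* rule names and the helper function names are constructed for illustration; a real dump would come from oslopolicy-policy-generator.

```python
import json
import re

# Constructed sample in the shape of `oslopolicy-policy-generator --namespace nova`
# output; the rule values are illustrative, not a real nova dump.
SAMPLE_DUMP = """{
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "admin_api": "is_admin:True",
  "os_compute_api:servers:index": "rule:admin_or_owner",
  "os_compute_api:os-hypervisors": "rule:admin_api",
  "example:open_to_all": "",
  "example:dangling": "rule:not_defined_anywhere"
}"""

RULE_REF = re.compile(r"\brule:([A-Za-z0-9_:.\-]+)")


def add_default_rule(policy, default_check="rule:admin_or_owner"):
    """Return a copy with a "default" rule, which the dump does not include."""
    fixed = dict(policy)
    fixed.setdefault("default", default_check)
    return fixed


def audit(policy):
    """Return sorted (rule_name, finding) pairs to review before deployment."""
    findings = []
    if "default" not in policy:
        findings.append(("default", "missing"))
    for name, check in policy.items():
        # oslo.policy treats an empty check (and "@") as "always allow".
        if check in ("", "@", []):
            findings.append((name, "always allows"))
            continue
        for ref in RULE_REF.findall(str(check)):
            if ref not in policy:
                findings.append((name, "references undefined rule " + ref))
    return sorted(findings)


if __name__ == "__main__":
    dump = json.loads(SAMPLE_DUMP)
    for name, finding in audit(dump):
        print("before: %s: %s" % (name, finding))
    horizon_policy = add_default_rule(dump)
    for name, finding in audit(horizon_policy):
        print("after:  %s: %s" % (name, finding))
    print(json.dumps(horizon_policy, indent=2, sort_keys=True))
```
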


