[Openstack-operators] Policy Updates
David Medberry
openstack at medberry.net
Thu Feb 23 20:17:05 UTC 2017
Yep what Logan said. I'm pretty sure Sean Dague talked about this at the
last Operator's mid-cycle. The "blank" policy.json just means you get the
default policies. You set a value to override the defaults.
I don't see it in the Ocata relnotes but git indicates this is where it
happened:
https://github.com/openstack/nova/blob/stable/mitaka/etc/nova/policy.json
https://github.com/openstack/nova/blob/stable/newton/etc/nova/policy.json
again, no change in behavior...
On Thu, Feb 23, 2017 at 3:06 PM, Logan V. <logan at protiumit.com> wrote:
> I think this actually started in Newton. Yes it ships blank, however
> there is still a default policy implemented as before with similar
> defaults separating the admin and user roles. The default policy is
> implemented in the nova code base
> (https://github.com/openstack/nova/tree/stable/newton/nova/policies)
> and overrides can be provided using policy.json (which also accepts
> yaml despite what the file extension would lead you to believe). The
> difference now is that the default policy is not enumerated in a
> policy.json file by default. You can obtain the default policy by
> running
> oslopolicy-sample-generator --namespace nova
>
> There are also several other oslopolicy-* tools like
> - oslopolicy-list-redundant - can be used to list policies defined in
>   the policy.json which are redundant to the default policy
> - oslopolicy-checker - test access against a specific policy item
> - oslopolicy-policy-generator - dump a consolidated view of the policy
>   (i.e. defaults combined with overrides) for use with i.e. horizon's
>   policy things.
>
> One thing I found with exporting this dump from nova
> and using it in horizon is that you must define a policy called
> "default" (usually set to "rule:admin_or_owner") because it is not
> included in the dump and it seemed to cause some odd behavior in
> horizon like the instances tab not showing up under the admin panel.
>
>
> On Thu, Feb 23, 2017 at 1:52 PM, Edgar Magana <edgar.magana at workday.com>
> wrote:
> > Am I understanding correctly that in Ocata release, the policy.json file
> > for NOVA is blank?
> >
> > What does that mean for us (operators)? Everything will be open for
> > everybody or the other way around?
> >
> >
> >
> > In any case, that sounds like an awful approach because now if we
> > upgrade we will need to be sure that we have a proper json file while
> > in the past we at least were starting from the default one.
> >
> >
> >
> > Edgar
> >
> >
> >
> > From: David Medberry <openstack at medberry.net>
> > Date: Thursday, February 23, 2017 at 10:45 AM
> > To: "openstack-operators at lists.openstack.org"
> > <openstack-operators at lists.openstack.org>
> > Subject: [Openstack-operators] Policy Updates
> >
> >
> >
> > Nova no longer ships with a fleshed-out skeleton of all policy.json. It
> > ships blank.
> >
> >
> >
> > Discussion in here on how to help operators select specific settings to
> > include in their policy.json via documentation.
> >
> >
> >
> > You (as an op) may want to review and comment on this. This model is
> > being proposed for all openstack projects (or at least MORE openstack
> > projects.)
> >
> >
> >
> > https://review.openstack.org/#/c/433010
> >
> >
>
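
An added example, not part of the thread and not nova or oslo.policy code: a small Python model of the behaviour described above, where a blank policy.json leaves the in-code defaults in force and an operator audits overrides before an upgrade. DEFAULTS is a constructed four-rule subset standing in for nova's in-code defaults, SAMPLE_OVERRIDES is a constructed file, redundancy is judged by plain string equality, and the "default" value follows Logan's note about horizon.

```python
import json

# Constructed subset standing in for the defaults registered in nova/policies.
DEFAULTS = {
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "os_compute_api:servers:create": "rule:admin_or_owner",
    "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
}

# Constructed policy.json content an operator might carry across an upgrade.
SAMPLE_OVERRIDES = """{
  "os_compute_api:servers:create": "rule:admin_or_owner",
  "os_compute_api:os-admin-actions:reset_state": "",
  "ops_team": "role:ops"
}"""


def load_overrides(text):
    """Parse policy.json content; a blank file means 'no overrides'."""
    return json.loads(text) if text.strip() else {}


def audit(defaults, overrides):
    """Sort overrides into the buckets worth reviewing before an upgrade."""
    report = {"redundant": [], "changed": [], "unknown": [], "allow_all": []}
    for name, rule in sorted(overrides.items()):
        if name not in defaults:
            report["unknown"].append(name)    # custom rule, or a typo
        elif rule == defaults[name]:
            report["redundant"].append(name)  # same as the in-code default
        else:
            report["changed"].append(name)
        # In oslo.policy an empty rule string (or "@") always passes,
        # so an empty *rule* is open to everybody; an empty *file* is not.
        if rule in ("", "@"):
            report["allow_all"].append(name)
    return report


def consolidated(defaults, overrides, horizon_default="rule:admin_or_owner"):
    """Defaults combined with overrides, plus the 'default' rule for horizon."""
    merged = dict(defaults)
    merged.update(overrides)
    merged.setdefault("default", horizon_default)
    return merged


if __name__ == "__main__":
    print(json.dumps(audit(DEFAULTS, load_overrides(SAMPLE_OVERRIDES)), indent=2))
    print(json.dumps(consolidated(DEFAULTS, load_overrides("")), indent=2))
```
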