On 2/23/2017 3:20 PM, David Medberry wrote: > and the 'nova-policy' command was introduced at the same time.... > finally found the right release notes: > > ref: https://docs.openstack.org/releasenotes/nova/newton.html > > The nova-policy command line is implemented as a tool to experience the > under-development feature policy discovery. User can input the > credentials infomation and the instance info, the tool will return a > list of API which can be allowed to invoke. There isn’t any contract for > the interface of the tool due to the feature still under-development. > > and > > The API policy defaults are now defined in code like configuration > options. Because of this, the sample policy.json file that is shipped > with Nova is empty and should only be necessary if you want to override > the API policy from the defaults in the code. To generate the policy > file you can run: > > oslopolicy-sample-generator --config-file=etc/nova/nova-policy-generator.conf > > Yeah this happened in Newton, here is the spec [1]. The default policy is built into the docs [2] (note that is the policy from current master). The various policy specs John Garbutt is proposing, which we talked about at the PTG, are linked here [3]. [1] https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/policy-in-code.html [2] https://docs.openstack.org/developer/nova/sample_policy.html [3] https://etherpad.openstack.org/p/pike-ptg-keystone-policy -- Thanks, Matt Riedemann