[openstack-dev] [keystone] Liberty FFE Request - Dynamic Policies

Thu, 02 Jul 2015 18:34:44 -0700 

Dear Keystoners,
Dynamic Policies is a great subject which affects OpenStack horizontally, offering a better mechanism for defining and delivering policies to endpoints of any OpenStack service. 


An overview of this subject is presented at its wiki page ( 
https://wiki.openstack.org/wiki/DynamicPolicies ).



What we propose to the Liberty cycle is the dynamic delivering of 
policies, i.e., add to the Keystone server the capability to distribute 
the policy information to service endpoints.

This goal is represented by the following core specs:

* "Dynamic Policies Overlay" ( https://review.openstack.org/#/c/196753/ 
),  specifying how oslo.policy library will overlay the existing local 
policy file with custom rules uploaded dynamically (?from Dynamic 
Policy);
* "Dynamic Policies Fetch and Cache" ( 
https://review.openstack.org/#/c/134655/ ), defining how the Keystone 
Middleware will fetch the policy for the current service endpoint it is 
serving and then ask oslo.policy to overlay the existing local policy 
file;
* "Dynamic Policies Delivering Mechanism"  ( 
https://review.openstack.org/#/c/197980/ ), defining how the Keystone 
Server will control the cache mechanism in order to keep policies 
consistent across different service endpoints which must have the same 
policy, for  example, multiple Nova processes running behind an HAProxy.



Currently, there is some discussion around the association of a Dynamic 
Policy with a given service endpoint. Alternatives are presented in the 
following specs:
* "Dynamic Policies with Custom IDs" ( 
https://review.openstack.org/#/c/198000/ ),  proposing to allow the 
creation of policy entities with custom IDs, easing the configuration of 
the Keystone Middleware and improving UX;
* "Policy by URL" ( https://review.openstack.org/#/c/192422/ ), 
proposing to identify services endpoints by their URL and then use that 
URL to associate policy entities with them.



On behalf of the team working on the Dynamic Policies subject, I would 
like to ask for a Feature Freeze Exception in Liberty for it.


Sincerely,
Samuel de Medeiros Queiroz

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






















					Reply via email to