Dear Keystoners,

Dynamic Policies is a great subject which affects OpenStack horizontally, offering a better mechanism for defining and delivering policies to endpoints of any OpenStack service.

An overview of this subject is presented at its wiki page ( ).

What we propose to the Liberty cycle is the dynamic delivering of policies, i.e., add to the Keystone server the capability to distribute the policy information to service endpoints.
This goal is represented by the following core specs:
* "Dynamic Policies Overlay" ( ), specifying how oslo.policy library will overlay the existing local policy file with custom rules uploaded dynamically (?from Dynamic Policy); * "Dynamic Policies Fetch and Cache" ( ), defining how the Keystone Middleware will fetch the policy for the current service endpoint it is serving and then ask oslo.policy to overlay the existing local policy file; * "Dynamic Policies Delivering Mechanism" ( ), defining how the Keystone Server will control the cache mechanism in order to keep policies consistent across different service endpoints which must have the same policy, for example, multiple Nova processes running behind an HAProxy.

Currently, there is some discussion around the association of a Dynamic Policy with a given service endpoint. Alternatives are presented in the following specs: * "Dynamic Policies with Custom IDs" ( ), proposing to allow the creation of policy entities with custom IDs, easing the configuration of the Keystone Middleware and improving UX; * "Policy by URL" ( ), proposing to identify services endpoints by their URL and then use that URL to associate policy entities with them.

On behalf of the team working on the Dynamic Policies subject, I would like to ask for a Feature Freeze Exception in Liberty for it.

Samuel de Medeiros Queiroz

OpenStack Development Mailing List (not for usage questions)

Reply via email to