The policy API is currently a Blob-based operation. Keystone knows nothing about the data stored or retrieved.

There is an API to fetch the policy file for a given endpoint.

http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3-os-endpoint-policy.rst

What I would like to do is get the policy management synchronized with the Endpoint registration. It should look something like this:

When a service is registered with Keystone, upload the associated policy file for that service to Keystone, and create a service level association:

    PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

If there is a need to modify the policy, the updated policy goes to Keystone, along with a new policy_id, the association is updated, then synchronized down to the other services.

Lots of questions here:

Keystone is capable of sending out notifications. Does it make sense to have the undercloud Heat listen to notifications from Keystone, and have Keystone send out a notification if a Policy association changes? Can Heat update a file on a stack? Is that too much Keystone-specific knowledge?

What about the Container cases? Can Kolla update a policy file in a container, or does it need to spin up a new container with the updated values? If so, what happens with the endpoint ID, does it stay the same?

In the OSAD case, what would be the right service to listen for the notifications?

What other support would the Content management systems need from Keystone? Obviously, Client and CLI support, Puppet modules.

Let's get the conversation started here on the mailing list, and expect to dive into it deep in Austin.
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
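The register / associate / modify / resync flow sketched in the post, as an added example that is neither part of the original message nor Keystone's own code. Only the association path comes from the post; the in-memory stand-in for Keystone, the constructed service and endpoint ids, the notification event name, and the resolution order (service+region association first, then service-wide) are assumptions made for this illustration. The consumer side shows the part the post leaves open, how a service picks up the new policy: it resolves the effective policy for its endpoint, skips the write when the checksum is unchanged, and installs the file atomically so a service reloading its policy never reads a half-written one.

```python
"""Simulated OS-ENDPOINT-POLICY flow (added example, not Keystone's code).

Models what the post describes: a policy is an opaque blob, it is associated
with a service (optionally per region), and a consumer resolves the effective
policy for an endpoint and installs it as a file. Only the association path is
taken from the post; the class, the in-memory store, the notification event
name and the resolution order are assumptions made for this illustration.
"""
import hashlib
import json
import os
import tempfile
import uuid


def association_path(policy_id, service_id, region_id=None):
    """Build the PUT path quoted in the post for a service(+region) association."""
    base = f"/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}"
    return base if region_id is None else f"{base}/regions/{region_id}"


class FakeKeystone:
    """In-memory stand-in (constructed) for the resources the flow touches."""

    def __init__(self):
        self.policies = {}       # policy_id -> blob; Keystone never interprets it
        self.endpoints = {}      # endpoint_id -> (service_id, region_id)
        self.associations = {}   # (service_id, region_id or None) -> policy_id
        self.notifications = []  # events emitted on association change

    def create_policy(self, blob):
        policy_id = uuid.uuid4().hex     # a modified policy gets a fresh id
        self.policies[policy_id] = blob
        return policy_id

    def register_endpoint(self, endpoint_id, service_id, region_id):
        self.endpoints[endpoint_id] = (service_id, region_id)

    def associate(self, policy_id, service_id, region_id=None):
        """PUT the association; emit a notification only when it actually changes."""
        key = (service_id, region_id)
        if self.associations.get(key) == policy_id:
            return
        self.associations[key] = policy_id
        self.notifications.append({
            "event_type": "identity.policy_association.updated",  # assumed name
            "path": association_path(policy_id, service_id, region_id),
            "service_id": service_id,
            "region_id": region_id,
        })

    def policy_for_endpoint(self, endpoint_id):
        """Most specific association wins: service+region, then service-wide (assumed)."""
        service_id, region_id = self.endpoints[endpoint_id]
        for key in ((service_id, region_id), (service_id, None)):
            if key in self.associations:
                policy_id = self.associations[key]
                return policy_id, self.policies[policy_id]
        return None, None


def sync_policy_file(keystone, endpoint_id, path):
    """Consumer side: fetch the effective policy and install it atomically.

    Returns (policy_id, changed). Writing to a temp file in the target
    directory and renaming over the target means a service reloading its
    policy never reads a half-written file; equal checksums skip the rewrite.
    """
    policy_id, blob = keystone.policy_for_endpoint(endpoint_id)
    if policy_id is None:
        raise LookupError(f"no policy associated with endpoint {endpoint_id}")
    data = json.dumps(blob, indent=2, sort_keys=True).encode()
    if os.path.exists(path):
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).digest() == hashlib.sha256(data).digest():
                return policy_id, False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".policy-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o640)      # readable by the service group only
        os.replace(tmp, path)     # atomic rename over the old policy file
    finally:
        if os.path.exists(tmp):   # only left behind if something failed above
            os.unlink(tmp)
    return policy_id, True


def run_demo(workdir=None):
    """Walk the post's flow: register, associate, modify, re-associate, resync."""
    workdir = workdir or tempfile.mkdtemp(prefix="endpoint-policy-")
    path = os.path.join(workdir, "policy.json")
    ks = FakeKeystone()
    ks.register_endpoint("ep-nova-1", "svc-nova", "RegionOne")   # constructed ids
    v1 = ks.create_policy({"compute:get": "rule:admin_or_owner"})
    ks.associate(v1, "svc-nova", "RegionOne")
    first = sync_policy_file(ks, "ep-nova-1", path)
    again = sync_policy_file(ks, "ep-nova-1", path)     # unchanged: no rewrite
    v2 = ks.create_policy({"compute:get": "rule:admin_only"})   # new policy, new id
    ks.associate(v2, "svc-nova", "RegionOne")
    ks.associate(v2, "svc-nova", "RegionOne")           # idempotent: no second event
    after_update = sync_policy_file(ks, "ep-nova-1", path)
    with open(path) as f:
        installed = json.load(f)
    return {"v1": v1, "v2": v2, "first": first, "again": again,
            "after_update": after_update, "events": len(ks.notifications),
            "installed": installed}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Whatever ends up consuming the notification (Heat, Kolla, or an OSAD-side agent), the consumer logic is the same: resolve the policy for the endpoint's own id rather than trusting the blob carried in the event, and treat the write as a replace of the whole file, since a partially updated policy.json is a silent authorization change.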
