Here's a quick update on where we have ended up so far on the work to define default policy rules in Nova code.
The majority of the effort has merged, so now all used policy checks are defined in code; thanks Claudiu for doing most of this work. The sample policy file is now empty (see http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json?id=f6f4003dfdac83d1decad56cdf39258e9dc75ec0) and Devstack is running with this policy file in Zuul jobs. Interested people can look through the patches in https://blueprints.launchpad.net/nova/+spec/policy-in-code to see what the effort looked like.

Devs wishing to add a new policy check should be aware that it is now done by registering a policy check in nova/policies/*, just like it would be done for a config option. Then "context.can(...)" is used for performing the actual policy check. This will raise an exception if an attempt is made to use a policy rule which is not registered. There is a new "tox -e genpolicy" target which will generate a full policy sample file for devs/deployers who wish to see which policy rules are available.

As far as what's left, there are a few tools that would be useful to have. There is a WIP proposal for a CLI tool which will generate a list of policies that a given context and target will pass (https://review.openstack.org/#/c/322944/). There is another WIP proposal which will expose two oslo.policy console scripts (https://review.openstack.org/#/c/335667/). One script compares a policy file against the registered rules and informs the user of configured rules that match the defaults. The other script outputs the effective rules in use, which are a merge of the registered rules and configured rules.

Next steps are to look at a good way to expose this information in an API so that users can precheck their credentials against policies in order to know what they are allowed or not allowed to do. This will not be done in Newton.

Thanks to everyone involved in coding and reviewing this work.
-Andrew

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
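The mechanics Andrew's mail describes (defaults registered in code, a deployer policy file merged on top, a context check that refuses unregistered rules, a genpolicy-style dump, and the two proposed tools that report redundant overrides and list the policies a context passes) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not Nova's or oslo.policy's code, and the rule names, the `register_policy`/`Enforcer`/`RequestContext` API and the tiny check-string grammar it supports are assumptions made here for illustration. Real oslo.policy supports a much richer grammar and a global enforcer rather than one passed into `can()`.

```python
"""Toy model of the policy-in-code pattern described in the mail above.

Added illustration only: not Nova's or oslo.policy's code.  It supports a
small subset of oslo.policy's check-string grammar: "rule:NAME",
"KEY:VALUE", "KEY:%(target_attr)s", "role:NAME", "@" (always allow),
"!" (always deny), and flat "and"/"or" without parentheses.
"""
import json


class PolicyNotRegistered(Exception):
    """A check referenced a rule that was never registered in code."""


class PolicyNotAuthorized(Exception):
    """A fatal can() failed."""


# Stands in for nova/policies/*: defaults are registered at import time,
# the same way a config option would be.
REGISTERED_DEFAULTS = {}


def register_policy(name, default):
    REGISTERED_DEFAULTS[name] = default


# Constructed sample set; names follow Nova's style but are illustrative.
register_policy("admin_api", "is_admin:True")
register_policy("admin_or_owner", "is_admin:True or project_id:%(project_id)s")
register_policy("os_compute_api:servers:index", "rule:admin_or_owner")
register_policy("os_compute_api:servers:create", "rule:admin_or_owner")
register_policy("os_compute_api:os-admin-actions:reset_state", "rule:admin_api")


def generate_sample_policy():
    """What a genpolicy-style target emits: every registered rule and default."""
    return json.dumps(REGISTERED_DEFAULTS, indent=4, sort_keys=True)


def load_policy_file(text):
    """Parse a deployer policy.json; an empty file means 'use all defaults'."""
    return json.loads(text) if text.strip() else {}


def effective_rules(configured):
    """Registered defaults merged with configured overrides (configured wins)."""
    merged = dict(REGISTERED_DEFAULTS)
    merged.update(configured)
    return merged


def rules_matching_defaults(configured):
    """Configured rules that only restate the default and could be removed."""
    return sorted(n for n, c in configured.items() if REGISTERED_DEFAULTS.get(n) == c)


def _atom(atom, creds, target, rules, depth):
    if atom == "@":
        return True
    if atom == "!":
        return False
    key, _, value = atom.partition(":")
    if key == "rule":
        # A reference to an unknown rule denies rather than raising.
        return _check(rules.get(value, "!"), creds, target, rules, depth + 1)
    if key == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        # Credential attribute compared against a target attribute.
        return str(creds.get(key)) == str(target.get(value[2:-2]))
    return str(creds.get(key)) == value


def _check(expr, creds, target, rules, depth=0):
    if depth > 10:
        raise RecursionError("rule reference loop in policy")
    if not expr.strip():
        return True  # an empty check string allows everyone
    return any(all(_atom(a.strip(), creds, target, rules, depth)
                   for a in clause.split(" and "))
               for clause in expr.split(" or "))


class Enforcer:
    def __init__(self, policy_file_text=""):
        self.rules = effective_rules(load_policy_file(policy_file_text))

    def authorize(self, action, target, creds):
        # Fail closed: checking a rule nobody registered is a programming error.
        if action not in REGISTERED_DEFAULTS:
            raise PolicyNotRegistered(action)
        return _check(self.rules[action], creds, target, self.rules)


class RequestContext:
    def __init__(self, user_id, project_id, roles=(), is_admin=False):
        self.user_id, self.project_id = user_id, project_id
        self.roles, self.is_admin = list(roles), is_admin

    def can(self, enforcer, action, target=None, fatal=True):
        """Mirrors context.can(); the enforcer is passed in rather than global."""
        creds = {"user_id": self.user_id, "project_id": self.project_id,
                 "roles": self.roles, "is_admin": self.is_admin}
        target = {"project_id": self.project_id} if target is None else target
        allowed = enforcer.authorize(action, target, creds)
        if fatal and not allowed:
            raise PolicyNotAuthorized(action)
        return allowed


def passing_policies(enforcer, ctx, target):
    """Like the proposed CLI tool: API rules this context passes for a target."""
    return sorted(n for n in REGISTERED_DEFAULTS if n.startswith("os_compute_api:")
                  and ctx.can(enforcer, n, target, fatal=False))
```

Running `Enforcer("")` reproduces the empty-sample-file situation from the mail (effective rules equal the registered defaults), while a policy file that sets `os_compute_api:servers:create` to `rule:admin_api` tightens one rule and leaves everything else on its default; `rules_matching_defaults` then flags any override that merely repeats a default, and `passing_policies` answers the "what can this context do against this target" question the planned API is meant to expose. Note the fail-closed behaviour: a typo in a rule name raises `PolicyNotRegistered` immediately instead of silently falling back to a permissive default.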
