Re: [Openstack-operators] Policy Updates

2017-02-25 Thread Matt Riedemann

On 2/23/2017 3:20 PM, David Medberry wrote:

> and the 'nova-policy' command was introduced at the same time. Finally
> found the right release notes:
>
> ref: https://docs.openstack.org/releasenotes/nova/newton.html
>
> The nova-policy command line is implemented as a tool to experience the
> under-development feature policy discovery. User can input the
> credentials information and the instance info; the tool will return a
> list of API which can be allowed to invoke. There isn't any contract for
> the interface of the tool due to the feature still under-development.
>
> and
>
> The API policy defaults are now defined in code like configuration
> options. Because of this, the sample policy.json file that is shipped
> with Nova is empty and should only be necessary if you want to override
> the API policy from the defaults in the code. To generate the policy
> file you can run:
>
> oslopolicy-sample-generator --config-file=etc/nova/nova-policy-generator.conf

Yeah this happened in Newton, here is the spec [1].

The default policy is built into the docs [2] (note that this is the policy 
from current master).


The various policy specs John Garbutt is proposing, which we talked 
about at the PTG, are linked here [3].


[1] https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/policy-in-code.html
[2] https://docs.openstack.org/developer/nova/sample_policy.html
[3] https://etherpad.openstack.org/p/pike-ptg-keystone-policy

--

Thanks,

Matt Riedemann

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators


Re: [Openstack-operators] Policy Updates

2017-02-23 Thread Edgar Magana
Awesome! Thanks for the clarification! I was ready to have a heart attack!  ☺

Edgar


Re: [Openstack-operators] Policy Updates

2017-02-23 Thread David Medberry
and the 'nova-policy' command was introduced at the same time. Finally
found the right release notes:

ref: https://docs.openstack.org/releasenotes/nova/newton.html

The nova-policy command line is implemented as a tool to experience the
under-development feature policy discovery. User can input the credentials
information and the instance info; the tool will return a list of API which
can be allowed to invoke. There isn't any contract for the interface of the
tool due to the feature still under-development.

and

The API policy defaults are now defined in code like configuration options.
Because of this, the sample policy.json file that is shipped with Nova is
empty and should only be necessary if you want to override the API policy
from the defaults in the code. To generate the policy file you can run:

oslopolicy-sample-generator --config-file=etc/nova/nova-policy-generator.conf




Re: [Openstack-operators] Policy Updates

2017-02-23 Thread David Medberry
Yep what Logan said. I'm pretty sure Sean Dague talked about this at the
last Operator's mid-cycle.  The "blank" policy.json just means you get the
default policies. You set a value to override the defaults.

I don't see it in the Ocata relnotes but git indicates this is where it
happened:

https://github.com/openstack/nova/blob/stable/mitaka/etc/nova/policy.json
https://github.com/openstack/nova/blob/stable/newton/etc/nova/policy.json

again, no change in behavior...



Re: [Openstack-operators] Policy Updates

2017-02-23 Thread Logan V.
I think this actually started in Newton. Yes it ships blank, however
there is still a default policy implemented as before with similar
defaults separating the admin and user roles. The default policy is
implemented in the nova code base
(https://github.com/openstack/nova/tree/stable/newton/nova/policies)
and overrides can be provided using policy.json (which also accepts
yaml despite what the file extension would lead you to believe). The
difference now is that the default policy is not enumerated in a
policy.json file by default. You can obtain the default policy by
running
oslopolicy-sample-generator --namespace nova

There are also several other oslopolicy-* tools like
oslopolicy-list-redundant - can be used to list policies defined in
the policy.json which are redundant to the default policy
oslopolicy-checker - test access against a specific policy item
oslopolicy-policy-generator - dump a consolidated view of the policy
(i.e. defaults combined with overrides) for use with e.g. horizon's
policy things. One thing I found with exporting this dump from nova
and using it in horizon is that you must define a policy called
"default" (usually set to "rule:admin_or_owner") because it is not
included in the dump and it seemed to cause some odd behavior in
horizon like the instances tab not showing up under the admin panel.



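An added example, not code from the thread or from Nova or oslo.policy, modelling what Logan describes: the in-code defaults still govern when policy.json is blank, what oslopolicy-list-redundant and oslopolicy-policy-generator compute over the merged policy, and why a dump without a "default" rule breaks a Horizon-style lookup. The defaults, the operator override file and the evaluator (which handles only a small subset of oslo.policy's expression syntax) are constructed stand-ins.

```python
import json

# Constructed stand-in for the defaults Nova registers in nova/policies/;
# they apply even when the shipped policy.json is blank.
CODE_DEFAULTS = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:os-hypervisors": "rule:admin_api",
}

# Constructed operator policy.json: one real override, one redundant entry.
OPERATOR_POLICY_JSON = """{
    "os_compute_api:os-hypervisors": "rule:admin_or_owner",
    "os_compute_api:servers:index": "rule:admin_or_owner"
}"""

def load_overrides(text):
    """An empty file means 'no overrides', which is what the blank file does."""
    return json.loads(text) if text.strip() else {}

def consolidate(defaults, overrides):
    """Like oslopolicy-policy-generator: in-code defaults with overrides applied."""
    return {**defaults, **overrides}

def list_redundant(defaults, overrides):
    """Like oslopolicy-list-redundant: overrides identical to the in-code default."""
    return sorted(k for k, v in overrides.items() if defaults.get(k) == v)

def needs_default_rule(policy):
    """True when the dump lacks the 'default' rule Horizon falls back on."""
    return "default" not in policy

def evaluate(expr, policy, creds, target):
    """Evaluate a small subset of oslo.policy syntax: 'or' (loosest), 'and',
    'rule:<name>', literals such as is_admin:True, and %(field)s target refs."""
    if " or " in expr:
        return any(evaluate(p, policy, creds, target) for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(p, policy, creds, target) for p in expr.split(" and "))
    if expr in ("", "!"):          # "" always allows, "!" never does
        return expr == ""
    key, _, value = expr.partition(":")
    if key == "rule":
        return evaluate(policy[value], policy, creds, target)
    if value.startswith("%(") and value.endswith(")s"):   # compare with the target
        return str(creds.get(key)) == str(target.get(value[2:-2]))
    return str(creds.get(key)) == value                   # literal, e.g. is_admin:True

def enforce(policy, rule, creds, target=None):
    """Like oslopolicy-checker: do these creds pass the named rule on target?"""
    expr = policy.get(rule, policy.get("default"))
    if expr is None:
        raise KeyError("no rule %r and no 'default' rule to fall back on" % rule)
    return evaluate(expr, policy, creds, target or {})
```

With a blank override file the member credentials are still denied on the hypervisors rule, which answers the "everything open for everybody?" question; adding a "default" rule to the consolidated dump is what makes unknown targets resolvable.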

Re: [Openstack-operators] Policy Updates

2017-02-23 Thread Edgar Magana
Am I understanding correctly that in Ocata release, the policy.json file for 
NOVA is blank?
What does that mean for us (operators)? Everything will be open for everybody 
or the other way around?

In any case, that sounds like an awful approach because now if we upgrade we 
will need to be sure that we have a proper json file while in the past we at 
least were starting from the default one.

Edgar

From: David Medberry 
Date: Thursday, February 23, 2017 at 10:45 AM
To: "openstack-operators@lists.openstack.org" 

Subject: [Openstack-operators] Policy Updates

Nova no longer ships with a fleshed-out skeleton of all policy.json. It ships 
blank.

Discussion in here on how to help operators select specific settings to include 
in their policy.json via documentation.

You (as an op) may want to review and comment on this. This model is being 
proposed for all openstack projects (or at least MORE openstack projects.)

https://review.openstack.org/#/c/433010