d7592cbe25
Adds below things for the implementation of framework for registering and using default policy rules.

* Policy-in-code
  The framework for registering and using default policy rules. Rules should be defined and returned from a module in masakari/policies/, and then added to the list in masakari/policies/__init__.py. A new context.can() method has been added for policy enforcement of registered rules. It has the same parameters as the enforce() method currently being used.

* Add policy sample generation
  The entry point and config file necessary for using the oslo.policy sample generation script. It also adds a tox target to simplify the usage of it.

* Add policy documentation and sample file
  Documentation and sample file for default policy in code feature.

* Hacking check for policy registration
  It ensures that policy registration happens in the centralized masakari/policies/ directory.

* Hacking check for _ENFORCER.enforce()
  Hacking check in order to ensure that only registered policies are used for authorization checks
  _ENFORCER.authorize should be used rather than _ENFORCER.enforce.

* Add entry_point for oslo policy scripts
  There are two helper scripts in oslo.policy to help deployers understand their policy configuration better. With the setup.cfg entry these can be called directly from oslo.policy.

Changes done here are with the reference of [1] at NOVA side which is contributed by Andrew Laski and Claudiu Belu

[1] https://review.openstack.org/#/q/topic:bp/policy-in-code+project:openstack/nova+status:merged

Change-Id: If885a66d92c31be440d27d6780635800a0b12e3e
23 lines
1.1 KiB
YAML
---
features:
  - |
    Masakari now supports policy in code, which means that if operators do not
    need to modify any of the default policy rules, they do not need a policy file.
    Operators can modify/generate a ``policy.yaml.sample`` file which will override
    specific policy rules from their defaults.

    Masakari is now configured to work with two oslo.policy CLI scripts that
    have been added:

    - The first of these can be called like
      ``oslopolicy-list-redundant --namespace masakari`` and will output a list of
      policy rules in policy.[json|yaml] that match the project defaults. These
      rules can be removed from the policy file as they have no effect there.
    - The second script can be called like
      ``oslopolicy-policy-generator --namespace masakari --output-file policy-merged.yaml``
      and will populate the policy-merged.yaml file with the effective policy.
      This is the merged result of project defaults and config file overrides.

    NOTE: The default `policy.json` file is now removed as Masakari now uses default
    policies. A policy file is only needed if overriding one of the defaults.
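The following is an added example, not code from Masakari or oslo.policy: a stdlib-only model of what the release note says the two scripts report (override entries that match the defaults, and the merged effective policy), extended to flag override names that have no registered default. The rule names, check strings and the `audit_policy` helper are constructed for illustration, and checks are compared as whitespace-normalized strings, which is a simplification.

```python
import json

# Constructed sample data: rule names and check strings are illustrative,
# not Masakari's actual registered defaults.
REGISTERED_DEFAULTS = {
    "context_is_admin": "role:admin",
    "admin_api": "is_admin:True",
    "example:segments:index": "rule:admin_api",
    "example:segments:delete": "rule:admin_api",
}

# Constructed operator override file, in policy.json form.
POLICY_FILE = json.dumps({
    "admin_api": "is_admin:True",  # identical to the default
    "example:segments:index": "role:reader or  rule:admin_api",  # real override
    "example:segment:delete": "!",  # typo in the name: matches no default
})


def _norm(check):
    """Collapse whitespace so formatting alone is not treated as a change."""
    return " ".join(check.split())


def audit_policy(defaults, policy_text):
    """Return (redundant, unregistered, effective) for an override file."""
    overrides = {n: _norm(c) for n, c in json.loads(policy_text).items()}
    # Entries equal to the in-code default have no effect and can be removed.
    redundant = sorted(n for n, c in overrides.items()
                       if n in defaults and c == _norm(defaults[n]))
    # Names with no registered default: usually a typo or a stale rule, so the
    # default the operator meant to change is still the one in effect.
    unregistered = sorted(n for n in overrides if n not in defaults)
    # Effective policy: in-code defaults with file entries laid on top.
    effective = {n: _norm(c) for n, c in defaults.items()}
    effective.update(overrides)
    return redundant, unregistered, effective


if __name__ == "__main__":
    redundant, unregistered, effective = audit_policy(REGISTERED_DEFAULTS, POLICY_FILE)
    print("redundant:", redundant)
    print("unregistered:", unregistered)
    for name in sorted(effective):
        print(f"{name}: {effective[name]}")
```

In the sample, the operator meant to deny segment deletion with `!` but misspelled the rule name, so the effective check for `example:segments:delete` is still the default `rule:admin_api`.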