Merge "Support policy configuration directories"

This commit is contained in:
Jenkins 2014-07-25 23:03:54 +00:00 committed by Gerrit Code Review
commit ace9a43e68
1 changed files with 150 additions and 0 deletions

View File

@ -0,0 +1,150 @@
========================================
Support Policy configuration directories
========================================
https://blueprints.launchpad.net/oslo/+spec/policy-configuration-directories
This propose to add a way to override the default policy rules.
Problem description
===================
There some complain about policy configuration is hard to use. So think of
there isn't a way to override default policy rule. The only way to modify
default policy rule is to edit the policy.conf. This isn't convenient for
deployer.
Proposed change
===============
Proposed to support for policy configuration directories. The policy rules
that loaded from policy configuration directories will override the default
policy rules from 'policy_file'.
Add new configuration option:
cfg.ListOpt('policy_configuration_directories', default=['policy.d'],
help=_('The directories of policy configuration files'))
'policy_configuration_directories' accept a list of directories. Those
directories will be iterated by order. The files in those directories will be
loaded by alphabet order, and the rules will be overrided by that order. The
sub-directories will be ignore.
If the directory in the policy_configuration_directories isn't existed, there
will be error raised when loading policy.
Alternatives
------------
None
Impact on Existing APIs
-----------------------
None
Security impact
---------------
The policy rules will be loaded from specified directories. If those
directories have appropriate permissions, there won't have any security issue.
The permissions suggest only the admin can read and write the policy
configurations directories and files. And openstack program can read those
directories and files is enough.
Performance Impact
------------------
This change need iterated a list of directories, that will slow down the
init/reload of policy rules.
Configuration Impact
--------------------
This change introduce new configuration option:
policy_definition_path = [list of directories]
The option is convenient for deployer change where to store the policy config
files. The default value is 'policy.d'. The location searching will be same with
option 'policy_file'.
Developer Impact
----------------
When developer add this feature into app, developer need to add UpgradeImpact
flags and upgrade docs to notice deployer to create 'policy.d' directory in
his development, otherwise there will be error raised by 'policy.d' can't be
found.
Implementation
==============
Assignee(s)
-----------
Primary assignee:
Alex Xu (xuhj@linux.vnet.ibm.com)
Milestones
----------
Target Milestone for completion: Juno-3
Work Items
----------
This change only need one single patch.
This will be implemented in
oslo-incubator/openstack/common/policy.py:Enforcer
Enforcer.load_rules will scan the policy configuration directories, and load
them to override the rules by order.
Incubation
==========
None
Adoption
--------
Nova will use this to improvement the configuration of policy rules. But this
feature can be used by most of openstack project that support policy rules.
Library
-------
None
Anticipated API Stabilization
-----------------------------
None
Documentation Impact
====================
The new option should be documented at configuration documents.
http://docs.openstack.org/icehouse/config-reference/content
And we should describe how to write policies to explain how multiple policy
files are combined to build up the full set of rules.
Dependencies
============
None
References
==========
https://etherpad.openstack.org/p/juno-nova-devops
.. note::
This work is licensed under a Creative Commons Attribution 3.0
Unported License.
http://creativecommons.org/licenses/by/3.0/legalcode