Merge "Support policy configuration directories"
commit ace9a43e68
@ -0,0 +1,150 @@
========================================
Support Policy configuration directories
========================================
https://blueprints.launchpad.net/oslo/+spec/policy-configuration-directories
This propose to add a way to override the default policy rules.
Problem description
===================
There some complain about policy configuration is hard to use. So think of
there isn't a way to override default policy rule. The only way to modify
default policy rule is to edit the policy.conf. This isn't convenient for
deployer.
Proposed change
===============
Proposed to support for policy configuration directories. The policy rules
that loaded from policy configuration directories will override the default
policy rules from 'policy_file'.
Add new configuration option:
cfg.ListOpt('policy_configuration_directories', default=['policy.d'],
help=_('The directories of policy configuration files'))
'policy_configuration_directories' accept a list of directories. Those
directories will be iterated by order. The files in those directories will be
loaded by alphabet order, and the rules will be overrided by that order. The
sub-directories will be ignore.
If the directory in the policy_configuration_directories isn't existed, there
will be error raised when loading policy.
Alternatives
------------
None
Impact on Existing APIs
-----------------------
None
Security impact
---------------
The policy rules will be loaded from specified directories. If those
directories have appropriate permissions, there won't have any security issue.
The permissions suggest only the admin can read and write the policy
configurations directories and files. And openstack program can read those
directories and files is enough.
Performance Impact
------------------
This change need iterated a list of directories, that will slow down the
init/reload of policy rules.
Configuration Impact
--------------------
This change introduce new configuration option:
policy_definition_path = [list of directories]
The option is convenient for deployer change where to store the policy config
files. The default value is 'policy.d'. The location searching will be same with
option 'policy_file'.
Developer Impact
----------------
When developer add this feature into app, developer need to add UpgradeImpact
flags and upgrade docs to notice deployer to create 'policy.d' directory in
his development, otherwise there will be error raised by 'policy.d' can't be
found.
Implementation
==============
Assignee(s)
-----------
Primary assignee:
Alex Xu (xuhj@linux.vnet.ibm.com)
Milestones
----------
Target Milestone for completion: Juno-3
Work Items
----------
This change only need one single patch.
This will be implemented in
oslo-incubator/openstack/common/policy.py:Enforcer
Enforcer.load_rules will scan the policy configuration directories, and load
them to override the rules by order.
Incubation
==========
None
Adoption
--------
Nova will use this to improvement the configuration of policy rules. But this
feature can be used by most of openstack project that support policy rules.
Library
-------
None
Anticipated API Stabilization
-----------------------------
None
Documentation Impact
====================
The new option should be documented at configuration documents.
http://docs.openstack.org/icehouse/config-reference/content
And we should describe how to write policies to explain how multiple policy
files are combined to build up the full set of rules.
Dependencies
============
None
References
==========
https://etherpad.openstack.org/p/juno-nova-devops
.. note::
This work is licensed under a Creative Commons Attribution 3.0
Unported License.
http://creativecommons.org/licenses/by/3.0/legalcode
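
Review bot: The option name is inconsistent: "Proposed change" defines 'policy_configuration_directories' while "Configuration Impact" documents it as 'policy_definition_path'; use one name in both sections. "Security impact" also rests on the directories having "appropriate permissions" without saying what Enforcer.load_rules does when they do not: since rules loaded from these directories override those from 'policy_file', anyone who can write a file there can change the effective policy, so the spec should state the expected owner and mode and whether a directory or file writable by other users is rejected or at least logged. "Problem description" refers to policy.conf where the rest of the spec says 'policy_file', which is worth aligning too.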