placement/releasenotes/notes/bp-granular-placement-policy-65722fc6d7cb1359.yaml
Matt Riedemann 519e5a22d1 Implement granular policy rules for placement
This adds a granular policy checking framework for
placement based on nova.policy but with a lot of
the legacy cruft removed, like the is_admin and
context_is_admin rules.

A new PlacementPolicyFixture is added along with
a new configuration option, [placement]/policy_file,
which is needed because the default policy file
that gets used in config is from [oslo_policy]/policy_file
which is being used as the nova policy file. As
far as I can tell, oslo.policy doesn't allow for
multiple policy files with different names unless
I'm misunderstanding how the policy_dirs option works.

With these changes, we can have something like:

  /etc/nova/policy.json - for nova policy rules
  /etc/nova/placement-policy.yaml - for placement rules

The docs are also updated to include the placement
policy sample along with a tox builder for the sample.

This starts by adding granular rules for CRUD operations
on the /resource_providers and /resource_providers/{uuid}
routes which use the same descriptions from the placement
API reference. Subsequent patches will add new granular
rules for the other routes.

Part of blueprint granular-placement-policy

Change-Id: I17573f5210314341c332fdcb1ce462a989c21940
2018-05-17 11:12:16 -04:00

32 lines
1.2 KiB
YAML

---
features:
- |
It is now possible to configure granular policy rules for placement
REST API operations.
By default, all operations continue to use the ``role:admin`` check string
so there is no upgrade impact.
A new configuration option is introduced, ``[placement]/policy_file``,
which is used to configure the location of the placement policy file.
By default, the ``placement-policy.yaml`` file may live alongside the
nova policy file, e.g.:
* /etc/nova/policy.yaml
* /etc/nova/placement-policy.yaml
However, if desired, ``[placement]/policy_file`` makes it possible to
package and deploy the placement policy file separately to make the future
split of placement and nova packages easier, e.g.:
* /etc/placement/policy.yaml
All placement policy rules are defined in code so by default no extra
configuration is required and the default rules will be used on start of
the placement service.
For more information about placement policy including a sample file, see
the configuration reference documentation:
https://docs.openstack.org/nova/latest/configuration/index.html#placement-policy