519e5a22d1
This adds a granular policy checking framework for placement based on nova.policy but with a lot of the legacy cruft removed, like the is_admin and context_is_admin rules. A new PlacementPolicyFixture is added along with a new configuration option, [placement]/policy_file, which is needed because the default policy file that gets used in config is from [oslo_policy]/policy_file which is being used as the nova policy file. As far as I can tell, oslo.policy doesn't allow for multiple policy files with different names unless I'm misunderstanding how the policy_dirs option works. With these changes, we can have something like: /etc/nova/policy.json - for nova policy rules /etc/nova/placement-policy.yaml - for placement rules The docs are also updated to include the placement policy sample along with a tox builder for the sample. This starts by adding granular rules for CRUD operations on the /resource_providers and /resource_providers/{uuid} routes which use the same descriptions from the placement API reference. Subsequent patches will add new granular rules for the other routes. Part of blueprint granular-placement-policy Change-Id: I17573f5210314341c332fdcb1ce462a989c21940
32 lines
1.2 KiB
YAML
32 lines
1.2 KiB
YAML
---
|
|
features:
|
|
- |
|
|
It is now possible to configure granular policy rules for placement
|
|
REST API operations.
|
|
|
|
By default, all operations continue to use the ``role:admin`` check string
|
|
so there is no upgrade impact.
|
|
|
|
A new configuration option is introduced, ``[placement]/policy_file``,
|
|
which is used to configure the location of the placement policy file.
|
|
By default, the ``placement-policy.yaml`` file may live alongside the
|
|
nova policy file, e.g.:
|
|
|
|
* /etc/nova/policy.yaml
|
|
* /etc/nova/placement-policy.yaml
|
|
|
|
However, if desired, ``[placement]/policy_file`` makes it possible to
|
|
package and deploy the placement policy file separately to make the future
|
|
split of placement and nova packages easier, e.g.:
|
|
|
|
* /etc/placement/policy.yaml
|
|
|
|
All placement policy rules are defined in code so by default no extra
|
|
configuration is required and the default rules will be used on start of
|
|
the placement service.
|
|
|
|
For more information about placement policy including a sample file, see
|
|
the configuration reference documentation:
|
|
|
|
https://docs.openstack.org/nova/latest/configuration/index.html#placement-policy
|