From 22c87f31ab9d82c8a579006b3816225df98d1542 Mon Sep 17 00:00:00 2001 From: Pavlo Shchelokovskyy Date: Thu, 23 Jun 2016 14:05:38 +0300 Subject: [PATCH] Implement policies in code Define and register default API policies in Python code similar to config options. Support for such declaration of API access polcies has been put as cross-project community goal for OpenStack Queens release. Specifies blueprint policy-in-code Change-Id: I9bf9a52d3af716d0731bbcaa371872a2f83bf40c --- specs/queens/policy-in-code.rst | 117 ++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 specs/queens/policy-in-code.rst diff --git a/specs/queens/policy-in-code.rst b/specs/queens/policy-in-code.rst new file mode 100644 index 00000000..7746daf4 --- /dev/null +++ b/specs/queens/policy-in-code.rst @@ -0,0 +1,117 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + +.. + This template should be in ReSTructured text. The filename in the git + repository should match the launchpad URL, for example a URL of + https://blueprints.launchpad.net/heat/+spec/awesome-thing should be named + awesome-thing.rst . Please do not delete any of the sections in this + template. If you have nothing to say for a whole section, just write: None + For help with syntax, see http://sphinx-doc.org/rest.html + To test out your formatting, see http://www.tele3.cz/jbar/rest/rest.html + +==================================== +Register and Document Policy in Code +==================================== + +https://blueprints.launchpad.net/heat/+spec/policy-in-code + +Operators need to maintain a (possibly complex) policy.json file that might +differ only slightly from the default one, +and some values in the policy.json file are tied to config options +without explicit dependency between them. + +Problem description +=================== + +As an operator, I would like to specify in the ``policy.json`` file only those +policies that are different from defaults. + +Such support was declared as cross-project OpenStack community goal +for Queens release [#]_. + +Proposed change +=============== + +Since version 1.9.0 oslo.policy supports handling policies in the way +similar to how oslo.config handles config options [#]_. +Policies now can be declared inside Python code with provided defaults, +and registered in the policy engine. +The policy engine then loads these and the policy.json file on start, +with entries in the latter overriding the defaults specified in the code. + +This way, a service with default policies can run without +``policy.json`` file, and operators only need to fill this file in the case +their rules are different. + +Another nice benefit is that this allows to use values from config file in +the default policy - as example, the name of the temporary user's role in Heat +currently is defined both in config file and default policy.json file, so +operators need to update both heat.conf and policy.json file when +changing this role. + +A small performance penalty during service startup is expected, +as well as marginal performance improvements during run-time, +as there's no need to re-read a possibly large policy.json file. + +Sample policy file can be generated based on the registered policies +rather than needing to manually maintain one. + +A number of additional ways to generate policy-related files are supported +by oslo.policy >= 1.10: + +- Merged policy file - a policy file can be generated which is a merge + of registered defaults and policies loaded from a file. + This shows the effective policy in use. +- Redundant policies file - a list can be generated which contains policies + defined in a file which match defaults registered in code. + These are candidates for removal from the file in order to keep it + small and understandable. + +Heat already depends on oslo.policy >= 1.23 in its requirements, so no bump +in dependencies is required. + +Alternatives +------------ + +None. Required to complete the cross-project goal. + +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + pshchelo IRC: pas-ha + +Milestones +---------- + +Target Milestone for completion: + queens-1 + +Work Items +---------- + +- accumulate, define and register policies in the Python code +- change invocations of ``Enforcer.enforce`` to ``Enforcer.authorize`` + (the call signature is unchanged) +- amend genconfig tox environment to also generate sample policy.json file +- remove policy.json file and update DevStack / Heat's DevStack plugin + to not use policy.json +- (see dependencies) provide configs/scripts to generate merged policy file + and redundant policy file. +- amend documentation accordingly + +Dependencies +============ + +None. + + +.. [#] https://governance.openstack.org/tc/goals/queens/policy-in-code.html +.. [#] https://docs.openstack.org/oslo.policy/latest/user/usage.html