From 0f1b2e3a63d8d87f3ed3ea53f02a0254b7e5af66 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Mon, 18 Mar 2019 13:53:14 +0000 Subject: [PATCH] Remove obsolete policy configuration details from docs The policy-enforcement document was written prior to any of the policy-in-code or policy documentation efforts took place. This commit updates the developer reference for policy to remove these details since they have already been implemented. Subsequent patches will update details of this document by taking into account the recent keystone and oslo changes that help fix the original issues described in this document. Change-Id: I263b2f72037a588623958baccacf78fb6a6be05d --- doc/source/reference/policy-enforcement.rst | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/doc/source/reference/policy-enforcement.rst b/doc/source/reference/policy-enforcement.rst index c6324257a0a7..db384be34854 100644 --- a/doc/source/reference/policy-enforcement.rst +++ b/doc/source/reference/policy-enforcement.rst @@ -33,9 +33,6 @@ There are several problems for current API policy. rule for all the APIs. Deployer can't get better granularity control for the APIs. -* More easy way to override default policy settings for deployer. And - Currently all the API(EC2, V2, V2.1) rules mix in one policy.json file. - These are the kinds of things we need to make easier: 1. Operator wants to enable a specific role to access the service API which @@ -46,9 +43,6 @@ redundant check in the compute API can confuse developers and deployers. 3. Operator can specify different rules for APIs that in same extension. -4. Operator can override the default policy rule easily without mixing his own -config and default config in one policy.json file. - Future of policy enforcement ---------------------------- @@ -92,14 +86,6 @@ layer to guarantee it won't break the back-compatibility. That may ugly some hard-code permission check in API layer, but V2 API will be removed once V2.1 API ready, so our choice will reduce the risk. -Port policy.d into nova -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This feature make deployer can override default policy rule easily. And -When nova default policy config changed, deployer only need replace default -policy config files with new one. It won't affect his own policy config in -other files. - Use different prefix in policy rule name for EC2/V2/V2.1 API ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~