Move the Policy Engine
Summary
=======
Moving policy engine out of openstack_dashboard and into django_
Motivation
========
Turns out openstack_dashboard is not really the right location for the policy engine. The engine is needed by both horizon and openstack_
The first and oldest is via user.has_perms() which is a method exposed on the user object from django_
The second is the policy engine, which does richer role checking.
We should consolidate how authorization is checked. But that will be a subsequent effort (bp).
We'll need a centralized location for policy to effectively split horizon and openstack_
Description
=========
This is really a surgical transplant of the heart of the policy engine into django_
The first step in this process is convert openstack_dashboard to use a configurable policy check method, POLICY_
The second step is moving adding the policy engine to django_
The third step is release django_
The final step is removing the policy backend from openstack_
policy check method for POLICY_
Note: The files in openstack_
UX
===
There should be no visible changes.
Wireframes, Mocks, Videos and UI Markup
-------
N/A
Testing
======
As this is purely a transplant. The test is that all things remain the same.
Outside Dependencies
==================
As described in Description, this requires changes to django_
Requirements Update Required
=======
Yes. The new released version of django_
Doc Impact
=========
N/A
Blueprint information
- Status:
- Complete
- Approver:
- David Lyle
- Priority:
- Medium
- Drafter:
- David Lyle
- Direction:
- Approved
- Assignee:
- David Lyle
- Definition:
- Approved
- Series goal:
- Accepted for mitaka
- Implementation:
- Implemented
- Milestone target:
- mitaka-1
- Started by
- David Lyle
- Completed by
- David Lyle
Related branches
Related bugs
Sprints
Whiteboard
Step 1:
Gerrit topic: https:/
Addressed by: https:/
Moving policy engine implementation
doug-fish: I think you have a typo in the UX section
There should be visible changes. -> There should not be visible changes.
Seems like a good approach to the problem. Now it's just a simple matter of heart transplant surgery!
david-lyle: Since cross project blueprints aren't really supported, manually adding review link for django_
Addressed by: https:/
Relocating policy engine from openstack_dashboard
amotoki: Looks good. The direction looks right and the plan is well described.
BTW, for tracking the progress, how about registering a blueprint to openstack_auth too and adding a dependency?
Addressed by: https:/
Finally remove policy engine code from openstack_dashboard
Work Items
Work items:
1) Make policy engine pluggable in openstack_
2) Import policy engine into django_
3) Release django_
4) Update global-requirements : DONE
5) Remove policy engine code from openstack_