Move the Policy Engine

Registered by David Lyle on 2014-11-17

Summary
=======
Moving policy engine out of openstack_dashboard and into django_openstack_auth.

Motivation
========
Turns out openstack_dashboard is not really the right location for the policy engine. The engine is needed by both horizon and openstack_dashboard. Additionally, we currently utilize two separate forms of authorization (policy) checking.

The first and oldest is via user.has_perms() which is a method exposed on the user object from django_openstack_auth. This method does role checking as well as service catalog checking.

The second is the policy engine, which does richer role checking.

We should consolidate how authorization is checked. But that will be a subsequent effort (bp).

We'll need a centralized location for policy to effectively split horizon and openstack_dashboard.

Description
=========
This is really a surgical transplant of the heart of the policy engine into django_openstack_auth.

The first step in this process is convert openstack_dashboard to use a configurable policy check method, POLICY_CHECK_FUNCTION, as the horizon part of the repository does. The will be accomplished by temporarily moving the policy backend to a separate file and configure the POLICY_CHECK_FUNCTION to point to this new backend.

The second step is moving adding the policy engine to django_openstack_auth.

The third step is release django_openstack_auth and make the new version the minimum in openstack_requirements.

The final step is removing the policy backend from openstack_dashboard. And updating the settings file to point at the django_openstack_auth
 policy check method for POLICY_CHECK_FUNCTION.

Note: The files in openstack_dashboard/conf do not move. These are application specific, in this case openstack_dashboard.

UX
===
There should be no visible changes.

Wireframes, Mocks, Videos and UI Markup
---------------------------------------------------------
N/A

Testing
======
As this is purely a transplant. The test is that all things remain the same.
Outside Dependencies
==================
As described in Description, this requires changes to django_openstack_auth.

Requirements Update Required
========================
Yes. The new released version of django_openstack_auth that contains the policy engine will need to be the new minimum.

Doc Impact
=========
N/A

Blueprint information

Status:
Complete
Approver:
David Lyle
Priority:
Medium
Drafter:
David Lyle
Direction:
Approved
Assignee:
David Lyle
Definition:
Approved
Series goal:
Accepted for mitaka
Implementation:
Implemented
Milestone target:
milestone icon mitaka-1
Started by
David Lyle on 2014-11-20
Completed by
David Lyle on 2015-10-09

Related branches

Sprints

Whiteboard

Step 1:
Gerrit topic: https://review.openstack.org/#q,topic:bp/move-policy-engine,n,z

Addressed by: https://review.openstack.org/135793
    Moving policy engine implementation

doug-fish: I think you have a typo in the UX section
There should be visible changes. -> There should not be visible changes.
Seems like a good approach to the problem. Now it's just a simple matter of heart transplant surgery!

david-lyle: Since cross project blueprints aren't really supported, manually adding review link for django_openstack_auth change for step 2:

Addressed by: https://review.openstack.org/136515
    Relocating policy engine from openstack_dashboard

amotoki: Looks good. The direction looks right and the plan is well described.
BTW, for tracking the progress, how about registering a blueprint to openstack_auth too and adding a dependency?

Addressed by: https://review.openstack.org/163028
    Finally remove policy engine code from openstack_dashboard

(?)

Work Items

Work items:
1) Make policy engine pluggable in openstack_dashboard: DONE
2) Import policy engine into django_openstack_auth: DONE
3) Release django_openstack_auth: DONE
4) Update global-requirements : DONE
5) Remove policy engine code from openstack_dashboard: DONE

This blueprint contains Public information 
Everyone can see this information.