Add support for policy.d per service

Registered by Mathieu Gagné on 2017-07-24

Summary
=======

This blueprint suggests adding support for multiple policy directories per service so an operator can load multiple policy files just like they can with services through oslo.policy and policy_dirs config.

See https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo-policy

Motivation
========

Ease life of operators so they can use and apply the same policy files and directories between services and Horizon.

Description
=========

The oslo.policy library allows services to load multiple policy files from multiple policy_dirs, usually policy.d. Some projects such as Neutron stadium projects also make use of policy.d to install and use additional policy files.

Current implementation of django-openstack-auth does not support more than one policy file per service. This means it is impossible for an operator to use an unified set of policy files (and directories) between services and django-openstack-auth as the later expects one single big policy file.

This blueprint suggests adding a new setting (POLICY_DIRS) where multiple policy directories can be defined per service and loaded by the policy enforcer.

Following code would need to be updated to support POLICY_DIRS per service:
https://github.com/openstack/django_openstack_auth/blob/b8567d6/openstack_auth/policy.py#L46-L63

UX
===

N/A

Testing
======

You should be able to load multiple policy files per service spread across multiple directories as defined by the POLICY_DIRS setting.

Outside Dependencies
==================

N/A

Requirements Update Required
========================

N/A

Doc Impact
=========

* Add documentation about new POLICY_DIRS setting.

Blueprint information

Status:
Complete
Approver:
Akihiro Motoki
Priority:
Medium
Drafter:
Mathieu Gagné
Direction:
Approved
Assignee:
Mathieu Gagné
Definition:
Approved
Series goal:
Accepted for 13.0.0-queens
Implementation:
Implemented
Milestone target:
milestone icon queens-2
Started by
Akihiro Motoki on 2017-11-21
Completed by
Akihiro Motoki on 2017-11-21

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/policy-dirs,n,z

Addressed by: https://review.openstack.org/487153
    Add support for policy directories per service

[Nov 22, 2017 -- amotoki]
Note: this was implemented in Queens cycle in django_openstack_auth repo and was merged into the horizon code.

[Nov 27, 2017 -- amotoki]
Moved to horizon

Addressed by: https://review.openstack.org/523542
    Add release note on policy dirs support

Gerrit topic: https://review.openstack.org/#q,topic:policy-dirs,n,z

Addressed by: https://review.openstack.org/527104
    Define default POLICY_DIRS value

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.