Define default neutron policies in code

Registered by Dai Dang Van on 2017-10-31

This blueprint page is used to track the progress of policy-in-code.
This is a community-wide goal defined in https://governance.openstack.org/tc/goals/queens/policy-in-code.html.

NOTE: Gerrit will automatically convert topic names if we include 'blueprint XXXX' in commit messages, so we don't include blueprint get-policy-from-neutron-lib.
Let's use "policy-and-docs-in-code" as a topic (suggested at https://governance.openstack.org/tc/goals/queens/policy-in-code.html#gerrit-topic).

oslo.policy now supports defining default policies in the code base instead of keeping all of them in a policy file, in the same way that oslo.config did.
We can therefore add default policies into neutron-lib first; after that, the policy.json file can be removed from a neutron deployment if operators do not need to customize the policies.

Blueprint information

Status: Complete
Approver: Miguel Lavalle
Priority: Medium
Drafter: Akihiro Motoki
Direction: Approved
Assignee: Akihiro Motoki
Definition: Approved
Series goal: Accepted for stein
Implementation: Implemented
Milestone target: stein-3
Started by: Akihiro Motoki on 2017-12-12
Completed by: Miguel Lavalle on 2019-02-18

Whiteboard

We will use this blueprint to track policy-in-code efforts in the neutron stadium.

https://review.openstack.org/#/q/topic:policy-and-docs-in-code+(status:open+OR+status:merged)

https://review.openstack.org/#/c/585037/ neutron
https://review.openstack.org/#/c/585036/ neutron-lib

The work is split into three steps:
- Convert the existing policies defined in policy.json into policy-in-code for all networking projects without changing any behaviors
- Drop the "default" rule from the neutron policy (most projects, including nova, cinder and so on, no longer have a "default" policy)
- Improve policy-in-code documentation using DocumentedRuleDefault (instead of RuleDefault)

Gerrit topic: https://review.openstack.org/#q,topic:policy-and-docs-in-code,n,z

Addressed by: https://review.openstack.org/585036
    policy-in-code support in neutron-lib

Gerrit topic: https://review.openstack.org/#q,topic:bp/neutron-policy-in-code,n,z

Addressed by: https://review.openstack.org/585037
    Convert policy.json into policy-in-code

Addressed by: https://review.openstack.org/527282
    Convert policy.json into policy-in-code

Addressed by: https://review.openstack.org/625394
    Drop 3rd-party plugin specific policies

Addressed by: https://review.openstack.org/625395
    Remove unused get_<plural> rules

Addressed by: https://review.openstack.org/625407
    doc: Add policy reference

Addressed by: https://review.openstack.org/625423
    Convert policy.json into policy-in-code

Addressed by: https://review.openstack.org/625424
    doc: Add policy reference

Addressed by: https://review.openstack.org/625429
    Convert policy.json into policy-in-code

Addressed by: https://review.openstack.org/626016
    Define popular policy rules by constants

Addressed by: https://review.openstack.org/626017
    Define popular policy rules by constants (part 2)

Addressed by: https://review.openstack.org/626018
    doc: Add policy reference

Addressed by: https://review.openstack.org/628927
    Define missing policies for attributes with enforce_policy

Addressed by: https://review.openstack.org/628928
    Guideline on defining in-code policies

Addressed by: https://review.openstack.org/630050
    doc: Use DocumentedRuleDefault

Addressed by: https://review.openstack.org/631527
    doc: Add policy reference

Addressed by: https://review.openstack.org/633534
    Define default policies in code

Addressed by: https://review.openstack.org/636453
    Add policy module to neutron-lib
