Policy registration in code

Registered by Andrew Laski on 2016-05-18

There are two issues being addressed here:

Given a deployed policy file, it is not trivial to determine how much it differs
from the defaults that a project expects. This is because there is no
authoritative place to find all policies and their defaults: some projects
provide sample files, but they are not always exhaustive, and it is not easy to
diff a production policy file against the sample file after extensive
modification.

Given an authenticated request context, it is not possible to determine which
policies will pass. This is because policy checks are ad hoc throughout the
code with no central registry of all possible checks, and a policy file may not
have all policies listed, as some may be left to fall back to the default rule.
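As an added illustration of the two gaps above (this is example code, not Nova's or oslo.policy's implementation): a toy registry that declares policies and their defaults in code, a diff of a constructed deployed policy file against those defaults, and an evaluator that lists which registered policies a given request context would pass. The rule names and check strings are constructed in the style of Nova's policies, the deployed file is an inline constructed JSON document, and the check language is a small subset (`@`, `!`, `role:`, `attribute:value` with `%(key)s` target substitution, `rule:` references, and `and`/`or` without parentheses).

```python
"""Toy in-code policy registry: diff a deployed policy file against the
registered defaults, and list which policies a request context passes.

Added example, not Nova's or oslo.policy's code. Rule names, check strings
and the deployed policy file below are all constructed for illustration.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleDefault:
    """One policy registered in code together with its default check."""
    name: str
    check_str: str
    description: str


# Constructed registry: the single authoritative list of policies and defaults.
REGISTRY = {r.name: r for r in [
    RuleDefault("admin_or_owner", "is_admin:True or project_id:%(project_id)s",
                "Admin, or a member of the project that owns the resource"),
    RuleDefault("admin_api", "is_admin:True", "Admin-only API"),
    RuleDefault("os_compute_api:servers:show", "rule:admin_or_owner", "Show a server"),
    RuleDefault("os_compute_api:servers:delete", "rule:admin_or_owner", "Delete a server"),
    RuleDefault("os_compute_api:os-hypervisors", "rule:admin_api", "List hypervisors"),
]}

# Constructed operator policy file: one override, one redundant copy of a
# default, and one stale rule that no longer exists in the registry.
DEPLOYED_POLICY_JSON = """{
    "os_compute_api:servers:delete": "rule:admin_api",
    "os_compute_api:os-hypervisors": "rule:admin_api",
    "os_compute_api:servers:legacy-extension": "rule:admin_api"
}"""
DEPLOYED_POLICY = json.loads(DEPLOYED_POLICY_JSON)


def _check(expr, creds, target, rules, depth=0):
    """Evaluate a check string against credentials and a target object."""
    expr = expr.strip()
    if expr == "@":
        return True
    if expr == "!":
        return False
    if " or " in expr:  # 'or' binds loosest, then 'and'
        return any(_check(p, creds, target, rules, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(_check(p, creds, target, rules, depth) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":
        if depth > 10 or value not in rules:  # cycle or dangling reference: deny
            return False
        return _check(rules[value], creds, target, rules, depth + 1)
    try:
        value = value % target  # expand %(project_id)s and friends
    except KeyError:
        return False  # target lacks the attribute the check needs: deny
    if kind == "role":
        return value in creds.get("roles", ())
    return str(creds.get(kind)) == value


def effective_rules(registry, deployed):
    """Registered defaults with the deployed file's entries layered on top."""
    rules = {name: r.check_str for name, r in registry.items()}
    rules.update(deployed)
    return rules


def policy_diff(registry, deployed):
    """Classify every rule by how the deployed file relates to the defaults."""
    overridden, redundant, unknown = {}, [], []
    for name, check in deployed.items():
        if name not in registry:
            unknown.append(name)
        elif check == registry[name].check_str:
            redundant.append(name)
        else:
            overridden[name] = (registry[name].check_str, check)
    return {
        "overridden": overridden,
        "redundant": sorted(redundant),
        "unknown": sorted(unknown),
        "defaulted": sorted(set(registry) - set(deployed)),
    }


def passing_policies(registry, deployed, creds, target):
    """Names of all registered policies this context would pass."""
    rules = effective_rules(registry, deployed)
    return sorted(n for n in registry if _check(rules[n], creds, target, rules))


if __name__ == "__main__":
    print(json.dumps(policy_diff(REGISTRY, DEPLOYED_POLICY), indent=2))
    member = {"roles": ["member"], "project_id": "proj-a", "is_admin": False}
    print(passing_policies(REGISTRY, DEPLOYED_POLICY, member, {"project_id": "proj-a"}))
```

Because the registry, not a sample file, is the source of truth, the diff can also flag entries that merely restate a default (safe to delete) and entries that refer to rules the code no longer registers (stale, and never consulted).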

Blueprint information

Status:
Complete
Approver:
Matt Riedemann
Priority:
High
Drafter:
Andrew Laski
Direction:
Approved
Assignee:
Andrew Laski
Definition:
Approved
Series goal:
Accepted for newton
Implementation:
Implemented
Milestone target:
None
Started by
Matt Riedemann on 2016-06-14
Completed by
Andrew Laski on 2016-08-25

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/policy-in-code,n,z

Addressed by: https://review.openstack.org/329122
    WIP Policy-in-code POC

Addressed by: https://review.openstack.org/328851
    policy: Add defaults in code (part 2)

Addressed by: https://review.openstack.org/328850
    policy: Add defaults in code (part 1)

Addressed by: https://review.openstack.org/329227
    policy: Add defaults in code (part 3)

Addressed by: https://review.openstack.org/329228
    policy: Add defaults in code (part 4)

Addressed by: https://review.openstack.org/329978
    policy: Add defaults in code (part 2)

Addressed by: https://review.openstack.org/329979
    policy: Add defaults in code (part 5)

Addressed by: https://review.openstack.org/330033
    policy: Replaces 'authorize' in nova-api (part 1)

Addressed by: https://review.openstack.org/330034
    policy: Replaces 'authorize' in nova-api (part 2)

Addressed by: https://review.openstack.org/330035
    policy: Replaces 'authorize' in nova-api (part 3)

Addressed by: https://review.openstack.org/330036
    policy: Replaces 'authorize' in nova-api (part 4)

Addressed by: https://review.openstack.org/332473
    Add policy sample generation

Addressed by: https://review.openstack.org/333514
    policy: Replaces 'authorize' in nova-api (part 5)

Addressed by: https://review.openstack.org/333925
    WIP: policy: clean-up

Addressed by: https://review.openstack.org/335667
    Add nova-manage commands for policy helpers

Addressed by: https://review.openstack.org/336622
    Hacking check for policy registration

Addressed by: https://review.openstack.org/336700
    Remove final use of _ENFORCER.enforce

Addressed by: https://review.openstack.org/336701
    Hacking check for _ENFORCER.enforce()

Work Items

Dependency tree
