Dynamic policy file discovery

Registered by Felipe Monteiro

Patrole should eventually support other services like Heat and Murano, not just the Big Tent services included in Tempest.

Part of that requires that Patrole be able to dynamically discover custom policy files. The current solution proposed below is not perfect, but will work in more situations than today.

Dynamic discovery of policy files means looking in prescribed locations for each service's policy file and using the first one that is encountered.

This means that

    cfg.StrOpt('cinder_policy_file',
               default='/etc/cinder/policy.json',
               help="Location of the cinder policy file."),
    cfg.StrOpt('glance_policy_file',
               default='/etc/glance/policy.json',
               help="Location of the glance policy file.")
    ...

in [0] should be replaced with a single config option called "custom_policy_file_loc", which will look something like:

    cfg.ListOpt('custom_policy_file_loc',
                default=['/etc/%s/policy.json'],
                help="""List of the paths for each custom policy file.
Each policy path assumes that the service name is included in the path.
The paths should be ordered by precedence, with high-priority paths
before low-priority paths. The first path that is found to contain
the relevant policy file by service will be chosen.""")

Then in tempest.conf under [rbac] the following could be included (oslo.config reads a ListOpt value as a comma-separated list):

    custom_policy_file_loc = /etc/%s/policy.json,foo/bar/%s/policy.yaml

Afterward, discovery of each service's policy file can be included in RbacPolicyParser once, inside ``validate_service`` [1].

The logic here will have to be updated as well: [2].

[0] https://github.com/openstack/patrole/blob/25569dc76b444e1cbed3e612d5b8c35f3cecec31/patrole_tempest_plugin/config.py
[1] https://github.com/openstack/patrole/blob/25569dc76b444e1cbed3e612d5b8c35f3cecec31/patrole_tempest_plugin/rbac_policy_parser.py#L87
[2] https://github.com/openstack/patrole/blob/25569dc76b444e1cbed3e612d5b8c35f3cecec31/patrole_tempest_plugin/rbac_policy_parser.py#L74
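
The first-match lookup described above, sketched as an added example (not Patrole's code; `discover_policy_file`, the service-name pattern and the temporary directory layout are assumptions made for illustration). Because the service name is substituted into a filesystem path, the sketch validates it before building any candidate path.

```python
import os
import re
import tempfile

# Assumption: service names look like "cinder" or "heat". Anything else
# (slashes, "..") is rejected so it cannot redirect the lookup.
_SERVICE_RE = re.compile(r'^[a-z][a-z0-9_-]*$')


def discover_policy_file(service, path_templates):
    """Return the first existing policy file for ``service``, or None.

    ``path_templates`` is ordered by precedence (high priority first) and
    each entry must contain a ``%s`` placeholder for the service name.
    """
    if not _SERVICE_RE.match(service):
        raise ValueError('invalid service name: %r' % (service,))
    for template in path_templates:
        if '%s' not in template:
            raise ValueError('no service placeholder in %r' % (template,))
        # str.replace avoids format errors from stray '%' in a path.
        candidate = template.replace('%s', service)
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Constructed layout: heat has files in both locations, cinder only
    in the low-priority one, murano in neither."""
    root = tempfile.mkdtemp()
    high = os.path.join(root, 'custom', '%s', 'policy.yaml')
    low = os.path.join(root, 'etc', '%s', 'policy.json')
    for template, svc in ((high, 'heat'), (low, 'heat'), (low, 'cinder')):
        path = template.replace('%s', svc)
        os.makedirs(os.path.dirname(path))
        with open(path, 'w') as f:
            f.write('{}')
    return root, {svc: discover_policy_file(svc, [high, low])
                  for svc in ('heat', 'cinder', 'murano')}


if __name__ == '__main__':
    for svc, path in sorted(demo()[1].items()):
        print(svc, '->', path)
```
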

Blueprint information

Status: Complete
Approver: Samantha Blanco
Priority: Medium
Drafter: Felipe Monteiro
Direction: Approved
Assignee: Felipe Monteiro
Definition: New
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Felipe Monteiro
Completed by: Felipe Monteiro
