Support service policy files

Registered by Steve McLellan on 2016-08-04

It's been pointed out that that deployers shouldn't have to change multiple places to enforce policy. Horizon already uses (copies of) service policy files to determine what operations should be exposed to users (whether they can list servers, view images etc). Searchlight can do the same. This BP will support configurable paths to service policy files (a deployer is responsible for getting them into the right places) that will be used to enforce which resource types are available to a user for querying/faceting etc. At the same time the existing fine-grained searchlight policy controls will be removed so that from SL's policy.json it'll still be possible to remove a resource type from consideration entirely, and still be possible to disable faceting, but not disable faceting/querying on a per resource basis.

Whether a user can perform e.g. a search on Servers will thus be:
  query:allowed && searchlight:os_nova_server:allowed && nova:os_compute_api:servers:index

Blueprint information

Status:
Started
Approver:
Travis Tripp
Priority:
Medium
Drafter:
Steve McLellan
Direction:
Approved
Assignee:
Steve McLellan
Definition:
Review
Series goal:
Accepted for newton
Implementation:
Needs Code Review
Milestone target:
milestone icon newton-rc1
Started by
Travis Tripp

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/support-service-policy-files,n,z

Addressed by: https://review.openstack.org/351896
    Service policy file support

Not convinced we can realistically do full support for service policy files. The way oslo.policy processes some rules is a bit odd and it's quite hard to generically support everything.

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.