Policy Files Distribution to Horizon

date:

2015-11-24 15:00

tags:

cross-project, cross-role, json, policy, distribution, Horizon

OpenStack Horizon can use policy.json files to filter the actions available on its webinterface. For that, Horizon consumes the policy.json files of each openstack project (like cinder/nova/glance/…), it doesn’t distribute its own.

Therefore, if the deployer wants to have a consistent policy through the apis and the webinterface, the deployer has to upload its policies to Horizon.

Currently, it’s not done within openstack-ansible.

https://blueprints.launchpad.net/openstack-ansible/+spec/policy-files-distribution

Problem description

Currently every deployer that needs policy files is doing the same work. Let’s try to avoid that in the future: They create policy files for the openstack project thanks to openstack-ansible but then need to upload the policy files to Horizon manually with their own role.

This should fix that, and propose a solution to the policy files deployment

Proposed change

First, there should be a generic cross-role switch (policy_file_distribution_enabled) defaulted to False, unless the deployer has set a _policy_overrides for a component. Of course, a deployer can prevent this policy file distribution by setting it to False.

Then, we should handle the policy distribution in two steps:

1. Download each deployed policy.json file (from the first host of each group) during the horizon-install playbook into the policy_files_distribution_folder (by default /etc/openstack_deploy/) on the deploy node.

2. Having the Horizon role could consume these files on the deploy host and upload the json files to the Horizon nodes. This would require connecting on multiple hosts and will lengthen deployment’s time (on the first run, if enabled)

Alternatives

• Not implementing this, and let the deployer do the work himself

• Rely on Horizon distributing its own policy mapping in the future

• Include each project’s (i.e. nova,neutron,etc.) default policy file from their git source in the Horizon role and use the config_template to upload/override the final nova_policy.json, glance_policy.json,... files on Horizon. This would require us to track OpenStack project policy changes in both Horizon and the respective project roles.

• Download each project policy.json file from their git source repository (i.e. glance, nova,etc.) to the deployment node before running the os_horizon role. Then use the config_template to upload/override the final json files on Horizon. This would require us to track OpenStack projects’ policy files URL changes.

• Last alternative would be to distribute using another mechanism (like memcache/swift/file sync…).

Playbook/Role impact

Small changes in playbooks/role.

Upgrade impact

No upgrade impact.

Security impact

None

Performance impact

Slightly longer deployment time if enabled for the first time. Implementation would redownload if a file exists, unless explicitly told by a variable: policy_file_distribution_force_refresh.

End user impact

The end-user will not have inconsistent behaviour of having one button that doesn’t work because the policy prevents it in the component api but not in Horizon.

Deployer impact

A few new variables:

• policy_file_distribution_enabled

• policy_file_distribution_force_refresh

• policy_files_distribution_files

NB: Their name could be adapted later (cf. implementation)

Developer impact

Nothing should change.

Dependencies

None.

Implementation

Assignee(s)

None yet

Work items

1. group_var to define auto download

2. playbook edition to download policies

3. role changes to upload json files

Testing

• Does this change impact how gating is done?

No

• Can this change be tested on a per-commit basis?

Yes

• Given the instance size restrictions, as found in OpenStack Infra (8GB Ram, vCPUs <= 8), can the test be run in a resource constrained environment?

Yes.

• Is this untestable given current limitations (specific hardware / software configurations available)? If so, are there mitigation plans for this change to be tested within 3rd party testing, gate enhancements, etc…?

This change is testable.

• If the service is not OpenStack specific how can we test the change?

It’s openstack specific

Documentation impact

We’ll need to update the documentation to mention how to edit the policies and how to enable the policy distribution to Horizon.

References

Policy files url:

• Horizon: http://docs.openstack.org/developer/horizon/topics/policy.html#policy-files

• keystone: https://github.com/openstack/keystone/blob/master/etc/policy.json

• Glance: https://github.com/openstack/glance/blob/master/etc/policy.json

• Nova: https://github.com/openstack/nova/blob/master/etc/nova/policy.json

• Neutron: https://github.com/openstack/neutron/blob/master/etc/policy.json

• Cinder: https://github.com/openstack/cinder/blob/master/etc/cinder/policy.json