This proposes adding a way to override the default policy rules.
There have been complaints that policy configuration is hard to use, in part because there is no way to override a default policy rule. The only way to modify a default policy rule is to edit policy.conf, which is not convenient for deployers.
This proposes support for policy configuration directories. Policy rules loaded from the policy configuration directories will override the default policy rules from ‘policy_file’.
Add a new configuration option:
‘policy_configuration_directories’ accepts a list of directories. The directories are iterated in the order given. The files in each directory are loaded in alphabetical order, and rules are overridden in that order (a rule defined in a later file replaces the same rule from an earlier file). Sub-directories are ignored.
If a directory listed in policy_configuration_directories does not exist, an error is raised when the policy is loaded.
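As an added illustration of the loading order described above (this is example code, not code from oslo-incubator or Nova), here is a minimal Python loader that merges a base policy file with rules from an ordered list of directories; the rule names and file names used in the demo are constructed sample data.

```python
import json
import os
import tempfile

def load_policy_rules(policy_file, policy_dirs):
    """Return a dict of rule name -> rule string.

    Directories are processed in the order given and files within each
    directory in alphabetical order; a later file overrides an earlier
    one for the same rule name, so the last directory wins. Sub-directories
    are ignored and a missing directory raises an error, as proposed.
    """
    with open(policy_file) as f:
        rules = dict(json.load(f))
    for directory in policy_dirs:
        if not os.path.isdir(directory):
            raise IOError("policy directory not found: %s" % directory)
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue  # sub-directories are ignored
            with open(path) as f:
                rules.update(json.load(f))
    return rules


def missing_dir_raises(policy_file, directory):
    """True if loading with a non-existent directory raises, as required."""
    try:
        load_policy_rules(policy_file, [directory])
    except IOError:
        return True
    return False


def demo():
    """Build a constructed sample tree (hypothetical rules) and merge it."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "policy.json")
    with open(base, "w") as f:
        json.dump({"admin_api": "is_admin:True", "compute:get": ""}, f)
    policy_d = os.path.join(root, "policy.d")
    os.mkdir(policy_d)
    os.mkdir(os.path.join(policy_d, "ignored"))  # sub-directory, skipped
    with open(os.path.join(policy_d, "10-compute.json"), "w") as f:
        json.dump({"compute:get": "rule:admin_api"}, f)
    with open(os.path.join(policy_d, "20-compute.json"), "w") as f:
        json.dump({"compute:get": "role:viewer"}, f)  # later file wins
    return base, policy_d, load_policy_rules(base, [policy_d])
```

Running demo() shows that the rule from 20-compute.json replaces the one from 10-compute.json, while the untouched ‘admin_api’ rule from the base file survives.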
Policy rules will be loaded from the specified directories. Provided those directories have appropriate permissions, this introduces no security issue.
The suggested permissions are that only the administrator can read and write the policy configuration directories and files; read access for the OpenStack program is sufficient.
This change needs to iterate over a list of directories, which will slow down the initialisation/reload of policy rules.
This change introduces a new configuration option: policy_definition_path = [list of directories]
The option makes it convenient for deployers to change where the policy config files are stored. The default value is ‘policy.d’. The location search will be the same as for the ‘policy_file’ option.
When a developer adds this feature to an app, they need to add UpgradeImpact flags and upgrade docs telling deployers to create the ‘policy.d’ directory in their deployment; otherwise an error will be raised because ‘policy.d’ cannot be found.
Target Milestone for completion: Juno-3
This change needs only a single patch. It will be implemented in oslo-incubator/openstack/common/policy.py:Enforcer.
Enforcer.load_rules will scan the policy configuration directories and load them, overriding the rules in order.
Nova will use this to improve the configuration of policy rules, but the feature can be used by most OpenStack projects that support policy rules.
The new option should be documented in the configuration documents: http://docs.openstack.org/icehouse/config-reference/content
We should also describe how to write policies and explain how multiple policy files are combined to build up the full set of rules.
This work is licensed under a Creative Commons Attribution 3.0 Unported License. http://creativecommons.org/licenses/by/3.0/legalcode