Dynamic Policies aims to improve access control in OpenStack by improving the mechanisms in which policies are defined and delivered to service endpoints.
One step of dynamic delivery of policies is to overlay the existing service endpoint’s local policy file with the custom rules defined in Keystone server. This overlay task is delegated to oslo.policy.
Alice is the kind of person who loves new features and eagerly awaits for new OpenStack features like Dynamic Policies to enable them in her cloud.
With that feature, she expects to be able to define her custom policy rules in Keystone server and have those applied to service endpoints transparently.
Behind the scenes, Keystone Middleware will fetch the Dynamic Policy, which contains the custom policy rules, for the service it is serving and ask oslo.policy to overlay the Stock Policy, which is the existing local policy file.
Based on the Dynamic Policy and on the existing policy_file and policy_dirs options, add to oslo.policy the capability to overlay rules in the Stock Policy.
When there is a rule clashing, the rule from Dynamic Policy always overrides the rule in Stock Policy. It means that any customization made directly in the Stock Policy will be lost if there is an entry for it in the Dynamic Policy.
Make Keystone Middleware itself do the overlay logic, however it seems to not be a task for it at all, since oslo.policy is the one which does handle policy files and owns the config options defining where such file is placed.
This change touches policy rules, which are sensitive data since they define access control to service APIs in OpenStack.
Target Milestone for completion: Liberty-2
Any service using the Dynamic Policies mechanism for access control will be using the proposed change through Keystone Middleware, which means that adoption is transparent to services.
The proposed change will affect the oslo.policy library.
None besides the regular Python code level documentation.
A list of related specs defining the dynamic delivery of policies can be found under the topic dynamic-policies-delivery.
This work is licensed under a Creative Commons Attribution 3.0 Unported License. http://creativecommons.org/licenses/by/3.0/legalcode