Policy Files Distribution to Horizon¶
- date:
2015-11-24 15:00
- tags:
cross-project, cross-role, json, policy, distribution, Horizon
OpenStack Horizon can use policy.json files to filter the actions available on its webinterface. For that, Horizon consumes the policy.json files of each openstack project (like cinder/nova/glance/…), it doesn’t distribute its own.
Therefore, if the deployer wants to have a consistent policy through the apis and the webinterface, the deployer has to upload its policies to Horizon.
Currently, it’s not done within openstack-ansible.
https://blueprints.launchpad.net/openstack-ansible/+spec/policy-files-distribution
Problem description¶
Currently every deployer that needs policy files is doing the same work. Let’s try to avoid that in the future: They create policy files for the openstack project thanks to openstack-ansible but then need to upload the policy files to Horizon manually with their own role.
This should fix that, and propose a solution to the policy files deployment
Proposed change¶
First, there should be a generic cross-role switch
(policy_file_distribution_enabled
) defaulted to False, unless the
deployer has set a _policy_overrides
for a component.
Of course, a deployer can prevent this policy file distribution
by setting it to False.
Then, we should handle the policy distribution in two steps:
Download each deployed policy.json file (from the first host of each group) during the
horizon-install
playbook into thepolicy_files_distribution_folder
(by default/etc/openstack_deploy/
) on the deploy node.Having the Horizon role could consume these files on the deploy host and upload the json files to the Horizon nodes. This would require connecting on multiple hosts and will lengthen deployment’s time (on the first run, if enabled)
Alternatives¶
Not implementing this, and let the deployer do the work himself
Rely on Horizon distributing its own policy mapping in the future
Include each project’s (i.e. nova,neutron,etc.) default policy file from their git source in the Horizon role and use the config_template to upload/override the final
nova_policy.json, glance_policy.json,...
files on Horizon. This would require us to track OpenStack project policy changes in both Horizon and the respective project roles.Download each project policy.json file from their git source repository (i.e. glance, nova,etc.) to the deployment node before running the os_horizon role. Then use the config_template to upload/override the final json files on Horizon. This would require us to track OpenStack projects’ policy files URL changes.
Last alternative would be to distribute using another mechanism (like memcache/swift/file sync…).
Playbook/Role impact¶
Small changes in playbooks/role.
Upgrade impact¶
No upgrade impact.
Security impact¶
None
Performance impact¶
Slightly longer deployment time if enabled for the first time.
Implementation would redownload if a file exists, unless explicitly
told by a variable: policy_file_distribution_force_refresh
.
End user impact¶
The end-user will not have inconsistent behaviour of having one button that doesn’t work because the policy prevents it in the component api but not in Horizon.
Deployer impact¶
A few new variables:
policy_file_distribution_enabled
policy_file_distribution_force_refresh
policy_files_distribution_files
NB: Their name could be adapted later (cf. implementation)
Developer impact¶
Nothing should change.
Dependencies¶
None.
Implementation¶
Assignee(s)¶
None yet
Work items¶
group_var to define auto download
playbook edition to download policies
role changes to upload json files
Testing¶
Does this change impact how gating is done?
No
Can this change be tested on a per-commit basis?
Yes
Given the instance size restrictions, as found in OpenStack Infra (8GB Ram, vCPUs <= 8), can the test be run in a resource constrained environment?
Yes.
Is this untestable given current limitations (specific hardware / software configurations available)? If so, are there mitigation plans for this change to be tested within 3rd party testing, gate enhancements, etc…?
This change is testable.
If the service is not OpenStack specific how can we test the change?
It’s openstack specific
Documentation impact¶
We’ll need to update the documentation to mention how to edit the policies and how to enable the policy distribution to Horizon.
References¶
Policy files url:
Horizon: http://docs.openstack.org/developer/horizon/topics/policy.html#policy-files
keystone: https://github.com/openstack/keystone/blob/master/etc/policy.json
Glance: https://github.com/openstack/glance/blob/master/etc/policy.json
Nova: https://github.com/openstack/nova/blob/master/etc/nova/policy.json
Neutron: https://github.com/openstack/neutron/blob/master/etc/policy.json
Cinder: https://github.com/openstack/cinder/blob/master/etc/cinder/policy.json