Dynamic Policies Overlay¶
Dynamic Policies aims to improve access control in OpenStack by improving the mechanisms by which policies are defined and delivered to service endpoints.
One step of dynamic delivery of policies is to overlay the existing service endpoint's local policy file with the custom rules defined in the Keystone server. This overlay task is delegated to oslo.policy.
Alice the Cloud Deployer¶
Alice is the kind of person who loves new features and eagerly awaits new OpenStack features like Dynamic Policies so that she can enable them in her cloud. With that feature, she expects to be able to define her custom policy rules in the Keystone server and have them applied to service endpoints transparently.
Behind the scenes, Keystone Middleware will fetch the Dynamic Policy, which contains the custom policy rules, for the service it is serving and ask oslo.policy to overlay the Stock Policy, which is the existing local policy file.
Based on the Dynamic Policy and on the existing policy_dirs options, add to oslo.policy the capability to overlay rules in the Stock Policy.
When there is a rule clash, the rule from the Dynamic Policy always overrides the rule in the Stock Policy. This means that any customization made directly in the Stock Policy will be lost if there is an entry for it in the Dynamic Policy.
Keystone Middleware itself could do the overlay logic; however, that does not seem to be a task for it at all, since oslo.policy is the one which handles policy files and owns the config options defining where such files are placed.
Impact on Existing APIs¶
This change touches policy rules, which are sensitive data since they define access control to service APIs in OpenStack.
- Primary assignee:
  Samuel de Medeiros Queiroz - samueldmq
- Other contributors:
  Adam Young - ayoung
  Morgan Fainberg - mdrnstm
Target Milestone for completion: Liberty-2
Create a new function that receives as input the Dynamic Policy as a Python dict and writes its rules to the Stock Policy, i.e. the existing local policy file, using an override strategy when a clash occurs.
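The following is an added illustration of the overlay function described in this work item and of the override rule stated above; it is not oslo.policy's code and the spec does not prescribe this implementation. It assumes the Stock Policy is a JSON object mapping rule names to rule strings (the policy.json layout), that the Dynamic Policy arrives as a plain Python dict of the same shape, and Python 3. The sample stock and dynamic policies embedded below are constructed for the example. Besides merging, it returns the names of stock rules that the dynamic rules replaced, since a silently overridden local customization is exactly the outcome the deployer should be able to see, and it rewrites the file atomically so a concurrently reloading enforcer never reads a half-written policy.

```python
import json
import os
import stat
import tempfile

# Constructed sample data (not from the spec): a stock policy as a policy.json
# would hold it, and a dynamic policy as the dict Keystone Middleware hands over.
STOCK_POLICY = {
    "admin_required": "role:admin",
    "default": "rule:admin_required",
    "identity:list_users": "rule:admin_required",
}
DYNAMIC_POLICY = {
    # clashes with the stock rule: the dynamic rule wins
    "identity:list_users": "rule:admin_required or role:auditor",
    # not present in the stock policy: simply added
    "identity:get_user": "rule:admin_required",
}


def overlay_rules(stock_rules, dynamic_rules):
    """Merge dynamic rules over stock rules with the override strategy.

    Returns (merged, overridden): the merged mapping and the sorted names of
    stock rules whose target changed, so that lost local customizations are
    visible rather than silent.
    """
    merged = dict(stock_rules)
    overridden = []
    for name, rule in dynamic_rules.items():
        if name in merged and merged[name] != rule:
            overridden.append(name)
        merged[name] = rule
    return merged, sorted(overridden)


def overlay_policy_file(policy_path, dynamic_rules):
    """Overlay dynamic_rules onto the JSON policy file at policy_path in place.

    The file is replaced atomically (temp file in the same directory, then
    rename) and its original mode bits are preserved.
    """
    with open(policy_path) as f:
        stock_rules = json.load(f)
    if not isinstance(stock_rules, dict):
        raise ValueError("%s: expected a JSON object of rule names" % policy_path)
    if not all(isinstance(v, str) for v in dynamic_rules.values()):
        raise ValueError("dynamic policy rules must be strings")

    merged, overridden = overlay_rules(stock_rules, dynamic_rules)

    mode = stat.S_IMODE(os.stat(policy_path).st_mode)
    fd, tmp_path = tempfile.mkstemp(
        dir=os.path.dirname(os.path.abspath(policy_path)),
        prefix=".policy-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(merged, f, indent=2, sort_keys=True)
            f.write("\n")
        os.chmod(tmp_path, mode)
        os.replace(tmp_path, policy_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return overridden


def demo_roundtrip():
    """Write the sample stock policy to a temp dir, overlay it, read it back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "policy.json")
        with open(path, "w") as f:
            json.dump(STOCK_POLICY, f)
        overridden = overlay_policy_file(path, DYNAMIC_POLICY)
        with open(path) as f:
            return json.load(f), overridden


if __name__ == "__main__":
    merged, overridden = demo_roundtrip()
    print(json.dumps(merged, indent=2, sort_keys=True))
    print("stock rules overridden by dynamic policy:", overridden)
```

Running the module overlays the constructed dynamic policy onto a throwaway copy of the stock policy and reports that `identity:list_users` was overridden while `identity:get_user` was added; in a real deployment the returned list is what a service should log, since each entry is an access-control rule whose meaning just changed underneath the local file.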
Any service using the Dynamic Policies mechanism for access control will be using the proposed change through Keystone Middleware, which means that adoption is transparent to services.
The proposed change will affect the
Anticipated API Stabilization¶
None besides the regular Python code level documentation.
A list of related specs defining the dynamic delivery of policies can be found under the topic dynamic-policies-delivery.
This work is licensed under a Creative Commons Attribution 3.0 Unported License. http://creativecommons.org/licenses/by/3.0/legalcode