author | Matt Riedemann <mriedem.os@gmail.com> | 2017-11-30 18:09:00 -0500 |
---|---|---|
committer | Matt Riedemann <mriedem.os@gmail.com> | 2018-05-17 11:12:16 -0400 |
commit | 0a461979df62cd1df2c807b3f4fb3593b3040d13 (patch) | |
tree | c0f0b7ee06fcb7370285f992f77624b202d6c3f6 /setup.cfg | |
parent | ccc02de36c6b05c45400ff4ede9c6af4561cef7e (diff) | |
download | nova-0a461979df62cd1df2c807b3f4fb3593b3040d13.tar.gz |
Implement granular policy rules for placement

This adds a granular policy checking framework for
placement based on nova.policy but with a lot of
the legacy cruft removed, like the is_admin and
context_is_admin rules.

A new PlacementPolicyFixture is added along with
a new configuration option, [placement]/policy_file,
which is needed because the default policy file
that gets used in config is from [oslo_policy]/policy_file
which is being used as the nova policy file. As
far as I can tell, oslo.policy doesn't allow for
multiple policy files with different names unless
I'm misunderstanding how the policy_dirs option works.

With these changes, we can have something like:

  /etc/nova/policy.json - for nova policy rules
  /etc/nova/placement-policy.yaml - for placement rules

The docs are also updated to include the placement
policy sample along with a tox builder for the sample.

This starts by adding granular rules for CRUD operations
on the /resource_providers and /resource_providers/{uuid}
routes which use the same descriptions from the placement
API reference. Subsequent patches will add new granular
rules for the other routes.

Part of blueprint granular-placement-policy

Change-Id: I17573f5210314341c332fdcb1ce462a989c21940

Diffstat (limited to 'setup.cfg')
-rw-r--r-- | setup.cfg | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -40,6 +40,7 @@ oslo.config.opts.defaults = oslo.policy.enforcer = nova = nova.policy:get_enforcer + placement = nova.api.openstack.placement.policy:get_enforcer oslo.policy.policies = # The sample policies will be ordered by entry point and then by list @@ -47,6 +48,7 @@ oslo.policy.policies = # list_rules method into a separate entry point rather than using the # aggregate method. nova = nova.policies:list_rules + placement = nova.api.openstack.placement.policies:list_rules nova.compute.monitors.cpu = virt_driver = nova.compute.monitors.cpu.virt_driver:Monitor |
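
Review bot: In the first hunk, the new `placement = nova.api.openstack.placement.policy:get_enforcer` entry under oslo.policy.enforcer exposes the placement enforcer by name alongside the nova one, so please confirm that this get_enforcer loads [placement]/policy_file and never falls back to [oslo_policy]/policy_file when it is resolved through the entry point. The commit message says the two files hold different rule sets, and an enforcer that picks up the nova file would evaluate placement requests against rules that were not written for them. In the second hunk, the existing comment above the nova line explains the ordering of sample policies and why list_rules may be split into separate entry points; a one-line comment on the new `placement = nova.api.openstack.placement.policies:list_rules` entry, stating that it is the aggregate list for the placement API, would keep that explanation accurate once the follow-up patches add rules for the other routes.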