From 0a461979df62cd1df2c807b3f4fb3593b3040d13 Mon Sep 17 00:00:00 2001
From: Matt Riedemann
Date: Thu, 30 Nov 2017 18:09:00 -0500
Subject: Implement granular policy rules for placement

This adds a granular policy checking framework for placement based on nova.policy but with a lot of the legacy cruft removed, like the is_admin and context_is_admin rules.

A new PlacementPolicyFixture is added along with a new configuration option, [placement]/policy_file, which is needed because the default policy file that gets used in config is from [oslo_policy]/policy_file which is being used as the nova policy file. As far as I can tell, oslo.policy doesn't allow for multiple policy files with different names unless I'm misunderstanding how the policy_dirs option works.

With these changes, we can have something like:

  /etc/nova/policy.json - for nova policy rules
  /etc/nova/placement-policy.yaml - for placement rules

The docs are also updated to include the placement policy sample along with a tox builder for the sample.

This starts by adding granular rules for CRUD operations on the /resource_providers and /resource_providers/{uuid} routes which use the same descriptions from the placement API reference. Subsequent patches will add new granular rules for the other routes.

Part of blueprint granular-placement-policy

Change-Id: I17573f5210314341c332fdcb1ce462a989c21940
---
 etc/nova/README-policy.yaml.txt | 22 +++++++++++++++++++---
 etc/nova/placement-policy-generator.conf | 5 +++++
 2 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 etc/nova/placement-policy-generator.conf

(limited to 'etc')

diff --git a/etc/nova/README-policy.yaml.txt b/etc/nova/README-policy.yaml.txt
index b4a233bc32..7599f80712 100644
--- a/etc/nova/README-policy.yaml.txt
+++ b/etc/nova/README-policy.yaml.txt
@@ -1,8 +1,24 @@ -To generate the sample policy.yaml file, run the following command from the top -level of the nova directory: +Nova +==== + +To generate the sample nova policy.yaml file, run the following command from +the top level of the nova directory: tox -egenpolicy -For a pre-generated example of the latest policy.yaml, see: +For a pre-generated example of the latest nova policy.yaml, see: https://docs.openstack.org/nova/latest/configuration/sample-policy.html + + +Placement +========= + +To generate the sample placement policy.yaml file, run the following command +from the top level of the nova directory: + + tox -e genplacementpolicy + +For a pre-generated example of the latest placement policy.yaml, see: + + https://docs.openstack.org/nova/latest/configuration/sample-placement-policy.html diff --git a/etc/nova/placement-policy-generator.conf b/etc/nova/placement-policy-generator.conf new file mode 100644 index 0000000000..a2e0697d00 --- /dev/null +++ b/etc/nova/placement-policy-generator.conf @@ -0,0 +1,5 @@ +[DEFAULT] +# TODO: When placement is split out of the nova repo, this can change to +# etc/placement/policy.yaml.sample. +output_file = etc/nova/placement-policy.yaml.sample +namespace = placement -- cgit v1.2.1
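Review bot: In the new Placement section of README-policy.yaml.txt, the wording "the sample placement policy.yaml file" names a file the rest of the change does not use. The generator conf writes etc/nova/placement-policy.yaml.sample and the commit message gives /etc/nova/placement-policy.yaml as the deployed name, while the nova policy file stays on [oslo_policy]/policy_file. An operator following the README text could put placement rules into the nova policy file instead of the one selected by [placement]/policy_file. Suggest "the sample placement-policy.yaml file" and one line naming the [placement]/policy_file option. Minor: the two commands are spelled differently (tox -egenpolicy and tox -e genplacementpolicy); pick one form for both sections.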
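Review bot: The TODO at the top of placement-policy-generator.conf carries no bug or blueprint reference, so the later rename to etc/placement/policy.yaml.sample is not tied to anything tracked; add the reference next to the TODO. Also, output_file is a relative path, so the sample lands in etc/nova/ only when the generator runs from the top of the nova tree. The README says this for the tox command, but the conf does not, and a one-line comment there would cover direct invocations. The namespace = placement value has to match the oslo.policy entry point registered for the placement rules; this view is limited to 'etc', so that registration is not visible here and is worth confirming against the rest of the change.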