Yep what Logan said. I'm pretty sure Sean Dague talked about this at the last Operator's mid-cycle. The "blank" policy.json just means you get the default policies. You set a value to override the defaults.

I don't see it in the Ocata relnotes but git indicates this is where it happened:

https://github.com/openstack/nova/blob/stable/mitaka/etc/nova/policy.json
https://github.com/openstack/nova/blob/stable/newton/etc/nova/policy.json

again, no change in behavior...

On Thu, Feb 23, 2017 at 3:06 PM, Logan V. <lo...@protiumit.com> wrote:
> I think this actually started in Newton. Yes it ships blank, however
> there is still a default policy implemented as before with similar
> defaults separating the admin and user roles. The default policy is
> implemented in the nova code base
> (https://github.com/openstack/nova/tree/stable/newton/nova/policies)
> and overrides can be provided using policy.json (which also accepts
> yaml despite what the file extension would lead you to believe). The
> difference now is that the default policy is not enumerated in a
> policy.json file by default. You can obtain the default policy by
> running
> oslopolicy-sample-generator --namespace nova
>
> There are also several other oslopolicy-* tools like
> oslopolicy-list-redundant - can be used to list policies defined in
> the policy.json which are redundant to the default policy
> oslopolicy-checker - test access against a specific policy item
> oslopolicy-policy-generator - dump a consolidated view of the policy
> (ie defaults combined with overrides) for use with ie. horizon's
> policy things. One thing I found with exporting this dump from nova
> and using it in horizon is that you must define a policy called
> "default" (usually set to "rule:admin_or_owner") because it is not
> included in the dump and it seemed to cause some odd behavior in
> horizon like the instances tab not showing up under the admin panel.
>
>
> On Thu, Feb 23, 2017 at 1:52 PM, Edgar Magana <edgar.mag...@workday.com>
> wrote:
> > Am I understanding correctly that in Ocata release, the policy.json file for
> > NOVA is blank?
> >
> > What does that mean for us (operators)? Everything will be open for
> > everybody or the other way around?
> >
> > In any case, that sounds like an awful approach because now if we upgrade
> > we will need to be sure that we have a proper json file while in the past we
> > at least were starting from the default one.
> >
> > Edgar
> >
> > From: David Medberry <openst...@medberry.net>
> > Date: Thursday, February 23, 2017 at 10:45 AM
> > To: "openstack-operators@lists.openstack.org"
> > <openstack-operators@lists.openstack.org>
> > Subject: [Openstack-operators] Policy Updates
> >
> > Nova no longer ships with a fleshed-out skeleton of all policy.json. It
> > ships blank.
> >
> > Discussion in here on how to help operators select specific settings to
> > include in their policy.json via documentation.
> >
> > You (as an op) may want to review and comment on this. This model is being
> > proposed for all openstack projects (or at least MORE openstack projects.)
> >
> > https://review.openstack.org/#/c/433010
> >
> > _______________________________________________
> > OpenStack-operators mailing list
> > OpenStack-operators@lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
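
The behaviour described in this thread (a blank policy.json leaves the in-code defaults in force, the file only overrides them, and the merged dump has no "default" rule), as an added Python example that is not part of the thread and does not use oslo.policy or nova code. The rule names and values in DEFAULTS and SAMPLE are constructed, and audit() and its report keys are hypothetical; it also flags overrides set to an empty string or "@", which oslo.policy treats as always allowed.

```python
import json

# Constructed sample of in-code defaults (stand-in for nova/policies).
DEFAULTS = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:os-hypervisors": "rule:admin_api",
}

def load_overrides(text):
    """Parse policy.json text; a blank file yields no overrides."""
    return json.loads(text) if text.strip() else {}

def effective_policy(overrides):
    """Consolidated view: in-code defaults with file overrides applied."""
    return {**DEFAULTS, **overrides}

def always_allows(rule):
    """In oslo.policy an empty rule or "@" passes for every caller."""
    return rule == [] or (isinstance(rule, str) and rule.strip() in ("", "@"))

def audit(overrides):
    """Classify overrides and check the merged view for a "default" rule."""
    report = {"redundant": [], "opened": [], "unknown": []}
    for name, rule in sorted(overrides.items()):
        if name == "default":
            continue  # covered by the missing_default check below
        if name not in DEFAULTS:
            report["unknown"].append(name)  # possible typo: the default still applies
        elif rule == DEFAULTS[name]:
            report["redundant"].append(name)  # identical to the in-code default
        elif always_allows(rule) and not always_allows(DEFAULTS[name]):
            report["opened"].append(name)  # restricted default made open to all
    report["missing_default"] = "default" not in effective_policy(overrides)
    return report

# Constructed policy.json content for the demonstration.
SAMPLE = """{
  "os_compute_api:servers:index": "rule:admin_or_owner",
  "os_compute_api:os-hypervisors": "",
  "os_compute_api:os-hypervisor": "rule:admin_api"
}"""

if __name__ == "__main__":
    print(json.dumps(audit(load_overrides(SAMPLE)), indent=2))
```
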