Awesome! Thanks for the clarification! I was ready to have a heart attack! ☺
Edgar

From: <medbe...@gmail.com> on behalf of David Medberry <openst...@medberry.net>
Date: Thursday, February 23, 2017 at 12:17 PM
To: "Logan V." <lo...@protiumit.com>
Cc: Edgar Magana <edgar.mag...@workday.com>, "openstack-operators@lists.openstack.org" <openstack-operators@lists.openstack.org>
Subject: Re: [Openstack-operators] Policy Updates

Yep what Logan said. I'm pretty sure Sean Dague talked about this at the last Operator's mid-cycle.

The "blank" policy.json just means you get the default policies. You set a value to override the defaults.

I don't see it in the Ocata relnotes but git indicates this is where it happened:

https://github.com/openstack/nova/blob/stable/mitaka/etc/nova/policy.json
https://github.com/openstack/nova/blob/stable/newton/etc/nova/policy.json

again, no change in behavior...

On Thu, Feb 23, 2017 at 3:06 PM, Logan V. <lo...@protiumit.com> wrote:

I think this actually started in Newton. Yes it ships blank, however there is still a default policy implemented as before with similar defaults separating the admin and user roles.

The default policy is implemented in the nova code base (https://github.com/openstack/nova/tree/stable/newton/nova/policies) and overrides can be provided using policy.json (which also accepts yaml despite what the file extension would lead you to believe). The difference now is that the default policy is not enumerated in a policy.json file by default.

You can obtain the default policy by running

    oslopolicy-sample-generator --namespace nova

There are also several other oslopolicy-* tools like

    oslopolicy-list-redundant - can be used to list policies defined in the policy.json which are redundant to the default policy
    oslopolicy-checker - test access against a specific policy item
    oslopolicy-policy-generator - dump a consolidated view of the policy (ie defaults combined with overrides) for use with ie. horizon's policy things.

One thing I found with exporting this dump from nova and using it in horizon is that you must define a policy called "default" (usually set to "rule:admin_or_owner") because it is not included in the dump and it seemed to cause some odd behavior in horizon like the instances tab not showing up under the admin panel.

On Thu, Feb 23, 2017 at 1:52 PM, Edgar Magana <edgar.mag...@workday.com> wrote:
> Am I understanding correctly that in Ocata release, the policy.json file for
> NOVA is blank?
>
> What does that mean for us (operators)? Everything will be open for
> everybody or the other way around?
>
> In any case, that sounds like an awful approach because now if we upgrade
> we will need to be sure that we have a proper json file while in the past we
> at least were starting from the default one.
>
> Edgar
>
> From: David Medberry <openst...@medberry.net>
> Date: Thursday, February 23, 2017 at 10:45 AM
> To: "openstack-operators@lists.openstack.org" <openstack-operators@lists.openstack.org>
> Subject: [Openstack-operators] Policy Updates
>
> Nova no longer ships with a fleshed-out skeleton of all policy.json. It
> ships blank.
>
> Discussion in here on how to help operators select specific settings to
> include in their policy.json via documentation.
>
> You (as an op) may want to review and comment on this. This model is being
> proposed for all openstack projects (or at least MORE openstack projects.)
>
> https://review.openstack.org/#/c/433010
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
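
The defaults-plus-overrides model and the missing "default" rule described in this thread, as an added example that is not part of the original messages and is not code from nova or oslo.policy: it flags overrides that merely repeat the in-code default, and audits a consolidated dump for a missing "default" rule or dangling `rule:` references before it is handed to another service such as horizon. The rule names, rule values and function names are constructed for illustration.

```python
import json
import re

# Constructed sample: a few in-code defaults, shaped like sample-generator output.
DEFAULTS = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:os-hypervisors": "rule:admin_api",
}

# Constructed sample: an operator's policy.json holding only overrides.
OVERRIDES_JSON = """{
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:os-hypervisors": "rule:admin_or_support",
    "admin_or_support": "rule:admin_api or role:support"
}"""

RULE_REF = re.compile(r"\brule:([A-Za-z0-9_.:-]+)")

def redundant_overrides(defaults, overrides):
    """Overrides whose value equals the in-code default (safe to delete)."""
    return sorted(k for k, v in overrides.items() if defaults.get(k) == v)

def consolidate(defaults, overrides):
    """Effective policy: defaults with the operator's overrides on top."""
    return {**defaults, **overrides}

def audit_for_export(policy, default_rule="default"):
    """Problems to fix before reusing a consolidated dump elsewhere."""
    problems = []
    if default_rule not in policy:
        problems.append("missing rule: " + default_rule)
    for name, expr in sorted(policy.items()):
        for ref in RULE_REF.findall(expr):
            if ref not in policy:
                problems.append(f"{name} references undefined rule:{ref}")
    return problems

def export_policy(defaults, overrides, default_value="rule:admin_or_owner"):
    """Consolidated policy with an explicit 'default' rule added if absent."""
    policy = consolidate(defaults, overrides)
    policy.setdefault("default", default_value)
    return policy

if __name__ == "__main__":
    merged = consolidate(DEFAULTS, json.loads(OVERRIDES_JSON))
    print(audit_for_export(merged))
```
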