Policy registration in code
There are two issues being addressed here:

- Given a deployed policy file, it is not trivial to determine how much it differs from the defaults that a project expects. This is because there is no authoritative place to find all policies and their defaults. Some projects provide sample files, but they're not always exhaustive, and it's not easy to diff a production policy file against the sample file after extensive modification.
- Given an authenticated request context, it is not possible to determine which policies will pass. This is because policy checks are ad hoc throughout the code, with no central registry of all possible checks. A policy file may also not list every policy, as some may be left to fall back to the default rule.
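
The sketch below is an added example, not code from nova or oslo.policy. It shows what a central registry of defaults makes possible when auditing a deployed policy file. The `register` and `audit` helpers are hypothetical, and the check strings and the deployed file are constructed sample values.

```python
import json

REGISTRY = {}  # policy name -> default check string: the one authoritative list


def register(name, default):
    """Record a default in code; duplicates are refused so the list stays exact."""
    if name in REGISTRY:
        raise ValueError("policy %r registered twice" % name)
    REGISTRY[name] = default


def audit(deployed):
    """Classify each entry of a deployed policy mapping against the registry."""
    report = {"overridden": {}, "redundant": [], "unregistered": []}
    for name, rule in sorted(deployed.items()):
        if name not in REGISTRY:
            # No registered check uses this name: a typo or a stale entry.
            report["unregistered"].append(name)
        elif rule.strip() == REGISTRY[name].strip():
            report["redundant"].append(name)  # restates the in-code default
        else:
            report["overridden"][name] = (REGISTRY[name], rule)
    # Policies absent from the file silently use the in-code default.
    report["using_default"] = sorted(set(REGISTRY) - set(deployed))
    return report


# Constructed defaults, for illustration only (not nova's shipped values).
register("admin_api", "role:admin")
register("admin_or_owner", "role:admin or project_id:%(project_id)s")
register("os_compute_api:servers:create", "rule:admin_or_owner")
register("os_compute_api:servers:delete", "rule:admin_or_owner")

# Constructed deployed policy file; the last key misspells "servers".
DEPLOYED_JSON = """{
  "admin_api": "role:admin",
  "os_compute_api:servers:create": "role:member",
  "os_compute_api:server:delete": "rule:admin_api"
}"""

if __name__ == "__main__":
    print(json.dumps(audit(json.loads(DEPLOYED_JSON)), indent=2))
```

The misspelled key is the case worth noticing: the operator believes delete is restricted to admins, while the registered policy is still on its default.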
Blueprint information
- Status: Complete
- Approver: Matt Riedemann
- Priority: High
- Drafter: Andrew Laski
- Direction: Approved
- Assignee: Andrew Laski
- Definition: Approved
- Series goal: Accepted for newton
- Implementation: Implemented
- Milestone target: None
- Started by: Matt Riedemann
- Completed by: Andrew Laski
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
WIP Policy-in-code POC
Addressed by: https:/
policy: Add defaults in code (part 2)
Addressed by: https:/
policy: Add defaults in code (part 1)
Addressed by: https:/
policy: Add defaults in code (part 3)
Addressed by: https:/
policy: Add defaults in code (part 4)
Addressed by: https:/
policy: Add defaults in code (part 2)
Addressed by: https:/
policy: Add defaults in code (part 5)
Addressed by: https:/
policy: Replaces 'authorize' in nova-api (part 1)
Addressed by: https:/
policy: Replaces 'authorize' in nova-api (part 2)
Addressed by: https:/
policy: Replaces 'authorize' in nova-api (part 3)
Addressed by: https:/
policy: Replaces 'authorize' in nova-api (part 4)
Addressed by: https:/
Add policy sample generation
Addressed by: https:/
policy: Replaces 'authorize' in nova-api (part 5)
Addressed by: https:/
WIP: policy: clean-up
Addressed by: https:/
Add nova-manage commands for policy helpers
Addressed by: https:/
Hacking check for policy registration
Addressed by: https:/
Remove final use of _ENFORCER.enforce
Addressed by: https:/
Hacking check for _ENFORCER.enforce()