Dynamic policy file discovery
Patrole should eventually support other services like Heat
and Murano, not just the Big Tent services included in Tempest.
Patrole then should be able to dynamically discover custom
policy files. While the solution this commit implements is
not perfect, it will allow more services' policy files to
be discovered by Patrole. The policy files will still
have to be located on the same host as Patrole.
This commit removes the service-specific policy path
CONF options in favor of a new CONF option called
``[rbac] custom_policy_files`` which is a ListOpt that
includes paths for each custom policy file. Each
policy path assumes that the service name is included in
the path. The paths should be ordered by precedence, with
high-priority paths before low-priority paths. The first
path that is found to contain the service's policy file
will be used.
This commit refactors unit tests and rbac_policy_parser
as needed to work with the changes.
Change-Id: Ia929b77223b54906888af6cd324f0cfa0fafda8f
Implements blueprint: dynamic-policy-file-discovery
diff --git a/releasenotes/notes/dynamic-policy-file-discovery-104cbfc64b55d605.yaml b/releasenotes/notes/dynamic-policy-file-discovery-104cbfc64b55d605.yaml
new file mode 100644
index 0000000..59019cf
--- /dev/null
+++ b/releasenotes/notes/dynamic-policy-file-discovery-104cbfc64b55d605.yaml
@@ -0,0 +1,22 @@
+---
+features:
+ - |
+ Add new configuration option ``[rbac] custom_policy_files``,
+ allowing users to specify list of the paths to search for custom
+ policy files. Each policy path assumes that the service name is
+ included in the path once. Also assumes Patrole is on the same host
+ as the policy files. The paths should be ordered by precedence, with
+ high-priority paths before low-priority paths. The first path that
+ is found to contain the service's policy file will be used.
+deprecations:
+ - |
+ Deprecate the following configuration options from ``[rbac]`` group:
+
+ * cinder_policy_file
+ * glance_policy_file
+ * keystone_policy_file
+ * neutron_policy_file
+ * nova_policy_file
+
+ It is better to use ``[rbac] custom_policy_files`` which supports
+ any OpenStack service.
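Review bot: the feature note leaves the matching rule underspecified: "the service name is included in the path once" does not say which string is matched (presumably the Tempest service name, e.g. ``nova``) or whether it is a substring or a path-component match, so a hypothetical path such as ``/etc/openstack/nova-compute/policy.json`` could match a different service than intended; state the rule and what Patrole does when no listed path contains a service's policy file (skip the service, or fail). The deprecations block should also say whether the old ``*_policy_file`` options still work during the deprecation period, which setting wins when both are given, and in which release they will be removed. Minor: "specify list of the paths" should read "specify a list of paths".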