
This adds a granular policy checking framework for placement based on nova.policy but with a lot of the legacy cruft removed, like the is_admin and context_is_admin rules.

A new PlacementPolicyFixture is added along with a new configuration option, [placement]/policy_file, which is needed because the default policy file that gets used in config is from [oslo_policy]/policy_file which is being used as the nova policy file. As far as I can tell, oslo.policy doesn't allow for multiple policy files with different names unless I'm misunderstanding how the policy_dirs option works.

With these changes, we can have something like:

/etc/nova/policy.json - for nova policy rules
/etc/nova/placement-policy.yaml - for placement rules

The docs are also updated to include the placement policy sample along with a tox builder for the sample.

This starts by adding granular rules for CRUD operations on the /resource_providers and /resource_providers/{uuid} routes which use the same descriptions from the placement API reference. Subsequent patches will add new granular rules for the other routes.

Part of blueprint granular-placement-policy

Change-Id: I17573f5210314341c332fdcb1ce462a989c21940
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystoneauth1 import loading as ks_loading
from oslo_config import cfg
from nova.conf import utils as confutils
# Service type handed to the keystoneauth option helpers used in this module.
DEFAULT_SERVICE_TYPE = 'placement'

# Option group backing the [placement] section of the configuration.
placement_group = cfg.OptGroup(
    name='placement',
    title='Placement Service Options',
    help='Configuration options for connecting to the placement API service',
)

placement_opts = [
    cfg.BoolOpt(
        name='randomize_allocation_candidates',
        default=False,
        help="""
If True, when limiting allocation candidate results, the results will be
a random sampling of the full result set. If False, allocation candidates
are returned in a deterministic but undefined order. That is, all things
being equal, two requests for allocation candidates will return the same
results in the same order; but no guarantees are made as to how that order
is determined.
""",
    ),
    # TODO(mriedem): When placement is split out of nova, this should be
    # deprecated since then [oslo_policy]/policy_file can be used.
    #
    # NOTE(review): the file named here defines the placement policy rules,
    # so it should be writable only by the deployment's administrators; a
    # relative value is resolved against the configuration file location
    # (per the help text below).
    cfg.StrOpt(
        name='policy_file',
        # This default matches what is in
        # etc/nova/placement-policy-generator.conf
        default='placement-policy.yaml',
        help=(
            'The file that defines placement policies. '
            'This can be an absolute path or relative to the '
            'configuration file.'
        ),
    ),
]
def register_opts(conf):
    """Register the placement group and its options on ``conf``.

    The group is registered first, then the options in ``placement_opts``
    are registered under it. Finally the group is handed to
    ``confutils.register_ksa_opts`` together with ``DEFAULT_SERVICE_TYPE``.

    :param conf: configuration object exposing ``register_group`` and
        ``register_opts``.
    """
    group = placement_group
    conf.register_group(group)
    conf.register_opts(placement_opts, group=group)
    confutils.register_ksa_opts(conf, group, DEFAULT_SERVICE_TYPE)
def list_opts():
    """Return the options of the placement group, keyed by group name.

    The value is one list made of ``placement_opts`` followed by the
    keystoneauth session options, the common auth options, the options of
    the ``password``, ``v2password`` and ``v3password`` auth plugins, and
    the adapter options for ``DEFAULT_SERVICE_TYPE``, in that order.

    :returns: dict with a single entry, ``placement_group.name`` mapped to
        the combined option list.
    """
    group_name = placement_group.name

    # Same concatenation order as the option sources are listed above.
    combined = placement_opts + ks_loading.get_session_conf_options()
    combined = combined + ks_loading.get_auth_common_conf_options()
    for plugin_name in ('password', 'v2password', 'v3password'):
        combined = combined + ks_loading.get_auth_plugin_conf_options(
            plugin_name)
    combined = combined + confutils.get_ksa_adapter_opts(DEFAULT_SERVICE_TYPE)

    return {group_name: combined}