author Matt Riedemann <mriedem.os@gmail.com> 2017-11-30 18:09:00 -0500
committer Matt Riedemann <mriedem.os@gmail.com> 2018-05-17 11:12:16 -0400
commit 0a461979df62cd1df2c807b3f4fb3593b3040d13 (patch)
tree c0f0b7ee06fcb7370285f992f77624b202d6c3f6 /nova/hacking/checks.py
parent ccc02de36c6b05c45400ff4ede9c6af4561cef7e (diff)
Implement granular policy rules for placement

This adds a granular policy checking framework for placement based on nova.policy but with a lot of the legacy cruft removed, like the is_admin and context_is_admin rules.

A new PlacementPolicyFixture is added along with a new configuration option, [placement]/policy_file, which is needed because the default policy file that gets used in config is from [oslo_policy]/policy_file which is being used as the nova policy file. As far as I can tell, oslo.policy doesn't allow for multiple policy files with different names unless I'm misunderstanding how the policy_dirs option works.

With these changes, we can have something like:

  /etc/nova/policy.json - for nova policy rules
  /etc/nova/placement-policy.yaml - for placement rules

The docs are also updated to include the placement policy sample along with a tox builder for the sample.

This starts by adding granular rules for CRUD operations on the /resource_providers and /resource_providers/{uuid} routes which use the same descriptions from the placement API reference. Subsequent patches will add new granular rules for the other routes.

Part of blueprint granular-placement-policy

Change-Id: I17573f5210314341c332fdcb1ce462a989c21940
Diffstat (limited to 'nova/hacking/checks.py')
-rw-r--r-- nova/hacking/checks.py 11
1 files changed, 7 insertions, 4 deletions
diff --git a/nova/hacking/checks.py b/nova/hacking/checks.py
index eea0a775e6..3780f89761 100644
--- a/nova/hacking/checks.py
+++ b/nova/hacking/checks.py
@@ -621,13 +621,16 @@ def check_config_option_in_central_place(logical_line, filename):
def check_policy_registration_in_central_place(logical_line, filename):
- msg = ('N350: Policy registration should be in the central location '
- '"/nova/policies/*".')
+ msg = ('N350: Policy registration should be in the central location(s) '
+ '"/nova/policies/*" or "nova/api/openstack/placement/policies/*".')
# This is where registration should happen
- if "nova/policies/" in filename:
+ if ("nova/policies/" in filename or
+ "nova/api/openstack/placement/policies/" in filename):
return
# A couple of policy tests register rules
- if "nova/tests/unit/test_policy.py" in filename:
+ if ("nova/tests/unit/test_policy.py" in filename or
+ "nova/tests/unit/api/openstack/placement/test_policy.py" in
+ filename):
return
if rule_default_re.match(logical_line):
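Review bot: In the new msg string the two locations are written inconsistently: "/nova/policies/*" keeps its leading slash while "nova/api/openstack/placement/policies/*" has none, so the N350 output shows two paths of different shape; pick one form for both. The two exemptions are also plain substring tests on filename, so any path that merely contains "nova/policies/" or "nova/api/openstack/placement/policies/" skips the check. With two registration directories and two test files now exempt, consider holding them in module-level tuples and testing with any(p in filename for p in ...), so the exempt set is defined in one place and stays in step with the message text.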