openstack team mailing list archive

[boden <boden@xxxxxxxxxxxxxxxxxx>]

Consideration / food for thought...
I was recently standing up a grizzly based Cloud whereupon we were 
implementing a fairly simple role based scheme and wanted to provide 
some feedback on that experience with respect to setting up the 
policy.json files properly.

Long story short -- I found it a bit painful (time consuming, not 
mentally challenging) to fully understand all of the possible roles on a 
per service basis. I had hoped all roles per service would be 
provided/documented in the service's corresponding policy.json, but that 
was not the case.

For example (not to pick on nova):
* compute:get_spice_console
* compute:get_vnc_console
* compute:security_groups:remove_from_instance
...
Were not in  /etc/nova/policy.json to name a few...

At the end of the day identifying all the roles became a game of trial 
and error + source grep-foo.

Ideally all of the roles would've been documented in a centralized 
location to make this experience more user friendly. Maybe a py 
annotation in the source files which document the roles used by the 
class and are then consolidated into a centralized document during the 
doc build or something... I do realize some core projects document (a 
portion) their roles on the wiki page, but it does not seem to be a 
consistent process.

Maybe I'm missing something here, in which case I apologize in advance.

Thanks