yahoo-eng-team team mailing list archive
Message #92935
[Bug 2039265] [NEW] Insufficient support for creating default policy rules
Public bug reported:
Since Wallaby, you don't need to give Horizon the full set of policy
rules you are using for cinder (etc). Just the non-default rules, the
same as you have configured for cinder (etc) itself, is enough. See
https://docs.openstack.org/releasenotes/horizon/wallaby.html under
19.1.0 New Features.
It is also mentioned that "they are synced with registered defaults of
back-end services before the horizon release." So they are present in
Horizon out of the box.
Then I would expect that Horizon knows where these default policies are,
and would use them. As of the Yoga version, which I'm using, this
doesn't seem to be the case, however.
One needs to include something like this in local_settings.py:
    DEFAULT_POLICY_FILES = {
        'identity': '/usr/lib/python3/dist-packages/openstack_dashboard/conf/default_policies/keystone.yaml',
        'compute': '/usr/lib/python3/dist-packages/openstack_dashboard/conf/default_policies/nova.yaml',
        'volume': '/usr/lib/python3/dist-packages/openstack_dashboard/conf/default_policies/cinder.yaml',
        'image': '/usr/lib/python3/dist-packages/openstack_dashboard/conf/default_policies/glance.yaml',
        'orchestration': '/usr/lib/python3/dist-packages/openstack_dashboard/conf/default_policies/heat.yaml',
        'network': '/usr/lib/python3/dist-packages/openstack_dashboard/conf/default_policies/neutron.yaml',
    }
This looks totally like it can't have been meant this way. So, how
should it be done?
There is a further issue. The defaults built into the yoga version of
Horizon match those of the yoga services. What if you're using, say,
cinder of a different version? How do you get the default policies then?
There is a mention of
To update these files, run the following command:
    python manage.py dump_default_policies \
        --namespace <service> \
        --output-file openstack_dashboard/conf/default_policies/<service>.yaml
<service> must be a namespace under oslo.policy.policies to query and
we use "keystone", "nova", "cinder", "neutron" and "glance".
This manage.py script seems to be part of the Horizon source only, and not of the installed Horizon. So you cannot run this command in the actual OpenStack installation.
Furthermore, even if it was installed, it requires that nova, cinder, glance, neutron, etc. are installed into the same container where Horizon is, because it needs access to the Python code of these services.
So this is not really workable.
So how should I get the default policies for horizon, given separate
containers in which nova, cinder etc are installed?
This can be considered a feature request, since I suspect that currently
the answer should be "this is not possible".
** Affects: horizon
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2039265
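The version mismatch raised in the report (Horizon's bundled defaults versus a service of another release) can at least be detected before it causes the dashboard and the service to disagree about who may do what. The following is an added example, not part of the original report or of Horizon: it compares two rule sets and classifies the differences. The file layout (a YAML list of entries with `name` and `check_str` keys), the function names and the sample rules are assumptions constructed for illustration.

```python
"""Detect drift between Horizon's bundled default policies and a service's own."""


def load_rules(path):
    """Load a default-policy YAML file into {rule name: check string}.

    Assumes the file is a YAML list of entries carrying `name` and
    `check_str` keys (an assumption, see lead-in); requires PyYAML.
    """
    import yaml  # imported lazily so the comparison below has no dependency

    with open(path, encoding="utf-8") as fh:
        entries = yaml.safe_load(fh) or []
    return {e["name"]: e["check_str"] for e in entries}


def policy_drift(horizon_rules, service_rules):
    """Compare two {name: check_str} maps and classify every difference."""
    h, s = set(horizon_rules), set(service_rules)
    return {
        # Rules Horizon evaluates that the service no longer registers.
        "only_in_horizon": sorted(h - s),
        # Rules the service registers that Horizon has no default for.
        "only_in_service": sorted(s - h),
        # Same rule name, different default check string.
        "changed": {
            name: (horizon_rules[name], service_rules[name])
            for name in sorted(h & s)
            if horizon_rules[name].strip() != service_rules[name].strip()
        },
    }


# Constructed sample data (not real cinder defaults): what Horizon ships
# versus what a cinder container of another release reports.
HORIZON_BUNDLED = {
    "volume:create": "",
    "volume:delete": "rule:admin_or_owner",
    "volume:legacy_action": "rule:admin_api",
}
CINDER_DEPLOYED = {
    "volume:create": "",
    "volume:delete": "role:member and project_id:%(project_id)s",
    "volume:new_action": "rule:admin_api",
}

if __name__ == "__main__":
    for kind, items in policy_drift(HORIZON_BUNDLED, CINDER_DEPLOYED).items():
        print(kind, items)
```

With real files, `load_rules()` would be called once on the Horizon copy and once on a dump produced where the service's code is installed, and any non-empty result flags a rule to review.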