This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

add attribute to control the placement of policy.json #937

Open
breu opened this issue Apr 21, 2014 · 9 comments
@breu
Contributor

breu commented Apr 21, 2014

We have a couple of cookbooks (nova-network, heat, and ceilometer) that have policy.json as a template while the others use the default packaged versions. Support has asked that we template this so we should provide a mechanism to selectively template this file and instructions on how to import the version of policy.json that they want to ship around. I do not think that this file should be attributed in any way.

@cloudnull
Contributor

I too think we should have better control / configurability on the policy.json file. IMO I think we should default to the upstream policy.json as provided in the "service" repo "/etc" directory. This would be a flat file and provide for no configurability. However, to make the policy configurable we should allow the user to change the policy file to something else in the configuration file for the "service". This would allow the user to change the policy outside the scope of chef. This change would be an attribute added in all of our "service" cookbooks and I envision it as a str which would always be rendered as /etc/<service>/policy.json unless the user changed it as an environment override.

@galstrom21
Contributor

I do not think trying to manage access controls via chef attributes is a very ideal solution. It would be better to get behind a policy service instead (https://wiki.openstack.org/wiki/Congress).

@breu
Contributor Author

breu commented Apr 26, 2014

I'm not thinking of managing the file as a template in chef. Just as a file resource with no templating and an option to either drop it or not. The user can upload their own policy file into the chef server.

While congress is cool and all, it doesn't solve the fact that we, in some cases, drop down a policy.json and in other cases do not. And in most cases override the package's default version of the file with unintended consequences.

@galstrom21
Contributor

Seems like cutting the policy.json files out of the cookbooks might be the best plan then. That way you use the one shipped with the package.

@breu
Contributor Author

breu commented Apr 26, 2014

What he said. I say we rip it all out.

@cloudnull
Contributor

I disagree, being that Red Hat and Canonical both make opinionated changes in the packages which differ between distros and that we support both distros, we need to make updates to our deployments to ensure that the installations are as similar as possible. Shipping the default upstream policy.json in our deployments will ensure that there is no difference in policy unless the file is overridden by the user.

Other related issues on standardizing the deployments: #917

@galstrom21
Contributor

Do the upstreams make any changes to the policy.json files?

@cloudnull
Contributor

The upstreams are set up for each service based on what the project considers "stable", if that's what you're asking.

Example:
https://github.com/openstack/keystone/blob/master/etc/policy.json
https://github.com/openstack/neutron/blob/master/etc/policy.json
https://github.com/openstack/glance/blob/master/etc/policy.json

@galstrom21
Contributor

@cloudnull I was asking if RHEL/Ubuntu make changes to the policy.json files or are they dropping the same thing as in the openstack repos?
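
The question of whether a distro-packaged policy.json differs from the upstream one can be answered by comparing the two files rule by rule. The following is an added example, not code from this thread or from the cookbooks; the function name `policy_drift` and both sample documents are constructed for illustration. It also flags rules that changed to an empty value, which the OpenStack policy engine treats as "always allow".

```ruby
require 'json'

# Constructed sample documents (not copied from any package or upstream repo).
UPSTREAM_POLICY = <<~JSON
  {
    "admin_required": "role:admin",
    "default": "rule:admin_required",
    "identity:get_user": "rule:admin_required",
    "identity:list_users": "rule:admin_required"
  }
JSON

PACKAGED_POLICY = <<~JSON
  {
    "admin_required": "role:admin or is_admin:1",
    "default": "rule:admin_required",
    "identity:list_users": "",
    "identity:create_widget": "rule:admin_required"
  }
JSON

# An empty string or empty list is an "always allow" rule in policy.json.
def empty_rule?(value)
  value == '' || value == []
end

# Compare a candidate policy.json against a baseline, rule by rule.
# Returns sorted rule names under :added, :removed, :changed and
# :unrestricted (rules that became "always allow" relative to the baseline).
def policy_drift(baseline_json, candidate_json)
  baseline = JSON.parse(baseline_json)
  candidate = JSON.parse(candidate_json)
  [baseline, candidate].each do |doc|
    raise ArgumentError, 'policy must be a JSON object' unless doc.is_a?(Hash)
  end

  shared = baseline.keys & candidate.keys
  {
    added: (candidate.keys - baseline.keys).sort,
    removed: (baseline.keys - candidate.keys).sort,
    changed: shared.reject { |k| baseline[k] == candidate[k] }.sort,
    unrestricted: candidate.select { |k, v| empty_rule?(v) && baseline[k] != v }.keys.sort
  }
end

if __FILE__ == $PROGRAM_NAME
  policy_drift(UPSTREAM_POLICY, PACKAGED_POLICY).each { |kind, rules| puts "#{kind}: #{rules.join(', ')}" }
end
```

A rule listed under `removed` falls back to the `default` rule, so removals deserve the same review as changes.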
