bd9d47aa36
The policy engine converts simple strings into instances of rule objects based on a policy DSL. This engine iterates checks and reduces them after each iteration if performing the conversion on list of check strings. When we deprecate policies we apply a logical OR to make upgrades easier for operators. The logical OR, implemented with an OrCheck, only needs to be done once per deprecated rule. Today, we're re-initializing an OrCheck instance each time we load rules, which happens every time oslo_policy.policy.Enforcer.enforce() is called. For most OpenStack usage, this isn't noticiable, especially if you're only using it to enforce access to a specific endpoint. However, this can get expensive if you're using the enforcer to protect the API, protect each resource in a response, and protect each attrbute of the resource (e.g., Neutron makes extensive usage of this pattern to implement RBAC for resources it's responsible for). This commit updates the RuleDefault object to track state of handling deprecated logic ORs so that we only cast the check strings to OrCheck instances once per rule no matter how many times we call load_rules(). Closes-Bug: 1913718 Change-Id: I539672fc220b8d7e3c47ab3dfa6670b88e3f4093
Team and repository tags
oslo.policy
The Oslo Policy library provides support for RBAC policy enforcement across all OpenStack services.
- Free software: Apache license
- Documentation: https://docs.openstack.org/oslo.policy/latest/
- Source: https://opendev.org/openstack/oslo.policy
- Bugs: https://bugs.launchpad.net/oslo.policy
- Blueprints: https://blueprints.launchpad.net/oslo.policy
- Release Notes: https://docs.openstack.org/releasenotes/oslo.policy