Whether or not a restart is required is actually handled by oslo.policy. Which is only included in Kilo and newer versions of Keystone. The work to avoid restarting the service went in in commit [0] and was further worked on in [1].
Juno and older versions are using the oslo-incubator code to handle policy (before it was turned into it's own library), and AFAICT don't have the check to see if policy.json has been modified. [0] https://github.com/openstack/oslo.policy/commit/63d699aff89969fdfc584ce875a23ba0a90e5b51 [1] https://github.com/openstack/oslo.policy/commit/b5f07dfe4cd4a5d12c7fecbc3954694d934de642 Thanks, Steve Martinelli OpenStack Keystone Project Team Lead From: Timothy Symanczyk <[email protected]> To: "OpenStack Development Mailing List (not for usage questions)" <[email protected]>, "Kris G. Lindgren" <[email protected]>, Oguz Yarimtepe <[email protected]>, "[email protected]" <[email protected]> Date: 2015/12/09 04:40 PM Subject: Re: [openstack-dev] [Openstack-operators] [keystone] RBAC usage at production We are running keystone kilo in production, and I¹m actively implementing RBAC right now. I¹m certain that, at least with the version of keystone we¹re running, a restart is NOT required when the policy file is modified. Tim On 12/9/15, 9:18 AM, "Edgar Magana" <[email protected]> wrote: >We use RBAC in production but basically modify networking operations and >some compute ones. In our case we don¹t need to restart the services if >we modify the policy.json file. I am surprise that keystone is not >following the same process. > >Edgar > > > > >On 12/9/15, 9:06 AM, "Kris G. Lindgren" <[email protected]> wrote: > >>In other projects the policy.json file is read each time of api request. >> So changes to the file take place immediately. I was 90% sure keystone >>was the same way? >> >>___________________________________________________________________ >>Kris Lindgren >>Senior Linux Systems Engineer >>GoDaddy >> >> >> >> >> >> >> >>On 12/9/15, 1:39 AM, "Oguz Yarimtepe" <[email protected]> wrote: >> >>>Hi, >>> >>>I am wondering whether there are people using RBAC at production. The >>>policy.json file has a structure that requires restart of the service >>>each time you edit the file. Is there and on the fly solution or tips >>>about it? >>> >>> >>> >>>_______________________________________________ >>>OpenStack-operators mailing list >>>[email protected] >>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >>_______________________________________________ >>OpenStack-operators mailing list >>[email protected] >>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >__________________________________________________________________________ >OpenStack Development Mailing List (not for usage questions) >Unsubscribe: [email protected]?subject:unsubscribe >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
