slaweq, lbragstad, and I discussed it in the neutron IRC channel today[1].
Loading rules should be done during init time of policy instead of on each rule check. We could move the load_rules() call from enforcer()[2], which is called for every check, to policy __init__(). But we need to consider both cases here to know the side effect of it.
1. no policy file: this case will be fine and have no impact as there is no change in the rule after policy init.
2. policy file and operator change rule dynamically: This will be impacted and the operator needs to restart the API service to re-init the policy and load the latest rule. This is something we need to discuss more and get operator feedback if they do restart API service for any modification in policy file or not?
3. policy file name change or new policy file: this anyway needs a policy restart. self.policy_file picks the right policy file during policy's init only[3], so a new policy file needs a service restart now also, which means no impact of moving load_rule() from enforce(). One example: https://review.opendev.org/c/openstack/nova/+/773192
adding oslo.policy also.
[1] http://eavesdrop.openstack.org/irclogs/%23openstack-neutron/%23openstack-neutron.2021-02-01.log.html#t2021-02-01T15:30:03
[2] https://opendev.org/openstack/oslo.policy/src/branch/master/oslo_policy/policy.py#L948
[3] https://opendev.org/openstack/oslo.policy/src/branch/master/oslo_policy/policy.py#L533
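The trade-off in cases 1 and 2 above, as an added example that is not part of the original comment and is not oslo.policy code: a toy enforcer that loads rules either on every check or only at init, run against a policy file that an operator tightens while the service is up. `ToyEnforcer`, `write_policy`, the `get_port` rule and the role names are constructed for illustration.

```python
import json
import os
import tempfile


class ToyEnforcer:
    """Hypothetical stand-in for a policy enforcer (not oslo.policy code)."""

    def __init__(self, policy_file, reload_on_check):
        self.policy_file = policy_file
        self.reload_on_check = reload_on_check
        self.rules = {}      # rule name -> role required (assumed format)
        self._mtime = None
        self.load_rules()

    def load_rules(self):
        # Case 1: no policy file, so nothing can change after init.
        if not os.path.exists(self.policy_file):
            return
        mtime = os.stat(self.policy_file).st_mtime_ns
        if mtime != self._mtime:  # re-read only when the file changed
            with open(self.policy_file) as f:
                self.rules = json.load(f)
            self._mtime = mtime

    def enforce(self, rule, roles):
        if self.reload_on_check:
            self.load_rules()  # load on every check
        # Assumed default for this toy: unknown rules require "admin".
        return self.rules.get(rule, "admin") in roles


def write_policy(path, rules, stamp):
    with open(path, "w") as f:
        json.dump(rules, f)
    os.utime(path, ns=(stamp, stamp))  # explicit mtime so the edit is detectable


def demo():
    """Return (before_edit, after_edit, after_restart) for a 'member' caller."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "policy.json")
        write_policy(path, {"get_port": "member"}, 1_000_000_000)  # constructed
        per_check = ToyEnforcer(path, reload_on_check=True)
        init_only = ToyEnforcer(path, reload_on_check=False)
        check = lambda e: e.enforce("get_port", {"member"})
        before = (check(per_check), check(init_only))
        # Case 2: operator tightens the rule while the service is running.
        write_policy(path, {"get_port": "admin"}, 2_000_000_000)
        after = (check(per_check), check(init_only))
        restarted = check(ToyEnforcer(path, reload_on_check=False))
        return before, after, restarted
```

With init-only loading, the tightened rule is not enforced until the enforcer is re-created, which is the restart requirement described in case 2.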