Add deprecation message to policy "default" rule

The default check_str for the "default" policy rule has changed. From
the Queens release until this series it was "role:admin" (prior to
Queens it was "@", which means allow all requests). In order to
accommodate existing policies as best as possible, the default check_str
has been changed back to "".

In the unlikely event that any existing policies are relying on the
default check_str for the "default" rule, they need to start explicitly
specifying it to maintain similar behaviour. This patch adds a
deprecation warning when using the "default" rule without overriding the
value in the policy file.

This will result in users who carry over an unsafe policy file from the
Queens-Train error seeing a warning. Unfortunately it will also result
in a warning for users who no longer supply a policy file and are
relying on the default policies in code.

Change-Id: I3d3ab9b0172521fb42314f2de33ff02985ad4864
Depends-On: https://review.opendev.org/698790
Depends-On: https://review.opendev.org/699299
Zane Bitter 2019-12-12 10:23:35 -05:00 committed by Abhishek Kekane
parent 2d80135f9b
commit 8acedfd48a
3 changed files with 15 additions and 3 deletions

@ -17,7 +17,19 @@ rules = [
policy.RuleDefault(name='default', check_str='',
description='Defines the default rule used for '
'policies that historically had an empty '
'policy in the supplied policy.json file.'),
'policy in the supplied policy.json file.',
deprecated_rule=policy.DeprecatedRule(
name='default',
check_str='role:admin'),
deprecated_reason='In order to allow operators to '
'accept the default policies from code by not defining '
'them in the policy file, while still working with old '
'policy files that rely on the ``default`` rule for '
'policies that are not specified in the policy file, '
'the ``default`` rule must now be explicitly set to '
'``"role:admin"`` when that is the desired default for '
'unspecified rules.',
deprecated_since='Ussuri'),
policy.RuleDefault(name='context_is_admin', check_str='role:admin',
description='Defines the rule for the is_admin:True '
'check.'),
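Review bot: the deprecated_reason text added to the 'default' rule tells operators that the rule "must now be explicitly set" to "role:admin" when that is what they want, but it never states what the in-code default now is. The rule keeps check_str='' while the deprecated value is 'role:admin', so an operator who sees the warning and does nothing ends up with the empty check rather than the admin-only one, and the warning as worded does not make that consequence visible. Suggest adding a sentence to deprecated_reason that names the new default (an empty check_str) and says that unspecified policies falling back to 'default' will be evaluated against it. The commit message also notes that the warning fires for deployments with no policy file at all; one line in the reason saying what those operators should do would keep the warning actionable for them.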

@ -71,7 +71,7 @@ oslo.i18n==3.15.3
oslo.log==3.36.0
oslo.messaging==5.29.0
oslo.middleware==3.31.0
oslo.policy==1.30.0
oslo.policy==2.4.1
oslo.reports==1.18.0
oslo.serialization==2.25.0
oslo.service==1.30.0

@ -42,7 +42,7 @@ oslo.log>=3.36.0 # Apache-2.0
oslo.messaging>=5.29.0,!=9.0.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0
oslo.reports>=1.18.0 # Apache-2.0
oslo.policy>=1.30.0 # Apache-2.0
oslo.policy>=2.4.1 # Apache-2.0
retrying!=1.3.0,>=1.2.3 # Apache-2.0
osprofiler>=1.4.0 # Apache-2.0
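Review bot: the oslo.policy floor moves across a major version here, from >=1.30.0 to >=2.4.1, and the commit message does not say what in 2.4.1 this change needs. Suggest naming the required oslo.policy behaviour in the commit message next to the Depends-On links, so packagers and anyone backporting the deprecation can tell whether the raised minimum is essential to the policy change or only incidental to it.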