openstack/ironic-inspector
Code Issues Proposed changes

Fix & suppress oslo policy warnings

Browse Source 
This fix the below warning for DeprecatedRule:

Since 3.7.0, oslo policy started the DeprecationWarning[1] if
deprecated_reason and deprecated_since param are not passed
in DeprecatedRule or they are passed in RuleDefault object.

Andf suppress the policy deprecation and default change warnings

Oslo policy log warnings if defaults for policies are changed.
With new RBAC change every policy rules' default is changed,
which end up lot of warnings in logs. We can suppress these for now
until we are enforcing new defaults.

- https://zuul.opendev.org/t/openstack/build/5cefaef6d02a4b7abe3c449491b81e68/log/job-output.txt#879

[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538

Change-Id: If481a5afc3b23d1d196ffd7576d0784a9702da59
This commit is contained in:
Ghanshyam Mann 2021-07-04 14:32:11 -05:00
parent f38d010626
commit 6a4899be86
3 changed files with 43 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
ironic_inspector/policy.py
View File

@ -98,35 +98,51 @@ api_version_policies = [
deprecated_introspection_status = policy.DeprecatedRule(
name='introspection:status',
check_str='rule:is_admin or rule:is_observer'
check_str='rule:is_admin or rule:is_observer',
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_introspection_start = policy.DeprecatedRule(
name='introspection:start',
check_str='rule:is_admin'
check_str='rule:is_admin',
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_introspection_abort = policy.DeprecatedRule(
name='introspection:abort',
check_str='rule:is_admin'
check_str='rule:is_admin',
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_introspection_data = policy.DeprecatedRule(
name='introspection:data',
check_str='rule:is_admin'
check_str='rule:is_admin',
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_introspection_reapply = policy.DeprecatedRule(
name='introspection:reapply',
check_str='rule:is_admin'
check_str='rule:is_admin',
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_introspection_rule_get = policy.DeprecatedRule(
name='introspection:rule:get',
check_str='rule:is_admin'
check_str='rule:is_admin',
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_introspection_rule_delete = policy.DeprecatedRule(
name='introspection:rule:delete',
check_str='rule:is_admin'
check_str='rule:is_admin',
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_introspection_rule_create = policy.DeprecatedRule(
name='introspection:rule:create',
check_str='rule:is_admin'
check_str='rule:is_admin',
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
)
introspection_policies = [
@ -142,18 +158,14 @@ introspection_policies = [
description='Get introspection status',
operations=[{'path': '/introspection', 'method': 'GET'},
{'path': '/introspection/{node_id}', 'method': 'GET'}],
deprecated_rule=deprecated_introspection_status,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
deprecated_rule=deprecated_introspection_status
),
policy.DocumentedRuleDefault(
name='introspection:start',
check_str=SYSTEM_ADMIN,
description='Start introspection',
operations=[{'path': '/introspection/{node_id}', 'method': 'POST'}],
deprecated_rule=deprecated_introspection_start,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
deprecated_rule=deprecated_introspection_start
),
policy.DocumentedRuleDefault(
name='introspection:abort',
@ -161,9 +173,7 @@ introspection_policies = [
description='Abort introspection',
operations=[{'path': '/introspection/{node_id}/abort',
'method': 'POST'}],
deprecated_rule=deprecated_introspection_abort,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
deprecated_rule=deprecated_introspection_abort
),
policy.DocumentedRuleDefault(
name='introspection:data',
@ -171,9 +181,7 @@ introspection_policies = [
description='Get introspection data',
operations=[{'path': '/introspection/{node_id}/data',
'method': 'GET'}],
deprecated_rule=deprecated_introspection_data,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
deprecated_rule=deprecated_introspection_data
),
policy.DocumentedRuleDefault(
name='introspection:reapply',
@ -181,9 +189,7 @@ introspection_policies = [
description='Reapply introspection on stored data',
operations=[{'path': '/introspection/{node_id}/data/unprocessed',
'method': 'POST'}],
deprecated_rule=deprecated_introspection_reapply,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
deprecated_rule=deprecated_introspection_reapply
),
]
@ -194,9 +200,7 @@ rule_policies = [
description='Get introspection rule(s)',
operations=[{'path': '/rules', 'method': 'GET'},
{'path': '/rules/{rule_id}', 'method': 'GET'}],
deprecated_rule=deprecated_introspection_rule_get,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
deprecated_rule=deprecated_introspection_rule_get
),
policy.DocumentedRuleDefault(
name='introspection:rule:delete',
@ -204,18 +208,14 @@ rule_policies = [
description='Delete introspection rule(s)',
operations=[{'path': '/rules', 'method': 'DELETE'},
{'path': '/rules/{rule_id}', 'method': 'DELETE'}],
deprecated_rule=deprecated_introspection_rule_delete,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
deprecated_rule=deprecated_introspection_rule_delete
),
policy.DocumentedRuleDefault(
name='introspection:rule:create',
check_str=SYSTEM_ADMIN,
description='Create introspection rule',
operations=[{'path': '/rules', 'method': 'POST'}],
deprecated_rule=deprecated_introspection_rule_create,
deprecated_reason=deprecated_node_reason,
deprecated_since=versionutils.deprecated.WALLABY
deprecated_rule=deprecated_introspection_rule_create
),
]
@ -257,6 +257,15 @@ def init_enforcer(policy_file=None, rules=None,
rules=rules,
default_rule=default_rule,
use_conf=use_conf)
# NOTE(gmann): Explictly disable the warnings for policies
# changing their default check_str. With new RBAC policy
# work, all the policy defaults have been changed and warning for
# each policy started filling the logs limit for various tool.
# Once we move to new defaults only world then we can enable these
# warning again.
_ENFORCER.suppress_default_change_warnings = True
_ENFORCER.register_defaults(list_policies())

1
ironic_inspector/test/unit/policy_fixture.py
View File

@ -38,3 +38,4 @@ class PolicyFixture(fixtures.Fixture):
CONF.set_override('policy_file', self.policy_file_name, 'oslo_policy')
inspector_policy._ENFORCER = None
self.addCleanup(inspector_policy.get_enforcer().clear)
inspector_policy._ENFORCER.suppress_deprecation_warnings = True

2
requirements.txt
View File

@ -25,7 +25,7 @@ oslo.i18n>=3.15.3 # Apache-2.0
oslo.log>=3.36.0 # Apache-2.0
oslo.messaging>=5.32.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0
oslo.policy>=3.6.0 # Apache-2.0
oslo.policy>=3.7.0 # Apache-2.0
oslo.rootwrap>=5.8.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.service!=1.28.1,>=1.24.0 # Apache-2.0