Make policy deprecation reasons less verbose

oslo.policy emits a deprecation warning for every single rule that we
have deprecated at least once when a request comes in, and possibly
subsequent times if keystone is running in multiple processes, and even
more after keystone is reloaded. It's not useful to repeat nearly
identical multi-line messages for each policy every time: logs aren't
meant to justify our reasoning, they're just meant to be informative.
The relevant information and rationalization can be found in the release
notes. Repeating these identical multi-line messages starts to use up
space quickly and makes the logs unreadable.

This patch reduces the DEPRECATED_REASON for each policy to one brief
line, which should help make the logs more readable in general and
especially when run in a multiprocess environment, reduce the disk
footprint of the logs, and help with log indexing.

Change-Id: I98a0c06586b18dbd2f6681a24a5af1ea2de70951
Partial-bug: #1836568
tags/16.0.0.0rc1
Colleen Murphy 1 year ago
parent
commit
0526718fee
25 changed files with 74 additions and 169 deletions
  1. keystone/common/policies/application_credential.py (+4, -7)
  2. keystone/common/policies/consumer.py (+3, -7)
  3. keystone/common/policies/credential.py (+2, -5)
  4. keystone/common/policies/domain.py (+3, -7)
  5. keystone/common/policies/domain_config.py (+3, -7)
  6. keystone/common/policies/ec2_credential.py (+3, -7)
  7. keystone/common/policies/endpoint.py (+3, -7)
  8. keystone/common/policies/endpoint_group.py (+3, -7)
  9. keystone/common/policies/grant.py (+3, -7)
  10. keystone/common/policies/group.py (+3, -6)
  11. keystone/common/policies/identity_provider.py (+3, -7)
  12. keystone/common/policies/implied_role.py (+3, -7)
  13. keystone/common/policies/mapping.py (+3, -7)
  14. keystone/common/policies/policy.py (+3, -7)
  15. keystone/common/policies/policy_association.py (+3, -7)
  16. keystone/common/policies/project.py (+3, -7)
  17. keystone/common/policies/protocol.py (+4, -7)
  18. keystone/common/policies/region.py (+1, -6)
  19. keystone/common/policies/role.py (+3, -7)
  20. keystone/common/policies/role_assignment.py (+3, -7)
  21. keystone/common/policies/service.py (+3, -7)
  22. keystone/common/policies/service_provider.py (+3, -7)
  23. keystone/common/policies/token.py (+3, -6)
  24. keystone/common/policies/trust.py (+3, -7)
  25. keystone/common/policies/user.py (+3, -6)

keystone/common/policies/application_credential.py (+4, -7)

@@ -31,13 +31,10 @@ deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_OR_OWNER
)

DEPRECATED_REASON = """
As of the Train release, the application credential API understands how to
handle system-scoped tokens in addition to project tokens, making the API
more accessible to users without compromising security or manageability for
administrators. The new default policies for this API account for these changes
automatically.
"""
DEPRECATED_REASON = (
"The application credential API is now aware of system scope and default "
"roles."
)

application_credential_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/consumer.py (+3, -7)

@@ -36,13 +36,9 @@ deprecated_delete_consumer = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED
)

DEPRECATED_REASON = """
As of the Train release, the OAUTH1 consumer API understands how to
handle system-scoped tokens in addition to project tokens, making the API
more accessible to users without compromising security or manageability for
administrators. The new default policies for this API account for these changes
automatically.
"""
DEPRECATED_REASON = (
"The OAUTH1 consumer API is now aware of system scope and default roles."
)

consumer_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/credential.py (+2, -5)

@@ -25,12 +25,9 @@ SYSTEM_ADMIN_OR_CRED_OWNER = (
)

DEPRECATED_REASON = (
'As of the Stein release, the credential API now understands how to '
'handle system-scoped tokens in addition to project-scoped tokens, making '
'the API more accessible to users without compromising security or '
'manageability for administrators. The new default policies for this API '
'account for these changes automatically.'
"The credential API is now aware of system scope and default roles."
)

deprecated_get_credential = policy.DeprecatedRule(
name=base.IDENTITY % 'get_credential',
check_str=base.RULE_ADMIN_REQUIRED
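
Review bot: the replacement line inside DEPRECATED_REASON switches to double quotes, while the removed lines and the context just below (`name=base.IDENTITY % 'get_credential'`) use single quotes. Keep single quotes here to match the rest of the file; since the reason is now a single literal, the enclosing parentheses are no longer needed either.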


keystone/common/policies/domain.py (+3, -7)

@@ -15,13 +15,9 @@ from oslo_policy import policy

from keystone.common.policies import base

DEPRECATED_REASON = """
As of the Stein release, the domain API now understands how to handle
system-scoped tokens in addition to project-scoped tokens, making the API more
accessible to users without compromising security or manageability for
administrators. The new default policies for this API account for these changes
automatically
"""
DEPRECATED_REASON = (
"The domain API is now aware of system scope and default roles."
)

deprecated_list_domains = policy.DeprecatedRule(
name=base.IDENTITY % 'list_domains',
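
Review bot: the new DEPRECATED_REASON here is the same sentence added in the other policy modules with only the API name changed, and this file already has `from keystone.common.policies import base`. Consider defining the sentence once in that base module as a format string that takes the API name, so a later wording change does not have to touch all 25 files again.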


keystone/common/policies/domain_config.py (+3, -7)

@@ -41,13 +41,9 @@ deprecated_delete_domain_config = policy.DeprecatedRule(
)


DEPRECATED_REASON = """
As of the Train release, the domain config API now understands default roles and
system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the domain config API.
"""
DEPRECATED_REASON = (
"The domain config API is now aware of system scope and default roles."
)

domain_config_policies = [
policy.DocumentedRuleDefault(
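
Review bot: the removed DEPRECATED_REASON text carried the one operator-facing instruction, "Be sure to take these new defaults into consideration if you are relying on overrides in your deployment", and the one-line replacement gives no hint that overridden policies need a review. The commit message says the rationale lives in the release notes, so consider ending the reason with a short pointer to them; that keeps the message to one line and still tells an operator reading the warning where to look.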


keystone/common/policies/ec2_credential.py (+3, -7)

@@ -41,13 +41,9 @@ deprecated_ec2_delete_credentials = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
)

DEPRECATED_REASON = """
As of the Train release, the EC2 credential API understands how to handle
system-scoped tokens in addition to project tokens, making the API more
accessible to users without compromising security or manageability for
administrators. The new default policies for this API account for these changes
automatically.
"""
DEPRECATED_REASON = (
"The EC2 credential API is now aware of system scope and default roles."
)

ec2_credential_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/endpoint.py (+3, -7)

@@ -31,13 +31,9 @@ deprecated_delete_endpoint = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
)

DEPRECATED_REASON = """
As of the Stein release, the endpoint API now understands default roles and
system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the endpoint API.
"""
DEPRECATED_REASON = (
"The endpoint API is now aware of system scope and default roles."
)


endpoint_policies = [


keystone/common/policies/endpoint_group.py (+3, -7)

@@ -71,13 +71,9 @@ deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
)


DEPRECATED_REASON = """
As of the Train release, the endpoint groups API now understands default roles
and system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the endpoint groups API.
"""
DEPRECATED_REASON = (
"The endpoint groups API is now aware of system scope and default roles."
)


group_endpoint_policies = [


keystone/common/policies/grant.py (+3, -7)

@@ -101,13 +101,9 @@ deprecated_revoke_grant = policy.DeprecatedRule(
name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
)

DEPRECATED_REASON = """
As of the Stein release, the assignment API now understands default roles and
system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the system assignment API.
"""
DEPRECATED_REASON = (
"The assignment API is now aware of system scope and default roles."
)

resource_paths = [
'/projects/{project_id}/users/{user_id}/roles/{role_id}',


keystone/common/policies/group.py (+3, -6)

@@ -45,12 +45,9 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(role:admin and domain_id:%(target.group.domain_id)s)'
)

DEPRECATED_REASON = """
As of the Stein release, the group API understands how to handle system-scoped
tokens in addition to project and domain tokens, making the API more accessible
to users without compromising security or manageability for administrators. The
new default policies for this API account for these changes automatically.
"""
DEPRECATED_REASON = (
"The group API is now aware of system scope and default roles."
)

deprecated_get_group = policy.DeprecatedRule(
name=base.IDENTITY % 'get_group',


keystone/common/policies/identity_provider.py (+3, -7)

@@ -36,13 +36,9 @@ deprecated_delete_idp = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED
)

DEPRECATED_REASON = """
As of the Stein release, the identity provider API now understands default
roles and system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the identity provider API.
"""
DEPRECATED_REASON = (
"The identity provider API is now aware of system scope and default roles."
)

identity_provider_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/implied_role.py (+3, -7)

@@ -40,13 +40,9 @@ deprecated_delete_implied_role = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED,
)

DEPRECATED_REASON = """
As of the Train release, the implied role API understands how to
handle system-scoped tokens in addition to project tokens, making the API
more accessible to users without compromising security or manageability for
administrators. The new default policies for this API account for these changes
automatically.
"""
DEPRECATED_REASON = (
"The implied role API is now aware of system scope and default roles."
)


implied_role_policies = [


keystone/common/policies/mapping.py (+3, -7)

@@ -36,13 +36,9 @@ deprecated_delete_mapping = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED
)

DEPRECATED_REASON = """
As of the Stein release, the federated mapping API now understands default
roles and system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the federated mapping API.
"""
DEPRECATED_REASON = (
"The federated mapping API is now aware of system scope and default roles."
)

mapping_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/policy.py (+3, -7)

@@ -40,13 +40,9 @@ deprecated_delete_policy = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED,
)

DEPRECATED_REASON = """
As of the Train release, the policy API now understands default roles and
system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the policy API.
"""
DEPRECATED_REASON = (
"The policy API is now aware of system scope and default roles."
)


policy_policies = [


keystone/common/policies/policy_association.py (+3, -7)

@@ -74,13 +74,9 @@ deprecated_delete_policy_association_for_region_and_service = policy.DeprecatedR
check_str=base.RULE_ADMIN_REQUIRED,
)

DEPRECATED_REASON = """
As of the Train release, the policy association API now understands default
roles and system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the policy association API.
"""
DEPRECATED_REASON = (
"The policy association API is now aware of system scope and default roles."
)

policy_association_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/project.py (+3, -7)

@@ -102,13 +102,9 @@ deprecated_delete_project_tags = policy.DeprecatedRule(
)


DEPRECATED_REASON = """
As of the Stein release, the project API understands how to handle
system-scoped tokens in addition to project and domain tokens, making the API
more accessible to users without compromising security or manageability for
administrators. The new default policies for this API account for these changes
automatically.
"""
DEPRECATED_REASON = (
"The project API is now aware of system scope and default roles."
)

TAGS_DEPRECATED_REASON = """
As of the Train release, the project tags API understands how to handle
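
Review bot: TAGS_DEPRECATED_REASON, visible in the trailing context right after the new DEPRECATED_REASON, is still a triple-quoted multi-line string beginning "As of the Train release, the project tags API understands how to handle". It will keep producing the multi-line warning the commit message sets out to remove, so shorten it in this change as well, or state in the commit message why it is left as it is.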


keystone/common/policies/protocol.py (+4, -7)

@@ -36,13 +36,10 @@ deprecated_delete_protocol = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED
)

DEPRECATED_REASON = """
As of the Stein release, the federated protocol API now understands default
roles and system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the protocol API.
"""
DEPRECATED_REASON = (
"The federated protocol API is now aware of system scope and default "
"roles."
)

protocol_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/region.py (+1, -6)

@@ -29,12 +29,7 @@ deprecated_delete_region = policy.DeprecatedRule(
)

DEPRECATED_REASON = (
'As of the Stein release, the region API now understands default roles '
'and system-scoped tokens, making the API more granular without '
'compromising security. The new policies for this API account for these '
'changes automatically. Be sure to take these new defaults into '
'consideration if you are relying on overrides in your deployment for the '
'region API.'
"The region API is now aware of system scope and default roles."
)

region_policies = [


keystone/common/policies/role.py (+3, -7)

@@ -56,13 +56,9 @@ deprecated_delete_domain_role = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED
)

DEPRECATED_REASON = """
As of the Stein release, the role API now understands default roles and
system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the role API.
"""
DEPRECATED_REASON = (
"The role API is now aware of system scope and default roles."
)

role_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/role_assignment.py (+3, -7)

@@ -25,13 +25,9 @@ deprecated_list_role_assignments = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED
)

DEPRECATED_REASON = """
As of the Stein release, the role assignment API now understands how to
handle system-scoped tokens in addition to project-scoped tokens, making
the API more accessible to users without compromising security or
manageability for administrators. The new default policies for this API
account for these changes automatically.
"""
DEPRECATED_REASON = (
"The assignment API is now aware of system scope and default roles."
)

role_assignment_policies = [
policy.DocumentedRuleDefault(
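
Review bot: the new reason reads "The assignment API is now aware of system scope and default roles.", which is word for word the string added in grant.py, while the removed text here named "the role assignment API". With identical messages the warning no longer distinguishes the two rule sets in the logs; use "The role assignment API ..." in this file.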


keystone/common/policies/service.py (+3, -7)

@@ -36,13 +36,9 @@ deprecated_delete_service = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED
)

DEPRECATED_REASON = """
As of the Stein release, the service API now understands default roles and
system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the service API.
"""
DEPRECATED_REASON = (
"The service API is now aware of system scope and default roles."
)

service_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/service_provider.py (+3, -7)

@@ -36,13 +36,9 @@ deprecated_delete_sp = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED
)

DEPRECATED_REASON = """
As of the Stein release, the service provider API now understands default
roles and system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the service provider API.
"""
DEPRECATED_REASON = (
"The service provider API is now aware of system scope and default roles."
)

service_provider_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/token.py (+3, -6)

@@ -15,12 +15,9 @@ from oslo_policy import policy

from keystone.common.policies import base

DEPRECATED_REASON = """
As of the Train release, the token API now understands how to handle
system-scoped tokens, making the API more accessible to users without
compromising security or manageability for administrators. This support
includes a read-only role by default.
"""
DEPRECATED_REASON = (
"The token API is now aware of system scope and default roles."
)

deprecated_check_token = policy.DeprecatedRule(
name=base.IDENTITY % 'check_token',


keystone/common/policies/trust.py (+3, -7)

@@ -45,13 +45,9 @@ deprecated_get_trust = policy.DeprecatedRule(
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
)

DEPRECATED_REASON = """
As of the Train release, the trust API now understands default roles and
system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the service API.
"""
DEPRECATED_REASON = (
"The trust API is now aware of system scope and default roles."
)

trust_policies = [
policy.DocumentedRuleDefault(


keystone/common/policies/user.py (+3, -6)

@@ -30,12 +30,9 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(role:admin and token.domain.id:%(target.user.domain_id)s)'
)

DEPRECATED_REASON = """
As of the Stein release, the user API understands how to handle system-scoped
tokens in addition to project and domain tokens, making the API more accessible
to users without compromising security or manageability for administrators. The
new default policies for this API account for these changes automatically.
"""
DEPRECATED_REASON = (
"The user API is now aware of system scope and default roles."
)

deprecated_get_user = policy.DeprecatedRule(
name=base.IDENTITY % 'get_user',

